How to work with Inactive Mailboxes
Published Jan 29 2019 05:00 AM 37.6K Views

It usually starts with the following question: Is there a way to release the license of an Exchange Online user that left the company, but at the same time, keep the mailbox content? To get this done, we have a feature called Inactive mailboxes, but as we have seen some of our customers being a bit confused about the sequence of steps that needs to be taken to do this correctly, I wanted to cover this scenario.

Scenario

David is a cloud-only user. David currently has an Office 365 Enterprise E5 license. David leaves the company, so as an Admin, I’ll need to remove his account, but I still need to have access to his emails.

Note: In this article, we will provide the steps that have to be taken in order to correctly move a mailbox from the Active state to the Inactive state. Details about how to access the content of an inactive mailbox can be found here.

Before you begin

You have to be connected with PowerShell to Azure Active Directory / Microsoft Online Directory Service (MSODS) and to Exchange Online in order to complete tasks mentioned on this article.

Steps to take

1. Put the mailbox on a hold (which will also place the Archive on the hold, if it is present). For this scenario I’ve used LitigationHold, but, any hold from Exchange Online, or Security and Compliance can be used:

Set-Mailbox David -LitigationHoldEnabled $True -LitigationHoldDuration Unlimited

Note: The hold setting may take up to 60 minutes to take effect.

2. Ensure the mailbox has Litigation Hold enabled:

Get-Mailbox David | fl PrimarySMTPAddress, Identity, LitigationHoldEnabled, LitigationHoldDuration, MailboxPlan, PersistedCapabilities, SKUAssigned

User properties should now show:

PrimarySmtpAddress : David@contoso.com
Identity : David
LitigationHoldEnabled : True
LitigationHoldDuration : Unlimited
MailboxPlan : ExchangeOnlineEnterprise-0527a260-bea3-46a3-9f4f-215fdd24f4d9
PersistedCapabilities : {BPOS_S_O365PAM, BPOS_S_ThreatIntelligenceAddOn, BPOS_S_EquivioAnalytics, BPOS_S_CustomerLockbox, BPOS_S_Analytics, BPOS_S_Enterprise}
SKUAssigned : True

3. Check the number of licenses you have in total/assigned:

Get-MsolAccountSku | fl AccountSkuId, ActiveUnits, ConsumedUnits

Example of what you might get:

AccountSkuId : contoso:ENTERPRISEPREMIUM
ActiveUnits : 25
ConsumedUnits : 3

ConsumedUnits represents the number of licenses that are currently assigned.

4. Remove the Azure Active Directory user, which will move the mailbox to inactive state:

Remove-MsolUser -UserPrincipalName David@contoso.com

5. Check if the mailbox was deleted and become an inactive mailbox:

Get-Mailbox David -InactiveMailboxOnly | fl PrimarySMTPAddress, Identity, LitigationHoldEnabled, LitigationHoldDuration, SKUAssigned, IsInactiveMailbox, IsSoftDeletedByRemove, WhenSoftDeleted

The results should be similar to:

PrimarySmtpAddress : David@contoso.com
Identity : Soft Deleted Objects\David
LitigationHoldEnabled : True
LitigationHoldDuration : Unlimited
SKUAssigned : False
IsInactiveMailbox : True
IsSoftDeletedByRemove : True
WhenSoftDeleted : 6/4/2018 6:42:11 AM

6. Check if the Azure Active Directory user was deleted (you should be able to see it in the list of Deleted users, or you can run a command similar to the one below):

Get-MsolUser -ReturnDeletedUsers -All | where {$_.ProxyAddresses -match "David@contoso.com"} | fl UserPrincipalName, IsLicensed, Licenses

The results should be similar to:

UserPrincipalName : David@contoso.com
IsLicensed : True
Licenses : {contoso:ENTERPRISEPREMIUM}

7. Check the number of licenses you have in total/assigned (the license for the user that is now deleted should be released):

Get-MsolAccountSku | fl AccountSkuId, ActiveUnits, ConsumedUnits

The results should be similar to:

AccountSkuId : contoso:ENTERPRISEPREMIUM
ActiveUnits : 25
ConsumedUnits : 2

Optional (if you want to remove the Azure Active Directory user for good):

8. Wait for 30 days to have the Azure Active Directory user deleted from the Deleted Users list, or run a command similar to the below in order to permanently remove the user:

Get-MsolUser –ReturnDeletedUsers -All | where {$_.ProxyAddresses -match "David@contoso.com"} | Remove-MsolUser -RemoveFromRecycleBin

9. Check if the user still exists in the Active Users, or in Deleted Users (for both commands no results should be returned and you should not see the user within Deleted users anymore):

Get-MsolUser -All | where {$_.ProxyAddresses –match “David@contoso.com”}
Get-MsolUser -ReturnDeletedUsers -All | where {$_.ProxyAddresses -match "David@contoso.com"}

10. Verify that the mailbox is still in the inactive state, and the Litigation Hold is still enabled:

Get-Mailbox David -InactiveMailboxOnly | fl PrimarySMTPAddress, LitigationHoldEnabled, LitigationHoldDuration, SKUAssigned, IsInactiveMailbox

The result should be similar to:

PrimarySmtpAddress : David@contoso.com
LitigationHoldEnabled : True
LitigationHoldDuration : Unlimited
SKUAssigned : False
IsInactiveMailbox : True

References; additional information / more details on:

Thanks to Mark Johnson, Nino Bilic and Murali Natarajan for their support and contribution to this blog post!

Cristian Dimofte

24 Comments
Version history
Last update:
‎Jul 01 2019 04:35 PM
Updated by: