Microsoft 365 E5 Compliance license creating mailboxes for mail users (which we do not want)

We recently purchased Microsoft 365 E5 Compliance and E5 Security licenses to assign to our users (who already have the Microsoft 365 E3 license).

 

About 1/3 of our users do not have a mailbox hosted by us, and instead are mail users (as they have email accounts hosted by other companies they work for) - we are not assigning an Exchange Online license to them. 

 

When assigning the E5 Security we found we had to turn off "Office 365 Advanced Threat Protection (Plan 2)" and "Office 365 SafeDocs" for those users, since they do not have a mailbox.

 

However, we cannot apply any features of E5 Compliance, as they all create a mailbox for the user automatically, and then change the user's primary email to either @domain.onmicrosoft.com or @domain.org - which then updates our Address Book to list those emails, rather than the external email address they use.

 

E5 Compliance covers OneDrive/SharePoint and all Office 365 applications, and we want all of our users to be covered by this, even those without a mailbox.  Is there a way we can apply this license without it creating a mailbox/changing the primary SMTP for mail users?  If not, is there an alternative solution for us?

 

Thank you in advance!

11 Replies
Hello Brandon,

Maybe the solution for this would be inviting the users from other companies as guest users in your Azure AD. (It's called B2B collaboration, check here: https://docs.microsoft.com/en-us/azure/active-directory/b2b/what-is-b2b)

I don't think the features will work without giving them access to Exchange. As a workaround, you could change the GAL with PowerShell.

https://docs.microsoft.com/en-us/exchange/address-books/address-lists/configure-global-address-list-...

I'm not aware of which services exactly those SKUs contain, and it doesn't make much sense to me for them to have the Exchange Online plans included (although there are few features in the compliance stack that require you to have a mailbox). Can you paste the relevant details here? Something like this should do:

 

(Get-MsolAccountSku | ? {$_.AccountSkuId -eq "tenant:SKUNAME"}).ServiceStatus

@reneyagmur  - Thank you very much for your reply.  Unfortunately these users that have outside mailboxes are not in the O365 environment.  Some are Gmail, some are Exchange on-prem, one might even be Domino.  Since they do not have O365 in their other companies I do not believe B2B will work in this instance.

 

@Vasil Michev - Per your instructions, here are the services that are part of E5 Compliance (along with their more user-friendly names). Let me know if there is anything else I can provide, thank you for your assistance!

 

ServicePlans


M365_ADVANCED_AUDITING - Microsoft 365 Advanced Auditing
INFORMATION_BARRIERS - Information Barriers
PREMIUM_ENCRYPTION - Premium Encryption in Office 365
MIP_S_CLP2 - Information Protection for Office 365 - Premium
PAM_ENTERPRISE - Office 365 Privileged Access Management
EQUIVIO_ANALYTICS - Office 365 Advanced eDiscovery
LOCKBOX_ENTERPRISE - Customer Lockbox
RMS_S_PREMIUM2 - Azure Information Protection Premium P2

@Brandon Hofmann This isn't a problem. It works perfectly with Google (just needed as identity provider) and other AAD.

 

For everyone not using Google or Microsoft, there is a preview feature in AAD. Use one-time passcode, so your users will get a one-time password and can authenticate with this password in your Azure AD.

@Brandon Hofmann None of these should result in provisioning a mailbox. Yes, some of the services listed do *require* an Exchange Online license to be assigned, but no mailbox should be provisioned without such license assigned by you.

 

I assume you have some spare licenses that include Exchange Online and one of those got assigned for some reason. Do you handle assignments via the O365 Admin center, or via group-based licensing or some other method?

@reneyagmur  - Sorry, I didn't clearly explain - these users need accounts in our on-prem Active Directory environment as well, as some of them have computers assigned to them, while others may use a shared computer.  So I believe in order for that we need to create them in AD, and then sync them to O365/Azure, which is why we have them as Mail Users.

 

So in this instance we wouldn't be able to do this solution, correct?  Again, thank you very much for your assistance!

 

 

@Vasil Michev  - I've been using a test account that was created as an on-prem AD user, then mail enabled it and sync'd it to our O365/EXO.  I then applied licenses directly to the user (we usually use group-based licensing).

 

If I remove the E5 Compliance license the EXO properties show up correctly, with the gmail.com address as the primary. But as soon as I add the E5 Compliance license back (even if I only enable 1 feature of it - and I tried each feature individually), the primary SMTP gets changed back to @domain.org (again only in EXO, it remains correct in our on-Prem Exchange, and AD, but it's wrong in the Address Book).

 

I also have a ticket with MS opened, they thought it might be our Address Book Policies that were causing the issue, but I turned them off for that mail user and it still changes.  It's quite perplexing.  I appreciate the assistance though!

I'm getting confused now, you originally spoke about mailboxes, now you mention mail user. There's no way you can have a mailbox with gmail.com address, so I suppose MEUs is what you are indeed creating. If you apply an Exchange license to those, any non-accepted-domain aliases will be stripped out of them, even if no mailbox is actually provisioned for the user. But that should only happen with an actual Exchange Online license assigned, not the compliance SKU.

 

Unfortunately I don't have the actual SKU to verify/reproduce this, but pinging @Nino Bilic to confirm.

@Vasil Michev - Apologies for the confusion - the issue I'm experiencing with the E5 Compliance is only impacting Mail Users. 

 

"If you apply an Exchange license to those, any non-accepted-domain aliases will be stripped out of them, even if no mailbox is actually provisioned for the user."

 

I think that line describes our exact issue - even though we are not assigning an Exchange license to these users, when we assign any feature of the E5 Compliance license, it appears to assign a license to them, as the "Mail" tab for the user changes from "This user doesn't have an Exchange Online license" to listing all their Mail settings ("Mailbox Permissions", "Email apps", etc).

 

But again, the moment I remove E5 Compliance, it reverts back.  I even removed every other license assigned to the test user, then only assigned "Microsoft 365 Advanced Auditing" and "Office 365 Advanced Discovery" from E5 Compliance, and it still strips out the Gmail address, and makes "domain.org" the primary SMTP.

 

Although when I did that it says "This user doesn't have an Exchange Online license" in the mail tab.

 

Well, I cannot talk on behalf of Microsoft whether this is expected or a bug, so let's see if Nino has something to say about it.

@Brandon Hofmann do you mind telling me the exact name of the Compliance offering you speak of? I expect it is to be found under Billing > Products & services in the M365 portal (this link should take you there).

@Nino Bilic - Thank you for your reply!

 

It's just listed as "Microsoft 365 E5 Compliance". The following are the apps that are part of this subscription:

 

Azure Information Protection Premium P2
Customer Lockbox
Information Barriers
Information Protection for O365
Microsoft 365 Advanced Auditing
Office 365 Advanced eDiscovery
Office 365 Privileged Access Management
Premium Encryption in Office 365

 

I did further testing, and found that "Azure Information Protection Premium P2" is the only app I'm able to turn on for mail users that won't change their primary SMTP address and strip out the non-accepted domain aliases.

 

"Premium Encryption in Office 365" I'm not able to turn on as it states that "Exchange Online (Plan 2)" is required, but that is the only one. All others I can turn on, but it removes the gmail address as stated in my previous replies.

 

Let me know if there is any additional information I can provide, thank you again!
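
An added example, not posted by anyone in the thread: a PowerShell check for the symptom described above, which flags mail users whose primary SMTP address no longer matches their external address and lists the service plans still enabled on each. The function name `Get-SmtpDrift`, the flattened plan objects and the sample users are assumptions constructed for illustration.

```powershell
# Added example, not from the thread. Flags mail users whose primary SMTP address
# no longer matches their external address and lists the service plans still enabled.
function Get-SmtpDrift {
    param(
        [Parameter(Mandatory)] [object[]] $MailUsers,   # objects shaped like Get-MailUser output
        [Parameter(Mandatory)] [hashtable] $PlansByUpn  # UPN -> flattened service plan entries
    )
    foreach ($mu in $MailUsers) {
        # ExternalEmailAddress carries a prefix such as "SMTP:"; -replace is case-insensitive
        $external = ([string]$mu.ExternalEmailAddress -replace '^smtp:', '').ToLower()
        $primary  = ([string]$mu.PrimarySmtpAddress).ToLower()
        if ($external -eq $primary) { continue }        # address book still shows the external address
        $enabled = $PlansByUpn[$mu.UserPrincipalName] |
            Where-Object { $_.ProvisioningStatus -ne 'Disabled' } |
            ForEach-Object { $_.ServiceName }
        [pscustomobject]@{
            UserPrincipalName = $mu.UserPrincipalName
            ExternalAddress   = $external
            PrimarySmtp       = $primary
            EnabledPlans      = ($enabled | Sort-Object) -join ';'
        }
    }
}

# Constructed sample data (placeholder users and domains, not taken from a real tenant).
$sampleUsers = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@domain.org'
                       ExternalEmailAddress = 'SMTP:alice@gmail.com'
                       PrimarySmtpAddress = 'alice@domain.org' }   # drifted
    [pscustomobject]@{ UserPrincipalName = 'bob@domain.org'
                       ExternalEmailAddress = 'SMTP:bob@gmail.com'
                       PrimarySmtpAddress = 'bob@gmail.com' }      # intact
)
$samplePlans = @{
    'alice@domain.org' = @(
        [pscustomobject]@{ ServiceName = 'M365_ADVANCED_AUDITING'; ProvisioningStatus = 'Success' }
        [pscustomobject]@{ ServiceName = 'RMS_S_PREMIUM2'; ProvisioningStatus = 'Disabled' }
    )
    'bob@domain.org' = @(
        [pscustomobject]@{ ServiceName = 'RMS_S_PREMIUM2'; ProvisioningStatus = 'Success' }
    )
}

# Only alice is reported, with M365_ADVANCED_AUDITING as her enabled plan.
Get-SmtpDrift -MailUsers $sampleUsers -PlansByUpn $samplePlans | Format-List
```

Against a tenant, `-MailUsers` would come from `Get-MailUser -ResultSize Unlimited` and the plan table from each `Get-MsolUser` result's `Licenses.ServiceStatus` entries, where the plan name sits under `ServicePlan.ServiceName`.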