Removing license from user, what gets removed and how quickly (returning staff member)

Hi,

Just after some clarification, hopefully from someone that has gone through the process.

Example: a staff member leaves the company and their account has its O365 license removed as part of the leaver process. Then for some reason they come back to the company. When a license is applied back to their old account everything should be active again. My question is: does any data get deleted at the license removal stage, or is it preserved for 30 days? Assuming the staff member came back within 30 days, would they see any data loss (SPO, ODB, mail etc.) or will it appear as it was?

Cheers

Rob

It's 30 days according to this and as long as the respective licence is restored within that timeframe, the data should remain intact:

Remove and delete the Office 365 license from a former employee

"When you remove the license, all that user's data is held for 30 days. You can access the data, or restore the account if the user comes back. After 30 days, all the user's data (except for documents stored on SharePoint Online) is deleted permanently from Office 365 and can't be recovered."

Thanks for the info Cain, I've seen that and not that I am suspicious of MS documentation but it would be good to hear if someone has gone through the process... not that I am paranoid or anything! :)

No problem, I have certainly seen this in the past, licences removed sometimes accidentally and then restored days later and the data was intact. 

There are some caveats with Exchange Online scenarios, especially if in a hybrid config (in which case, you'd likely need to use New-MailboxRestoreRequest to recover the mailbox). Here's some additional light reading: https://blogs.technet.microsoft.com/exchange/2016/10/31/change-in-behavior-for-delicensed-exchange-o.... It probably goes without saying that it'd be a good idea to provision a few test mailboxes and update your SOPs.

If you think someone will return, you should put their account on hold before you remove the license. As long as the hold remains in place, the data will stay inside Office 365 as the workloads do not remove information when a hold exists. The Exchange mailbox will be an "inactive mailbox" during this time. This approach is often used by companies to keep information for extended periods while they figure out a) if they need any of the data owned by a "leaver" account or b) if someone should take over the old resources.

TR

We disable an account for 30 days after an employee leaves. Only then do we remove any licenses.

This also gives extra time for staff to ask for items out of their mailbox or OneDrive.

By saying "put their account on hold before you remove the license", what operation we should do exactly? There's no such operation called "put ... on hold", right?

In my tests I have seen an old mailbox being preserved a month or so after a license removal for an old user. But when I tried to create a fresh AD user, synced it, assigned a license, sent a few emails to it, then removed the license, in that case the mailbox disappeared very quickly and assigning a license again resulted in a fresh mailbox. It was a year or so ago. I advise testing no matter what the docs say. We also keep the license assigned for a few weeks after the leave.

A mailbox is put on hold by applying a legal or in-place hold to the mailbox. You can do this with an Exchange hold or an Office 365 hold. Either works.

I have found the litigation in-place hold option (either via EAC or in Office 365 admin center > Mail settings). So, if I apply such a hold and remove a license, it should still be there? Actually in my case we only need the automatic reply to work for 2 weeks after leave. I wonder if it will work during such a hold and if the license is removed.

If you apply a hold (litigation or retention) to a mailbox and remove the license from the account, Exchange will then try to remove the mailbox because it's now unlicensed. It will discover that a hold is in place and will therefore make the mailbox inactive. If you remove the hold, the mailbox will be removed. The autoreply won't work for an inactive mailbox (it is inactive), AFAIK.

Thanks Tony! May I confirm if this feature applies to O365 E1? Or does it require a higher level, E3/E5?

best response confirmed by Tony Redmond (MVP)
Solution

Well, you've got to be able to place a hold on a mailbox before it can become inactive, so that means E3 or better.

Good to know that. Guess that's why I can't find a place to "hold" a mailbox in my E1 subscription. Thanks Tony.

@Tony Redmond In my experience this isn't what happens. If a mailbox is placed on lit-hold then the license is removed, after 30 days the mailbox remains in an active state and does not become inactive. In this scenario, the mailbox only becomes inactive if the remove-mailbox cmd is run or in the case of a synced user, remove-remotemailbox. Unfortunately both commands remove the AD/AAD account and the user cannot be reinstated. The question is, what limitations does this apply on the mailbox if it has no license assigned, lit-hold enabled but is still an active mailbox i.e. not flagged inactive?

Some more details.

You have a mailbox with litigation hold enabled.

You remove the license from the mailbox. The mailbox now becomes a candidate to be an inactive mailbox once its account is removed from Office 365.

Because the account is now unlicensed, Office 365 gives the tenant a 30-day grace period to license it. During this time, the mailbox is active and can receive email.

When the 30-day period elapses, background processes kick in and will find the unlicensed mailbox.  At this point, the mailbox is either permanently removed or moved to an inactive state, depending on if holds exist.

You can force the process along by explicitly removing mailboxes or accounts. The grace period exists to allow tenants to recover from admin errors.

Once the mailbox is inactive, it can be recovered or restored.

But what if you need to keep the account in Office 365 (and in the case of Hybrid, retain the AD account) so that the leaver can be restored if they return, which is common in most JML processes? Assuming lit-hold is enabled, if you do not remove the account, but remove the license, then after 30 days the mailbox is not flagged as inactive and remains in its current state.

@robshin If the mailbox is inactive, it can be restored or recovered.

Re. Assuming lit-hold is enabled, If you do not remove the account, but remove the license, then after 30 days the mailbox is not flagged as inactive and remains in its current state.

Eventually EXO will detect the lack of license and move the mailbox to an inactive state to respect the hold. The 30 days period is not exact as the background processes run when service load permits. It might be 30 days; then again it might be longer.
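Added example, not part of any post in this thread: a read-only PowerShell check a leaver process could run before a license is removed, classifying each mailbox by the hold and license states described in the replies above. The function name `Get-LeaverMailboxOutcome` and the sample accounts are hypothetical; the property names are the ones Exchange Online's `Get-Mailbox` returns.

```powershell
# Added example (hypothetical helper, constructed sample data).
function Get-LeaverMailboxOutcome {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Mailbox,
        [int]$GraceDays = 30   # nominal; the thread notes actual timing can be longer
    )
    process {
        # A hold exists if litigation hold is on or any hold entry is listed.
        # Where-Object drops $null so an empty property counts as zero holds.
        $holds = @($Mailbox.InPlaceHolds | Where-Object { $_ })
        $held  = [bool]$Mailbox.LitigationHoldEnabled -or ($holds.Count -gt 0)

        $outcome = if ($Mailbox.IsInactiveMailbox) {
            'Inactive: can be recovered or restored'
        } elseif ($Mailbox.SkuAssigned -and $held) {
            'Licensed, hold in place: expected to go inactive after license removal and grace period'
        } elseif ($Mailbox.SkuAssigned) {
            'Licensed, NO hold: apply a hold before removing the license'
        } elseif ($held) {
            "Unlicensed, hold in place: active for about $GraceDays days, then inactive"
        } else {
            "Unlicensed, NO hold: removed after about $GraceDays days unless relicensed"
        }

        [pscustomobject]@{
            UserPrincipalName = $Mailbox.UserPrincipalName
            HoldInPlace       = $held
            Outcome           = $outcome
        }
    }
}

# Constructed sample objects standing in for Get-Mailbox output.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'leaver1@contoso.example'; LitigationHoldEnabled = $true
                       InPlaceHolds = @(); SkuAssigned = $true; IsInactiveMailbox = $false }
    [pscustomobject]@{ UserPrincipalName = 'leaver2@contoso.example'; LitigationHoldEnabled = $false
                       InPlaceHolds = @(); SkuAssigned = $true; IsInactiveMailbox = $false }
    [pscustomobject]@{ UserPrincipalName = 'leaver3@contoso.example'; LitigationHoldEnabled = $false
                       InPlaceHolds = $null; SkuAssigned = $false; IsInactiveMailbox = $false }
)
$sample | Get-LeaverMailboxOutcome | Format-Table -AutoSize -Wrap

# Against a tenant (after Connect-ExchangeOnline):
#   Get-Mailbox -Identity <UPN> | Get-LeaverMailboxOutcome
#   Get-Mailbox -InactiveMailboxOnly | Get-LeaverMailboxOutcome
```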
