How to work with Inactive Mailboxes in a Hybrid Environment

Tuesday, January 29, 2019
Earlier today the Exchange team posted an article on the EHLO Blog explaining how to manage inactive mailboxes in Exchange Online. That blog post is geared mainly toward cloud-only tenants. This article gives information about the differences between inactive users and shared mailboxes and how to configure them both in a hybrid environment.

Inactive vs Shared Mailboxes

Most customers are interested in a way to remove the Office 365 license from terminated users to reduce costs, while maintaining access to their email. There are two ways to do this.

Inactive mailboxes are mailboxes that have been put on litigation hold and the Office 365 licenses have been removed from the user account in Azure AD. Normally when you remove an Exchange Online license from a user account, the mailbox becomes disconnected and will eventually be purged from EXO (30 days by default). However, if the mailbox is placed on litigation hold before the user account is deleted or unlicensed, EXO is unable to delete the mailbox until the lit hold is removed.

Shared mailboxes are mailboxes that multiple users can access to read and send e-mail messages. Shared mailboxes allow a group of users to view and send e-mail from a common mailbox. This type of mailbox also does not require an EXO license, but has some limits placed on it to prevent abuse.

I put together a table that lists some of the important differences between Inactive and Shared mailboxes that may help you choose which one to use. Neither requires an EXO license.

                                   | Inactive Mailbox                             | Shared Mailbox
Requires an EXO license            | No                                           | No
Accessed by                        | Only by users with Discovery Management role | Any user with Full Access rights or with Discovery Management role
Can receive new emails             | No                                           | Yes
Can send new emails                | No                                           | Yes
Mailbox size limit                 | 100 GB                                       | 50 GB
Supports online archive mailboxes  | Yes                                          | Yes, but requires a license
Messages can be changed or deleted | No                                           | Yes

Note: There are other limits and requirements, as well. See Exchange Online Limits for the complete list.

Inactive mailboxes are just that -- inactive. The mailbox contents are in stasis and cannot be changed. No new emails can be sent or received by an inactive mailbox. The original user cannot access the mailbox because the account has been deleted or the Office 365 license(s) have been removed. Only users with the Discovery Management role can access the historical mailbox contents. If a user was granted full access to that mailbox prior to removing the license(s), the mailbox may still show in Outlook, but the contents will be inaccessible.

Some organizations choose to convert mailboxes for terminated users into shared mailboxes instead and assign full access to the user's manager or another team member or group. That way, emails sent to the shared mailbox don't bounce with an NDR and the user with full access can respond for the terminated employee. Just keep in mind the size and archive limits listed above. See Correcting Shared Mailbox provisioning and sizing for more details.

How to Configure an Inactive Mailbox in a Hybrid Environment

Normally in a hybrid environment all user and mailbox management is done on-premises and the configuration changes sync to the cloud. However, configuring litigation hold for an inactive mailbox is performed directly in Exchange Online.

Follow the first two steps listed in the EHLO Blog article. These are performed in the Microsoft Exchange Online PowerShell Module.

1. Put the mailbox on a hold (which will also place the Archive on the hold, if it is present). For this scenario I've used LitigationHold, but any hold from Exchange Online or Security and Compliance can be used:
Set-Mailbox David -LitigationHoldEnabled $True -LitigationHoldDuration Unlimited
Note: The hold setting may take up to 60 minutes to take effect.

2. Ensure the mailbox has Litigation Hold enabled:
Get-Mailbox David | fl PrimarySMTPAddress, Identity, LitigationHoldEnabled, LitigationHoldDuration, MailboxPlan, PersistedCapabilities, SKUAssigned
User properties should now show:

PrimarySmtpAddress :
Identity : David
LitigationHoldEnabled : True
LitigationHoldDuration : Unlimited
MailboxPlan : ExchangeOnlineEnterprise-0527a260-bea3-46a3-9f4f-215fdd24f4d9
PersistedCapabilities : {BPOS_S_O365PAM, BPOS_S_ThreatIntelligenceAddOn, BPOS_S_EquivioAnalytics, BPOS_S_CustomerLockbox, BPOS_S_Analytics, BPOS_S_Enterprise}
SKUAssigned : True

3. Wait for Azure AD Connect to replicate the change back to on-premises or you can force AAD replication using the following command on your AAD Connect server:
Start-ADSyncSyncCycle -PolicyType delta
4. Now you can either delete the user's AD account from on-premises, which will sync to AAD and remove the user account there, or remove the user's Office 365 license(s). The inactive mailbox will not be deleted because it's on indefinite litigation hold. Use the procedures here to access the inactive mailbox.
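As an added example (not code from the original post or the EHLO article), the following Exchange Online PowerShell function wraps steps 1 and 2 and refuses to return success until the hold is actually reported on the mailbox, so an account is not deleted or unlicensed while its mailbox could still be purged. It assumes an existing Exchange Online PowerShell session and that $Identity is the user's primary SMTP address (the sample address is constructed).

```powershell
# Added example: confirm a litigation hold is in place before the account is deleted or unlicensed.
# Assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline already run).
function Enable-InactiveMailboxHold {
    param(
        [Parameter(Mandatory)] [string] $Identity,   # e.g. david@contoso.com (constructed sample)
        [int] $TimeoutMinutes = 60                    # the post notes the hold can take up to 60 minutes
    )

    $mbx = Get-Mailbox -Identity $Identity -ErrorAction Stop
    if ($mbx.RecipientTypeDetails -ne 'UserMailbox') {
        throw "$Identity is a $($mbx.RecipientTypeDetails), not a user mailbox; nothing to do."
    }

    # Step 1: the hold also covers the archive mailbox if one exists
    if (-not $mbx.LitigationHoldEnabled) {
        Set-Mailbox -Identity $Identity -LitigationHoldEnabled $true -LitigationHoldDuration Unlimited
    }

    # Step 2: poll until the hold properties are reported instead of assuming the write took effect
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $mbx  = Get-Mailbox -Identity $Identity
        $held = $mbx.LitigationHoldEnabled -and ("$($mbx.LitigationHoldDuration)" -eq 'Unlimited')
        if (-not $held) { Start-Sleep -Seconds 60 }
    } while (-not $held -and (Get-Date) -lt $deadline)

    if (-not $held) {
        throw "Litigation hold not confirmed on $Identity after $TimeoutMinutes minutes; do not delete or unlicense the account yet."
    }

    # Return the same properties the post inspects, so the change can be recorded
    $mbx | Select-Object PrimarySmtpAddress, Identity, LitigationHoldEnabled, LitigationHoldDuration, MailboxPlan, SKUAssigned
}

# Once the AD account is deleted and AAD Connect has synced, the mailbox should be listed as inactive:
# Get-Mailbox -InactiveMailboxOnly -Identity david@contoso.com
```

Run Enable-InactiveMailboxHold before step 3, and only proceed to step 4 when it returns the mailbox properties rather than throwing.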

How to Configure a Shared Mailbox in a Hybrid Environment

First, it's important to know that it's recommended that you do not convert a mailbox that was migrated to Exchange Online to a shared mailbox. The mailbox should be moved back to on-prem, converted to a shared mailbox, and migrated to Office 365 again. The reason is that AAD Connect doesn't sync the correct attributes back to on-premises. See Convert a user's mailbox in a hybrid environment for more details.

That said, it is possible to convert a migrated user mailbox to a shared mailbox by updating AD on-premises manually. Jetze Mellema blogged about it here. Just follow these steps:

1. Sign-in to the Exchange Online Admin Center and navigate to Recipients > Mailboxes.

2. Select the user account you wish to convert and select Convert to Shared Mailbox on the right-side pane. The mailbox will now show under Shared mailboxes in the Exchange Admin Center in Exchange Online.

3. In AD on premises, change the following two attributes for the user account. This can be done using ADSIEdit or the Advanced view of AD Users and Computers on the Attributes tab.
msExchRemoteRecipientType: 100
msExchRecipientTypeDetails: 34359738368
4. Remove the Office 365 licenses from the Shared mailbox.

5. Disable the user account in AD on-prem and Windows will manage its password. The mailbox will now show under Shared mailboxes in the Exchange Admin Center on premises.
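As an added example (not code from the original post or from Jetze Mellema's article), this PowerShell function performs steps 3 and 5 on-premises with the ActiveDirectory module instead of ADSIEdit, recording the attribute values before the change and verifying them afterwards. It assumes steps 1, 2 and 4 have already been done in Exchange Online and that the account is identified by its sAMAccountName (the sample name is constructed).

```powershell
# Added example: set the two on-premises attributes for a converted shared mailbox and disable the account.
# Requires the ActiveDirectory module (RSAT) and rights to write msExch* attributes on the user object.
function Set-OnPremSharedMailboxAttributes {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName   # e.g. david (constructed sample)
    )

    $props = 'msExchRemoteRecipientType', 'msExchRecipientTypeDetails', 'Enabled'
    $user  = Get-ADUser -Identity $SamAccountName -Properties $props -ErrorAction Stop

    # Values from the post: 100 and 34359738368 mark a remote shared mailbox
    $target = @{
        msExchRemoteRecipientType  = 100
        msExchRecipientTypeDetails = 34359738368
    }

    # Refuse to touch an object that is not a remote (migrated) mailbox at all
    if (-not $user.msExchRemoteRecipientType) {
        throw "$SamAccountName has no msExchRemoteRecipientType; it is not a remote mailbox object."
    }

    # Keep a before record so the change can be reviewed or rolled back
    $before = [ordered]@{}
    foreach ($p in $target.Keys) { $before[$p] = $user.$p }

    # Step 3: only write the attributes that actually differ
    $changes = @{}
    foreach ($p in $target.Keys) {
        if ([int64]$user.$p -ne [int64]$target[$p]) { $changes[$p] = $target[$p] }
    }
    if ($changes.Count -gt 0) {
        Set-ADUser -Identity $SamAccountName -Replace $changes
    }

    # Step 5: disable the account now that the mailbox no longer belongs to an active user
    if ($user.Enabled) { Disable-ADAccount -Identity $SamAccountName }

    # Verify: read back and compare against the target values
    $after = Get-ADUser -Identity $SamAccountName -Properties $props
    foreach ($p in $target.Keys) {
        if ([int64]$after.$p -ne [int64]$target[$p]) { throw "Attribute $p on $SamAccountName did not update." }
    }
    [pscustomobject]@{ User = $SamAccountName; Before = $before; After = ($after | Select-Object $props) }
}
```

Run Start-ADSyncSyncCycle -PolicyType delta on the AAD Connect server afterwards, then confirm the mailbox shows under Shared mailboxes in both admin centers.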
