In an enterprise deployment of Office 365 Wave 14, one of the recurring pain points was how to handle mailbox data retention once a user left the business and the data is required for compliance purposes. There were a number of options available to handle this:
- Leave the mailbox in-situ and disable the user account
- Change the license SKU to Kiosk Plan 2 as it’s a cheaper license cost and disable the user account
- Migrate the departed user mailbox back to the on-premises hybrid Exchange platform
- Use a 3rd party cloud archive solution
While all of these will work, on an enterprise scale they’re quite clunky and even with an identity management solution in place, they’re not particularly practical or cost effective. Aside from the high administrative overhead, there’s a high cost to license most of these options or maintain on-premises infrastructure. And if you’re going to these lengths to preserve this data, you want it to be searchable through eDiscovery, in which case it should stay where the bulk of the mail already is: in the cloud.
With Office 365 Wave 15 and Exchange 2013, the Legal Hold functionality (now called In-Place Hold) has been enhanced to include the “inactive mailboxes” feature to cover a departed user scenario. When a user leaves the business, it is now possible to place the mailbox into In-Place Hold, then delete the corresponding user account. The mailbox will then be available to eDiscovery indefinitely and the mailbox license can be released back into the pool.
Once the retention requirements have been met, it is possible to remove the In-Place Hold and allow the mailbox to be deleted in accordance with the default deleted mailbox retention policy. Inactive mailboxes do not require any Office 365 or Exchange Online licensing.
The benefits of using the Inactive Mailbox feature are:
- Visible in eDiscovery searches
- Preserves the mailbox indefinitely
- Hidden from users so no longer available in the GAL
- Cannot send or receive email
- No Active Directory / Office 365 account required
- No license required
How to Create an Inactive Mailbox
- In-Place Hold
When a mailbox is placed in In-Place hold, the content is preserved as is and cannot be changed. The mailbox can be on hold for a specified time or indefinitely. The mailbox is still subject to the standard Exchange Online deleted mailbox retention policy of 30 days, meaning that if the mailbox has been inactive for over 30 days and is taken out of In-Place Hold, it will be deleted permanently
To create a new In-Place Hold that will be active for seven years, execute the following PowerShell command
New-MailboxSearch “Joel-Test-Hold” –SourceMailboxes “firstname.lastname@example.org” –InPlaceHoldEnabled $True –ItemHoldPeriod 2557
- Delete Source Account
With In-Place Hold activated on the mailbox, the associated account can be deleted from Active Directory or from Office 365. Once the seven year period has expired, the mailbox will be automatically deleted.
Accessing an Inactive Mailbox
As the associated account has been deleted, the mailbox cannot be opened in Outlook or OWA. The only way to access the content of the mailbox is to use the eDiscovery console from with the Exchange Admin Centre. The contents of the entire mailbox can be shown, or specific items related to a search query. All results can be exported to a PST file.
To run an eDiscovery search from PowerShell, I’m going to search for all email items in a particular mailbox that contain either the word “Kloud” or “Office 365” between the 1st of January and today:
New-MailboxSearch “Test-Search” -StartDate “1/1/2013” -EndDate “20/6/2013” -SourceMailboxes “Joel-Test-Hold” -TargetMailbox “Discovery Search Mailbox” -SearchQuery “Kloud” AND “Office 365” -MessageTypes Email -IncludeUnsearchableItems -LogLevel Basic
Manually Remove an Inactive Mailbox
Once the compliance requirements have been met, or the mailbox is no longer needed, it is possible to remove the hold placed on the mailbox and allow it to delete. As mentioned earlier, if the mailbox has been on hold for over 30 days, it will be permanently deleted once the hold is removed. If it has been on hold for less than 30 days the mailbox will be available for the remainder of the 30 day period since the hold was activated.
Set-MailboxSearch “Joel-Test-Hold” –InPlaceHoldEnabled $False
A complete list of the available Set-MailboxSearch parameters can be found at http://technet.microsoft.com/en-us/library/dd298064(v=exchg.150).aspx
- Delete Source Account