In an enterprise deployment of Office 365 Wave 14, one of the recurring pain points was how to handle mailbox data retention once a user left the business and the data is required for compliance purposes. There were a number of options available to handle this:

  • Leave the mailbox in-situ and disable the user account
  • Change the license SKU to Kiosk Plan 2 as it’s a cheaper license cost and disable the user account
  • Migrate the departed user mailbox back to the on-premises hybrid Exchange platform
  • Use a 3rd party cloud archive solution

While all of these will work, on an enterprise scale they’re quite clunky and even with an identity management solution in place, they’re not particularly practical or cost effective. Aside from the high administrative overhead, there’s a high cost to license most of these options or maintain on-premises infrastructure. And if you’re going to these lengths to preserve this data, you want it to be searchable through eDiscovery, in which case it should stay where the bulk of the mail already is: in the cloud.

With Office 365 Wave 15 and Exchange 2013, the Legal Hold functionality (now called In-Place Hold) has been enhanced to include the “inactive mailboxes” feature to cover a departed user scenario. When a user leaves the business, it is now possible to place the mailbox into In-Place Hold, then delete the corresponding user account. The mailbox will then be available to eDiscovery indefinitely and the mailbox license can be released back into the pool.

Once the retention requirements have been met, it is possible to remove the In-Place Hold and allow the mailbox to be deleted in accordance with the default deleted mailbox retention policy. Inactive mailboxes do not require any Office 365 or Exchange Online licensing.

The benefits of using the Inactive Mailbox feature are:

  • Visible in eDiscovery searches
  • Preserves the mailbox indefinitely
  • Hidden from users so no longer available in the GAL
  • Cannot send or receive email
  • No Active Directory / Office 365 account required
  • No license required

How to Create an Inactive Mailbox

  1. In-Place Hold
    When a mailbox is placed in In-Place hold, the content is preserved as is and cannot be changed. The mailbox can be on hold for a specified time or indefinitely. The mailbox is still subject to the standard Exchange Online deleted mailbox retention policy of 30 days, meaning that if the mailbox has been inactive for over 30 days and is taken out of In-Place Hold, it will be deleted permanently

    To create a new In-Place Hold that will be active for seven years, execute the following PowerShell command

    New-MailboxSearch “Joel-Test-Hold” –SourceMailboxes “joel.neff@showcase.kloud.com.au” –InPlaceHoldEnabled $True –ItemHoldPeriod 2557
  2. Delete Source Account
    With In-Place Hold activated on the mailbox, the associated account can be deleted from Active Directory or from Office 365. Once the seven year period has expired, the mailbox will be automatically deleted.

Accessing an Inactive Mailbox

As the associated account has been deleted, the mailbox cannot be opened in Outlook or OWA. The only way to access the content of the mailbox is to use the eDiscovery console from with the Exchange Admin Centre. The contents of the entire mailbox can be shown, or specific items related to a search query. All results can be exported to a PST file.

To run an eDiscovery search from PowerShell, I’m going to search for all email items in a particular mailbox that contain either the word “Kloud” or “Office 365” between the 1st of January and today:

New-MailboxSearch “Test-Search” -StartDate “1/1/2013” -EndDate “20/6/2013” -SourceMailboxes “Joel-Test-Hold” -TargetMailbox “Discovery Search Mailbox” -SearchQuery “Kloud” AND “Office 365” -MessageTypes Email -IncludeUnsearchableItems -LogLevel Basic

Manually Remove an Inactive Mailbox

Once the compliance requirements have been met, or the mailbox is no longer needed, it is possible to remove the hold placed on the mailbox and allow it to delete. As mentioned earlier, if the mailbox has been on hold for over 30 days, it will be permanently deleted once the hold is removed. If it has been on hold for less than 30 days the mailbox will be available for the remainder of the 30 day period since the hold was activated.

Set-MailboxSearch “Joel-Test-Hold” –InPlaceHoldEnabled $False
Remove-MailboxSearch “Joel-Test-Hold”

A complete list of the available Set-MailboxSearch parameters can be found at http://technet.microsoft.com/en-us/library/dd298064(v=exchg.150).aspx

Category:
Exchange, Office 365
Tags:
, , ,

Join the conversation! 5 Comments

  1. Great article, but how do you handle a user that returns to work after they have been put on hold and the AD account has been deleted.

    • The inactive mailbox feature is designed for compliance and discovery purposes rather than as a recovery tool to reinstate a mailbox after a user has long since departed. You could run an eDiscovery search and export the mail to PST for the user to manually re-import, however it will just be a flat export of mail items and not contain the original folder structure.

      • I understand, I am just curious what’s the proper way to handle a returning user that has been put on hold and the AD account has been deleted. I am not interested in recovering the email for the returning user. I Believe you will run into duplicate SMTP addresses issue if the returning user gets the same email address again. Just wondering how to handle this on a large scale, I have seen some recommendations on renaming the account before it is put on hold and AD account deleted, just not sure that is the correct way.

  2. How do we handle email forwarding of an employee who has left the company? Can we forward emails of an office365 inactive mailbox to another active user/mailbox?
    We want to remove all licenses from mailbox, disable/delete user, put litigation hold but we want to forward emails to another user say for 6 months. Is it possible at all?

    • Hi Sameer,
      In this instance you’d simply add the SMTP address from the deleted mailbox as an email alias to an active account. You could continue to receive mail in this configuration indefinitely.
      Cheers,
      Joel

Comments are closed.