One common request that I routinely encounter is to manage the mailboxes of employees who are leaving, or have left, a company. In these situations it is common to have the ex-employee's mailbox configured to forward email, to allow other users to access the mailbox, and eventually to delete the mailbox or block incoming mail to it.

Although there are a few different ways to accomplish these tasks in Office 365, I’m going to focus on using PowerShell to make changes to the Exchange environment. There will still be instances where it is necessary to log in to the Admin portal, but working in PowerShell gives you more options for configuration.

Please note:

  • For instruction on connecting PowerShell to Office 365 see
  • Whenever you see something within <> in a command it should be replaced with the object referenced, without the <>. For example, <user> might be replaced with jsmith.

Converting to a shared mailbox

Office 365 allows you to have any number of shared mailboxes. These mailboxes do not require a license. They have all the same functions as a regular mailbox, with a few caveats:

  1. Nobody logs in to the mailbox directly: it has no usable username and password of its own, and users reach it through permissions granted to their own accounts
  2. The mailbox cannot have an Online Archive
  3. The mailbox has a 10GB size limit (the earlier 5GB limit has been raised)

You can use the following command to convert a mailbox to a shared mailbox:

Set-Mailbox <user> -Type shared

Once the mailbox is converted to a shared mailbox you can log in to the Admin portal and remove the license from the account, freeing up the license for use with another user. Note that converting the mailbox and removing the license does not by itself disable the ex-employee's account; block sign-in for the account (or at least reset its password) as part of the same off-boarding so the old credentials cannot be used.

Forwarding email to another user

This can be easily accomplished in PowerShell with the following command:

Set-Mailbox <user> -DeliverToMailboxAndForward $false -ForwardingAddress "<recipient>@<domain>"

The DeliverToMailboxAndForward flag determines whether email will just be forwarded, or be forwarded as well as delivered to the ex-employee's mailbox. Note that -ForwardingAddress must resolve to a recipient that exists in your Exchange organization; to forward to an address outside the organization, use -ForwardingSmtpAddress instead.

The command to disable forwarding is:

Set-Mailbox <user> -ForwardingAddress $null

Allowing other users to access the shared mailbox

The most straight-forward way of doing this is to provide full access rights to a user. The command for doing this is:

Add-MailboxPermission <ex-user> -User <user> -AccessRights FullAccess  -Automapping $false

The Automapping flag determines whether the mailbox will automatically appear in the user's Outlook profile (version 2007 or newer).

Personally, I don't care for giving one-off FullAccess rights, as I find them difficult to manage in the long run. Rather, I prefer to create a security group that has full access to the mailbox, then add users to that security group. This makes access far easier to review and revoke later. Furthermore, it gives you the option of setting a user as the owner of the security group, allowing them to provide or revoke access to the mailbox themselves through Outlook or OWA.

The commands for this are:

New-DistributionGroup -Name "SG_<name>" -Type "Security" -PrimarySmtpAddress "SG_<name>@<domain>" | Set-DistributionGroup -HiddenFromAddressListsEnabled $true

This command creates a mail-enabled security group called SG_<name> with the email address SG_<name>@<domain> (the address must be a full SMTP address in one of your accepted domains) and hides the group from the Global Address List.

Add-MailboxPermission <ex-user>  -User “SG_<name>” -AccessRights FullAccess -Automapping $false

This command gives the security group full access to the mailbox.

Add-RecipientPermission <ex-user>  -Trustee “SG_<name>” -AccessRights SendAs -Confirm:$False

The final command is optional and allows members of the security group SG_<name> to send email as the ex-employee. Treat this as a separate decision from FullAccess: SendAs lets every member of the group send mail that appears to come from the ex-employee, so only grant it when that is genuinely required, and keep the group's membership small and reviewed.

Once the security group is in place users can be added and the mailbox can be opened in Outlook.
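The steps above, combined into one off-boarding run that also verifies what was actually applied. This is an added example and not a script from the original post; it assumes an Exchange Online remote PowerShell session is already open, and the user names, group name and domain are placeholders to replace.

```powershell
# Added example: off-board one mailbox end to end, then verify the result.
# Assumes an open Exchange Online remote PowerShell session.
$ExUser  = "jsmith"                      # ex-employee's mailbox (assumed name)
$Manager = "mjones"                      # internal recipient who receives forwarded mail (assumed)
$Domain  = "contoso.com"                 # an accepted domain in the tenant (assumed)
$Group   = "SG_$ExUser"                  # security group that will hold the mailbox's users
$Members = @("mjones", "hr-assistant")   # initial members of the group (assumed)

$ErrorActionPreference = "Stop"

# 1. Convert to a shared mailbox so the license can be reclaimed (skip if already done).
$mbx = Get-Mailbox -Identity $ExUser
if ($mbx.RecipientTypeDetails -ne "SharedMailbox") {
    Set-Mailbox -Identity $ExUser -Type Shared
}

# 2. Forward without keeping a copy. -ForwardingAddress must resolve to a recipient
#    inside the organization, so fail early if it does not.
$null = Get-Recipient -Identity $Manager
Set-Mailbox -Identity $ExUser -ForwardingAddress $Manager -DeliverToMailboxAndForward $false

# 3. Mail-enabled security group, hidden from the address list, managed by the manager
#    so they can add or remove members from Outlook/OWA later.
if (-not (Get-DistributionGroup -Identity $Group -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name $Group -Type Security -PrimarySmtpAddress "$Group@$Domain" -ManagedBy $Manager |
        Set-DistributionGroup -HiddenFromAddressListsEnabled $true
}
foreach ($m in $Members) {
    Add-DistributionGroupMember -Identity $Group -Member $m -ErrorAction SilentlyContinue
}

# 4. Grant the group FullAccess. SendAs is a separate decision: every member could
#    then send mail that appears to come from the ex-employee, so it is off by default.
Add-MailboxPermission -Identity $ExUser -User $Group -AccessRights FullAccess -AutoMapping $false
$GrantSendAs = $false
if ($GrantSendAs) {
    Add-RecipientPermission -Identity $ExUser -Trustee $Group -AccessRights SendAs -Confirm:$false
}

# 5. The underlying account still exists after conversion. Blocking sign-in lives in
#    the MSOnline module (run after Connect-MsolService), so it is shown here as a comment:
# Set-MsolUser -UserPrincipalName "$ExUser@$Domain" -BlockCredential $true

# 6. Verify what was applied before telling anyone the mailbox is ready.
Get-Mailbox -Identity $ExUser |
    Select-Object RecipientTypeDetails, ForwardingAddress, DeliverToMailboxAndForward
Get-MailboxPermission -Identity $ExUser |
    Where-Object { $_.User -like "*$Group*" -and -not $_.IsInherited } |
    Select-Object User, AccessRights
Get-RecipientPermission -Identity $ExUser |
    Where-Object { $_.Trustee -like "*$Group*" } |
    Select-Object Trustee, AccessRights
```

The verification at the end is the part worth keeping even if you run the individual commands by hand: a forward that silently failed to apply, or a FullAccess grant that landed on the wrong object, is exactly the kind of thing that is only noticed weeks later.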

Blocking incoming mail for the ex-employee

Eventually the user who is currently receiving email from the shared mailbox won't want to receive it anymore. At this point, if the mailbox no longer needs to stay live in Office 365, export it to PST for long-term retention and delete it from the Office 365 environment.

However, in some circumstances it might be necessary to keep the mailbox for archival purposes, but prevent email from being delivered to it. This can be accomplished in a couple of ways.

First, you can change the email address of the account to something random using the following command:

Set-Mailbox <user> -EmailAddresses SMTP:<random>@<domain>

This command will replace all existing email addresses associated with the account, including aliases, with the one address entered, so record the current addresses before running it if you may need to know them later. If you do this, I would recommend hiding the mailbox from the Global Address List, which can be done with the following command:

Set-Mailbox <user> -HiddenFromAddressListsEnabled $true
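The address-replacement option as a single run that keeps a record of the old addresses and checks the outcome. This is an added example, not from the original post; it assumes an open Exchange Online session, and the user, domain and record path are placeholders.

```powershell
# Added example: retire the ex-employee's addresses and hide the mailbox, keeping a
# record of what the mailbox used to be called. Assumes an open Exchange Online session.
$ExUser = "jsmith"                                   # mailbox to retire (assumed name)
$Domain = "contoso.com"                              # accepted domain in the tenant (assumed)
$Record = "C:\Offboarding\$ExUser-addresses.csv"     # where the before-state is saved (assumed path)

$ErrorActionPreference = "Stop"
$mbx = Get-Mailbox -Identity $ExUser

# -EmailAddresses replaces the entire address list, so save it first. Everything in
# this list is what will start bouncing once the command below runs.
$before = @($mbx.EmailAddresses | ForEach-Object { $_.ToString() })
[pscustomobject]@{
    Mailbox   = $mbx.Identity.ToString()
    Primary   = $mbx.PrimarySmtpAddress.ToString()
    Addresses = ($before -join ";")
    ChangedAt = (Get-Date).ToString("o")
} | Export-Csv -Path $Record -NoTypeInformation

# Use a random local part so the new address collides with nothing and nobody can
# guess it and keep sending to the mailbox.
$alphabet = [char[]]"abcdefghijklmnopqrstuvwxyz0123456789"
$suffix   = -join (1..16 | ForEach-Object { $alphabet | Get-Random })
$newAddr  = "retired-$suffix@$Domain"

# Replace the addresses and hide the mailbox in one call.
Set-Mailbox -Identity $ExUser -EmailAddresses "SMTP:$newAddr" -HiddenFromAddressListsEnabled $true

# Confirm no old address survived and the mailbox is hidden.
$after    = Get-Mailbox -Identity $ExUser
$leftover = @($after.EmailAddresses | ForEach-Object { $_.ToString() } | Where-Object { $before -contains $_ })
if ($leftover.Count -gt 0) { throw "Old addresses still present: $($leftover -join ', ')" }
if (-not $after.HiddenFromAddressListsEnabled) { throw "Mailbox is still visible in the address list" }
"Mailbox $ExUser now answers only to $newAddr; previous addresses recorded in $Record"
```

Keep the CSV somewhere outside the mailbox itself: once the old addresses are gone, that file is the only record of what they were, and it is what you will need if the address later has to be reassigned or the mailbox restored.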

The other option is to use Forefront Online Protection for Exchange (FOPE), which is included as part of Office 365, to block incoming email sent to the ex-employee’s email address. Personally, I think this is a better option, as it allows you to retain the email address associated with the mailbox, while still blocking incoming email for that mailbox.

To create a policy rule to block email sent to a specific address, do the following:

  1. Log in to the FOPE admin console
  2. Click the Administration tab, then select Policy Rules
  3. Create a new policy rule
  4. Make sure the domain scope is for all domains, the traffic scope is for inbound messages, and the action is reject.
  5. Add a description to the rule
  6. Under the Recipient match enter the email address. If you have multiple email addresses, add them separated with commas, but no spaces.
  7. If you want the sender to receive a rejection notification, check the Notify sender option and fill in the notification details.
  8. Save the policy.

To Recap

Hopefully this post gives you the tools to better manage the mailboxes of ex-employees in Office 365.

To recap what we’ve covered:

  • Convert the mailbox to a shared mailbox (if it's under the 10GB limit), and free up a license
  • Forward the email to another user via PowerShell
  • Provide users access to the mailbox using a security group
  • And eventually delete the mailbox or block email to the account