Managing Ex-Employee Mailboxes in Microsoft’s Office 365

One request I routinely encounter is managing the mailboxes of employees who have left the company. Typically the ex-employee's mailbox needs to forward its email to someone else, be opened by other users, and eventually either be deleted or have incoming mail blocked.

Although there are a few different ways to accomplish these tasks in Office 365, I’m going to focus on using PowerShell to make changes to the Exchange environment. There will still be instances where it is necessary to log in to the Admin portal, but working in PowerShell gives you more options for configuration.

Please note:

  • For instructions on connecting PowerShell to Office 365 see http://help.outlook.com/en-us/140/cc952755.aspx
  • Whenever you see something within <> in a command it should be replaced with the object referenced, without the <>. For example, <user> might be replaced with jsmith.

Converting ex-employee mailboxes to shared mailboxes

Office 365 allows you to have any number of shared mailboxes, and they do not require a license. A shared mailbox has the same functions as a regular mailbox, with a few caveats:

  1. There is no username or password associated with the mailbox – nobody logs in to it directly. Note that a mailbox converted from a user mailbox keeps its existing user account, so block sign-in (or reset the password) separately; do not rely on the conversion alone to lock the ex-employee out.
  2. The mailbox cannot have an Online Archive
  3. The mailbox has a 10GB size limit (this limit has changed over time; check the current service description before relying on it)

You can use the following command to convert a mailbox to a shared mailbox:

Set-Mailbox <user> -Type shared

Once the mailbox is converted to a shared mailbox you can log in to the Admin portal and remove the license from the account, freeing up the license for use with another user. Confirm the conversion actually took effect first: removing the license from a mailbox that is still a user mailbox deletes it.
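The following script is an added example, not code from the original post: it checks the three caveats above (already shared, has an Online Archive, over the size limit) before running the conversion, and verifies the result before you go near the license. It assumes an already-connected Exchange Online PowerShell session and a hypothetical ex-employee alias, jsmith.

```powershell
# Added example (not from the original post). Assumes an Exchange Online remote
# PowerShell session is already open. "jsmith" is a hypothetical alias.
$ExUser        = 'jsmith'   # assumption: alias of the departed user
$SharedLimitGB = 10         # shared-mailbox size limit as stated in the post

$mbx   = Get-Mailbox -Identity $ExUser -ErrorAction Stop
$stats = Get-MailboxStatistics -Identity $ExUser

# TotalItemSize renders as e.g. "1.23 GB (1,320,702,976 bytes)". Parsing the byte
# count from the string works the same over a remote (deserialized) session.
if ($stats.TotalItemSize.ToString() -match '\(([\d,]+) bytes\)') {
    $sizeGB = [math]::Round(([int64]($matches[1] -replace ',', '')) / 1GB, 2)
} else {
    throw "Could not parse mailbox size: $($stats.TotalItemSize)"
}

# Collect every reason not to convert, so the operator sees all of them at once.
$problems = @()
if ($mbx.RecipientTypeDetails -eq 'SharedMailbox') { $problems += 'is already a shared mailbox' }
if ($mbx.ArchiveStatus -eq 'Active')               { $problems += 'has an Online Archive, which shared mailboxes cannot have' }
if ($sizeGB -gt $SharedLimitGB)                     { $problems += "is $sizeGB GB, over the $SharedLimitGB GB shared-mailbox limit" }

if ($problems.Count -gt 0) {
    Write-Warning ("Not converting {0}: it {1}" -f $ExUser, ($problems -join '; '))
    return
}

Set-Mailbox -Identity $ExUser -Type Shared

# Verify before removing the license in the Admin portal: unlicensing a mailbox
# that is still a UserMailbox deletes it.
$after = Get-Mailbox -Identity $ExUser
if ($after.RecipientTypeDetails -ne 'SharedMailbox') {
    throw "Conversion of $ExUser did not take effect; leave the license in place."
}
"$ExUser is now a $($after.RecipientTypeDetails) ($sizeGB GB); the license can be removed."
```

The conversion does not touch the user account itself, so blocking sign-in for the ex-employee is a separate step (in the Admin portal or with the directory cmdlets for your tenant), and it should be done regardless of what happens to the mailbox.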

Forwarding email to another user

This can be easily accomplished in PowerShell with the following command:

Set-Mailbox <user> -DeliverToMailboxAndForward $false -ForwardingAddress "<recipient>"

The DeliverToMailboxAndForward flag determines whether the email is only forwarded ($false) or forwarded and also delivered to the ex-employee's mailbox ($true). Note that ForwardingAddress must resolve to a recipient that already exists in your organization (a mailbox, mail contact or group); to forward to an external address, either create a mail contact for it or use the ForwardingSmtpAddress parameter instead.

The command to disable forwarding is:

Set-Mailbox <user> -ForwardingAddress $null

(If ForwardingSmtpAddress was used, clear that parameter the same way.)
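As an added example (not from the original post), the script below sets the forwarding described above but first resolves the target so a mistyped address fails loudly, then reads the setting back. It also runs the org-wide query a security engineer wants alongside this task: forwarding addresses are a standard way for a compromised account or rogue admin to leak mail, so the list of mailboxes that forward anywhere is worth reviewing regularly. It assumes an open Exchange Online session and hypothetical aliases jsmith (ex-employee) and mjones@domain.com (the colleague taking over the mail).

```powershell
# Added example (not from the original post). Assumes an Exchange Online remote
# PowerShell session. "jsmith" and "mjones@domain.com" are hypothetical.
$ExUser = 'jsmith'             # assumption: alias of the departed user
$Target = 'mjones@domain.com'  # assumption: internal recipient taking over the mail

# -ForwardingAddress must be an existing recipient in the organization. Resolve it
# first; otherwise a typo produces an error message that is easy to miss in a batch.
$recipient = Get-Recipient -Identity $Target -ErrorAction SilentlyContinue
if (-not $recipient) {
    throw "$Target is not a recipient in this organization. Create a mail contact for it, " +
          "or use -ForwardingSmtpAddress for an external address."
}

# Forward only; nothing is kept in the ex-employee's mailbox.
Set-Mailbox -Identity $ExUser -ForwardingAddress $recipient.Identity -DeliverToMailboxAndForward $false

# Read the setting back rather than trusting the cmdlet's silence.
Get-Mailbox -Identity $ExUser |
    Select-Object Alias, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# Audit: every mailbox in the tenant that forwards anywhere, internal or external.
# Anything on this list that offboarding did not put there deserves a look.
Get-Mailbox -ResultSize Unlimited `
    -Filter 'ForwardingAddress -ne $null -or ForwardingSmtpAddress -ne $null' |
    Select-Object Alias, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward |
    Sort-Object Alias
```

Keep a record of which mailboxes are expected to forward (the offboarding tickets, for example) so the audit output can be diffed against it instead of read from scratch each time.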

Allowing other users to access the shared ex-employee mailboxes

The most straightforward way of doing this is to provide full access rights to a user. The command for doing this is:

Add-MailboxPermission <ex-user> -User <user> -AccessRights FullAccess  -Automapping $false

The AutoMapping flag determines whether the mailbox is automatically added to the user's Outlook profile (Outlook 2007 or newer); with $false the user opens or adds the mailbox manually.

Personally, I don't care for giving one-off FullAccess rights, as I find them difficult to manage in the long run. Rather, I prefer to create a security group that has full access to the mailbox, and then add users to that security group. This is far easier to manage over time. Furthermore, it gives you the option of setting a user as the owner of the security group, allowing them to grant or revoke access to the mailbox through Outlook or OWA. Keep in mind that the owner can then add anyone to the group, so pick owners with the same care you would apply to granting the mailbox access directly.

The commands for this are:

New-DistributionGroup -Name "SG_<name>" -Type "Security" -PrimarySMTPAddress "SG_<name>@domain.com" | Set-DistributionGroup -HiddenFromAddressListsEnabled $true

This command creates a mail-enabled security group called SG_<name> with the email address SG_<name>@domain.com and hides the group from the Global Address Book.

Add-MailboxPermission <ex-user> -User "SG_<name>" -AccessRights FullAccess -Automapping $false

This command gives the security group full access to the mailbox. AutoMapping only applies to users who are granted access directly, not to members of a group, so members will need to add the mailbox to Outlook themselves.

Add-RecipientPermission <ex-user> -Trustee "SG_<name>" -AccessRights SendAs -Confirm:$False

The final command is optional and allows members of the security group SG_<name> to send email as the ex-employee. Grant it only if someone genuinely needs replies to appear to come from the ex-employee's address.

Once the security group is in place users can be added and the mailbox can be opened in Outlook.
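The script below is an added example, not code from the original post. It puts the group-based procedure above together so it can be re-run safely (it creates the group only if it does not already exist and skips permissions that are already granted), adds the members, and finishes with the audit queries that answer "who can open or send as this mailbox?". It assumes an open Exchange Online session and the hypothetical names jsmith (ex-employee), SG_jsmith, domain.com, mjones (group owner) and akumar (member).

```powershell
# Added example (not from the original post). Assumes an Exchange Online remote
# PowerShell session. All names below are hypothetical placeholders.
$ExUser    = 'jsmith'              # assumption: alias of the departed user
$GroupName = 'SG_jsmith'           # assumption: follows the post's SG_<name> convention
$Domain    = 'domain.com'          # assumption: the tenant's mail domain
$Owner     = 'mjones'              # assumption: user allowed to manage group membership
$Members   = @('mjones', 'akumar') # assumption: users who need the mailbox
$GrantSendAs = $false              # SendAs is optional; default to the least privilege

# Create the mail-enabled security group once. ManagedBy lets the owner add or
# remove members (and therefore mailbox access) from Outlook or OWA.
$group = Get-DistributionGroup -Identity $GroupName -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-DistributionGroup -Name $GroupName -Type Security `
                 -PrimarySmtpAddress "$GroupName@$Domain" -ManagedBy $Owner
    Set-DistributionGroup -Identity $GroupName -HiddenFromAddressListsEnabled $true
}

# FullAccess for the group. AutoMapping does not apply through a group, so members
# add the mailbox to Outlook themselves.
$existing = Get-MailboxPermission -Identity $ExUser -User $GroupName -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-MailboxPermission -Identity $ExUser -User $GroupName -AccessRights FullAccess -AutoMapping $false
}

# SendAs only when the business case requires replies to come from the ex-employee.
if ($GrantSendAs) {
    $sendAs = Get-RecipientPermission -Identity $ExUser -Trustee $GroupName -ErrorAction SilentlyContinue
    if (-not $sendAs) {
        Add-RecipientPermission -Identity $ExUser -Trustee $GroupName -AccessRights SendAs -Confirm:$false
    }
}

# Membership; Add-DistributionGroupMember errors on duplicates, so suppress that case.
foreach ($m in $Members) {
    Add-DistributionGroupMember -Identity $GroupName -Member $m -ErrorAction SilentlyContinue
}

# Audit: everything except the inherited system entries. Review this when the
# ex-employee's mailbox is finally deleted, and before then whenever access changes.
"--- FullAccess on $ExUser ---"
Get-MailboxPermission -Identity $ExUser |
    Where-Object { $_.User -notlike 'NT AUTHORITY\*' -and -not $_.IsInherited } |
    Select-Object User, AccessRights
"--- SendAs on $ExUser ---"
Get-RecipientPermission -Identity $ExUser |
    Where-Object { $_.Trustee -notlike 'NT AUTHORITY\*' } |
    Select-Object Trustee, AccessRights
"--- Members of $GroupName ---"
Get-DistributionGroupMember -Identity $GroupName | Select-Object Name, PrimarySmtpAddress
```

The audit section is the part worth keeping as a standalone script: the group owner can change membership without an administrator seeing it, so the effective access list should be reviewed on a schedule rather than assumed from the original grant.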

Blocking incoming mail for the ex-employee

Eventually, whoever is currently receiving the ex-employee's email won't want to receive it anymore. At this point, if the email no longer needs to stay in Office 365, the mailbox should be exported to a PST for long-term backup and then deleted from the Office 365 environment.

However, in some circumstances, it might be necessary to keep the mailbox for archival purposes but prevent email from being delivered to it. This can be accomplished in a couple of ways.

First, you can change the email address of the account to something random using the following command:

Set-Mailbox <user> -EmailAddresses SMTP:<random-address>@domain.com

This command replaces all existing email addresses associated with the account, including aliases, with the single address entered (the uppercase SMTP: prefix makes it the primary address). Mail sent to the old address is then rejected as an unknown recipient. If you do this, I would recommend hiding the mailbox from the Global Address Book, which can be done with the following command:

Set-Mailbox <user> -HiddenFromAddressListsEnabled $true

The other option is to use Forefront Online Protection for Exchange (FOPE), which is included as part of Office 365 (and has since been replaced by Exchange Online Protection), to block incoming email sent to the ex-employee's email address. Personally, I think this is the better option, as it lets you retain the email address associated with the mailbox while still blocking incoming email to it.

To create a policy rule to block email sent to a specific address, do the following:

  1. Log in to the FOPE admin console
  2. Click the Administration tab, then select Policy Rules
  3. Create a new policy rule
  4. Make sure the domain scope is for all domains, the traffic scope is for inbound messages, and the action is reject.
  5. Add a description to the rule
  6. Under the Recipient match enter the email address. If you have multiple email addresses, add them separated with commas, but no spaces.
  7. If you want the sender to receive a rejection notification, check the Notify sender option and fill in the notification details.
  8. Save the policy.
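The console steps above have a PowerShell equivalent in an Exchange mail flow (transport) rule, shown here as an added example that is not from the original post. It rejects inbound mail to the listed addresses and, on re-run, appends new addresses to the one existing rule instead of creating a rule per departure. It assumes an open Exchange Online session and a hypothetical address jsmith@domain.com; the rule name and reject text are also assumptions.

```powershell
# Added example (not from the original post). Assumes an Exchange Online remote
# PowerShell session. The address, rule name and reject text are hypothetical.
$BlockedAddresses = @('jsmith@domain.com')             # assumption: ex-employee address(es)
$RuleName         = 'Reject mail to departed employees' # assumption: one shared rule

$rule = Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue
if (-not $rule) {
    # -FromScope NotInOrganization mirrors the console's "inbound messages" scope:
    # external senders are rejected, internal mail still delivers. Drop that
    # parameter to reject internal senders as well.
    New-TransportRule -Name $RuleName `
        -Comments 'Rejects inbound mail to ex-employee mailboxes kept for archival. Maintained by the offboarding script.' `
        -FromScope NotInOrganization `
        -SentTo $BlockedAddresses `
        -RejectMessageReasonText 'This mailbox is no longer in use.'
} else {
    # Several addresses in one rule: merge with what is already listed so an
    # earlier departure is not silently unblocked by a later run.
    $merged = @($rule.SentTo | ForEach-Object { "$_" }) + $BlockedAddresses |
              Sort-Object -Unique
    Set-TransportRule -Identity $RuleName -SentTo $merged
}

# Confirm the rule is enabled and lists the expected addresses.
Get-TransportRule -Identity $RuleName |
    Select-Object Name, State, Priority, FromScope, SentTo, RejectMessageReasonText
```

Whichever mechanism you use, send a test message to the blocked address from an outside account afterwards and confirm the NDR comes back; a rule that saved without error but is disabled or scoped wrongly looks identical in the console until you test it.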

To Recap

Hopefully, this post gives you the tools to better manage the mailboxes of ex-employees in Office 365.

To recap what we’ve covered:

  • Convert the mailbox to a shared mailbox (if it's under 10GB), and free up a license
  • Forward the email to another user via PowerShell
  • Provide users access to the mailbox using a security group
  • And eventually, delete the mailbox or block email to the account

14 Comments

  1. It’s worth noting that none of the PowerShell commands dealing with Exchange attribute modifications work under an ADFS federated O365 environment. There the only possible approach is to enforce delivery rules if one needs to block an account yet keep its contents.

  2. Are you sure about the comment that “Once the mailbox is converted to a shared mailbox you can log in to the Admin portal and remove the license from the account, freeing up the license for use with another user” ??

    I just converted the mailbox for an ex-employee to Shared, and then went to un-assign the Exchange license but encountered a warning indicating that removing the Exchange license would delete the mailbox entirely.

    • Yes, Microsoft shows that warning even though the data is safe. You can see in the following KB article’s introduction that Microsoft confirms mailboxes converted from user to shared in Office 365 do not require a license.

      http://support.microsoft.com/kb/2800174

      I’ve personally done this for a number of mailboxes and have never had an issue.

  3. Thanks Jonathan. This is yet the most lucid explanation on the subject I have come across. One question though. Once you have converted a mailbox into a shared mailbox, taken off the Office 365 license from it and done all the forwarding and the rest, what if you decide to resuscitate the account again? Does allocating the license back return the account with all the emails, calendar and the rest? Thanks

    • Giving it a license again will allow someone to log into that account – but the mailbox will still be a shared mailbox in Exchange. Shared mailboxes have a limit of 10GB and cannot have an online archive. If you want to convert a shared mailbox to a user mailbox you can run the following command:

      Set-Mailbox jsmith -Type user

  4. Another option assuming the account has a P2 or E3 plan or higher – enable litigation hold for the mailbox then remove the account. The mailbox is no longer listed but you can run discovery against the mailbox and export to PST via the Discovery functions. This frees up the license and retains the data.

    • This is a great suggestion. The mailbox must have an E3 licence before the hold is put in place, then you must wait for the hold to complete indexing the mailbox before you remove the license and delete the mailbox.

      However, users won’t be able to access the data themselves (unless you export to PST and make that file available).

  5. Hi Jonathan, interesting reading. The way we normally do this is to backup the data to pst file, free up the E3 license, delete the account and then create a Distribution Group called EX_employeename with the old email address. We then add the staff members who are dealing with the incoming mail to the Group. After a while, we then delete the Distribution Group.

  6. I tried this method with a Small Business Premium account and it did not free up the license.

    • The license isn’t freed up automatically. Once a mailbox is converted to a shared mailbox you can remove the license without the data being deleted.

  7. Hi Jonathan,

    Great write up, I’ve been wondering about converting user mailboxes to shared but MS advised this wasn’t supported – they pointed me in the ‘inactive mailbox’ direction which is not ideal if supervisors need to reference emails and mount the mailbox.

    Have you done this recently?

    • We are still actively using this method for converting mailboxes. I haven’t heard that MS isn’t supporting it. Honestly, until MS removes the PowerShell command I’d say keep on using it.

Comments are closed.