Permanently disable a mailbox in Office 365

One of the differences between on-premises Exchange and Exchange Online is the way user mailbox objects are provisioned, or de-provisioned. In the on-premises world, this is of course dependent on the underlying AD, but as long as you have the necessary permissions you can provision a new user, along with a mailbox, directly via the EAC or the EMS. Alternatively, you can first create the user object in AD and “mailbox-enable” it later on.

In Office 365 however, user objects are authored in Azure AD and there are no Exchange endpoints that allow you to provision a user. Instead, you need to provision the user object in Azure AD first, and the process of enabling a mailbox for this user is governed by the licensing workflow. You grant the user any of the Exchange Online plans, he gets a mailbox. You remove the license, the mailbox is gone. Simple enough.

Well technically this is only true for user mailboxes. Shared mailboxes for example do have a corresponding user object in Azure AD, yet we can provision them directly via the Exchange tools, such as the New-Mailbox cmdlet. And there are other “edge cases” too, for example using the –MicrosoftOnlineServicesID parameter, which allows you to provision a user mailbox directly, but the general rule is that you should govern the user mailbox creation and removal process via the licensing workflow.

We can summarize the mailbox deprovisioning process by simply stating that the Disable-Mailbox cmdlet is not available in Exchange Online. OK, it is actually available, but only worked against Archive mailboxes until recently. That is, if you tried to use the cmdlet against any mailbox, you had to specify the –Archive parameter, otherwise an error was thrown:

Get-Mailbox testuser | Disable-Mailbox
The following error occurred during validation in agent 'Archive ParameterSet Enforcement Agent': 'This operation only works with archive parameters.'

So while the cmdlet was useful for disabling Archive mailboxes for users, it didn’t work against the primary mailbox. Until recently that is, as now, with the addition of the –PermanentlyDisable switch, we can use it to (permanently!) disable the primary mailbox as well. Here’s an example:

Disable-Mailbox BrianJ -PermanentlyDisable

Confirm
Are you sure you want to perform this action?
Disabling mailbox "BrianJ" will remove the Exchange properties from the Active Directory user object and mark the mailbox in the database for removal. If the mailbox has an archive or remote archive,
the archive will also be marked for removal. In the case of remote archives, this action is permanent. You can't reconnect this user to the remote archive again.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): y

First of all, make sure to read the warning above. As stated, execution of this cmdlet will remove any Exchange properties from the user object, rendering it “unknown” to Exchange Online. Moreover, as the switch name suggests, this is a *permanent* and *immediate* action: once you run the cmdlet, any data in the mailbox is gone for good.

There are two other catches worth mentioning. First, the user must be unlicensed for you to be able to run the cmdlet, otherwise an error will be thrown:

Disable-Mailbox IrvinS -PermanentlyDisable
Cannot Disable-Mailbox for 'IrvinS' because this user has a valid license.

For such licensed mailboxes, the standard “remove license” workflow applies, so you can complete the process via the Office 365 portal or Azure AD PowerShell. The second catch is around mailboxes put on hold. As long as any type of hold is configured and still acting on a given mailbox, Exchange will prevent you from shooting yourself in the foot and will not allow you to remove the mailbox until the hold is removed, or you have explicitly specified that you want to override this behavior via the -IgnoreLegalHold switch:

C:\> Get-Mailbox test222 | select RecipientTypeDetails,SKUAssigned,LitigationHoldEnabled

RecipientTypeDetails SKUAssigned LitigationHoldEnabled
-------------------- ----------- ---------------------
UserMailbox                                       True

C:\> Disable-Mailbox test222 -PermanentlyDisable
Exchange cant disable the mailbox "Test2" because it is on litigation hold.

C:\> Disable-Mailbox test222 -PermanentlyDisable -IgnoreLegalHold

Confirm
Are you sure you want to perform this action?
Disabling mailbox "test222" will remove the Exchange properties from the Active Directory user object and mark the mailbox in the database for removal. If the mailbox has an archive or remote
archive, the archive will also be marked for removal. In the case of remote archives, this action is permanent. You can't reconnect this user to the remote archive again.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): y
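
Because the action is irreversible, it helps to check both catches before running the cmdlet rather than discovering them from its errors. The following is an added example, not code from the original post: `Test-MailboxPurgeReadiness` is a hypothetical helper that only reads the license and hold properties shown above (plus the hold flags that the cmdlet's own error text tells you to inspect), and the sample object is constructed to mirror the test222 output.

```powershell
# Added example, not from the original post. Test-MailboxPurgeReadiness is a
# hypothetical helper; it only reads properties and never changes a mailbox.
function Test-MailboxPurgeReadiness {
    [CmdletBinding()]
    param(
        # Object returned by Get-Mailbox (or a stand-in with the same properties).
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Mailbox,

        # Value of (Get-OrganizationConfig).InPlaceHolds, if any.
        [string[]]$OrgHolds = @()
    )
    process {
        $blockers = [System.Collections.Generic.List[string]]::new()

        # Disable-Mailbox -PermanentlyDisable refuses users that still hold a license.
        if ($Mailbox.SKUAssigned) { $blockers.Add('License still assigned') }

        # A hold means the data is being preserved on purpose; list every one found.
        if ($Mailbox.LitigationHoldEnabled)    { $blockers.Add('Litigation hold enabled') }
        if ($Mailbox.ComplianceTagHoldApplied) { $blockers.Add('ComplianceTagHoldApplied is true') }
        if ($Mailbox.DelayHoldApplied)         { $blockers.Add('DelayHoldApplied is true') }
        if ($Mailbox.DelayReleaseHoldApplied)  { $blockers.Add('DelayReleaseHoldApplied is true') }
        if ($Mailbox.InPlaceHolds) { $blockers.Add("Mailbox InPlaceHolds: $($Mailbox.InPlaceHolds -join ', ')") }
        # Organization-wide policies may or may not cover this mailbox, so flag them for review.
        if ($OrgHolds) { $blockers.Add("Organization InPlaceHolds to review: $($OrgHolds -join ', ')") }

        [pscustomobject]@{
            Mailbox        = $Mailbox.Name
            Type           = $Mailbox.RecipientTypeDetails
            Blockers       = $blockers.ToArray()
            ReadyToDisable = ($blockers.Count -eq 0)
        }
    }
}

# Constructed sample mirroring the test222 output above (unlicensed, on litigation hold).
$sample = [pscustomobject]@{
    Name = 'test222'; RecipientTypeDetails = 'UserMailbox'; SKUAssigned = $null
    LitigationHoldEnabled = $true; InPlaceHolds = @(); ComplianceTagHoldApplied = $false
    DelayHoldApplied = $false; DelayReleaseHoldApplied = $false
}
$sample | Test-MailboxPurgeReadiness | Format-List

# In a live Exchange Online session the same check would be:
# Get-Mailbox test222 | Test-MailboxPurgeReadiness -OrgHolds (Get-OrganizationConfig).InPlaceHolds
```

An empty `Blockers` list only means the cmdlet's documented preconditions are met; whether held data may be destroyed with -IgnoreLegalHold is a decision for whoever owns the hold, not for the script.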

So in summary, we can now use the Disable-Mailbox cmdlet to immediately and permanently disable the mailbox for a given user. This should only be used in scenarios where a specific need to trigger this immediate and permanent removal exists, otherwise you should continue using the “standard” removal process, governed by the licensing workflow. For situations where you want to remove the user object as well, you can use the Remove-Mailbox cmdlet or any of the Office 365 admin tools. Lastly, don’t forget the recent addition we got to the Set-User cmdlet, allowing us to clean up migration-related attributes: Permanently Clear Previous Mailbox Info.


26 Responses to Permanently disable a mailbox in Office 365

  1. Ric says:

    Hi,

    The easiest way I see is
    1. create an OU on-prem and exclude it from AAD sync.
    2. If using dynamic assignment, remove the attribute to revoke the license and let sync
    3. Move user to new OU on-prem
    4. Delete user on AAD or run Remove-MsolUser -UserPrincipalName -RemoveFromRecyclebin on Azure PowerShell
    5. Move user back to original OU and do not add a license, the user should sync to AAD again

    This should work without having to wait for 30 days for the mailbox to go

  2. spyvou says:

    Hi everyone,

    How can I delete an Exchange Online mailbox without deleting associated user account in Azure AD?

    Mailboxes were already present before hybrid setup and soft matching keeps “restoring” Exchange Online’s mailboxes for users who have an on-premises mailbox.

    If I delete the Azure AD user account, then, obviously, the mailbox is removed, but I don't want to do that since users will lose all OneDrive and Teams data.

    If I remove the Exchange Online licence, the mailbox is gone, but if I enable the license again, the online mailbox is recreated.
    I can't run “Disable-Mailbox -PermanentlyDelete”, because the user has an active license, so I convert the mailbox to shared, remove the license, run “Disable-Mailbox -PermanentlyDelete” and “Set-User -Identity ….. -PermanentlyClearPreviousMailboxInfo”, and the mailbox is gone, but when I assign the license again the mailbox is once again created.

    Thanks a lot!

  3. Sandy says:

    Hi,
    I have similar issue and getting error while disabling mailbox:

    Disable-Mailbox user@domain.com
    Exchange can’t disable the mailbox “user” because it is on In-Place Hold.
    ComplianceTagHoldApplied: false, DelayHoldApplied: false, DelayReleaseHoldApplied: false, OrganizationPolicies Applied:
    mbx4a5b5406687f424190646c8037e6a87e:2, UserPolicies Applied: , restrictivePolicies Applied: . For more information, please
    see the PowerShell cmdlets, Get-OrganizationConfig |fl inplace*, and Get-Mailbox |fl compl*,delay*,inplace*
    + CategoryInfo : NotSpecified: (Khalid M. Al Ma… Refining – HQ):ADObjectId) [Disable-Mailbox], RecipientTaskE
    xception
    + FullyQualifiedErrorId : [Server=DXXP273MB0205,RequestId=55bdf147-c2e1-4e29-a7a7-203e76bf1654,TimeStamp=9/1/2020 3:19:0
    6 PM] [FailureCategory=Cmdlet-RecipientTaskException] 7ED6F6D4,Microsoft.Exchange.Management.RecipientTasks.DisableMailb
    ox
    + PSComputerName : outlook.office365.com

  4. Michael Russo says:

    Heh.. I also have a mailbox from EO I’d like to remove without deleting the entire user and screwing up all their Teams and SharePoint stuff.. but I get that IgnoreLegalHold isn’t even a parameter!!

    PS C:\Users\Mike.STARDATECOMPUTE> Disable-Mailbox myuser@mydomain.com
    Exchange can’t disable the mailbox “The User Name” because it is on In-Place Hold. ComplianceTagHoldApplied: false,
    DelayHoldApplied: false, DelayReleaseHoldApplied: false, OrganizationPolicies Applied:
    mbxc27c6e8ac5574a319077ce328e6579f5:2, UserPolicies Applied: , restrictivePolicies Applied: . For more information,
    please see the PowerShell cmdlets, Get-OrganizationConfig |fl inplace*, and Get-Mailbox |fl compl*,delay*,inplace*
    + CategoryInfo : NotSpecified: (The User Name:ADObjectId) [Disable-Mailbox], RecipientTaskException
    + FullyQualifiedErrorId : [Server=MN2PR13MB3926,RequestId=f538bbaf-ea9b-4169-9e51-d4552b5e1357,TimeStamp=8/31/2020
    5:23:32 PM] [FailureCategory=Cmdlet-RecipientTaskException] 10A77BA9,Microsoft.Exchange.Management.RecipientTasks
    .DisableMailbox
    + PSComputerName : outlook.office365.com

    PS C:\Users\Mike.STARDATECOMPUTE> Disable-Mailbox myuser@mydomain.com -IgnoreLegalHold
    A parameter cannot be found that matches parameter name ‘IgnoreLegalHold’.
    + CategoryInfo : InvalidArgument: (:) [Disable-Mailbox], ParameterBindingException
    + FullyQualifiedErrorId : NamedParameterNotFound,Disable-Mailbox
    + PSComputerName : outlook.office365.com

    I think a surgical approach by the backend team is necessary, but Microsoft just seems to hate providing support for a product we all pay a lot of money for.

  5. Chad S says:

    Has something changed with mailbox visibility after removing a license? When I try to walk through this scenario, it fails because Disable-Mailbox can’t even find the mailbox.

    1. Remove license.
    2. Wait for back-end sync. Once this completes, Get-Mailbox fails with “object couldn’t be found…”
    3. Try Disable-Mailbox, which also fails with “object couldn’t be found…”

    If I run Disable-Mailbox before the sync, I get the “user has a valid license error.” If I run it after the sync, I get the “object couldn’t be found…” error. Either way, I get an error.

    • Vasil Michev says:

      This method will not work for such scenarios. Removing the license triggers a different flow, it’s all explained in the documentation. Disable-mailbox is supposed to be used in some corner cases only.

      • Chad S says:

        I guess you’re drawing a distinction between unlicensed and removing a license (to get into an unlicensed state). My goal is to recreate a mailbox for a user without deleting the user. Is this even possible? I know I can remove the user’s license and wait 30 days, but I don’t have 30 days. I need that purge to occur immediately.

        • Douglas C says:

          I had the same problem – was able to solve it by converting the mailbox to shared before disabling it.
          -License user for Exchange Online
          -Run ‘Set-Mailbox -Identity -Type Shared’
          -Remove user’s Exchange Online license
          -You can now run ‘Disable-Mailbox -Identity -IgnoreLegalHold -PermanentlyDisable’

        • Douglas C says:

          Next steps:
          -Set-User -Identity ….. -PermanentlyClearPreviousMailboxInfo
          -Reassign Exchange Online License

          All of the above commands are run from Exchange Online powershell.

        • Taoph says:

          Hi Douglas C,
          I have followed your steps.
          But when I reassign the Exchange Online license, the mailbox is created again.

        • spyros says:

          Hello to all,

          The same thing happened to me as Taoph says: when I reassign the Exchange Online license, the mailbox is created again. Is there a way to assign a license without the mailbox reappearing? We want this so we can migrate the actual mailbox of the user to the cloud (hybrid Exchange).

  6. Kim Nilsson says:

    I wanted to let one user have access to the Exchange Online Calendar, but not the Mailbox, but it seems that isn’t possible? The reason is that it’s a SAML-integrated user from G Suite, so it has a proper mailbox in Gmail (which receives all other senders’ emails from outside of our O365), and shouldn’t receive any email to the Exchange Inbox, but it does. Apparently, there’s no way to force Exchange to send emails externally when the user’s identity exist in O365 and has an Exchange licence. 🙁

  7. Harsha Perera says:

    Hi Vasil,

    Thank you for the prompt response.

    But what if I want to keep the mailbox as an Inactive Mailbox? Excluding the mailbox from SCC retention policy will remove the mailbox right?

    • Vasil Michev says:

      To make the mailbox inactive, you have to delete the user object, that’s the only supported method.

      • Harsha Perera says:

        Hi Vasil,

        Thank you for the reply. My concern is that even when the license is removed from the user, the mailbox is still showing up in the Exchange Online EAC.

        • Vasil Michev says:

          It’s showing in the EAC because it’s on hold – removing the license doesn’t remove the hold. Just places you in a license violation scenario. Again, the correct (and only supported) way to make a mailbox inactive is to delete the user object. Read the documentation for more details.

        • Harsha Perera says:

          Noted with thanks.

  8. Harsha Perera says:

    Hi Vasil,

    I can still see a few mailboxes in my Exchange Online under mailboxes even though the user is disabled in AD and the license is removed. I tried Disable-Mailbox User1 -IgnoreLegalHold -PermanentlyDisable and am receiving the error “Cannot Disable-Mailbox for ‘User1’ because this user has a valid license.”

    User is under retention policy created in SCC.

    Any idea about this behavior?

    • Vasil Michev says:

      Removing the license from a mailbox put on hold is not supported/in violation of the license agreement, thus such scenarios are not covered by this cmdlet. If you want to remove such mailbox, remove the hold first.

  9. Dmitry B says:

    Hi Vasil,

    Do you know if the -IgnoreLegalHold applies to mailboxes that are under retention (hold) policy?
