Permanently disable a mailbox in Office 365

One of the differences between on-premises Exchange and Exchange Online is the way user mailbox objects are provisioned, or de-provisioned. In the on-premises world, this is of course dependent on the underlying AD, but as long as you have the necessary permissions you can provision a new user, along with a mailbox, directly via the EAC or the EMS. Alternatively, you can first create the user object in AD and “mailbox-enable” it later on.

In Office 365 however, user objects are authored in Azure AD and there are no Exchange endpoints that allow you to provision a user. Instead, you need to provision the user object in Azure AD first, and the process of enabling a mailbox for this user is governed by the licensing workflow. You grant the user any of the Exchange Online plans, he gets a mailbox. You remove the license, the mailbox is gone. Simple enough.

Well, technically this is only true for user mailboxes. Shared mailboxes, for example, do have a corresponding user object in Azure AD, yet we can provision them directly via the Exchange tools, such as the New-Mailbox cmdlet. And there are other “edge cases” too, for example using the -MicrosoftOnlineServicesID parameter, which allows you to provision a user mailbox directly, but the general rule is that you should govern the user mailbox creation and removal process via the licensing workflow.

We can summarize the mailbox deprovisioning process by simply stating that the Disable-Mailbox cmdlet is not available in Exchange Online. OK, it is actually available, but until recently it only worked against Archive mailboxes. That is, if you tried to use the cmdlet against any mailbox, you had to specify the -Archive parameter, otherwise an error was thrown:

Get-Mailbox testuser | Disable-Mailbox
The following error occurred during validation in agent 'Archive ParameterSet Enforcement Agent': 'This operation only works with archive parameters.'

So while the cmdlet was useful for disabling Archive mailboxes for users, it didn’t work against the primary mailbox. Until recently that is, as now, with the addition of the -PermanentlyDisable switch, we can use it to (permanently!) disable the primary mailbox as well. Here’s an example:

Disable-Mailbox BrianJ -PermanentlyDisable

Confirm
Are you sure you want to perform this action?
Disabling mailbox "BrianJ" will remove the Exchange properties from the Active Directory user object and mark the mailbox in the database for removal. If the mailbox has an archive or remote archive,
the archive will also be marked for removal. In the case of remote archives, this action is permanent. You can't reconnect this user to the remote archive again.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): y

First of all, make sure to read the warning above. As stated, execution of this cmdlet will remove any Exchange properties from the user object, rendering it “unknown” to Exchange Online. Moreover, as the switch name suggests, this is a *permanent* and *immediate* action: once you run the cmdlet, any data in the mailbox is gone for good.

There are two other catches worth mentioning. First, the user must be unlicensed for you to be able to run the cmdlet, otherwise an error will be thrown:

Disable-Mailbox IrvinS -PermanentlyDisable
Cannot Disable-Mailbox for 'IrvinS' because this user has a valid license.

For such licensed mailboxes, the standard “remove license” workflow applies, so you can complete the process via the Office 365 portal or Azure AD PowerShell. The second catch is around mailboxes put on hold. As long as any type of hold is configured and still acting on a given mailbox, Exchange will prevent you from shooting yourself in the foot and will not allow you to remove the mailbox until the hold is removed, or you have explicitly specified that you want to override this behavior via the -IgnoreLegalHold switch:

C:\> Get-Mailbox test222 | select RecipientTypeDetails,SKUAssigned,LitigationHoldEnabled

RecipientTypeDetails SKUAssigned LitigationHoldEnabled
-------------------- ----------- ---------------------
UserMailbox                                       True

C:\> Disable-Mailbox test222 -PermanentlyDisable
Exchange cant disable the mailbox "Test2" because it is on litigation hold.

C:\> Disable-Mailbox test222 -PermanentlyDisable -IgnoreLegalHold

Confirm
Are you sure you want to perform this action?
Disabling mailbox "test222" will remove the Exchange properties from the Active Directory user object and mark the mailbox in the database for removal. If the mailbox has an archive or remote
archive, the archive will also be marked for removal. In the case of remote archives, this action is permanent. You can't reconnect this user to the remote archive again.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): y
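
Both catches (license state and holds) can be checked before the destructive call is made. The following is an added example, not code from the original post: it assumes an already connected Exchange Online PowerShell session, the helper name Test-MailboxDisableReadiness is hypothetical, and it treats any organization-wide hold as a blocker even though such a policy may exclude the mailbox.

```powershell
# Added example: pre-flight check for the two catches described above.
# Assumes an already connected Exchange Online PowerShell session.
# Test-MailboxDisableReadiness is a hypothetical helper, not a built-in cmdlet.
function Test-MailboxDisableReadiness {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Identity
    )

    $mbx = Get-Mailbox -Identity $Identity -ErrorAction Stop
    $blockers = [System.Collections.Generic.List[string]]::new()

    # Catch 1: Disable-Mailbox refuses to run while the user is licensed.
    # SKUAssigned is empty for an unlicensed mailbox, as in the output above.
    if ($mbx.SKUAssigned) {
        $blockers.Add('User is still licensed (SKUAssigned is True)')
    }

    # Catch 2: any hold still acting on the mailbox blocks the removal.
    foreach ($flag in 'LitigationHoldEnabled', 'ComplianceTagHoldApplied',
                      'DelayHoldApplied', 'DelayReleaseHoldApplied') {
        if ($mbx.$flag) { $blockers.Add("$flag is True") }
    }
    if ($mbx.InPlaceHolds) {
        $blockers.Add("Mailbox-level holds: $($mbx.InPlaceHolds -join ', ')")
    }

    # Organization-wide hold policies are listed on the organization config.
    $orgHolds = (Get-OrganizationConfig).InPlaceHolds
    if ($orgHolds) {
        $blockers.Add("Organization-wide holds: $($orgHolds -join ', ')")
    }

    [pscustomobject]@{
        Identity             = $mbx.UserPrincipalName
        RecipientTypeDetails = $mbx.RecipientTypeDetails
        ReadyToDisable       = ($blockers.Count -eq 0)
        Blockers             = $blockers
    }
}

# 'test222' is the sample mailbox from the transcript above.
$check = Test-MailboxDisableReadiness -Identity 'test222'
if ($check.ReadyToDisable) {
    # -WhatIf previews the operation without removing anything; drop it only
    # once the data loss is intended and approved.
    Disable-Mailbox -Identity 'test222' -PermanentlyDisable -WhatIf
}
else {
    $check.Blockers | ForEach-Object { Write-Warning $_ }
}
```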

So in summary, we can now use the Disable-Mailbox cmdlet to immediately and permanently disable the mailbox for a given user. This should only be used in scenarios where a specific need to trigger this immediate and permanent removal exists, otherwise you should continue using the “standard” removal process, governed by the licensing workflow. For situations where you want to remove the user object as well, you can use the Remove-Mailbox cmdlet or any of the Office 365 admin tools. Lastly, don’t forget the recent addition we got to the Set-User cmdlet, allowing us to clean up migration-related attributes: Permanently Clear Previous Mailbox Info.

29 thoughts on “Permanently disable a mailbox in Office 365”

  1. Jeremy McCourt says:

    Hi All, I recently came across this post, and wanted to provide some details of what has and has not worked for me.. I had an incident where a user’s mailbox became full, and we believe there were some holds in place that were preventing us from deleting some emails to get the box down to a usable size (to be able to send emails).
    As many who are looking for a solution have found that -Microsoft is deprecating Search-Mailbox and the legacy eDiscovery experience in July 2020- So this method no longer works..
    Funnily enough, 2021 and MS engineers are still telling people to use that easy one-liner to delete content.

    Back to the story, every time efforts were made to delete some of the tens of thousands of emails, we were having issues where the next day it would jump back up to 100%.
    The method of creating a content-search, and deleting 10 messages at a time works, but it’s really slow. It would take 45-60 seconds to delete 10 messages. This was added to a loop, but it was still painful.
    We also went through and tried mass deleting messages from the client, and it would churn for hours.. Still no luck.

    When looking at a Get-MailboxFolderStatistics |select Name,FolderSize,ItemsinFolder
    we saw things like this:
    Deleted Items 11.85 GB (12,722,309,153 bytes) 35265
    Inbox 1.553 GB (1,667,467,761 bytes) 5607
    Junk Email 86.52 GB (92,903,926,008 bytes) 92203

    Get-Mailbox -Identity | Get-MailboxStatistics |select *
    TotalDeletedItemSize : 104.8 GB (112,484,026,963 bytes)
    TotalItemSize : 100 GB (107,375,432,709 bytes)

    After days and days of working with Microsoft, they were no help, and we were about to pull out the rough process of completely deleting the user (AD and all) and re-provision a full new laptop due to the employee being remote. So we wanted to just completely delete the email and start over.
    Spoiler alert – WE WERE SUCCESSFUL!

    Here is the process.
    #1) Check for holds and archives (We had some of these as true, which may have been some of our root cause)
    Get-Mailbox |fl compl*,delay*,inplace*,*archive*
    We removed these holds with the following commands
    Set-Mailbox -identity -RemoveDelayHoldApplied
    Set-Mailbox -Identity -RemoveDelayReleaseHoldApplied

    #2) Set the mailbox to a shared mailbox (This is needed to get around an issue of being able to remove a mailbox without a license)
    Set-Mailbox -Identity -type shared

    #3) Remove the O365 Licenses for the user
    – Done on the azure or o365 admin portal.

    #4) Disable the mailbox (if there are any errors here, you may need to lookup cause of those errors, mailbox has to be a shared box here, or it can’t be found when the user license is removed).
    Disable-Mailbox -Identity -PermanentlyDisable

    #5 (We are using on-prem AD syncing to Azure) – Move the user into an OU that is not synchronised to AzureAD.
    We moved our user to the Lost+Found OU.
    Then run a sync command (or wait till it next syncs). We validated that the user was no longer in AzureAD

    #6) Once the user disappears out of the AzureAD list, put the user back in the original OU, and perform another sync. – Check that the user appears.

    #7) ClearPrevious mailboxes from the user. (Not sure this actually does anything, but it’s what I used in our walkthrough).
    Set-User -Identity -PermanentlyClearPreviousMailboxInfo

    #8) Add the o365 licenses to the user account, and wait for the mailbox to be built.

    I checked with
    Get-MailboxFolderStatistics |select Name,FolderSize,ItemsinFolder

    Name FolderSize ItemsInFolder
    ---- ---------- -------------
    Top of Information Store 0 B (0 bytes) 0
    Inbox 747.5 KB (765,440 bytes) 12
    Junk Email 0 B (0 bytes) 0
    Sent Items 0 B (0 bytes) 0
    Recoverable Items 0 B (0 bytes) 0

    Success!!!
    I hope this process helps someone out there.

  2. B Wolz says:

    Great article! I’m a bit stuck on “user has a valid license”. I’ve been able to remove all holds, delayed holds, etc. But cannot disable-mailbox because “user has a valid license”. There is no license for the user in the Azure AD console, but get-mailbox | fl *hold*,*sku* results in the following. How can I get the SKUAssigned = False?

    SKUAssigned : True
    LitigationHoldEnabled : False
    RetentionHoldEnabled : False
    EndDateForRetentionHold :
    StartDateForRetentionHold :
    LitigationHoldDate :
    LitigationHoldOwner :
    ComplianceTagHoldApplied : False
    DelayHoldApplied : False
    DelayReleaseHoldApplied : False
    LitigationHoldDuration : Unlimited

  3. Ric says:

    Hi,

    The easiest way I see is
    1. create an OU on-prem and exclude it from AAD sync.
    2. If using dynamic assignment, remove the attribute to revoke the license and let sync
    3. Move user to new OU on-prem
    4. Delete user on AAD or run Remove-MsolUser -UserPrincipalName -RemoveFromRecyclebin on Azure PowerShell
    5. Move user back to original OU and do not add a license, the user should sync to AAD again

    This should work without having to wait for 30 days for the mailbox to go

  4. spyvou says:

    Hi everyone,

    How can I delete an Exchange Online mailbox without deleting associated user account in Azure AD?

    Mailboxes were already present before hybrid setup and soft matching keeps “restoring” Exchange Online’s mailboxes for users who have an on-premises mailbox.

    If I delete the Azure AD user account, then, obviously, mailbox is removed, but I don’t want to do that since users will lose all onedrive and teams data.

    If I remove the exchange online licence, mailbox is gone, but if I enable the license again online mailbox is recreated.
    I can’t run “Disable-Mailbox -PermanentlyDelete”, because user has active license, so I convert mailbox to shared, remove license, run “Disable-Mailbox -PermanentlyDelete” and “Set-User -Identity ….. -PermanentlyClearPreviousMailboxInfo”, mailbox is gone, but when I assign license again the mailbox is once again created.

    Thanks a lot!

    1. Sanka says:

      Hi Spyvou,

      I’m in the same boat. Have you come across a solution to disable the account without removing the Exchange license?

      Regards,

  5. Sandy says:

    Hi,
    I have a similar issue and am getting an error while disabling the mailbox:

    Disable-Mailbox user@domain.com
    Exchange can’t disable the mailbox “user” because it is on In-Place Hold.
    ComplianceTagHoldApplied: false, DelayHoldApplied: false, DelayReleaseHoldApplied: false, OrganizationPolicies Applied:
    mbx4a5b5406687f424190646c8037e6a87e:2, UserPolicies Applied: , restrictivePolicies Applied: . For more information, please
    see the PowerShell cmdlets, Get-OrganizationConfig |fl inplace*, and Get-Mailbox |fl compl*,delay*,inplace*
    + CategoryInfo : NotSpecified: (Khalid M. Al Ma… Refining – HQ):ADObjectId) [Disable-Mailbox], RecipientTaskE
    xception
    + FullyQualifiedErrorId : [Server=DXXP273MB0205,RequestId=55bdf147-c2e1-4e29-a7a7-203e76bf1654,TimeStamp=9/1/2020 3:19:0
    6 PM] [FailureCategory=Cmdlet-RecipientTaskException] 7ED6F6D4,Microsoft.Exchange.Management.RecipientTasks.DisableMailb
    ox
    + PSComputerName : outlook.office365.com

    1. Vasil Michev says:

      As the error message shows, you have an org-wide hold enabled

  6. Michael Russo says:

    Heh.. I also have a mailbox from EO I’d like to remove without deleting the entire user and screwing up all their Teams and SharePoint stuff.. but I get that IgnoreLegalHold isn’t even a parameter!!

    PS C:\Users\Mike.STARDATECOMPUTE> Disable-Mailbox myuser@mydomain.com
    Exchange can’t disable the mailbox “The User Name” because it is on In-Place Hold. ComplianceTagHoldApplied: false,
    DelayHoldApplied: false, DelayReleaseHoldApplied: false, OrganizationPolicies Applied:
    mbxc27c6e8ac5574a319077ce328e6579f5:2, UserPolicies Applied: , restrictivePolicies Applied: . For more information,
    please see the PowerShell cmdlets, Get-OrganizationConfig |fl inplace*, and Get-Mailbox |fl compl*,delay*,inplace*
    + CategoryInfo : NotSpecified: (The User Name:ADObjectId) [Disable-Mailbox], RecipientTaskException
    + FullyQualifiedErrorId : [Server=MN2PR13MB3926,RequestId=f538bbaf-ea9b-4169-9e51-d4552b5e1357,TimeStamp=8/31/2020
    5:23:32 PM] [FailureCategory=Cmdlet-RecipientTaskException] 10A77BA9,Microsoft.Exchange.Management.RecipientTasks
    .DisableMailbox
    + PSComputerName : outlook.office365.com

    PS C:\Users\Mike.STARDATECOMPUTE> Disable-Mailbox myuser@mydomain.com -IgnoreLegalHold
    A parameter cannot be found that matches parameter name ‘IgnoreLegalHold’.
    + CategoryInfo : InvalidArgument: (:) [Disable-Mailbox], ParameterBindingException
    + FullyQualifiedErrorId : NamedParameterNotFound,Disable-Mailbox
    + PSComputerName : outlook.office365.com

    I think a surgical approach by the backend team is necessary, but Microsoft just seems to hate providing support for a product we all pay a lot of money for.

    1. Vasil Michev says:

      It doesn’t look like it’s available anymore, I’ve pinged a few folks for more info…

  7. Chad S says:

    Has something changed with mailbox visibility after removing a license? When I try to walk through this scenario, it fails because Disable-Mailbox can’t even find the mailbox.

    1. Remove license.
    2. Wait for back-end sync. Once this completes, Get-Mailbox fails with “object couldn’t be found…”
    3. Try Disable-Mailbox, which also fails with “object couldn’t be found…”

    If I run Disable-Mailbox before the sync, I get the “user has a valid license error.” If I run it after the sync, I get the “object couldn’t be found…” error. Either way, I get an error.

    1. Vasil Michev says:

      This method will not work for such scenarios. Removing the license triggers a different flow, it’s all explained in the documentation. Disable-mailbox is supposed to be used in some corner cases only.

      1. Chad S says:

        I guess you’re drawing a distinction between unlicensed and removing a license (to get into an unlicensed state). My goal is to recreate a mailbox for a user without deleting the user. Is this even possible? I know I can remove the user’s license and wait 30 days, but I don’t have 30 days. I need that purge to occur immediately.

        1. Douglas C says:

          I had the same problem – was able to solve it by converting the mailbox to shared before disabling it.
          -License user for Exchange Online
          -Run ‘Set-Mailbox -Identity -Type Shared’
          -Remove user’s Exchange Online license
          -You can now run ‘Disable-Mailbox -Identity -IgnoreLegalHold -PermanentlyDisable’

        2. Douglas C says:

          Next steps:
          -Set-User -Identity ….. -PermanentlyClearPreviousMailboxInfo
          -Reassign Exchange Online License

          All of the above commands are run from Exchange Online powershell.

        3. Taoph says:

          Hi Douglas C,
          I have followed your steps.
          But when I reassign Exchange Online License, mailbox has been created again.

        4. spyros says:

          Hello to all,

          The same thing happened to me as Taoph says: when I reassign the Exchange Online License, the mailbox is created again. Is there a way to assign a license without the mailbox reappearing? We want this so we can migrate the actual mailbox of the user to the cloud (hybrid exchange)

  8. Kim Nilsson says:

    I wanted to let one user have access to the Exchange Online Calendar, but not the Mailbox, but it seems that isn’t possible? The reason is that it’s a SAML-integrated user from G Suite, so it has a proper mailbox in Gmail (which receives all other senders’ emails from outside of our O365), and shouldn’t receive any email to the Exchange Inbox, but it does. Apparently, there’s no way to force Exchange to send emails externally when the user’s identity exists in O365 and has an Exchange licence. 🙁

      1. Alessandro Lo Valvo says:

        No, this doesn’t help if the mailbox is present in Exchange.
        Exchange always tries to send internally even though you set up a connector.

  9. Harsha Perera says:

    Hi Vasil,

    Thank you for the prompt response.

    But what if I want to keep the mailbox as an Inactive Mailbox? Excluding the mailbox from SCC retention policy will remove the mailbox right?

    1. Vasil Michev says:

      To make the mailbox inactive, you have to delete the user object, that’s the only supported method.

      1. Harsha Perera says:

        Hi Vasil,

        Thank you for the reply. My concern is that even when the license is removed from the user, the mailbox is still showing up in Exchange Online EAC.

        1. Vasil Michev says:

          It’s showing in the EAC because it’s on hold – removing the license doesn’t remove the hold. Just places you in a license violation scenario. Again, the correct (and only supported) way to make a mailbox inactive is to delete the user object. Read the documentation for more details.

  10. Harsha Perera says:

    Hi Vasil,

    I can still see a few mailboxes in my Exchange Online under mailboxes even though the user is disabled from AD and the license is removed. I tried Disable-Mailbox User1 -IgnoreLegalHold -PermanentlyDisable and am receiving the error “Cannot Disable-Mailbox for ‘User1’ because this user has a valid license.”

    The user is under a retention policy created in SCC.

    Any idea about this behavior?

    1. Vasil Michev says:

      Removing the license from a mailbox put on hold is not supported/in violation of the license agreement, thus such scenarios are not covered by this cmdlet. If you want to remove such a mailbox, remove the hold first.

  11. Dmitry B says:

    Hi Vasil,

    Do you know if the -IgnoreLegalHold applies to mailboxes that are under retention (hold) policy?

    1. Vasil Michev says:

      Haven’t tested it, but retention hold shouldn’t matter.
