Permanently disable a mailbox in Office 365

One of the differences between on-premises Exchange and Exchange Online is the way user mailbox objects are provisioned, or de-provisioned. In the on-premises world, this is of course dependent on the underlying AD, but as long as you have the necessary permissions you can provision a new user, along with a mailbox, directly via the EAC or the EMS. Alternatively, you can first create the user object in AD and “mailbox-enable” it later on.

In Office 365 however, user objects are authored in Azure AD and there are no Exchange endpoints that allow you to provision a user. Instead, you need to provision the user object in Azure AD first, and the process of enabling a mailbox for this user is governed by the licensing workflow. You grant the user any of the Exchange Online plans, he gets a mailbox. You remove the license, the mailbox is gone. Simple enough.

Well, technically this is only true for user mailboxes. Shared mailboxes for example do have a corresponding user object in Azure AD, yet we can provision them directly via the Exchange tools, such as the New-Mailbox cmdlet. And there are other “edge cases” too, for example using the -MicrosoftOnlineServicesID parameter, which allows you to provision a user mailbox directly, but the general rule is that you should govern the user mailbox creation and removal process via the licensing workflow.

We can summarize the mailbox deprovisioning process by simply stating that the Disable-Mailbox cmdlet is not available in Exchange Online. OK, it is actually available, but until recently it only worked against Archive mailboxes. That is, if you tried to use the cmdlet against any mailbox, you had to specify the -Archive parameter, otherwise an error was thrown:

Get-Mailbox testuser | Disable-Mailbox
The following error occurred during validation in agent 'Archive ParameterSet Enforcement Agent': 'This operation only works with archive parameters.'

So while the cmdlet was useful for disabling Archive mailboxes for users, it didn’t work against the primary mailbox. Until recently that is, as now, with the addition of the -PermanentlyDisable switch, we can use it to (permanently!) disable the primary mailbox as well. Here’s an example:

Disable-Mailbox BrianJ -PermanentlyDisable

Confirm
Are you sure you want to perform this action?
Disabling mailbox "BrianJ" will remove the Exchange properties from the Active Directory user object and mark the mailbox in the database for removal. If the mailbox has an archive or remote archive,
the archive will also be marked for removal. In the case of remote archives, this action is permanent. You can't reconnect this user to the remote archive again.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): y

First of all, make sure to read the warning above. As stated, execution of this cmdlet will remove any Exchange properties from the user object, rendering it “unknown” to Exchange Online. Moreover, as the switch name suggests, this is a *permanent* and *immediate* action: once you run the cmdlet, any data in the mailbox is gone for good.

There are two other catches worth mentioning. First, the user must be unlicensed for you to be able to run the cmdlet, otherwise an error will be thrown:

Disable-Mailbox IrvinS -PermanentlyDisable
Cannot Disable-Mailbox for 'IrvinS' because this user has a valid license.

For such licensed mailboxes, the standard “remove license” workflow applies, so you can complete the process via the Office 365 portal or Azure AD PowerShell. The second catch is around mailboxes put on hold. As long as any type of hold is configured and still acting on a given mailbox, Exchange will prevent you from shooting yourself in the foot and will not allow you to remove the mailbox until the hold is removed, or you have explicitly specified that you want to override this behavior via the -IgnoreLegalHold switch:

C:\> Get-Mailbox test222 | select RecipientTypeDetails,SKUAssigned,LitigationHoldEnabled

RecipientTypeDetails SKUAssigned LitigationHoldEnabled
-------------------- ----------- ---------------------
UserMailbox                                       True

C:\> Disable-Mailbox test222 -PermanentlyDisable
Exchange cant disable the mailbox "Test2" because it is on litigation hold.

C:\> Disable-Mailbox test222 -PermanentlyDisable -IgnoreLegalHold

Confirm
Are you sure you want to perform this action?
Disabling mailbox "test222" will remove the Exchange properties from the Active Directory user object and mark the mailbox in the database for removal. If the mailbox has an archive or remote
archive, the archive will also be marked for removal. In the case of remote archives, this action is permanent. You can't reconnect this user to the remote archive again.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): y

So in summary, we can now use the Disable-Mailbox cmdlet to immediately and permanently disable the mailbox for a given user. This should only be used in scenarios where a specific need to trigger this immediate and permanent removal exists, otherwise you should continue using the “standard” removal process, governed by the licensing workflow. For situations where you want to remove the user object as well, you can use the Remove-Mailbox cmdlet or any of the Office 365 admin tools. Lastly, don’t forget the recent addition we got to the Set-User cmdlet, allowing us to clean up migration-related attributes: Permanently Clear Previous Mailbox Info.
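
A read-only pre-flight check covering both catches described above (license and hold), as an added example that is not part of the original post. The function name Test-PermanentDisableReadiness is hypothetical, InPlaceHolds and ArchiveStatus are Get-Mailbox properties not shown in the article's output, and the sample object is constructed to mirror the test222 mailbox.

```powershell
# Added example: read-only pre-flight check to run before Disable-Mailbox -PermanentlyDisable.
# Test-PermanentDisableReadiness is a hypothetical helper name, not a built-in cmdlet.
function Test-PermanentDisableReadiness {
    [CmdletBinding()]
    param(
        # Mailbox object from Get-Mailbox, or any object exposing the same properties
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Mailbox
    )
    process {
        $blockers = [System.Collections.Generic.List[string]]::new()
        $warnings = [System.Collections.Generic.List[string]]::new()

        # Catch 1: the cmdlet refuses users that still hold a license
        if ($Mailbox.SKUAssigned) {
            $blockers.Add('User is licensed; use the remove-license workflow instead')
        }
        # Catch 2: holds block removal unless -IgnoreLegalHold is passed explicitly
        if ($Mailbox.LitigationHoldEnabled) {
            $blockers.Add('Litigation hold is enabled')
        }
        # InPlaceHolds can be $null or empty; filter so an empty value counts as zero
        $holds = @($Mailbox.InPlaceHolds | Where-Object { $_ })
        if ($holds.Count -gt 0) {
            $blockers.Add("InPlaceHolds entries present: $($holds -join ', ')")
        }
        # The confirmation prompt states that an archive is marked for removal too
        if ("$($Mailbox.ArchiveStatus)" -eq 'Active') {
            $warnings.Add('Archive mailbox exists and will be removed as well')
        }
        [pscustomobject]@{
            Identity             = "$($Mailbox.Identity)"
            RecipientTypeDetails = "$($Mailbox.RecipientTypeDetails)"
            Blockers             = $blockers.ToArray()
            Warnings             = $warnings.ToArray()
            SafeToDisable        = ($blockers.Count -eq 0)
        }
    }
}

# Constructed sample mirroring the test222 output above (unlicensed, on litigation hold)
$sample = [pscustomobject]@{
    Identity = 'test222'; RecipientTypeDetails = 'UserMailbox'; SKUAssigned = $null
    LitigationHoldEnabled = $true; InPlaceHolds = @(); ArchiveStatus = 'None'
}
$sample | Test-PermanentDisableReadiness | Format-List

# Against a live session: Get-Mailbox test222 | Test-PermanentDisableReadiness
```

Because the function never calls Disable-Mailbox itself, its output can be attached to a change record before anyone runs the destructive command.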


9 Responses to Permanently disable a mailbox in Office 365

  1. Dmitry B says:

    Hi Vasil,

    Do you know if the -IgnoreLegalHold applies to mailboxes that are under retention (hold) policy?

  2. Harsha Perera says:

    Hi Vasil,

    I can still see a few mailboxes in my Exchange Online under mailboxes even though the user is disabled in AD and the license is removed. I tried Disable-Mailbox User1 -IgnoreLegalHold -PermanentlyDisable and am receiving the error “Cannot Disable-Mailbox for ‘User1’ because this user has a valid license.”

    User is under retention policy created in SCC.

    Any idea about this behavior?

    • Vasil Michev says:

      Removing the license from a mailbox put on hold is not supported/in violation of the license agreement, thus such scenarios are not covered by this cmdlet. If you want to remove such mailbox, remove the hold first.

  3. Harsha Perera says:

    Hi Vasil,

    Thank you for the prompt response.

    But what if I want to keep the mailbox as an Inactive Mailbox? Excluding the mailbox from SCC retention policy will remove the mailbox right?

    • Vasil Michev says:

      To make the mailbox inactive, you have to delete the user object, that’s the only supported method.

      • Harsha Perera says:

        Hi Vasil,

        Thank you for the reply. My concern is that even though the license is removed from the user, the mailbox is still showing up in Exchange Online EAC.

        • Vasil Michev says:

          It’s showing in the EAC because it’s on hold – removing the license doesn’t remove the hold. Just places you in a license violation scenario. Again, the correct (and only supported) way to make a mailbox inactive is to delete the user object. Read the documentation for more details.
