One of the differences between on-premises Exchange and Exchange Online is the way user mailbox objects are provisioned, or de-provisioned. In the on-premises world, this is of course dependent on the underlying AD, but as long as you have the necessary permissions you can provision a new user, along with a mailbox, directly via the EAC or the EMS. Alternatively, you can first create the user object in AD and “mailbox-enable” it later on.
In Office 365 however, user objects are authored in Azure AD and there are no Exchange endpoints that allow you to provision a user. Instead, you need to provision the user object in Azure AD first, and the process of enabling a mailbox for this user is governed by the licensing workflow. You grant the user any of the Exchange Online plans, he gets a mailbox. You remove the license, the mailbox is gone. Simple enough.
Well, technically this is only true for user mailboxes. Shared mailboxes for example do have a corresponding user object in Azure AD, yet we can provision them directly via the Exchange tools, such as the New-Mailbox cmdlet. And there are other “edge cases” too, for example using the -MicrosoftOnlineServicesID parameter, which allows you to provision a user mailbox directly, but the general rule is that you should govern the user mailbox creation and removal process via the licensing workflow.
We can summarize the mailbox deprovisioning process by simply stating that the Disable-Mailbox cmdlet is not available in Exchange Online. OK, it is actually available, but until recently it only worked against Archive mailboxes. That is, if you tried to use the cmdlet against any mailbox, you had to specify the -Archive parameter, otherwise an error was thrown:
Get-Mailbox testuser | Disable-Mailbox
The following error occurred during validation in agent 'Archive ParameterSet Enforcement Agent': 'This operation only works with archive parameters.'
So while the cmdlet was useful for disabling Archive mailboxes for users, it didn’t work against the primary mailbox. Until recently that is, as now, with the addition of the -PermanentlyDisable switch, we can use it to (permanently!) disable the primary mailbox as well. Here’s an example:
Disable-Mailbox BrianJ -PermanentlyDisable
Confirm
Are you sure you want to perform this action?
Disabling mailbox "BrianJ" will remove the Exchange properties from the Active Directory user object and mark the mailbox in the database for removal. If the mailbox has an archive or remote archive, the archive will also be marked for removal. In the case of remote archives, this action is permanent. You can't reconnect this user to the remote archive again.
[Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"): y
First of all, make sure to read the warning above. As stated, execution of this cmdlet will remove any Exchange properties from the user object, rendering it “unknown” to Exchange Online. Moreover, as the switch name suggests, this is a *permanent* and *immediate* action: once you run the cmdlet, any data in the mailbox is gone for good.
There are two other catches worth mentioning. First, the user must be unlicensed for you to be able to run the cmdlet, otherwise an error will be thrown:
Disable-Mailbox IrvinS -PermanentlyDisable
Cannot Disable-Mailbox for 'IrvinS' because this user has a valid license.
For such licensed mailboxes, the standard “remove license” workflow applies, so you can complete the process via the Office 365 portal or Azure AD PowerShell. The second catch is around mailboxes put on hold. As long as any type of hold is configured and still acting on a given mailbox, Exchange will prevent you from shooting yourself in the foot and will not allow you to remove the mailbox until the hold is removed, or you have explicitly specified that you want to override this behavior via the -IgnoreLegalHold switch:
C:\> Get-Mailbox test222 | select RecipientTypeDetails,SKUAssigned,LitigationHoldEnabled
RecipientTypeDetails SKUAssigned LitigationHoldEnabled
-------------------- ----------- ---------------------
UserMailbox                                       True
C:\> Disable-Mailbox test222 -PermanentlyDisable
Exchange cant disable the mailbox "Test2" because it is on litigation hold.
C:\> Disable-Mailbox test222 -PermanentlyDisable -IgnoreLegalHold
Confirm
Are you sure you want to perform this action?
Disabling mailbox "test222" will remove the Exchange properties from the Active Directory user object and mark the mailbox in the database for removal. If the mailbox has an archive or remote archive, the archive will also be marked for removal. In the case of remote archives, this action is permanent. You can't reconnect this user to the remote archive again.
[Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"): y
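A pre-flight check for the two catches above, as an added example that is not part of the original post: it reports the license and hold state of a mailbox and only previews the permanent disable with -WhatIf. It assumes an existing Exchange Online PowerShell session; Test-PermanentDisableReadiness is a hypothetical helper name, and InPlaceHolds, ArchiveStatus and UserPrincipalName are standard Get-Mailbox properties not shown in the output above.

```powershell
# Added example: check for blockers before Disable-Mailbox -PermanentlyDisable.
# Test-PermanentDisableReadiness is a hypothetical helper, not a built-in cmdlet.
function Test-PermanentDisableReadiness {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Identity
    )

    $mbx = Get-Mailbox -Identity $Identity -ErrorAction Stop
    $blockers = @()

    # Licensed users are rejected by the cmdlet; the license workflow applies instead.
    if ($mbx.SKUAssigned) {
        $blockers += 'User still has a valid license.'
    }
    # Litigation hold stops the operation unless -IgnoreLegalHold is specified.
    if ($mbx.LitigationHoldEnabled) {
        $blockers += 'Litigation hold is enabled.'
    }
    # InPlaceHolds lists identifiers of other holds acting on the mailbox.
    if ($mbx.InPlaceHolds.Count -gt 0) {
        $blockers += "Other holds present: $($mbx.InPlaceHolds -join ', ')"
    }

    [pscustomobject]@{
        UserPrincipalName    = $mbx.UserPrincipalName
        RecipientTypeDetails = $mbx.RecipientTypeDetails
        ArchiveStatus        = $mbx.ArchiveStatus  # an archive is removed with the mailbox
        Blockers             = $blockers
        Ready                = ($blockers.Count -eq 0)
    }
}

# 'test222' is the sample mailbox from the output above.
$check = Test-PermanentDisableReadiness -Identity 'test222'
$check | Format-List

if ($check.Ready) {
    # -WhatIf only previews the action; nothing is removed.
    Disable-Mailbox -Identity $check.UserPrincipalName -PermanentlyDisable -WhatIf
} else {
    Write-Warning "Not disabling $($check.UserPrincipalName): resolve the blockers first."
}
```

The helper never passes -IgnoreLegalHold, so a mailbox on hold is always reported as blocked and the decision to override stays with whoever owns the hold.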
So in summary, we can now use the Disable-Mailbox cmdlet to immediately and permanently disable the mailbox for a given user. This should only be used in scenarios where a specific need to trigger this immediate and permanent removal exists, otherwise you should continue using the “standard” removal process, governed by the licensing workflow. For situations where you want to remove the user object as well, you can use the Remove-Mailbox cmdlet or any of the Office 365 admin tools. Lastly, don’t forget the recent addition we got to the Set-User cmdlet, allowing us to clean up migration-related attributes: Permanently Clear Previous Mailbox Info.