Most organizations have a consistent process for setting up new users. But quite often the process for handling user departure is not very clear.
When an Office 365 user leaves your organization you should have processes to ensure you’re protected from data leakage and data loss. Your process should include the following:
- Cutting off the user’s access to organizational data and services
- Preserving and reassigning data associated with the user’s Office 365 account
- Ensuring that workflows involving the user are redirected
- Properly releasing the user’s Office 365 account license for reuse
These topics should be considered in a broad sense, but this article will focus on the handling of the Office 365 mailbox.
Cut Off Access
To cut off the user’s access to the organization you have a few options. Selecting the right one depends on the “urgency” of the departure and your setup.
For non-urgent access blocking in a hybrid environment you can simply disable the on-prem user account. The corresponding Office 365 account will have sign in blocked on the next replication cycle from Azure AD Connect. Be aware that existing user connections to email and other Office 365 services will not be terminated.
If you have a more urgent need to stop all activity from the user account immediately, you can force the user's existing sessions to renew their access tokens. When the account has already been disabled, this renewal is of course not possible, so the result is an effective and immediate lockout from Office 365 services. This is done with the Revoke-AzureADUserAllRefreshToken cmdlet, which requires the Azure AD PowerShell module:
PS C:\WINDOWS\system32> Get-AzureADUser -All $True | ? {$_.DisplayName -eq 'Tycho Brahe'} | ft DisplayName,RefreshTokensValidFromDateTime

DisplayName RefreshTokensValidFromDateTime
----------- ------------------------------
Tycho Brahe 4/18/2019 9:54:45 AM

PS C:\WINDOWS\system32> Get-Date
Monday, July 15, 2019 5:36:43 PM

PS C:\WINDOWS\system32> Get-AzureADUser | ? {$_.DisplayName -eq 'Tycho Brahe'} | Revoke-AzureADUserAllRefreshToken

PS C:\WINDOWS\system32> Get-AzureADUser | ? {$_.DisplayName -eq 'Tycho Brahe'} | ft DisplayName,RefreshTokensValidFromDateTime

DisplayName RefreshTokensValidFromDateTime
----------- ------------------------------
Tycho Brahe 7/15/2019 3:37:18 PM
In the above example the user's RefreshTokensValidFromDateTime was set when the user's latest Office 365 session was started (9:50:51 AM). Using Revoke-AzureADUserAllRefreshToken, the RefreshTokensValidFromDateTime attribute is set to the current time (9:54:45 AM), which means tokens issued before 9:54:45 AM must now be renewed. This causes Office 365 services to require a new login from the user. If the user account was disabled beforehand, the user is effectively locked out of all Office 365 services.
Preserve and Reassign Data
Preserving and reassigning data means that you need to take control of the user’s data and make it available to relevant people. This may include the user’s mailbox, OneDrive data and data held in the user’s personal folders and local devices. The following steps should be considered:
- Ensuring that data is not prematurely deleted
- Preserving data for future access when necessary
- Moving or reassigning data to a new owner or group
- Redirecting incoming data to a new owner
Mailbox preservation can be performed while a user's Office 365 license is still active, or up to 30 days after it is deleted. One option is to convert the user mailbox to inactive status. This preserves the mailbox's data indefinitely for eDiscovery and archiving and will allow you to remove the on-prem and Office 365 user accounts. The steps involved in converting the mailbox to inactive are detailed here. However, in general I don't recommend this approach – at least not until the mailbox contents are "dead" (no longer in demand). Granting a replacement user access to the contents of an inactive mailbox is not a very friendly procedure.
A better option is to simply convert the mailbox type from user to shared. Shared mailboxes can keep up to 50GB of data without an Office 365 license. This will not allow you to get rid of the user object from on-prem or Office 365, but the user account can stay disabled and the on-prem account can be moved to a dedicated OU for departed users. You should also remove the mailbox from the GAL. A great advantage of this approach is the ease of providing a manager or replacement user with access to the departed employee's mailbox. This can be done following these steps (always consider legal matters prior to delegating access to personal mailboxes or data).

Be aware: Legal immutability requirements may rule out the easy solution of using the shared mailbox approach. Also, using mail archiving on the departed user may affect your decision, as archiving is not supported on an unlicensed shared mailbox. Still, the shared mailbox approach for departed users is undoubtedly the most flexible approach for most small and midsized companies.
Handling Redirection of Workflows
Existing mailbox data is now available to relevant employees. What about new inbound emails? One way to handle this is to set up forwarding on the old mailbox. This ensures that appropriate action is taken on new emails sent to the exited user. If you convert the mailbox to an inactive mailbox, you’ll need to move the mail alias to another recipient manually. If you convert the mailbox to a shared mailbox, the forwarding configuration is straightforward.
Also, you should consider setting up an auto-reply to inform senders that the user has left the company and to provide the new email address(es) to use to communicate with your organization.
Depending on your needs, you may want to keep forwarding, auto-reply, and delegated access in place for 3 to 6 months after the user leaves. After this time, most communication should have moved to the new communication channels in your organization.
Forwarding and auto-reply are only available if you have converted the user mailbox to a shared mailbox. If your approach is the inactive mailbox, you’re in for a big increase in complexity to achieve the same goals. So this is another reason to opt for the shared mailbox approach instead of the inactive mailbox.
Releasing Office 365 Licenses
Finally, it’s time to ensure the costly Office 365 license is released and returned to your license pool. Removing the license from the user account can be done via the Office 365 Admin Center. When the license has been removed from the user, you can assign it to a new user. Strictly speaking, Microsoft online services terms state that organizations may not reassign a license within 90 days of the last assignment. However, this is not enforced in any way.
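As an added example that is not part of the original article and not Easy365Manager's code, the following script strings the steps above (block access, revoke refresh tokens, convert to shared, hide from the GAL, delegate, forward, auto-reply, release the license) into one PowerShell pass for a hybrid tenant. It assumes the ActiveDirectory, AzureAD and ExchangeOnlineManagement modules are installed and already connected, that the Exchange schema extension is present on-prem, and that the OU path and mailbox names are placeholders.

```powershell
# Added example (not the article's or Easy365Manager's code): one offboarding pass for a hybrid tenant.
# Assumes Connect-AzureAD and Connect-ExchangeOnline have already been run; all names are placeholders.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,   # departing user, e.g. tycho@contoso.com
    [Parameter(Mandatory)] [string] $ForwardTo,           # replacement or manager mailbox
    [string] $DepartedOU = 'OU=Departed Users,DC=contoso,DC=com'   # placeholder OU for departed accounts
)

# 1. Block access. Disable on-prem first (synced by Azure AD Connect on the next cycle) and, so the
#    block does not wait for that cycle, also disable the cloud object directly.
$adUser  = Get-ADUser -Filter "UserPrincipalName -eq '$UserPrincipalName'"
Disable-ADAccount -Identity $adUser
Move-ADObject -Identity $adUser.DistinguishedName -TargetPath $DepartedOU
$aadUser = Get-AzureADUser -ObjectId $UserPrincipalName
Set-AzureADUser -ObjectId $aadUser.ObjectId -AccountEnabled $false

# 2. Revoke refresh tokens only AFTER the account is disabled: existing Outlook/Teams sessions are
#    forced to renew, and renewal fails for a disabled account, giving an immediate lockout.
Revoke-AzureADUserAllRefreshToken -ObjectId $aadUser.ObjectId
# Verification: RefreshTokensValidFromDateTime should now be the current time.
Get-AzureADUser -ObjectId $aadUser.ObjectId | Select-Object DisplayName, RefreshTokensValidFromDateTime

# 3. Preserve data. A shared mailbox keeps up to 50 GB without a license. Hiding from the GAL is
#    set on-prem because that attribute is mastered on-prem in a hybrid setup and synced to the cloud.
Set-Mailbox -Identity $UserPrincipalName -Type Shared
Set-ADUser -Identity $adUser -Replace @{ msExchHideFromAddressLists = $true }

# 4. Redirect workflows: delegate full access, forward new mail (cloud-only attribute, so it is
#    writable on a synced mailbox) and tell senders where to go from now on.
Add-MailboxPermission -Identity $UserPrincipalName -User $ForwardTo -AccessRights FullAccess -AutoMapping $false
Set-Mailbox -Identity $UserPrincipalName -ForwardingSmtpAddress $ForwardTo -DeliverToMailboxAndForward $true
$reply = "This person has left the organization. Please contact $ForwardTo instead."
Set-MailboxAutoReplyConfiguration -Identity $UserPrincipalName -AutoReplyState Enabled `
    -InternalMessage $reply -ExternalMessage $reply -ExternalAudience All

# 5. Release licenses: remove every SKU currently assigned. Do this only after step 3 has completed;
#    an unlicensed mailbox that is still a user mailbox is deleted after 30 days.
$skuIds = @($aadUser.AssignedLicenses | ForEach-Object { $_.SkuId })
if ($skuIds.Count -gt 0) {
    $change = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
    $change.RemoveLicenses = $skuIds
    Set-AzureADUserLicense -ObjectId $aadUser.ObjectId -AssignedLicenses $change
}
```

Run it with the departing user's UPN and the replacement's address; the mailbox type change can take several minutes to show in the admin center, so check Get-Mailbox before relying on step 5 having left a shared mailbox behind.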
Wrapping It Up – With Easy365Manager
(Warning: Biased praise of our own software coming up)
If you have a hybrid scenario, like most organizations using Office 365, the above steps involve a lot of cycling back and forth between your on-prem management tool Active Directory Users & Computers and the Office 365 Admin Portal.
Easy365Manager allows you to manage everything inside the native Active Directory Users & Computers tool with several advantages:
- Everything is managed in one place.
- You ensure consistency between your on-prem environment and your Office 365 environment.
- You have the option to immediately replicate your on-prem changes to Office 365.
In relation to retiring a user account with an Office 365 mailbox, Easy365Manager allows you to perform the following steps inside Active Directory Users & Computers with no need to visit the Office 365 Admin Portal:
- Disable the on-prem user account with immediate replication to Office 365.
- Convert the user mailbox to a shared mailbox.
- Hide the mailbox from address lists.
- Grant access to the shared mailbox to relevant employees.
- Set up forwarding to a relevant employee.
- Remove the Office 365 Exchange license from the account.
Effectively, this means a 10 – 15 minute task can be done in less than a minute. Just watch:
Similarly, Easy365Manager will also enhance your user provisioning.
Download a fully functional 30-day trial here.
Installation can be done in a couple of minutes and requires no infrastructure changes.