Mailbox Retention Options in Office 365 with AAD Sync

One of the most common questions I receive from customers who are thinking of moving, or are already moving, to Exchange Online is how to manage the off-boarding of users and the retention of their mailboxes.

It may seem obvious to say, but there is no perfect answer to this question. There are many options depending on your Exchange license plan, business requirements and scale, but I have outlined below the high-level options I usually put in front of customers when they ask this question.

  1. The first option is to de-license the user. This will free up the license for another user and leave the account in the Office 365 portal with sign-in privileges. The user will be able to sign in to the Office 365 portal but will not have access to any services (the user could also be deleted as per option 2 to prevent sign-in). The mailbox will be soft-deleted and will remain in the recycle bin for 30 days, at which point all of the content will be deleted. While in this state, any mail sent to the user will NDR unless their email address is attached to another mailbox. If the user is re-licensed within this 30-day period, the mailbox and its content will be recovered to the point when the user was de-licensed.
  2. Another option is to disable the user account in Active Directory, which will set the user’s sign-in status in Office 365 to “Not Allowed”. The user’s mailbox, licenses and other data (OneDrive etc.) will remain completely untouched. A user can remain in this state indefinitely, and the mailbox will continue to receive mail and be accessible to other users with the appropriate permission. The downside to this solution is that the license remains consumed and cannot be used by any new users.
  3. If the user has an E3 license assigned, the best option would be to place the mailbox on litigation hold using the Exchange Online compliance tools. Once the mailbox is on hold (you can specify the duration and rules), you can remove the user/mailbox and free up the license, but the contents of the mailbox will remain searchable from the portal for as long as you specify. This is the best option as it allows you to free up the E3 license and keep your Active Directory tidy.
  4. Lastly, you could convert the user mailbox to a shared mailbox, and then remove the license. You would need to keep a user object in Office 365 to represent the shared mailbox, but you would again free up your license, and the mail sent to that user would still be received and accessible to other users with the appropriate permissions.
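The litigation hold and shared mailbox options above can be scripted so that the license is only removed once the change is confirmed on the mailbox. The following is an added example, not part of the original post; it assumes an existing Exchange Online PowerShell session, and the function name `Protect-LeaverMailbox` and the sample address are hypothetical. License removal itself is left to whatever licensing tooling you use.

```powershell
# Added example: apply a litigation hold or a shared mailbox conversion
# to a leaver's mailbox, then re-read the mailbox to confirm the change
# before the license is removed elsewhere.
# Assumes Connect-ExchangeOnline has already been run.
function Protect-LeaverMailbox {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [ValidateSet('LitigationHold', 'Shared')] [string] $Mode,
        [int] $HoldDays = 0   # 0 = no duration set, hold stays until removed
    )

    # Fail early if the mailbox does not exist (for example, already soft-deleted).
    $null = Get-Mailbox -Identity $UserPrincipalName -ErrorAction Stop

    if ($Mode -eq 'LitigationHold') {
        if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Enable litigation hold')) {
            $params = @{ Identity = $UserPrincipalName; LitigationHoldEnabled = $true }
            if ($HoldDays -gt 0) { $params.LitigationHoldDuration = $HoldDays }
            Set-Mailbox @params -ErrorAction Stop
        }
    }
    else {
        if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Convert to shared mailbox')) {
            Set-Mailbox -Identity $UserPrincipalName -Type Shared -ErrorAction Stop
        }
    }

    # Re-read the mailbox; only de-license once ChangeVisible is True.
    $after = Get-Mailbox -Identity $UserPrincipalName
    $visible = if ($Mode -eq 'LitigationHold') { $after.LitigationHoldEnabled } else { $after.RecipientTypeDetails -eq 'SharedMailbox' }

    [pscustomobject]@{
        User           = $UserPrincipalName
        Mode           = $Mode
        LitigationHold = $after.LitigationHoldEnabled
        HoldDuration   = $after.LitigationHoldDuration
        RecipientType  = $after.RecipientTypeDetails
        ChangeVisible  = [bool]$visible
    }
}

# Constructed sample call; -WhatIf previews the change without applying it.
# Protect-LeaverMailbox -UserPrincipalName 'leaver@example.com' -Mode LitigationHold -HoldDays 365 -WhatIf
```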

You can obviously combine these options where appropriate to build a solution that fits your business. If you need any more details please let me know.

How do you manage leavers in Office 365? Does this raise any questions for your organisation? Get in touch – Twitter @MikeParker365, Email

2 thoughts on “Mailbox Retention Options in Office 365 with AAD Sync”

  1. We have recently got a tool that can automatically assign and revoke licences in Office 365. It’s called Adaxes and I believe it is worth mentioning. It can do even more with Exchange as it practically manages on-prem mailboxes and cloud ones in a very similar way. This means you can include archiving the mailbox, revoking the licence in O365 and anything else you want to do in a workflow, so that everything would happen automatically once you hit the deprovision button.


    1. Hi Sam, Thanks for the comment. I was focussing on the native functionality within Office 365/AAD Sync to manage users, but you are absolutely right there are several third party tools on the market that can help you better manage/automate the new user/leaver process with O365/Exchange Online.

