Should Mailboxes Be Shared or Inactive?

When people leave the company, change roles, or departments are closed, you will often need to keep the messages and other mailbox contents that accumulated while those accounts were in service. This used to be fairly simple for organizations running Exchange Server on premises—you converted the mailbox in question to a shared mailbox, redirected the inbound e-mail address to another user or group to preserve incoming mail, gave access to the remaining employees and contractors who needed to look at the messages and items within the mailbox, and that was the end of it.

But now that many organizations are moving to some form of hybrid deployment, or using Exchange Online and Office 365 exclusively for email, you have to account for mailbox licenses and for the fact that you do not control the underlying system. What's the answer here? What are the considerations?

Essentially, it boils down to a combination of litigation hold and soft delete. Let me explain.

Why Not a Shared Mailbox

The main problem with the shared mailbox solution with Office 365 is that the mailbox itself, even when converted from individual to shared, remains inextricably linked with the user object. If you are only running and using Exchange Online, then that might not be a problem, but if your user is also consuming other services like SharePoint Online or OneDrive for Business, then converting the mailbox to a shared mailbox, while saving on the Exchange license cost, also removes access from these other online services—and so you lose the data that user has stored within each respective service.

Then there is the concern about whether the data should be changed or not. When your organization isn’t under any legal or regulatory restrictions, then changing, deleting, or otherwise modifying the content generated in the previous employee’s mailbox might not be that big of a deal. However, employees don’t always wait to leave until legal cases are fully resolved or discovery orders are cancelled. So you may face a situation where you need to place a litigation hold on a mailbox to ensure data retention—but unfortunately, a litigation hold requires an Exchange license, so you can’t convert to a shared mailbox in these situations.

The archive functionality presents another issue. If you have deployed personal archives so that mail older than the retention period is automatically moved into an archive mailbox, then those archive mailboxes are tied to user licenses—and are lost if you convert the user mailbox into a shared mailbox. So you’ll either forget to make the transfer (be honest; this happens!) or you will need to manually move data from the archive mailbox into the regular mailbox before it is converted into a shared mailbox.

Sounds messy, right? By the way, don’t miss our free how-to that provides a script for monitoring shared mailbox access.

Inactive Mailbox

The solution to most of these issues is to use inactive mailboxes, a concept that exists only within Office 365 and has no real counterpart in the on-premises world. Setting a mailbox to inactive requires two steps—first, you place the mailbox on hold (a litigation hold, which the cmdlet below enables), which preserves the data in both the regular mailbox and any associated archive mailbox; next, you delete the user. One PowerShell command, run from an Exchange Online PowerShell session, places the hold with no expiry:

Set-Mailbox -Identity username -LitigationHoldEnabled $True
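The two-step procedure above, carried through end to end with a verification between the steps, as an added example that is not from the original post. It assumes the ExchangeOnlineManagement and MSOnline modules are installed, that $Upn is the departing user's sign-in address, and that the ticket reference is a placeholder; the OneDrive caveat discussed below still applies, so that data must be retained before this runs.

```powershell
# Added example (not the post's own code): place a departing user's mailbox on
# litigation hold, confirm the hold is applied, then delete the account so the
# mailbox becomes inactive rather than being purged with the user.
param(
    [Parameter(Mandatory)][string]$Upn,               # assumed: departing user's UPN
    [string]$TicketReference = 'HR-OFFBOARD-0000'      # constructed placeholder
)

Connect-ExchangeOnline
Connect-MsolService

# 1. Record the starting state: archive presence and any hold already in place.
$mbx = Get-Mailbox -Identity $Upn -ErrorAction Stop
Write-Host "Mailbox: $($mbx.PrimarySmtpAddress)  Archive: $($mbx.ArchiveStatus)  Hold: $($mbx.LitigationHoldEnabled)"

# 2. Enable the hold. Omitting LitigationHoldDuration makes it unlimited;
#    the retention comment leaves an audit trail on the mailbox itself.
Set-Mailbox -Identity $Upn -LitigationHoldEnabled $true `
    -RetentionComment "Departed employee; retained per $TicketReference"

# 3. Never delete before the hold is visibly applied: re-read the mailbox
#    until LitigationHoldEnabled reports $true or a time limit is reached.
$deadline = (Get-Date).AddMinutes(15)
do {
    Start-Sleep -Seconds 30
    $held = (Get-Mailbox -Identity $Upn).LitigationHoldEnabled
} until ($held -or (Get-Date) -gt $deadline)
if (-not $held) { throw "Litigation hold not confirmed on $Upn; aborting the delete." }

# 4. Delete the user. With the hold in place the mailbox is kept as inactive.
Remove-MsolUser -UserPrincipalName $Upn -Force

# 5. Verify: the mailbox should now appear only in the inactive-mailbox view.
Get-Mailbox -InactiveMailboxOnly |
    Where-Object { $_.PrimarySmtpAddress -eq $mbx.PrimarySmtpAddress } |
    Format-Table DisplayName, PrimarySmtpAddress, WhenSoftDeleted, LitigationHoldEnabled
```

Step 3 matters because the hold is applied asynchronously; deleting the user before it is confirmed leaves the mailbox on the ordinary soft-delete path instead of making it inactive.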

What’s nice about this solution is that it preserves data without cluttering up users in your address list and directory. The data remains there, but since the user account is gone, you can recycle e-mail addresses, users aren’t confused still seeing a departed employee in the global address list, and your group permissions and life cycling can continue to treat the employee as no longer part of the organization. Also, it removes the license, so you don’t have to keep paying each month for the now-departed employee. Microsoft currently does not charge for inactive mailboxes.

You access the data from the inactive mailbox through an eDiscovery search, integrated right within Exchange Online. You can use freeware to find inactive users faster. Then you copy the results of the search into a discovery mailbox and grant current employees access to that mailbox to grab any data that they need without affecting the original copy of the data. This also limits access to the inactive mailbox to only those with permissions to run eDiscovery searches, which improves your security posture.

What doesn’t this address? Since the user object is deleted, data in OneDrive for Business and other services is also deleted. You will need some process or method to retain this data before the user object is deleted, but chances are those procedures are already in place as part of your user lifecycle management program.

Need more Exchange tips? Read the best practices from Danny Murphy published in our blog in April.

Author, consultant, and speaker on a variety of IT topics. Jonathan has written books on Windows Server and related products and has spoken worldwide on topics ranging from networking and security to Windows administration.