Change in behavior for delicensed Exchange Online users


Several weeks ago, we enabled a new Office 365 feature for some tenants in which removing the Exchange license no longer immediately mail-disabled the user and disconnected the mailbox. With the new behavior, you had to manually run the Disable-Mailbox -PermanentlyDelete cmdlet through EXO remote PowerShell (RPS) to achieve the same result we previously had: a permanent deletion of the disconnected mailbox.

Due to extensive feedback from customers we are rolling back this feature to the original behavior in order to improve the feature before we release it again in an easier format (and with better documentation).

As of today (10/31/2016), and going forward until the feature is re-introduced in the future:

The removal of Exchange license from a user will trigger a mail disable operation in Exchange Online as it did before. The user’s mailbox will then be disconnected and will enter a tombstone state. This is not a soft deletion operation; if you want to preserve the mailbox for later recovery please use the Soft Deletion feature or Inactive mailboxes with in-place or litigation hold.

Adding the license back to this user within 30 days will result in a ‘best effort’ reconnect with the old content of the mailbox. This is the behavior we had before the change; we are just reverting to it.

Note: we have already started the rollback of this feature but it might take about 24 hours until all of our customers see changed behavior. To be safe, please assume that behavior has changed already starting right now.

What happens to the users whose license was removed within the time frame of the feature being enabled?

We are grand-fathering in these users. The mailbox and user will remain connected and mail enabled for an indefinite amount of time. You have some options for these users:

How to find them?

Users in this state can be found through EXO remote PowerShell using Get-Mailbox and looking for the SKUAssigned flag in EXO being set to “False”.

[Image: sample user whose license was removed while the feature was on]

What do I do with them?

You have 4 options (since a mailbox without a license has access blocked within 30 days of creation):

  • Soft Deletion: Retention for a short period in case mailbox needs to be recovered. Mailboxes in this state are removed from Exchange after 30 days, at which time they can no longer be recovered. By default, a mailbox is soft-deleted if the user’s Office 365 account is removed.

The entire object (including the UPN and identity) is in a soft deletion state across the service. This allows for full data recovery and full re-use of any and all properties of the soft-deleted user in a new user.

  • Permanent removal (hard-deletion). In this case, the mailbox can no longer be recovered. You can permanently purge a mailbox from Exchange Online by running the Disable-Mailbox cmdlet (UI to come)
    • [PS] C:\> Disable-Mailbox -Identity <User> -PermanentlyDelete

The user object also loses its Exchange properties in this case; that frees all email/proxy addresses and allows the object to be stamped with an external email address anew. The process requires you to remove the license, then run the above command, and then update the necessary attributes.

  • Retained indefinitely (inactive mailbox). A mailbox becomes inactive if it is under a litigation or in-place hold for compliance or regulatory purposes and is then deleted. Exchange recognizes that the hold exists and retains the mailbox for as long as the hold applies. During this time, the mailbox can be recovered or restored. When the hold is removed, the mailbox is permanently deleted.
  • Add a license back to the user. This will restore access, and the mailbox will become fully active.
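
The triage described above (find mailboxes with SKUAssigned set to “False”, then pick one of the four options) can start from a read-only inventory. This is an added example, not code from the original post; it assumes an EXO remote PowerShell session is already connected, and the Disposition wording and CSV file name are illustrative.

```powershell
# Added example (not from the original post). Assumes an Exchange Online
# remote PowerShell session is already connected. Read-only: nothing is changed.

# Shared and resource mailboxes normally carry no license, so only user
# mailboxes are inspected here.
$unlicensed = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { $_.SKUAssigned -eq $false }

$report = foreach ($mbx in $unlicensed) {
    # InPlaceHolds is multivalued; drop empty entries before counting.
    $holdCount = @($mbx.InPlaceHolds | Where-Object { $_ }).Count
    $onHold    = [bool]$mbx.LitigationHoldEnabled -or ($holdCount -gt 0)

    # Illustrative hint that maps hold state onto the options in the post.
    if ($onHold) {
        $disposition = 'Hold present: deleting would leave an inactive mailbox'
    } else {
        $disposition = 'No hold: re-license, soft-delete, or permanently remove'
    }

    [pscustomobject]@{
        UserPrincipalName     = $mbx.UserPrincipalName
        DisplayName           = $mbx.DisplayName
        SKUAssigned           = $mbx.SKUAssigned
        WhenMailboxCreated    = $mbx.WhenMailboxCreated
        LitigationHoldEnabled = $mbx.LitigationHoldEnabled
        InPlaceHoldCount      = $holdCount
        Disposition           = $disposition
    }
}

# Review on screen, then keep a copy for the change record.
$report | Sort-Object InPlaceHoldCount, UserPrincipalName | Format-Table -AutoSize
$report | Export-Csv -Path .\unlicensed-user-mailboxes.csv -NoTypeInformation
```

Mailboxes listed here are still connected and mail-enabled without a license, so each one needs an explicit decision rather than being left in place.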

We apologize for the back and forth on this, and realize that we have to do better when releasing features to the service, which the team is committed to doing when we release this feature again.

Mario Trigueros Solorio

Comments (10)
  1. John says:

    We constantly move users between licenses (E3 -> E1 etc.) What impact will this now have on the operation? (to script the move you must first remove the license before re-enabling it, essentially unlicensing the user for a split second) We much prefer the new way, where removing a license did not mean we wanted to delete or orphan a mailbox. Please re-consider your re-consideration and leave it as it is today.

  2. Hopefully, the commitment is supposed to be for all upcoming new features and not for this feature only. The service deserves a better handling when new features are introduced.
    Cheers,
    Thomas

  3. Do we need to comment on how poorly this was handled? Both in code and communication. Same goes for the 200 aliases limit you started enforcing few weeks back, etc. O365 has been in GA for 5 years now, one would think such issues should have long disappeared…

    We’ll have fun chats next week at the Summit for sure :)

  4. Gulab Prasad says:

    Good to see at least Microsoft is listening to the customers. I wonder what is wrong with you all!

  5. Mitchell says:

    Wow, I spent a couple of hours yesterday trying to figure out why a de-licensed user still had a mailbox. Time I’ll never get back, but at least I won’t waste any more!

  6. Mihail says:

    Hello,

    Just to inform you, that as expected the command Remove-Mailbox –Identity “First Last” returns the error for the scope and the on-premises. Also according to this article, executing the command:

    Disable-Mailbox -Identity “First Last” –PermanentlyDelete

    returns the following error:

    A parameter cannot be found that matches parameter name ‘PermanentlyDelete’.
    + CategoryInfo : InvalidArgument: (:) [Disable-Mailbox], ParameterBindingException
    + FullyQualifiedErrorId : NamedParameterNotFound,Disable-Mailbox
    + PSComputerName : outlook.office365.com

    So, I have managed to check that in your article there is an error. There is no switch –PermanentlyDelete. The correct one is –PermanentlyDisable. I think that someone should correct it. By entering the following command:

    Disable-Mailbox -Identity “First Last” -PermanentlyDisable

    I get the confirmation prompt:

    Confirm
    Are you sure you want to perform this action?
    Disabling mailbox “First Last” will remove the Exchange properties from the Active Directory user object and mark
    the mailbox in the database for removal. If the mailbox has an archive or remote archive, the archive will also be
    marked for removal. In the case of remote archives, this action is permanent. You can’t reconnect this user to the
    remote archive again.
    [Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is “Y”): yes

    And after confirming with y or yes, the mailbox is successfully removed.

  7. Radu says:

    Hi,

    It would seem the cmdlet Disable-Mailbox -Identity -PermanentlyDelete does not work, because:
    “A parameter cannot be found that matches parameter name ‘PermanentlyDelete’.

    + CategoryInfo : InvalidArgument: (:) [Disable-Mailbox], ParameterBindingException

    + FullyQualifiedErrorId : NamedParameterNotFound,Disable-Mailbox”

    However, it does work with:

    Disable-Mailbox -Identity “user” -PermanentlyDisable

  8. Kostyantyn says:

    How are you going to communicate that re-introduction of this (and maybe other) “feature” in the future?
    Do you plan to make customers aware in advance or “post-mortem” as usual?

  9. Harold says:

    It *can* happen that the wrong user is de-licenced. Having the user re-licenced and the old mailbox restored is the correct way to handle this aspect as it is a fail safe. The 30-day limit seems a reasonable time for retrieval.

  10. Gerard says:

    This does not seem to have been rolled back. I have a user where the license was removed 10-11-2016. If you run get-mailbox it shows SKUAssigned : False. They cannot access their mailbox but it’s still available for discovery which is good.
    I have a user where the license was removed 11-30-2016 yet SKUAssigned still says True. This is the case for all users changed after November. They can still access their email which is not a good thing.
