Excluding Inactive Mailboxes from Org-Wide Retention Holds

Sometimes You Want to Get Rid of Inactive Mailboxes

Updated 17 April 2023

Sometimes Microsoft doesn’t communicate changes made to PowerShell cmdlets that introduce interesting new functionality. There’s so much change in the service that they could be forgiven for an occasional slip-up, unless of course you need to use the specific feature that is undocumented.

New Parameters for Set-Mailbox

Which brings me to the well-known Set-Mailbox cmdlet, which boasts two parameters called ExcludeFromOrgHolds and ExcludeFromAllOrgHolds, a fact highlighted by MVP Vasil Michev in his ongoing crusade to discover what’s hidden in the corners of Office 365.

These parameters allow administrators to exclude some or all org-wide retention holds from inactive mailboxes. Remember that an inactive mailbox is one belonging to an Azure AD account that has been deleted but is kept because a hold exists on the mailbox. The hold can be any form of hold supported by Exchange Online, including litigation holds and those set by Office 365 retention policies. Retention holds come in two flavors, org-wide and non-org-wide (in other words, holds that apply to all mailboxes and those that apply to selected mailboxes).

Excluding an org-wide hold means that when Exchange evaluates whether to keep an inactive mailbox, it ignores that hold. If all org-wide holds are ignored, the inactive mailbox will only be kept if a specific non org-wide hold exists.

Controlling Org-Wide Holds on Inactive Mailboxes

Why do these parameters exist? Well, Microsoft introduced inactive mailboxes several years ago as a way for organizations to keep mailboxes around for compliance purposes without having to pay for Office 365 licenses. The most common use case is when mailboxes are kept for ex-employees. The idea is that a tenant will apply a hold to keep the mailboxes inactive for the desired period and then release the hold when the mailboxes are no longer needed.

Org-wide holds apply to both active and inactive mailboxes. Over time, it’s possible that a tenant will add new org-wide holds. The effect is that the set of inactive mailboxes is likely to grow, because any deleted mailbox becomes inactive when one or more org-wide holds exist.

Keeping inactive mailboxes is good if intended. It’s not so good if you don’t want or need those mailboxes. One of the principles of data governance in Office 365 is that tenants should be able to decide what data to keep and what to remove, and keeping inactive mailboxes longer than they should be goes against that principle. I imagine that Microsoft introduced these parameters to give tenants the ability to decide what org-wide holds should apply to inactive mailboxes.

Discovering Org-Wide Holds

Org-wide holds are registered in the Exchange Online organization configuration. To see the set, run the PowerShell command:

# Retrieve org-wide holds for the Exchange Online organization
Get-OrganizationConfig | Select-Object -ExpandProperty InPlaceHolds

mbx15382841af9f497c83f9efe73e51888d:1
mbx9696959111f74ecda8a40aef97edd2c2:1
mbx703105e3b8804a1093bb5cb777638ea8:1
grp703105e3b8804a1093bb5cb777638ea8:1
mbxc1e2d6f1785d4bf8a7746a26e58e5f66:1
grpc1e2d6f1785d4bf8a7746a26e58e5f66:1
mbxf6a1654abdba4712a43c354e28a4d56c:2
grpf6a1654abdba4712a43c354e28a4d56c:2

The holds we’re interested in start with mbx. Those starting with grp apply to Office 365 Groups. The values following are GUIDs that point to the retention policies defining the holds. If you’re interested in understanding how to resolve the GUID to find the retention policy, see the Compliance chapter in the Office 365 for IT Pros eBook.

Excluding Org-Wide Holds from Inactive Mailboxes

To exclude specific org-wide holds from a mailbox, run the Set-Mailbox cmdlet and pass the GUIDs for the holds you want to exclude in a comma-separated list for the ExcludeFromOrgHolds parameter. Use the same format for the GUIDs as reported by Get-OrganizationConfig. When you run the command, Exchange updates the InPlaceHolds property for the mailbox to note the excluded holds.

# Exclude specific org-wide holds from a mailbox
Set-Mailbox -Identity Kim.Akers -ExcludeFromOrgHolds "mbx9696959111f74ecda8a40aef97edd2c2:1", "mbx19200b9af08442529be070dae2fd54d3:1" 

Microsoft recommends that you use the distinguished name or ExchangeGUID property to identify the mailbox. This is to be absolutely sure that a unique value is passed because if you exclude the holds for the wrong inactive mailboxes, you run the risk that Exchange will remove these mailboxes permanently when it evaluates the holds that exist on them.

To remove all org-wide holds from a mailbox, run Set-Mailbox and pass the ExcludeFromAllOrgHolds parameter. Because you’re now removing all org-wide holds, it’s even more important to be certain that you’re processing the right mailboxes.

# Exclude all org-wide holds from the target mailbox
Set-Mailbox -Identity $Mbx.DistinguishedName -ExcludeFromAllOrgHolds

The Effect of Exclusion

I wrote a script to exclude all org-wide holds from the inactive mailboxes in my tenant. Here’s the relevant code to retrieve org-wide holds from the Exchange Online configuration and exclude inactive mailboxes from the mailbox holds. Figure 1 shows the script running.

# Get the org-wide holds and keep only the mailbox (mbx) holds
[array]$InPlaceHolds = Get-OrganizationConfig | Select-Object -ExpandProperty InPlaceHolds
$InPlaceHoldsMbx = $InPlaceHolds | Where-Object {$_ -like "*mbx*"}

# Find the inactive mailboxes
[array]$InactiveMbx = Get-ExoMailbox -InactiveMailboxOnly -ResultSize Unlimited | Select-Object -ExpandProperty Alias

# Exclude each inactive mailbox from the org-wide mailbox holds
ForEach ($Mbx in $InactiveMbx) {
   Write-Host ("Excluding inactive mailbox {0} from org-wide holds" -f $Mbx)
   $Status = Set-Mailbox -Identity $Mbx -ExcludeFromOrgHolds $InPlaceHoldsMbx
}

Figure 1: Excluding inactive mailboxes from org-wide holds

As soon as Set-Mailbox processes a mailbox, Exchange evaluates the holds to decide whether to remove the mailbox. After the script finished, the number of inactive mailboxes reduced from 39 to 17. This proves that you need to be ultra-careful when you exclude any org-wide hold from an inactive mailbox.
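Because removal follows the exclusion so quickly, it helps to see beforehand which inactive mailboxes nothing else would keep. The following dry-run planner is an added example, not part of the original article or the author's script; the function name Get-OrgHoldExclusionPlan, the sample mailboxes and the CSV file name are hypothetical. It assumes that only litigation hold and the mailbox's own InPlaceHolds entries need checking, and that entries beginning with "-" are exclusions already recorded on the mailbox.

```powershell
# Added example: dry-run planner for org-wide hold exclusions (changes nothing).
# Assumption: only litigation hold and the mailbox's own InPlaceHolds entries
# are checked; other hold types are not evaluated here.
function Get-OrgHoldExclusionPlan {
    param(
        [Parameter(Mandatory)] [string[]] $OrgHolds,
        [Parameter(Mandatory)] [object[]] $Mailboxes
    )
    # Keep the mbx entries; grp entries apply to Office 365 Groups
    $MbxHolds = @($OrgHolds | Where-Object { $_ -like 'mbx*' })
    foreach ($Mbx in $Mailboxes) {
        # Assumption: entries starting with "-" are exclusions already recorded
        # on the mailbox, so they do not keep it
        $Specific = @($Mbx.InPlaceHolds | Where-Object { $_ -and $_ -notlike '-*' })
        $KeptBy = @()
        if ($Mbx.LitigationHoldEnabled) { $KeptBy += 'LitigationHold' }
        $KeptBy += $Specific
        [pscustomobject]@{
            ExchangeGuid   = $Mbx.ExchangeGuid      # unique identifier for Set-Mailbox
            Alias          = $Mbx.Alias
            HoldsToExclude = $MbxHolds -join ','
            KeptBy         = $KeptBy -join ','
            AtRisk         = ($KeptBy.Count -eq 0)  # nothing else would keep it
        }
    }
}

# Constructed sample input: hold strings use the format shown earlier, mailboxes are invented
$OrgHolds = 'mbx15382841af9f497c83f9efe73e51888d:1', 'grp703105e3b8804a1093bb5cb777638ea8:1'
$Mailboxes = @(
    [pscustomobject]@{ ExchangeGuid = '11111111-1111-1111-1111-111111111111'; Alias = 'Ex.Employee1'
                       LitigationHoldEnabled = $false; InPlaceHolds = @() }
    [pscustomobject]@{ ExchangeGuid = '22222222-2222-2222-2222-222222222222'; Alias = 'Ex.Employee2'
                       LitigationHoldEnabled = $true;  InPlaceHolds = @() }
    [pscustomobject]@{ ExchangeGuid = '33333333-3333-3333-3333-333333333333'; Alias = 'Ex.Employee3'
                       LitigationHoldEnabled = $false
                       InPlaceHolds = @('mbx00000000000000000000000000000001:2') }
)
# Against a tenant, the input would come from (not run here):
#   Get-OrganizationConfig | Select-Object -ExpandProperty InPlaceHolds
#   Get-ExoMailbox -InactiveMailboxOnly -ResultSize Unlimited `
#       -Properties ExchangeGuid, InPlaceHolds, LitigationHoldEnabled

$Plan = Get-OrgHoldExclusionPlan -OrgHolds $OrgHolds -Mailboxes $Mailboxes
$Plan | Format-Table ExchangeGuid, Alias, AtRisk, KeptBy -AutoSize
# Record the mailboxes that nothing else would keep, for sign-off before any change
$Plan | Where-Object AtRisk | Export-Csv -Path .\AtRiskInactiveMailboxes.csv -NoTypeInformation
```

With the sample data, only Ex.Employee1 is flagged AtRisk; the other two are kept by a litigation hold and a mailbox-specific hold respectively.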


For more information about managing Exchange Online mailboxes, read Chapter 6 in the Office 365 for IT Pros eBook to discover even more valuable tips and techniques.

16 Replies to “Excluding Inactive Mailboxes from Org-Wide Retention Holds”

  1. Thanks for posting this, where can I get the script? “I wrote a script to exclude all org-wide holds from the inactive mailboxes in my tenant”

  2. Thanks for sharing this.
    I have one question: will the inactive mailboxes excluded from the organization hold then be deleted from the MS side?
    Regards.

    1. oh… As you stated I would target distinguished name or ExchangeGUID instead of Alias.

      [array]$InactiveMbx = Get-ExoMailbox -InactiveMailboxOnly -ResultSize Unlimited | Select-Object -ExpandProperty Alias

  3. Below is a scenario that I am struggling to get an answer for. When a litigation hold for 10 years is applied to a user and he leaves the organization, will we be able to use the mail address for another user?
    When we do a search for the user, will we get content of both accounts if they have the same mail address?

    1. You can reuse the same email address because Microsoft 365 removes these addresses when it deletes an account. Searches are conducted using the user principal name. These are prefixed with a dot “.” for deleted accounts. However, just to avoid confusion, I would change the display name and UPN for an account you want to keep for such a long time before you remove the account. Add a (Deleted) suffix, for instance.

  4. Hi Tony

    I have a test mailbox that I'm trying to remove all the holds from, but PowerShell throws an error about not finding the mailbox.

    Tried with Exchange Admin as well as with Global Admin, using EXO 3

    Get-Mailbox 'Robert.2016mbx' | fl ExchangeGuid

    ExchangeGuid : 2d27cb23-a05e-41fe-83b4-09a119a16171

    Set-Mailbox '2d27cb23-a05e-41fe-83b4-09a119a16171' -ExcludeFromOrgHolds 'mbx86ae8c52c35645ed929ac5ed276694f3:1', 'mbx343da58dffc0466a8af7f4a917765acb:2'

    or

    Set-Mailbox '2d27cb23-a05e-41fe-83b4-09a119a16171' -ExcludeFromAllOrgHolds

    Write-ErrorMessage : Ex6F9304|Microsoft.Exchange.Configuration.Tasks.ManagementObjectNotFoundException|The operation couldn’t be performed because object
    ‘2d27cb23-a05e-41fe-83b4-09a119a16171’ couldn’t be found on ‘YT3PR01A12DC001.CANPR01A012.PROD.OUTLOOK.COM’.
    At C:\Users\Administrator\AppData\Local\Temp\1\tmpEXO_dlztvnqy.ub2\tmpEXO_dlztvnqy.ub2.psm1:1178 char:13
    + Write-ErrorMessage $ErrorObject
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Set-Mailbox], ManagementObjectNotFoundException
    + FullyQualifiedErrorId : [Server=YTBPR01MB3535,RequestId=eff12325-b180-055f-e75e-ff0e0cbf7421,TimeStamp=Sun, 20 Aug 2023 21:02:05 GMT],Write-ErrorMessage

    Not sure what's going on, as the mailbox is up and running….

    thank you

      1. same results

        Set-Mailbox 'CN=robert 2016mbx,OU=tenant1.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=CANPR01A012,DC=PROD,DC=OUTLOOK,DC=COM' -ExcludeFromOrgHolds 'mbx86ae8c52c35645ed929ac5ed276694f3:1', 'mbx343da58dffc0466a8af7f4a917765acb:2'

        Write-ErrorMessage : Ex6F9304|Microsoft.Exchange.Configuration.Tasks.ManagementObjectNotFoundException|The operation couldn’t be performed because object
        ‘CANPR01A012.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/tenant1.onmicrosoft.com/robert 2016mbx’ couldn’t be found on
        ‘YT3PR01A12DC001.CANPR01A012.PROD.OUTLOOK.COM’.
        At C:\Users\Administrator\AppData\Local\Temp\1\tmpEXO_dlztvnqy.ub2\tmpEXO_dlztvnqy.ub2.psm1:1178 char:13
        + Write-ErrorMessage $ErrorObject
        + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo : NotSpecified: (:) [Set-Mailbox], ManagementObjectNotFoundException
        + FullyQualifiedErrorId : [Server=YTBPR01MB3535,RequestId=11c5175b-a898-ec23-afc1-b032dc5ad806,TimeStamp=Sun, 20 Aug 2023 21:26:11 GMT],Write-ErrorMessage

        All I'm trying to do is to remove the archive mailbox from the primary mailbox.

        There is no lithold, no holds, no inplace hold, no retention policies.

        this is driving me insane …

  5. Microsoft ‘new’ and not so ‘improved’ Exchange Admin only shows this

    Mailbox arching failed, error Error executing command.

    That's all you get when trying to disable the archive mailbox

    1. There might be other holds that are preventing you disabling the archive. For instance, if a message with a retention tag is in the archive, it is deemed to be a hold that will prevent the removal of the mailbox.

      1. hmmm so if I have hundreds of items in the archive mailbox, how would I go about searching for it?

        oh well, thank you for responding to my questions

        also as per this article
        https://learn.microsoft.com/en-us/purview/ediscovery-identify-a-hold-on-an-exchange-online-mailbox

        it appears that you have to be in the new Purview to be able to remove any holds on a given mailbox, so maybe Set-Mailbox no longer works in this case.

        At the very bottom of the article it states:

        Next steps

        After you identify the holds that are applied to a mailbox, you can perform tasks such as changing the duration of the hold, temporarily or permanently removing the hold, or excluding an inactive mailbox from a Microsoft Purview retention policy. For more information about performing tasks related to holds, see one of the following articles:

        Run the Set-RetentionCompliancePolicy -Identity -AddExchangeLocationException command in Security & Compliance PowerShell to exclude a mailbox from an organization-wide Microsoft Purview retention policy. This command can only be used for retention policies where the value for the ExchangeLocation property equals All.

        thank you

  6. I now have deleted every single message and calendar item from the archive mailbox and still it won't let me remove the archive mailbox.
