Wednesday, March 20, 2013

Exchange Online Inactive Mailboxes

In Office 365 “Wave 14”, you could not discover content in disabled mailboxes (which were removed after 30 days). In order to keep content discoverable, you had to leave the mailboxes enabled, which meant they would take up licenses.
 
In the new Office 365 “Wave 15”, Microsoft introduced the concept of Inactive Mailboxes, which allows you to place a mailbox in In-Place Hold and then delete the corresponding Office 365 user account. This makes it possible to preserve the contents of deleted mailboxes indefinitely and still be able to search its content using eDiscovery!
 
The advantages/characteristics of inactive mailboxes are:
• Inactive mailboxes are not removed as long as they are placed on hold;
• After a mailbox is made inactive (by placing it on hold and then removing it), you can search content in the mailbox using In-Place eDiscovery;
• Inactive mailboxes do not require a license;
• Inactive mailboxes cannot send/receive messages and will not show up in GAL;
• They do show up in In-Place Hold and In-Place eDiscovery interfaces.
 
Important: If a hold isn't placed on a mailbox before it's deleted, the contents of the mailbox will not be preserved or discoverable. The mailbox can be recovered within 30 days of deletion, but the mailbox and its contents will be permanently deleted after 30 days if it isn't recovered.


“Creating” an Inactive Mailbox
As mentioned before, creating an inactive mailbox involves two steps: first placing the mailbox on In-Place Hold and then deleting the mailbox or corresponding Office 365 user account. After the inactive mailbox is created, its contents are preserved until the In-Place Hold is removed.

Place a mailbox on In-Place Hold
Placing a mailbox on In-Place Hold preserves all contents that were in the mailbox before it was deleted. You can place the mailbox on indefinite hold or on a time-based hold.
In an indefinite hold, the inactive mailbox and all its contents will be preserved until the hold is removed. After the hold is removed (assuming that the mailbox was deleted more than 30 days ago), the inactive mailbox will be permanently deleted and the contents of the mailbox will no longer be preserved or discoverable.
In a time-based hold, you specify the duration of the hold. This duration is on a per-item basis and is calculated from the date a mailbox item was received or created. After the hold expires for a mailbox item, the item is permanently deleted from the inactive mailbox.

To use the Shell to put a mailbox on In-Place Hold, you can use the following cmdlet:
New-MailboxSearch “Hold-Nuno” -SourceMailboxes “nuno@letsexchange.com” -InPlaceHoldEnabled $True

If you don’t specify additional search parameters for an In-Place Hold, all items in the specified source mailboxes are placed on hold. If you don’t specify the ItemHoldPeriod parameter, items are placed on hold indefinitely or until the mailbox is either removed from hold or the hold is deleted.


Delete the mailbox
After the mailbox is placed on In-Place Hold to preserve its contents, it can be deleted. The best way to delete a mailbox is to delete the corresponding Office 365 user account in the Office 365 admin center. You can also delete the mailbox by using the Remove-Mailbox cmdlet through the Shell.


Access the contents of an inactive mailbox
After you enable an inactive mailbox by placing the mailbox on In-Place Hold and then deleting the corresponding Office 365 user account, you can access the contents of the inactive mailbox by using In-Place eDiscovery in the Exchange admin center (EAC). When you search an inactive mailbox, you can create a keyword search query to search for specific items or you can return the entire contents of the inactive mailbox. You can preview the search results, copy the search results to a discovery mailbox, or export the search results to an Outlook Data (PST) file. For step-by-step procedures for searching mailboxes, see Create an In-Place eDiscovery Search.

To run an eDiscovery search you can use the EAC, the SharePoint eDiscovery Center or the Shell. This example creates an In-Place eDiscovery search called “Discovery-Nuno” for items containing the keywords LetsExchange and ProjectX that also meet the following criteria:
• Start date: 1/1/2010
• End date: 12/31/2012
• Source mailbox: Nuno
• Target mailbox: Discovery Search Mailbox
• Message types: Email
• Log level: Full

New-MailboxSearch "Discovery-Nuno" -StartDate "1/1/2010" -EndDate "12/31/2012" -SourceMailboxes "Nuno" -TargetMailbox "Discovery Search Mailbox" -SearchQuery '"LetsExchange" AND "Project X"' -MessageTypes Email -IncludeUnsearchableItems -LogLevel Full

Important: If you don’t specify additional search parameters when running an In-Place eDiscovery search, all items in the specified source mailboxes are returned in the results. If you don’t specify mailboxes to search, all mailboxes are searched.


Permanently delete an inactive mailbox
If you no longer need to preserve the contents of an inactive mailbox, you can permanently delete the inactive mailbox by removing the In-Place Hold. If the mailbox was deleted more than 30 days ago, the mailbox will be permanently deleted after you remove the In-Place Hold, and mailbox items will become non-recoverable. If the mailbox was deleted within the last 30 days, you can still restore the mailbox after removing the hold.

Set-MailboxSearch "Hold-Nuno" -InPlaceHoldEnabled $false

Remove-MailboxSearch "Hold-Nuno"


What about On-Prem?
Well, if you think about it, licensing and costs is what mainly drove this change. With Exchange on-premise you are not paying a monthly subscription cost so this is not as relevant. If a user leaves, you can easily disable the AD account, hide the mailbox from the GAL, stop mailflow, etc., and basically get the same behavior.

To keep its content discoverable, all you need to do is keep the mailbox. As long as the mailbox is not accessed by the user, you do not require a license for it (just like resource, shared and journaling mailboxes).

Also, note that in on-premises you cannot remove mailboxes that are placed on hold.

2 comments:

  1. How is the users online archive handled? is that stored as part of the mailbox hold, or is that removed when the users account and/or license is removed.

    ReplyDelete
    Replies
    1. Hi moonblink,

      It is the same as the primary mailbox: the archive is placed under In-Place Hold and, therefore, kept even after you delete the entire mailbox. When you run an eDiscovery, it will search both the primary and the archive mailboxes :)

      Best regards,
      Nuno

      Delete