Is there a way to release the license of an user that left the company, but in the same time, to keep the mailbox?
All started with the following question: Is there a way to release the license of an user that left the company, but in the same time, to keep the mailbox?
Below you can find the steps that you should take, if you have the same question as above.
Scenario:
User1 is a cloud-only user. I’ve assigned to User1 an Office 365 Enterprise E5 license. User1 leaves the company, so, I’ll need to remove his account, but I still need to have access to his emails.
Actions to take:
# 1. Put the mailbox (which will place also the Archive), in a Litigation Hold:
Set-Mailbox User1 -LitigationHoldEnabled $True -LitigationHoldDuration Unlimited
# WARNING: The hold setting may take up to 60 minutes to take effect.
# 2. Ensure the mailbox has Litigation Hold enabled:
Get-Mailbox User1 | fl PrimarySMTPAddress, Identity, LitigationHoldEnabled, LitigationHoldDuration, MailboxPlan, PersistedCapabilities, SKUAssigned
# The results should be similar to:
# PrimarySmtpAddress : User1@contoso.com
# Identity : User1
# LitigationHoldEnabled : True
# LitigationHoldDuration : Unlimited
# MailboxPlan : ExchangeOnlineEnterprise-0527a260-bea3-46a3-9f4f-215fdd24f4d9
# PersistedCapabilities : {BPOS_S_EquivioAnalytics, BPOS_S_CustomerLockbox, BPOS_S_Analytics, BPOS_S_Enterprise}
# SKUAssigned : True
# 3. Check the number of licenses you have in total/assigned:
Get-MsolAccountSku | fl AccountSkuId, ActiveUnits, ConsumedUnits
# The results should be similar to:
# AccountSkuId : contoso:ENTERPRISEPREMIUM
# ActiveUnits : 25
# ConsumedUnits : 3
# 4. Remove the mailbox and delete the Azure AD user associated to this mailbox:
Remove-Mailbox User1
# 5. Check if the mailbox was deleted, and if the Litigation Hold is still present:
Get-Mailbox User1 -InactiveMailboxOnly | fl PrimarySMTPAddress, Identity, IsSoftDeletedByRemove, WhenSoftDeleted, LitigationHoldEnabled, LitigationHoldDuration, MailboxPlan, PersistedCapabilities, SKUAssigned
# The results should be similar to:
# PrimarySmtpAddress : User1@contoso.com
# Identity : Soft Deleted Objects\User1
# IsSoftDeletedByRemove : True
# WhenSoftDeleted : 11/2/2016 9:35:11 PM
# LitigationHoldEnabled : True
# LitigationHoldDuration : Unlimited
# MailboxPlan : ExchangeOnlineEnterprise-0527a260-bea3-46a3-9f4f-215fdd24f4d9
# PersistedCapabilities : {BPOS_S_EquivioAnalytics, BPOS_S_CustomerLockbox, BPOS_S_Analytics, BPOS_S_Enterprise}
# SKUAssigned : True
# 6. Check if the Azure AD user was deleted (can be seen in the list of Deleted users, or with a command similar to the one below):
Get-MsolUser -ReturnDeletedUsers -All | where {$_.ProxyAddresses -match "User1@contoso.com"} | fl UserPrincipalName, IsLicensed, Licenses
# The results should be similar to:
# UserPrincipalName : ExRemoved-a43d7c1ef772473fac59b37a49ce50f2@contoso.com
# IsLicensed : True
# Licenses : {contoso:ENTERPRISEPREMIUM}
# 7. Wait for 30 days to have the Azure AD user deleted from the Deleted Users list, or run a command similar with the below one in order to free up the license assigned to the user:
Get-MsolUser -ReturnDeletedUsers | where {$_.ProxyAddresses -match "User1@contoso.com"} | Remove-MsolUser -RemoveFromRecycleBin
# 8. Check if the user still exists in the Active Users, or in Deleted Users (for both commands no results should be returned):
Get-MsolUser -All | where {$_.ProxyAddresses -match "User1@contoso.com"}<br>Get-MsolUser -ReturnDeletedUsers -All | where {$_.ProxyAddresses -match "User1@contoso.com"}
# 9. Verify if the mailbox is still in the inactive state, and the Litigation Hold is still enabled (it might take up to 3 hours for Azure AD to complete the sync with Exchange Online):
Get-Mailbox User1 -InactiveMailboxOnly | fl PrimarySMTPAddress, Identity, IsSoftDeletedByRemove, WhenSoftDeleted, LitigationHoldEnabled, LitigationHoldDuration, MailboxPlan, PersistedCapabilities, SKUAssigned
# The results should be similar to (you might see empty entries for MailboxPlan, PersistedCapabilities, SKUAssigned):
# PrimarySmtpAddress : User1@contoso.com
# Identity : Soft Deleted Objects\User1
# IsSoftDeletedByRemove : True
# WhenSoftDeleted : 11/2/2016 9:35:11 PM
# LitigationHoldEnabled : True
# LitigationHoldDuration : Unlimited
# MailboxPlan : ExchangeOnlineEnterprise-0527a260-bea3-46a3-9f4f-215fdd24f4d9
# PersistedCapabilities : {BPOS_S_EquivioAnalytics, BPOS_S_CustomerLockbox, BPOS_S_Analytics, BPOS_S_Enterprise}
# SKUAssigned : True
# 10. Check again the number of licenses you have in total/assigned (the license should be released):
Get-MsolAccountSku | fl AccountSkuId, ActiveUnits, ConsumedUnits
# The results should be similar to:
# AccountSkuId : contoso:ENTERPRISEPREMIUM
# ActiveUnits : 25
# ConsumedUnits : 2
References:
More details about Litigation/In-Place Holds: https://technet.microsoft.com/en-us/library/ff637980(v=exchg.150).aspx
When you place a mailbox on In-Place Hold or Litigation Hold, the hold is placed on both the primary and the archive mailbox. If you place an on-premises primary mailbox on hold in an Exchange hybrid deployment, the cloud-based archive mailbox (if enabled) is also placed on hold.
More details about In-Place Archive: https://technet.microsoft.com/en-us/library/exchange-online-archiving-service-description.aspx
A user’s archive mailbox is intended for just that user. Microsoft reserves the right to deny unlimited archiving in instances where a user’s archive mailbox is used to store archive data for other users.
More details about Inactive Mailboxes: https://technet.microsoft.com/en-us/library/dn798632(v=exchg.150).aspx
Your organization may need to preserve former employees’ email after they leave the organization. Depending on your organization’s retention requirements, you may need to preserve mailbox content for a few months or years after employment ends, or you may need to preserve mailbox content indefinitely. Regardless of how long you need to retain email, you can archive former employees’ mailboxes in Exchange Online using inactive mailboxes, without incurring a monthly subscription cost for the mailbox.
When an employee leaves the organization, you can remove their Office 365 account. The employees’ mailbox data is preserved for 30 days after the account is removed. During this period, you can still recover the user’s data by undeleting the account. After 30 days, the data is removed permanently.
But if your organization needs to archive mailbox content for departed employees, you can turn the mailbox into an inactive mailbox by placing it on In-Place Hold or Litigation Hold and then removing the corresponding Office 365 account. The contents of an inactive mailbox are preserved for the duration of the hold that was placed on the mailbox before it was made inactive. You can still recover the corresponding user account for 30-day period. However, after 30 days, the inactive mailbox is preserved in Exchange Online until the hold is removed.
To make a mailbox inactive, it must be assigned an Exchange Online (Plan 2) license so that an In-Place Hold or a Litigation Hold can be placed on the mailbox before it's deleted. After the mailbox is deleted, the license that was associated with it will be available to assign to a new user. Inactive mailboxes don’t require ongoing licenses.
The inactive mailbox can still be searched using eDiscovery, its contents can be restored to another mailbox, or it can be recovered or deleted at a later date.
More details about how to Remove a hold from an Inactive Mailboxes: https://technet.microsoft.com/en-us/library/dn890381(v=exchg.150).aspx
An inactive mailbox is used to preserve a former employee's email after he or she leaves your organization.