• Home
  • Topics
    • Office 365
    • Teams
    • SharePoint Online
    • Exchange 2019
    • Exchange 2016
    • Exchange 2013
    • Hybrid
    • Certificates
    • PowerShell
    • Migration
    • Security
    • Azure
  • Blog
  • Podcast
  • Webinars
  • Books
  • About
  • Videos
    • Interview Videos
    • How To Guide Videos
  • Subscribe
    • Facebook
    • Twitter
    • RSS
    • YouTube

Practical 365

You are here: Home / Exchange Online / Controlling Exchange Online Mailbox Features with Mailbox Plans

Controlling Exchange Online Mailbox Features with Mailbox Plans

May 9, 2017 by Paul Cunningham 20 Comments

When an Exchange Online mailbox is created in Office 365 it has all of the mailbox features and protocols enabled by default. This makes sense for the average Office 365 customer who doesn’t want to fiddle with settings to get basic functionality like email on mobile devices to work. But it is less suited for enterprises that have specific requirements for mailbox features that their users should have access to. For example, a business might decide that POP and IMAP access to mailboxes should be disabled by default, and only enabled for specific cases.

For some time we’ve had access to configure mailbox plans for Exchange Online mailboxes. Each tenant has a pre-configured set of mailbox plans that you can see by connecting to Exchange Online with PowerShell and running the Get-MailboxPlan cmdlet.

1
2
3
4
5
6
7
8
PS C:\> Get-MailboxPlan | Select Name,IsDefault
 
Name                                                          IsDefault
----                                                          ---------
ExchangeOnline-095c913d-92fa-42bf-8943-48439432cd00               False
ExchangeOnlineDeskless-bbae14c5-e979-420b-988b-7105d6efa9f3       False
ExchangeOnlineEnterprise-d9a554dc-79a1-41a9-a238-fc3f27ee8f97      True
ExchangeOnlineEssentials-a5e5ae5a-e03e-400b-8f1d-aa723a5902ff     False


There’s been cases in the past where modifying mailbox plans was necessary to take advantage of new Office 365 capabilities. For example, two years ago Microsoft increased the maximum email message size for Exchange Online to 150MB, but kept the default maximum message size set to 35MB. To increase the maximum message size for your existing mailboxes you needed to run a Set-Mailbox command. To increase the maximum message size for newly created mailboxes you needed to modify the mailbox plan.

Now Microsoft is rolling out further enhancements to mailbox plans, per the Office 365 road map.

Controlling Exchange Online Mailbox Features with Mailbox Plans

A limited set of configuration options are available for modifying mailbox plans, which we can see by looking at the parameters for the Set-MailboxPlan cmdlet.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
PS C:\> (get-command set-mailboxplan).Parameters
 
Key                      Value
---                      -----
ErrorAction              System.Management.Automation.ParameterMetadata
IssueWarningQuota        System.Management.Automation.ParameterMetadata
Force                    System.Management.Automation.ParameterMetadata
MaxSendSize              System.Management.Automation.ParameterMetadata
RoleAssignmentPolicy     System.Management.Automation.ParameterMetadata
OutVariable              System.Management.Automation.ParameterMetadata
WhatIf                   System.Management.Automation.ParameterMetadata
Verbose                  System.Management.Automation.ParameterMetadata
RetentionPolicy          System.Management.Automation.ParameterMetadata
WarningVariable          System.Management.Automation.ParameterMetadata
Debug                    System.Management.Automation.ParameterMetadata
Confirm                  System.Management.Automation.ParameterMetadata
ProhibitSendQuota        System.Management.Automation.ParameterMetadata
OutBuffer                System.Management.Automation.ParameterMetadata
ErrorVariable            System.Management.Automation.ParameterMetadata
Identity                 System.Management.Automation.ParameterMetadata
RetainDeletedItemsFor    System.Management.Automation.ParameterMetadata
ProhibitSendReceiveQuota System.Management.Automation.ParameterMetadata
WarningAction            System.Management.Automation.ParameterMetadata
MaxReceiveSize           System.Management.Automation.ParameterMetadata
IsDefault                System.Management.Automation.ParameterMetadata
AsJob                    System.Management.Automation.ParameterMetadata


Stripping out the non-generic parameters from the output above, we see that Set-MailboxPlan can be used to configure these settings for newly created mailboxes:

  • IssueWarningQuota
  • ProhibitSendReceiveQuota
  • ProhibitSendQuota
  • MaxSendSize
  • MaxReceiveSize
  • RoleAssignmentPolicy
  • RetentionPolicy
  • RetainDeletedItemsFor

There’s quite a few more parameters listed on the Set-MailboxPlan documentation on TechNet, but most of them a reserved for internal Microsoft use. Whether more of them become available to customers in future is unknown.

Another cmdlet, Set-CASMailboxPlan, can also be used to pre-configure mailbox properties. While Set-MailboxPlan manages settings that are otherwise configured by the Set-Mailbox cmdlet, the Set-CASMailboxPlan cmdlet manages settings that are otherwise configured by Set-CASMailbox. This basically includes mailbox access options, such as whether specific mailbox protocols are enabled or not.

The parameters that are currently available for Set-CASMailboxPlan are:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
PS C:\> (get-command set-casmailboxplan).Parameters
 
Key               Value
---               -----
ErrorAction       System.Management.Automation.ParameterMetadata
ImapEnabled       System.Management.Automation.ParameterMetadata
Verbose           System.Management.Automation.ParameterMetadata
OwaMailboxPolicy  System.Management.Automation.ParameterMetadata
OutVariable       System.Management.Automation.ParameterMetadata
WarningVariable   System.Management.Automation.ParameterMetadata
Debug             System.Management.Automation.ParameterMetadata
Confirm           System.Management.Automation.ParameterMetadata
ErrorVariable     System.Management.Automation.ParameterMetadata
Identity          System.Management.Automation.ParameterMetadata
OutBuffer         System.Management.Automation.ParameterMetadata
WarningAction     System.Management.Automation.ParameterMetadata
PopEnabled        System.Management.Automation.ParameterMetadata
ActiveSyncEnabled System.Management.Automation.ParameterMetadata
WhatIf            System.Management.Automation.ParameterMetadata
AsJob             System.Management.Automation.ParameterMetadata


Again, stripping out the generic PowerShell parameters leaves us with these options:

  • IMAPEnabled
  • OWAMailboxPolicy
  • POPEnabled
  • ActiveSyncEnabled

Many more parameters of Set-CASMailboxPlan are reserved for internal Microsoft use, including useful parameters like setting EWS block lists.

As with mailbox plans, each tenant is pre-configured with a set of CAS mailbox plans that you can view by running Get-CASMailboxPlan.

1
2
3
4
5
6
7
8
PS C:\> Get-CASMailboxPlan | Select Name,IsDefault
 
Name                                                          IsDefault
----                                                          ---------
ExchangeOnline-095c913d-92fa-42bf-8943-48439432cd00
ExchangeOnlineDeskless-bbae14c5-e979-420b-988b-7105d6efa9f3
ExchangeOnlineEnterprise-d9a554dc-79a1-41a9-a238-fc3f27ee8f97
ExchangeOnlineEssentials-a5e5ae5a-e03e-400b-8f1d-aa723a5902ff


There is no IsDefault property for CAS mailbox plans, unlike mailbox plans. However the names and GUIDs match, and I assume that when a mailbox plan is assigned to a mailbox that the matching CAS mailbox plan is also applied. There is little sense in de-coupling the two.

As with mailbox plans, CAS mailbox plans take effect for newly created mailboxes, not for existing mailboxes. For example, let’s take a look at the IMAP protocol status for the existing mailbox user Jane Tulley.

1
2
3
4
5
6
7
8
9
PS C:\> Get-CASMailbox Jane.Tulley | Select Imap*
 
 
ImapEnabled                             : True
ImapUseProtocolDefaults                 : True
ImapMessagesRetrievalMimeFormat         : BestBodyFormat
ImapEnableExactRFC822Size               : False
ImapSuppressReadReceipt                 : False
ImapForceICalForCalendarRetrievalOption : False


The IMAP protocol is enabled for Jane’s mailbox. If we then set the CAS mailbox plan to disable IMAP, it has no effect on Jane as an existing mailbox user.

1
2
3
4
5
6
7
8
9
10
11
PS C:\> set-CASMailboxPlan ExchangeOnlineEnterprise-d9a554dc-79a1-41a9-a238-fc3f27ee8f97 -ImapEnabled:$false
 
PS C:\> Get-CASMailbox Jane.Tulley | Select Imap*
 
 
ImapEnabled                             : True
ImapUseProtocolDefaults                 : True
ImapMessagesRetrievalMimeFormat         : BestBodyFormat
ImapEnableExactRFC822Size               : False
ImapSuppressReadReceipt                 : False
ImapForceICalForCalendarRetrievalOption : False


For a mailbox created after the CAS mailbox plan was modified, the IMAP protocol is disabled.

1
2
3
4
5
6
7
8
9
PS C:\> Get-CASMailbox TestUser10 | Select Imap*
 
 
ImapEnabled                             : False
ImapUseProtocolDefaults                 : True
ImapMessagesRetrievalMimeFormat         : BestBodyFormat
ImapEnableExactRFC822Size               : False
ImapSuppressReadReceipt                 : False
ImapForceICalForCalendarRetrievalOption : False


What this means is that you can use mailbox plans and CAS mailbox plans to control how your newly created mailboxes are configured, at least for a limited set of options. However you can’t use mailbox plans to roll out broad changes to mailbox configurations. For that you will need to write your own PowerShell commands or scripts to make the changes to existing mailboxes. Also, mailbox plans can’t be relied upon to re-enforce mailbox configurations to ensure they remain compliant with your organization’s policies. For that you will need to write your own scripts to scan and remediate any mailbox configurations that drift away from your desired settings.

Exchange Online Mailbox Plans

Comments

  1. tobias schrade says

    April 29, 2020 at 9:59 pm

    Hi Paul,
    even this is quite an “old” article i’m struggling with MailboxPlans in relation to shared mailboxes or even contact objects.
    Do the mailbox plans also apply for newly created shared mailboxes and/or contact objects ?
    How to control which plan is applied since shared mailboxes or contact objects don’t require a license ?
    Unfortunately, i was not able to find anything across the internet related to this question :/

    Thanks very much in advance.

    Reply
  2. Vince K. says

    January 24, 2020 at 5:51 am

    Thank you. I was wondering how to disable for new accounts. With your help, I decided to run:
    Get-CASMailboxPlan | Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false

    Oddly enough, the MailboxPlan that isDefault $true is not the mailboxplan that existing or even new accounts in my tenant are using. So I recommend setting the values in all the plans just to cover yourself.

    For those looking to disable POP, IMAP, and Authenticated SMTP in one fell swoop…

    Disable POP/IMAP/ASMTP on existing mailboxes:
    Get-CasMailbox | set-CasMailbox -ImapEnabled $false -PopEnabled $false -SmtpClientAuthenticationDisabled $true

    Disable ASMTP org-wide (this handles it dynamically for new mailboxes):
    Set-TransportConfig -SmtpClientAuthenticationDisabled $true

    Disable POP/IMAP dynamically for new mailboxes:
    Get-CASMailboxPlan | Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false

    It should be that easy… and I’m not sure why Microsoft hasn’t seemed to have documented all of this in the same spot… of course make sure this is what you really want to do before you run those commands. Based on the compromised credential attacks (and attempts using passwords similar to those compromised in the past), we had to disable these legacy protocols once and for all in our tenant.

    Reply
  3. ngs says

    July 5, 2019 at 8:40 am

    hi
    is there any way to pre-configure some features for new mailbox users like timezone or other thing, when i am adding new user mailbox i have to set it .
    and is there any way to take picture profile from a folder or file automatically?

    Reply
  4. Holly Williams says

    September 29, 2018 at 1:28 am

    Is there any way to force the values in a mailbox plan to update on a new mailbox. I have new mailboxes that have the correct mailbox plan applied, but the retention policy in the plan still hasn’t been applied. I need to import pst files to those mailboxes, but first want to change the retention policy to the default so nothing will be deleted. First though I need the retention policy that is in the mailbox plan to apply to the mailboxes so I can change it back to the default.

    Reply
  5. Robert Bollinger says

    July 12, 2018 at 12:15 am

    Hey Paul,

    So it appears the correct way to change the default MRM policy is then to just use the get/set mailboxplan cmdlets, which would only affect newly created mailboxs. The reason i am asking is because the tech net documentation says you change the Default MRM policy.

    https://docs.microsoft.com/en-us/exchange/security-and-compliance/messaging-records-management/default-retention-policy

    Thanks,

    Robert

    Reply
  6. Juergen Wittmann says

    June 21, 2018 at 4:29 pm

    Is there a reason why the audit settings can’t be adjusted within a MailboxPlan?

    Reply
    • Paul Cunningham says

      June 21, 2018 at 9:47 pm

      Either they haven’t gotten around to it adding that capability yet, or they don’t plan to.

      Reply
  7. Double Eye says

    May 26, 2018 at 2:24 am

    Do you guys have a script to disable IMAP/POP for existing users?

    Reply
    • Paul Cunningham says

      May 26, 2018 at 3:55 pm

      You wouldn’t need a script, just a one-liner would do it. Something like “Get-CASMailbox | Set-CASMailbox -ImapEnabled:$false”

      (don’t just run that without testing and making sure you understand what it’s doing)

      Reply
  8. Kerrie Stevenson says

    May 14, 2018 at 1:48 pm

    We have several tenancies that we look after. In one of these we have -RetentionPolicy available set through Set-MailboxPlan but this is not available in the other. Do you have an idea why this might be?

    Thanks
    Kerrie

    Reply
    • Paul Cunningham says

      May 14, 2018 at 2:22 pm

      Features roll out slowly across Office 365, so it might just be that some of your tenants will be waiting longer before they see it.

      Reply
  9. Dan says

    May 4, 2018 at 2:36 am

    Would it be possible to have “-SmtpClientAuthenticationDisabled $true” by default in the set-casmailboxplan ?

    Reply
    • Paul Cunningham says

      May 4, 2018 at 10:01 am

      Set-CasMailboxPlan doesn’t have a parameter for setting that option at this time, so no.

      Reply
  10. Jeff Taylor says

    February 27, 2018 at 2:12 am

    Which mailbox plan is used during the migration of a mailbox from on-prem?

    Reply
  11. Bernd Webster says

    February 23, 2018 at 12:42 am

    I there an option to build a own mailbox plan? For example I would like to use powershell to create users. During creation I would like to vie VIP user the VIP Plan and my normal users the restricted plan (with 5GB mailfile).

    Currently I need to use two powershell commands… i need to create the mailbox, wait until it is created then I need to set the quota. This is quite time consuming and IĀ“m searching for a better option.

    Reply
    • Paul Cunningham says

      February 23, 2018 at 6:27 am

      Not at this time. If you have repetitive tasks like that you can make life a little easier by scripting/automating the steps.

      Reply
  12. Vemaiah Bandi says

    September 25, 2017 at 8:08 pm

    Paul,
    Thanks for the post.I have been looking for “How to enabled Archive by default for new users?”. If you could write and publish an article on that. That would be much helpful.

    Reply
  13. Martin says

    August 19, 2017 at 6:17 pm

    I was wondering lately if it is also possible to set Archiving to be enabled by default. This would be very nice šŸ™‚

    Reply
    • Paul Cunningham says

      August 21, 2017 at 1:00 pm

      Enabled by default, no. But you can add it to your provisioning scripts pretty easily.

      Reply

Leave a Reply Cancel reply

You have to agree to the comment policy.

Recent Articles

  • Microsoft Launches Group Ownership Governance Policy
  • Making the Case for Identity GovernanceĀ in Azure Active Directory
  • Prepare an Office 365 migration plan assessment using PowerShell
  • Microsoft Releases May 2022 Exchange Server Security Updates
  • New Future of Work for Microsoft 365, IOT and more: Practical 365 Podcast S3 Ep. 2

Copyright © 2022 Quadrotech Solutions AG · Disclosure · Privacy Policy
Alpenstrasse 15, 6304 Zug, Switzerland