When an Exchange Online mailbox is created in Office 365 it has all of the mailbox features and protocols enabled by default. This makes sense for the average Office 365 customer who doesn’t want to fiddle with settings to get basic functionality like email on mobile devices to work. But it is less suited for enterprises that have specific requirements for mailbox features that their users should have access to. For example, a business might decide that POP and IMAP access to mailboxes should be disabled by default, and only enabled for specific cases.
For some time we’ve had access to configure mailbox plans for Exchange Online mailboxes. Each tenant has a pre-configured set of mailbox plans that you can see by connecting to Exchange Online with PowerShell and running the Get-MailboxPlan cmdlet.
1 2 3 4 5 6 7 8 | PS C:\> Get-MailboxPlan | Select Name,IsDefault Name IsDefault ---- --------- ExchangeOnline-095c913d-92fa-42bf-8943-48439432cd00 False ExchangeOnlineDeskless-bbae14c5-e979-420b-988b-7105d6efa9f3 False ExchangeOnlineEnterprise-d9a554dc-79a1-41a9-a238-fc3f27ee8f97 True ExchangeOnlineEssentials-a5e5ae5a-e03e-400b-8f1d-aa723a5902ff False |
There’s been cases in the past where modifying mailbox plans was necessary to take advantage of new Office 365 capabilities. For example, two years ago Microsoft increased the maximum email message size for Exchange Online to 150MB, but kept the default maximum message size set to 35MB. To increase the maximum message size for your existing mailboxes you needed to run a Set-Mailbox command. To increase the maximum message size for newly created mailboxes you needed to modify the mailbox plan.
Now Microsoft is rolling out further enhancements to mailbox plans, per the Office 365 road map.
A limited set of configuration options are available for modifying mailbox plans, which we can see by looking at the parameters for the Set-MailboxPlan cmdlet.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 | PS C:\> (get-command set-mailboxplan).Parameters Key Value --- ----- ErrorAction System.Management.Automation.ParameterMetadata IssueWarningQuota System.Management.Automation.ParameterMetadata Force System.Management.Automation.ParameterMetadata MaxSendSize System.Management.Automation.ParameterMetadata RoleAssignmentPolicy System.Management.Automation.ParameterMetadata OutVariable System.Management.Automation.ParameterMetadata WhatIf System.Management.Automation.ParameterMetadata Verbose System.Management.Automation.ParameterMetadata RetentionPolicy System.Management.Automation.ParameterMetadata WarningVariable System.Management.Automation.ParameterMetadata Debug System.Management.Automation.ParameterMetadata Confirm System.Management.Automation.ParameterMetadata ProhibitSendQuota System.Management.Automation.ParameterMetadata OutBuffer System.Management.Automation.ParameterMetadata ErrorVariable System.Management.Automation.ParameterMetadata Identity System.Management.Automation.ParameterMetadata RetainDeletedItemsFor System.Management.Automation.ParameterMetadata ProhibitSendReceiveQuota System.Management.Automation.ParameterMetadata WarningAction System.Management.Automation.ParameterMetadata MaxReceiveSize System.Management.Automation.ParameterMetadata IsDefault System.Management.Automation.ParameterMetadata AsJob System.Management.Automation.ParameterMetadata |
Stripping out the non-generic parameters from the output above, we see that Set-MailboxPlan can be used to configure these settings for newly created mailboxes:
- IssueWarningQuota
- ProhibitSendReceiveQuota
- ProhibitSendQuota
- MaxSendSize
- MaxReceiveSize
- RoleAssignmentPolicy
- RetentionPolicy
- RetainDeletedItemsFor
There’s quite a few more parameters listed on the Set-MailboxPlan documentation on TechNet, but most of them a reserved for internal Microsoft use. Whether more of them become available to customers in future is unknown.
Another cmdlet, Set-CASMailboxPlan, can also be used to pre-configure mailbox properties. While Set-MailboxPlan manages settings that are otherwise configured by the Set-Mailbox cmdlet, the Set-CASMailboxPlan cmdlet manages settings that are otherwise configured by Set-CASMailbox. This basically includes mailbox access options, such as whether specific mailbox protocols are enabled or not.
The parameters that are currently available for Set-CASMailboxPlan are:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 | PS C:\> (get-command set-casmailboxplan).Parameters Key Value --- ----- ErrorAction System.Management.Automation.ParameterMetadata ImapEnabled System.Management.Automation.ParameterMetadata Verbose System.Management.Automation.ParameterMetadata OwaMailboxPolicy System.Management.Automation.ParameterMetadata OutVariable System.Management.Automation.ParameterMetadata WarningVariable System.Management.Automation.ParameterMetadata Debug System.Management.Automation.ParameterMetadata Confirm System.Management.Automation.ParameterMetadata ErrorVariable System.Management.Automation.ParameterMetadata Identity System.Management.Automation.ParameterMetadata OutBuffer System.Management.Automation.ParameterMetadata WarningAction System.Management.Automation.ParameterMetadata PopEnabled System.Management.Automation.ParameterMetadata ActiveSyncEnabled System.Management.Automation.ParameterMetadata WhatIf System.Management.Automation.ParameterMetadata AsJob System.Management.Automation.ParameterMetadata |
Again, stripping out the generic PowerShell parameters leaves us with these options:
- IMAPEnabled
- OWAMailboxPolicy
- POPEnabled
- ActiveSyncEnabled
Many more parameters of Set-CASMailboxPlan are reserved for internal Microsoft use, including useful parameters like setting EWS block lists.
As with mailbox plans, each tenant is pre-configured with a set of CAS mailbox plans that you can view by running Get-CASMailboxPlan.
1 2 3 4 5 6 7 8 | PS C:\> Get-CASMailboxPlan | Select Name,IsDefault Name IsDefault ---- --------- ExchangeOnline-095c913d-92fa-42bf-8943-48439432cd00 ExchangeOnlineDeskless-bbae14c5-e979-420b-988b-7105d6efa9f3 ExchangeOnlineEnterprise-d9a554dc-79a1-41a9-a238-fc3f27ee8f97 ExchangeOnlineEssentials-a5e5ae5a-e03e-400b-8f1d-aa723a5902ff |
There is no IsDefault property for CAS mailbox plans, unlike mailbox plans. However the names and GUIDs match, and I assume that when a mailbox plan is assigned to a mailbox that the matching CAS mailbox plan is also applied. There is little sense in de-coupling the two.
As with mailbox plans, CAS mailbox plans take effect for newly created mailboxes, not for existing mailboxes. For example, let’s take a look at the IMAP protocol status for the existing mailbox user Jane Tulley.
1 2 3 4 5 6 7 8 9 | PS C:\> Get-CASMailbox Jane.Tulley | Select Imap* ImapEnabled : True ImapUseProtocolDefaults : True ImapMessagesRetrievalMimeFormat : BestBodyFormat ImapEnableExactRFC822Size : False ImapSuppressReadReceipt : False ImapForceICalForCalendarRetrievalOption : False |
The IMAP protocol is enabled for Jane’s mailbox. If we then set the CAS mailbox plan to disable IMAP, it has no effect on Jane as an existing mailbox user.
1 2 3 4 5 6 7 8 9 10 11 | PS C:\> set-CASMailboxPlan ExchangeOnlineEnterprise-d9a554dc-79a1-41a9-a238-fc3f27ee8f97 -ImapEnabled:$false PS C:\> Get-CASMailbox Jane.Tulley | Select Imap* ImapEnabled : True ImapUseProtocolDefaults : True ImapMessagesRetrievalMimeFormat : BestBodyFormat ImapEnableExactRFC822Size : False ImapSuppressReadReceipt : False ImapForceICalForCalendarRetrievalOption : False |
For a mailbox created after the CAS mailbox plan was modified, the IMAP protocol is disabled.
1 2 3 4 5 6 7 8 9 | PS C:\> Get-CASMailbox TestUser10 | Select Imap* ImapEnabled : False ImapUseProtocolDefaults : True ImapMessagesRetrievalMimeFormat : BestBodyFormat ImapEnableExactRFC822Size : False ImapSuppressReadReceipt : False ImapForceICalForCalendarRetrievalOption : False |
What this means is that you can use mailbox plans and CAS mailbox plans to control how your newly created mailboxes are configured, at least for a limited set of options. However you can’t use mailbox plans to roll out broad changes to mailbox configurations. For that you will need to write your own PowerShell commands or scripts to make the changes to existing mailboxes. Also, mailbox plans can’t be relied upon to re-enforce mailbox configurations to ensure they remain compliant with your organization’s policies. For that you will need to write your own scripts to scan and remediate any mailbox configurations that drift away from your desired settings.
Hi Paul,
even this is quite an “old” article i’m struggling with MailboxPlans in relation to shared mailboxes or even contact objects.
Do the mailbox plans also apply for newly created shared mailboxes and/or contact objects ?
How to control which plan is applied since shared mailboxes or contact objects don’t require a license ?
Unfortunately, i was not able to find anything across the internet related to this question :/
Thanks very much in advance.
Thank you. I was wondering how to disable for new accounts. With your help, I decided to run:
Get-CASMailboxPlan | Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false
Oddly enough, the MailboxPlan that isDefault $true is not the mailboxplan that existing or even new accounts in my tenant are using. So I recommend setting the values in all the plans just to cover yourself.
For those looking to disable POP, IMAP, and Authenticated SMTP in one fell swoop…
Disable POP/IMAP/ASMTP on existing mailboxes:
Get-CasMailbox | set-CasMailbox -ImapEnabled $false -PopEnabled $false -SmtpClientAuthenticationDisabled $true
Disable ASMTP org-wide (this handles it dynamically for new mailboxes):
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
Disable POP/IMAP dynamically for new mailboxes:
Get-CASMailboxPlan | Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false
It should be that easy… and I’m not sure why Microsoft hasn’t seemed to have documented all of this in the same spot… of course make sure this is what you really want to do before you run those commands. Based on the compromised credential attacks (and attempts using passwords similar to those compromised in the past), we had to disable these legacy protocols once and for all in our tenant.
hi
is there any way to pre-configure some features for new mailbox users like timezone or other thing, when i am adding new user mailbox i have to set it .
and is there any way to take picture profile from a folder or file automatically?
Is there any way to force the values in a mailbox plan to update on a new mailbox. I have new mailboxes that have the correct mailbox plan applied, but the retention policy in the plan still hasn’t been applied. I need to import pst files to those mailboxes, but first want to change the retention policy to the default so nothing will be deleted. First though I need the retention policy that is in the mailbox plan to apply to the mailboxes so I can change it back to the default.
Hey Paul,
So it appears the correct way to change the default MRM policy is then to just use the get/set mailboxplan cmdlets, which would only affect newly created mailboxs. The reason i am asking is because the tech net documentation says you change the Default MRM policy.
https://docs.microsoft.com/en-us/exchange/security-and-compliance/messaging-records-management/default-retention-policy
Thanks,
Robert
Is there a reason why the audit settings can’t be adjusted within a MailboxPlan?
Either they haven’t gotten around to it adding that capability yet, or they don’t plan to.
Do you guys have a script to disable IMAP/POP for existing users?
You wouldn’t need a script, just a one-liner would do it. Something like “Get-CASMailbox | Set-CASMailbox -ImapEnabled:$false”
(don’t just run that without testing and making sure you understand what it’s doing)
We have several tenancies that we look after. In one of these we have -RetentionPolicy available set through Set-MailboxPlan but this is not available in the other. Do you have an idea why this might be?
Thanks
Kerrie
Features roll out slowly across Office 365, so it might just be that some of your tenants will be waiting longer before they see it.
Would it be possible to have “-SmtpClientAuthenticationDisabled $true” by default in the set-casmailboxplan ?
Set-CasMailboxPlan doesn’t have a parameter for setting that option at this time, so no.
Which mailbox plan is used during the migration of a mailbox from on-prem?
I there an option to build a own mailbox plan? For example I would like to use powershell to create users. During creation I would like to vie VIP user the VIP Plan and my normal users the restricted plan (with 5GB mailfile).
Currently I need to use two powershell commands… i need to create the mailbox, wait until it is created then I need to set the quota. This is quite time consuming and IĀ“m searching for a better option.
Not at this time. If you have repetitive tasks like that you can make life a little easier by scripting/automating the steps.
Paul,
Thanks for the post.I have been looking for “How to enabled Archive by default for new users?”. If you could write and publish an article on that. That would be much helpful.
I was wondering lately if it is also possible to set Archiving to be enabled by default. This would be very nice š
Enabled by default, no. But you can add it to your provisioning scripts pretty easily.