When an Exchange Online mailbox is created in Office 365 it has all of the mailbox features and protocols enabled by default. This makes sense for the average Office 365 customer who doesn’t want to fiddle with settings to get basic functionality like email on mobile devices to work. But it is less suited for enterprises that have specific requirements for mailbox features that their users should have access to. For example, a business might decide that POP and IMAP access to mailboxes should be disabled by default, and only enabled for specific cases.

For some time we’ve had access to configure mailbox plans for Exchange Online mailboxes. Each tenant has a pre-configured set of mailbox plans that you can see by connecting to Exchange Online with PowerShell and running the Get-MailboxPlan cmdlet.

PS C:\> Get-MailboxPlan | Select Name,IsDefault

Name                                                          IsDefault
----                                                          ---------
ExchangeOnline-095c913d-92fa-42bf-8943-48439432cd00               False
ExchangeOnlineDeskless-bbae14c5-e979-420b-988b-7105d6efa9f3       False
ExchangeOnlineEnterprise-d9a554dc-79a1-41a9-a238-fc3f27ee8f97      True
ExchangeOnlineEssentials-a5e5ae5a-e03e-400b-8f1d-aa723a5902ff     False

There’s been cases in the past where modifying mailbox plans was necessary to take advantage of new Office 365 capabilities. For example, two years ago Microsoft increased the maximum email message size for Exchange Online to 150MB, but kept the default maximum message size set to 35MB. To increase the maximum message size for your existing mailboxes you needed to run a Set-Mailbox command. To increase the maximum message size for newly created mailboxes you needed to modify the mailbox plan.

Now Microsoft is rolling out further enhancements to mailbox plans, per the Office 365 road map.

Controlling Exchange Online Mailbox Features with Mailbox Plans

A limited set of configuration options are available for modifying mailbox plans, which we can see by looking at the parameters for the Set-MailboxPlan cmdlet.

PS C:\> (get-command set-mailboxplan).Parameters

Key                      Value
---                      -----
ErrorAction              System.Management.Automation.ParameterMetadata
IssueWarningQuota        System.Management.Automation.ParameterMetadata
Force                    System.Management.Automation.ParameterMetadata
MaxSendSize              System.Management.Automation.ParameterMetadata
RoleAssignmentPolicy     System.Management.Automation.ParameterMetadata
OutVariable              System.Management.Automation.ParameterMetadata
WhatIf                   System.Management.Automation.ParameterMetadata
Verbose                  System.Management.Automation.ParameterMetadata
RetentionPolicy          System.Management.Automation.ParameterMetadata
WarningVariable          System.Management.Automation.ParameterMetadata
Debug                    System.Management.Automation.ParameterMetadata
Confirm                  System.Management.Automation.ParameterMetadata
ProhibitSendQuota        System.Management.Automation.ParameterMetadata
OutBuffer                System.Management.Automation.ParameterMetadata
ErrorVariable            System.Management.Automation.ParameterMetadata
Identity                 System.Management.Automation.ParameterMetadata
RetainDeletedItemsFor    System.Management.Automation.ParameterMetadata
ProhibitSendReceiveQuota System.Management.Automation.ParameterMetadata
WarningAction            System.Management.Automation.ParameterMetadata
MaxReceiveSize           System.Management.Automation.ParameterMetadata
IsDefault                System.Management.Automation.ParameterMetadata
AsJob                    System.Management.Automation.ParameterMetadata

Stripping out the non-generic parameters from the output above, we see that Set-MailboxPlan can be used to configure these settings for newly created mailboxes:

  • IssueWarningQuota
  • ProhibitSendReceiveQuota
  • ProhibitSendQuota
  • MaxSendSize
  • MaxReceiveSize
  • RoleAssignmentPolicy
  • RetentionPolicy
  • RetainDeletedItemsFor

There’s quite a few more parameters listed on the Set-MailboxPlan documentation on TechNet, but most of them a reserved for internal Microsoft use. Whether more of them become available to customers in future is unknown.

Another cmdlet, Set-CASMailboxPlan, can also be used to pre-configure mailbox properties. While Set-MailboxPlan manages settings that are otherwise configured by the Set-Mailbox cmdlet, the Set-CASMailboxPlan cmdlet manages settings that are otherwise configured by Set-CASMailbox. This basically includes mailbox access options, such as whether specific mailbox protocols are enabled or not.

The parameters that are currently available for Set-CASMailboxPlan are:

PS C:\> (get-command set-casmailboxplan).Parameters

Key               Value
---               -----
ErrorAction       System.Management.Automation.ParameterMetadata
ImapEnabled       System.Management.Automation.ParameterMetadata
Verbose           System.Management.Automation.ParameterMetadata
OwaMailboxPolicy  System.Management.Automation.ParameterMetadata
OutVariable       System.Management.Automation.ParameterMetadata
WarningVariable   System.Management.Automation.ParameterMetadata
Debug             System.Management.Automation.ParameterMetadata
Confirm           System.Management.Automation.ParameterMetadata
ErrorVariable     System.Management.Automation.ParameterMetadata
Identity          System.Management.Automation.ParameterMetadata
OutBuffer         System.Management.Automation.ParameterMetadata
WarningAction     System.Management.Automation.ParameterMetadata
PopEnabled        System.Management.Automation.ParameterMetadata
ActiveSyncEnabled System.Management.Automation.ParameterMetadata
WhatIf            System.Management.Automation.ParameterMetadata
AsJob             System.Management.Automation.ParameterMetadata

Again, stripping out the generic PowerShell parameters leaves us with these options:

  • IMAPEnabled
  • OWAMailboxPolicy
  • POPEnabled
  • ActiveSyncEnabled

Many more parameters of Set-CASMailboxPlan are reserved for internal Microsoft use, including useful parameters like setting EWS block lists.

As with mailbox plans, each tenant is pre-configured with a set of CAS mailbox plans that you can view by running Get-CASMailboxPlan.

PS C:\> Get-CASMailboxPlan | Select Name,IsDefault

Name                                                          IsDefault
----                                                          ---------
ExchangeOnline-095c913d-92fa-42bf-8943-48439432cd00
ExchangeOnlineDeskless-bbae14c5-e979-420b-988b-7105d6efa9f3
ExchangeOnlineEnterprise-d9a554dc-79a1-41a9-a238-fc3f27ee8f97
ExchangeOnlineEssentials-a5e5ae5a-e03e-400b-8f1d-aa723a5902ff

There is no IsDefault property for CAS mailbox plans, unlike mailbox plans. However the names and GUIDs match, and I assume that when a mailbox plan is assigned to a mailbox that the matching CAS mailbox plan is also applied. There is little sense in de-coupling the two.

As with mailbox plans, CAS mailbox plans take effect for newly created mailboxes, not for existing mailboxes. For example, let’s take a look at the IMAP protocol status for the existing mailbox user Jane Tulley.

PS C:\> Get-CASMailbox Jane.Tulley | Select Imap*


ImapEnabled                             : True
ImapUseProtocolDefaults                 : True
ImapMessagesRetrievalMimeFormat         : BestBodyFormat
ImapEnableExactRFC822Size               : False
ImapSuppressReadReceipt                 : False
ImapForceICalForCalendarRetrievalOption : False

The IMAP protocol is enabled for Jane’s mailbox. If we then set the CAS mailbox plan to disable IMAP, it has no effect on Jane as an existing mailbox user.

PS C:\> set-CASMailboxPlan ExchangeOnlineEnterprise-d9a554dc-79a1-41a9-a238-fc3f27ee8f97 -ImapEnabled:$false

PS C:\> Get-CASMailbox Jane.Tulley | Select Imap*


ImapEnabled                             : True
ImapUseProtocolDefaults                 : True
ImapMessagesRetrievalMimeFormat         : BestBodyFormat
ImapEnableExactRFC822Size               : False
ImapSuppressReadReceipt                 : False
ImapForceICalForCalendarRetrievalOption : False

For a mailbox created after the CAS mailbox plan was modified, the IMAP protocol is disabled.

PS C:\> Get-CASMailbox TestUser10 | Select Imap*


ImapEnabled                             : False
ImapUseProtocolDefaults                 : True
ImapMessagesRetrievalMimeFormat         : BestBodyFormat
ImapEnableExactRFC822Size               : False
ImapSuppressReadReceipt                 : False
ImapForceICalForCalendarRetrievalOption : False

What this means is that you can use mailbox plans and CAS mailbox plans to control how your newly created mailboxes are configured, at least for a limited set of options. However you can’t use mailbox plans to roll out broad changes to mailbox configurations. For that you will need to write your own PowerShell commands or scripts to make the changes to existing mailboxes. Also, mailbox plans can’t be relied upon to re-enforce mailbox configurations to ensure they remain compliant with your organization’s policies. For that you will need to write your own scripts to scan and remediate any mailbox configurations that drift away from your desired settings.

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. tobias schrade

    Hi Paul,
    even this is quite an “old” article i’m struggling with MailboxPlans in relation to shared mailboxes or even contact objects.
    Do the mailbox plans also apply for newly created shared mailboxes and/or contact objects ?
    How to control which plan is applied since shared mailboxes or contact objects don’t require a license ?
    Unfortunately, i was not able to find anything across the internet related to this question :/

    Thanks very much in advance.

  2. Vince K.

    Thank you. I was wondering how to disable for new accounts. With your help, I decided to run:
    Get-CASMailboxPlan | Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false

    Oddly enough, the MailboxPlan that isDefault $true is not the mailboxplan that existing or even new accounts in my tenant are using. So I recommend setting the values in all the plans just to cover yourself.

    For those looking to disable POP, IMAP, and Authenticated SMTP in one fell swoop…

    Disable POP/IMAP/ASMTP on existing mailboxes:
    Get-CasMailbox | set-CasMailbox -ImapEnabled $false -PopEnabled $false -SmtpClientAuthenticationDisabled $true

    Disable ASMTP org-wide (this handles it dynamically for new mailboxes):
    Set-TransportConfig -SmtpClientAuthenticationDisabled $true

    Disable POP/IMAP dynamically for new mailboxes:
    Get-CASMailboxPlan | Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false

    It should be that easy… and I’m not sure why Microsoft hasn’t seemed to have documented all of this in the same spot… of course make sure this is what you really want to do before you run those commands. Based on the compromised credential attacks (and attempts using passwords similar to those compromised in the past), we had to disable these legacy protocols once and for all in our tenant.

  3. ngs

    hi
    is there any way to pre-configure some features for new mailbox users like timezone or other thing, when i am adding new user mailbox i have to set it .
    and is there any way to take picture profile from a folder or file automatically?

  4. Holly Williams

    Is there any way to force the values in a mailbox plan to update on a new mailbox. I have new mailboxes that have the correct mailbox plan applied, but the retention policy in the plan still hasn’t been applied. I need to import pst files to those mailboxes, but first want to change the retention policy to the default so nothing will be deleted. First though I need the retention policy that is in the mailbox plan to apply to the mailboxes so I can change it back to the default.

  5. Juergen Wittmann

    Is there a reason why the audit settings can’t be adjusted within a MailboxPlan?

    1. Avatar photo
      Paul Cunningham

      Either they haven’t gotten around to it adding that capability yet, or they don’t plan to.

  6. Double Eye

    Do you guys have a script to disable IMAP/POP for existing users?

    1. Avatar photo
      Paul Cunningham

      You wouldn’t need a script, just a one-liner would do it. Something like “Get-CASMailbox | Set-CASMailbox -ImapEnabled:$false”

      (don’t just run that without testing and making sure you understand what it’s doing)

  7. Kerrie Stevenson

    We have several tenancies that we look after. In one of these we have -RetentionPolicy available set through Set-MailboxPlan but this is not available in the other. Do you have an idea why this might be?

    Thanks
    Kerrie

    1. Avatar photo
      Paul Cunningham

      Features roll out slowly across Office 365, so it might just be that some of your tenants will be waiting longer before they see it.

  8. Dan

    Would it be possible to have “-SmtpClientAuthenticationDisabled $true” by default in the set-casmailboxplan ?

    1. Avatar photo
      Paul Cunningham

      Set-CasMailboxPlan doesn’t have a parameter for setting that option at this time, so no.

  9. Jeff Taylor

    Which mailbox plan is used during the migration of a mailbox from on-prem?

  10. Bernd Webster

    I there an option to build a own mailbox plan? For example I would like to use powershell to create users. During creation I would like to vie VIP user the VIP Plan and my normal users the restricted plan (with 5GB mailfile).

    Currently I need to use two powershell commands… i need to create the mailbox, wait until it is created then I need to set the quota. This is quite time consuming and I´m searching for a better option.

    1. Avatar photo
      Paul Cunningham

      Not at this time. If you have repetitive tasks like that you can make life a little easier by scripting/automating the steps.

  11. Vemaiah Bandi

    Paul,
    Thanks for the post.I have been looking for “How to enabled Archive by default for new users?”. If you could write and publish an article on that. That would be much helpful.

  12. Martin

    I was wondering lately if it is also possible to set Archiving to be enabled by default. This would be very nice 🙂

    1. Avatar photo
      Paul Cunningham

      Enabled by default, no. But you can add it to your provisioning scripts pretty easily.

Leave a Reply