Removing a Mailbox Seems Easy But Retention Can Cause Difficulties

A reader asked what’s the best way to permanently remove an Exchange Online mailbox. On the surface, the answer is easy: delete the mailbox to put it into a soft-deleted state, and then delete the mailbox permanently. At least, that’s the theory. As it turns out, Microsoft 365 Purview compliance policies can make the process more complicated, as we will explore here.

Before starting, let me make the point that removing a mailbox while compliance policies are in force is not something to do without authorization. There’s a reason why organizations use compliance policies, and if you go ahead and permanently remove a mailbox, you remove that mailbox’s content from search indexes and make the items invisible to eDiscovery. Make sure that the paperwork is in place before you remove anything that the organization retains for compliance purposes.

Remove the Azure AD account

The usual starting point for removing an Exchange Online mailbox is to delete the owner’s Azure AD account. This action places the account in the Azure AD recycle bin and puts the mailbox into a soft-deleted state. The account remains in the recycle bin for 30 days, after which Azure AD permanently removes the account. It is not possible to remove a soft-deleted mailbox while its Azure AD account still exists, so the first step in the removal process is the permanent removal of the Azure AD account. You can either wait for the 30 days to lapse or force the removal.

During this period, the mailbox is in a soft-deleted state. To allow recovery of the account and its mailbox, the mailbox remains connected to the deleted Azure AD account (the account’s identifier is present in the mailbox’s ExternalDirectoryObjectId property).

This code snippet uses a Graph request to find the set of soft-deleted user accounts and return the display name and identifier for each account.

# Query the Azure AD recycle bin for soft-deleted user objects
$Uri = "https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.user"
[array]$DeletedUsers = Invoke-MgGraphRequest -Uri $Uri -Method Get

# Report the display name and object identifier of each soft-deleted account
$DeletedUsers.Value.Foreach({Write-Host $_.DisplayName, $_.id})
Business Queries 423069fa-1b1c-4d99-994e-c46f4877c510
Ståle Hansen (Office 365 for IT Pros) 8aa1261a-b63e-4d5e-8acb-174879fc007a

This article covers a more sophisticated method of listing soft-deleted accounts. The important thing is to know the identifier of the account you want to force-delete. In this instance, we’ll delete the Ståle Hansen account (identifier 8aa1261a-b63e-4d5e-8acb-174879fc007a). This PowerShell command does the trick:

Remove-MgDirectoryDeletedItem -DirectoryObjectId 8aa1261a-b63e-4d5e-8acb-174879fc007a

Warning: when you permanently remove an Azure AD account, you eliminate any chance of recovering the account. It is gone to the great byte bucket in the clouds.
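As an added example (not code from the article), the following functions resolve a soft-deleted account by display name through the same Graph endpoint, report how much of the 30-day recycle-bin window is left, and only call Remove-MgDirectoryDeletedItem for a single unambiguous match. It assumes Connect-MgGraph has already been run with permission to read and delete directory objects; the display name in the usage lines is constructed.

```powershell
# Added example (not the article's own code); assumes Connect-MgGraph has been run with
# permission to read and delete directory objects. The display name in the usage lines is constructed.
function Get-SoftDeletedUser {
    param([Parameter(Mandatory)][string]$DisplayName)
    $Uri = 'https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.user' +
           '?$select=id,displayName,userPrincipalName,deletedDateTime'
    $Found = @()
    do {   # follow @odata.nextLink so large recycle bins are read completely
        $Page = Invoke-MgGraphRequest -Uri $Uri -Method Get
        $Found += @($Page.value | Where-Object { $_.displayName -eq $DisplayName })
        $Uri = $Page.'@odata.nextLink'
    } while ($Uri)
    foreach ($User in $Found) {
        $DeletedUtc = ([datetime]$User.deletedDateTime).ToUniversalTime()
        $Age = (Get-Date).ToUniversalTime() - $DeletedUtc
        [pscustomobject]@{
            Id                = $User.id
            DisplayName       = $User.displayName
            UserPrincipalName = $User.userPrincipalName
            DeletedOn         = $DeletedUtc
            DaysUntilPurge    = [math]::Max(0, 30 - [int][math]::Floor($Age.TotalDays))  # Azure AD purges after 30 days
        }
    }
}

function Remove-SoftDeletedUserPermanently {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string]$DisplayName)
    $Found = @(Get-SoftDeletedUser -DisplayName $DisplayName)
    # Display names are not unique, so refuse to act on anything but a single unambiguous match
    if ($Found.Count -ne 1) {
        throw "Expected exactly one soft-deleted user named '$DisplayName', found $($Found.Count)."
    }
    # Permanent removal cannot be undone, so ConfirmImpact High prompts unless -Confirm:$false is given
    if ($PSCmdlet.ShouldProcess($Found[0].UserPrincipalName, 'Permanently remove soft-deleted account')) {
        Remove-MgDirectoryDeletedItem -DirectoryObjectId $Found[0].Id
    }
}

# Constructed usage: report first, then remove
Get-SoftDeletedUser -DisplayName 'Example Departed User' | Format-List
Remove-SoftDeletedUserPermanently -DisplayName 'Example Departed User'
```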

Removing the Mailbox

Depending on whether some form of retention exists on the soft-deleted mailbox, removing the Azure AD account that owns a mailbox does one of two things:

  • If no hold exists on the mailbox, Exchange Online permanently removes the mailbox. This might not happen immediately, because the exact time of removal depends on when background jobs process the mailbox.
  • If any hold or retention policy exists on the mailbox, Exchange Online places the mailbox into an inactive state. The mailbox remains in this state until the last hold or retention policy (or label) governing any content in the mailbox is removed. When this happens, the mailbox leaves the inactive state and becomes a normal soft-deleted mailbox, and a countdown toward the final deletion starts. Note: in message center notification MC411428 (August 8, 2022), Microsoft announced that it will move the recovery period for inactive mailboxes from 183 days to 30 days following the removal of the last hold. The change will take effect by the end of September 2022.

Inactive mailboxes exist to make sure that Exchange Online never removes any information required for retention purposes. You do not need to license inactive mailboxes and they can remain in place for as long as necessary (obviously, the mailboxes had licenses when they were active). Some of the inactive mailboxes in my tenant go back to 2015.

You can force Exchange Online to remove a soft-deleted mailbox using the Remove-Mailbox cmdlet. If no holds are in place for the mailbox, Remove-Mailbox terminates the countdown for permanent removal and deletes the mailbox. However, if any kind of hold exists on the mailbox, Remove-Mailbox won’t work, as we see here:

$Mbx = Get-Mailbox -Identity Stale.Hansen -SoftDeletedMailbox
Remove-Mailbox -PermanentlyDelete -Identity $Mbx.DistinguishedName

Confirm
Are you sure you want to perform this action?
Removing the mailbox Identity:"Soft Deleted Objects\Stale.Hansen" will mark the mailbox and the archive, if present, for deletion. The associated Windows Live ID "Stale.Hansen@office365itpros.com" will also be deleted and will not be available for any other Windows Live service.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): y
Error on proxy command 'Remove-Mailbox -PermanentlyDelete:$True -Identity:'Soft Deleted Objects\Stale,Hansen
-Confirm:$False' to server AM9PR04MB8938.eurprd04.prod.outlook.com: Server version 15.20.5395.0000, Proxy method PSWS:
Cmdlet error with following error message:
Microsoft.Exchange.Management.Tasks.RecipientTaskException: The user mailbox couldn't be permanently deleted. The user mailbox has at least one type of hold or hold policy applied to it. Please remove the holds before trying to
delete. LitigationHoldEnabled: false, ComplianceTagHoldApplied: true, DelayHoldApplied: true,
DelayReleaseHoldApplied: true, OrganizationPolicies Applied: mbxf6a1654abdba4712a43c354e28a4d56c:2, UserPolicies Applied: 7c5feb6c-5719-4d12-96df-e70bb54b14c3, restrictivePolicies Applied: , CpsInfo: . For more information, please see the PowerShell cmdlets, Get-OrganizationConfig <>|fl inplace*, and Get-Mailbox <>|fl compl*,delay*,inplace*,litig*OrganizationPolicies Applied: 

Because of the need to check compliance policies, it can take several minutes before Remove-Mailbox returns with an error. This is not unusual. It’s just Exchange Online making sure that everything is in place to allow it to remove the mailbox.

Dealing with Compliance Policies

In this instance, Exchange Online reports that it cannot proceed because the mailbox comes within the scope of an organization retention policy (mbxf6a1654abdba4712a43c354e28a4d56c:2) and a user policy (7c5feb6c-5719-4d12-96df-e70bb54b14c3).

To check on the organization holds, run the Get-OrganizationConfig cmdlet and examine the hold identifiers. In this output, the hold identifier appears at the end of the list.

Get-OrganizationConfig | Select-Object -ExpandProperty InPlaceHolds
mbx85eb38087b2642619b79161788f5b81b:1
grp85eb38087b2642619b79161788f5b81b:1
grp5d763f9615e8424a8190b49687c65f46:1
grpfcab5f8ef3e74a778c33a744d686b010:1
mbx19200b9af08442529be070dae2fd54d3:1
grpf6a1654abdba4712a43c354e28a4d56c:1
mbxc1e2d6f1785d4bf8a7746a26e58e5f66:1
mbxf6a1654abdba4712a43c354e28a4d56c:2

To find the retention policy, remove the “mbx” prefix and the “:2” suffix from the hold identifier to end up with f6a1654abdba4712a43c354e28a4d56c. Connect to the compliance endpoint and use this value to find the retention policy:

Connect-IPPSSession
Get-RetentionCompliancePolicy -Identity f6a1654abdba4712a43c354e28a4d56c

Name                        Enabled Mode
----                        ------- ----
Company Retention Labels       True Enforce

Some retention policies only publish retention labels to mailboxes and other locations (as is the case here), so this policy does not retain anything. But to make sure that retention policies don’t stop the removal of the mailbox, you can exclude the mailbox from all organization-wide holds by running Set-Mailbox. At the same time, you should also remove the delay hold. Exchange Online applies the delay hold to mailboxes to prevent the Managed Folder Assistant from immediately removing retained information after holds are released, so it must be cleared too before the mailbox can go.

These commands exclude the soft-deleted mailbox from all organization holds and release the delay hold on regular mailbox content (RemoveDelayHoldApplied) and on compliance records (RemoveDelayReleaseHoldApplied):

Set-Mailbox -Identity $Mbx.DistinguishedName -InactiveMailbox -ExcludeFromAllOrgHolds 
Set-Mailbox -Identity $Mbx.DistinguishedName -RemoveDelayHoldApplied -InactiveMailbox
Set-Mailbox -Identity $Mbx.DistinguishedName -RemoveDelayReleaseHoldApplied -InactiveMailbox

Other retention policies might be in place to keep information stored in the mailbox. For more information, read Microsoft’s advice about how to identify and remove these holds.

If Remove-Mailbox reports that the mailbox is under an Exchange Online litigation hold, you can release it with:

Set-Mailbox -Identity $Mbx.DistinguishedName -LitigationHoldEnabled $False -InactiveMailbox

App Retention Policies

The error displayed when running Remove-Mailbox identified a hold for a user policy 7c5feb6c-5719-4d12-96df-e70bb54b14c3. Running Get-RetentionCompliancePolicy finds the policy:

Get-RetentionCompliancePolicy -Identity 7c5feb6c-5719-4d12-96df-e70bb54b14c3 -DistributionDetail | Format-Table Name, Enabled, Mode, ExchangeLocation, Applications

Name                   Enabled Mode    ExchangeLocation Applications
----                   ------- ----    ---------------- ------------
Teams Private Channels    True Enforce {All}            {User:MicrosoftTeamsChannelMessages}

This information tells us that the policy applies to all Exchange Online mailboxes. As such, you would expect that the in-place holds stored in the organization configuration would list the policy, but it’s not there. That’s because this is an app retention policy to process the compliance records created by the Microsoft 365 substrate for Teams private channel conversations.

Microsoft’s advice for retention policies covering all Exchange Online mailboxes is to add the soft-deleted mailbox as an exclusion from the policy. Usually, you add a mailbox exclusion by running the Set-AppRetentionCompliancePolicy cmdlet like this:

Set-AppRetentionCompliancePolicy -Identity "Teams Private Channels" -AddExchangeLocationException $Mbx.PrimarySmtpAddress

Unfortunately, you can’t add soft-deleted mailboxes as exclusions for app retention policies. Microsoft has acknowledged this deficiency in app retention policies and is working to fix the problem. If you have Office 365 E5 or above, you can use adaptive scopes to control retention policies applied to inactive mailboxes. However, the need still exists to exclude specific inactive mailboxes to allow their removal.

Otherwise, the only workaround is to disable the app retention policy for a time to allow the mailbox removal to proceed. It can take up to a day after disabling the policy before Exchange Online allows the mailbox deletion to proceed. After deleting the mailbox, you can re-enable the app retention policy. This is not a good situation from a compliance perspective, because every mailbox covered by the policy is unprotected while it is disabled.

Checking Holds to Find a Big Block

After taking care of all the holds, we can move forward to check the hold status of the mailbox with Get-Mailbox:

Get-Mailbox -SoftDeletedMailbox -Identity $Mbx.DistinguishedName | Format-List compl*, delay*, InPlaceHolds, LitigationHoldEnabled

ComplianceTagHoldApplied : True
DelayHoldApplied         : False
DelayReleaseHoldApplied  : False
InPlaceHolds             : {-mbxf6a1654abdba4712a43c354e28a4d56c, -mbxc1e2d6f1785d4bf8a7746a26e58e5f66, mbx19200b9af08442529be070dae2fd54d3, -mbx85eb38087b2642619b79161788f5b81b}
LitigationHoldEnabled    : False

To be able to remove the mailbox, we need a False status for all the hold types. Everything is good apart from ComplianceTagHoldApplied. This means that some items in the mailbox have retention labels. To find and remove the retention labels, you would need to recover the inactive mailbox and check all the folders and individual items, possibly by using a content search to find tagged items. Obviously, this could be a huge piece of work. Deleting the items and folders won’t work because the items will stay in the Recoverable Items structure until the end of their retention period.

Unless you know with surgical precision about which items and folders have labels, it’s probably best to leave these mailboxes alone and let the labelled items expire. Eventually, after the last item expires, the Managed Folder Assistant will delete the mailbox.

If you do end up with False for all hold types, you should be able to run Remove-Mailbox successfully.
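The hold identifiers in Get-OrganizationConfig and in the mailbox’s InPlaceHolds property follow the same pattern (prefix, policy GUID, and at the organization level a “:n” retention action), so the lookup shown in the previous sections can be automated. The following functions are an added example, not code from the article or from Microsoft: they decode each entry, resolve the policy name through the compliance endpoint, and report whether any hold type still blocks Remove-Mailbox. They assume open Connect-ExchangeOnline and Connect-IPPSSession sessions, and they treat a non-excluded entry as non-blocking only when the organization-level suffix marks the policy as delete only (:1), an assumption consistent with the output above, where mbx19200b9af08442529be070dae2fd54d3 stays listed while the remaining blocker is ComplianceTagHoldApplied.

```powershell
# Added example (not the article's own code); assumes Connect-ExchangeOnline and Connect-IPPSSession are both connected.
function ConvertFrom-InPlaceHoldId {
    param([Parameter(Mandatory)][string]$HoldId)
    # Layout: optional '-' (mailbox explicitly excluded), location prefix (mbx, grp, skp), 32 hex digits of the policy GUID, optional ':n' action (1 delete only, 2 hold only, 3 both)
    if ($HoldId -notmatch '^(?<excl>-?)(?<prefix>[a-z]+)(?<guid>[0-9a-f]{32})(?::(?<action>[123]))?$') {
        return $null   # other layouts (for example eDiscovery case holds) are left undecoded
    }
    $ActionNames = @{ '1' = 'DeleteOnly'; '2' = 'HoldOnly'; '3' = 'HoldAndDelete' }
    $Action = if ($Matches['action']) { $ActionNames[$Matches['action']] }
    [pscustomobject]@{
        HoldId     = $HoldId
        PolicyGuid = ([guid]$Matches['guid']).ToString('N')   # hyphen-less form, as Get-RetentionCompliancePolicy accepts
        Action     = $Action
        Excluded   = ($Matches['excl'] -eq '-')
    }
}
function Get-SoftDeletedMailboxHoldReport {
    param([Parameter(Mandatory)][string]$Identity)
    $Mbx = Get-Mailbox -Identity $Identity -SoftDeletedMailbox -ErrorAction Stop
    # Only the organization-level list carries the ':n' suffix, so index the action by policy GUID
    $OrgAction = @{}
    foreach ($Id in (Get-OrganizationConfig).InPlaceHolds) {
        $D = ConvertFrom-InPlaceHoldId $Id
        if ($D) { $OrgAction[$D.PolicyGuid] = $D.Action }
    }
    $Holds = foreach ($Id in $Mbx.InPlaceHolds) {
        $D = ConvertFrom-InPlaceHoldId $Id
        if (-not $D) { [pscustomobject]@{ HoldId = $Id; PolicyName = 'undecoded'; Blocking = $true }; continue }
        $Policy = Get-RetentionCompliancePolicy -Identity $D.PolicyGuid -ErrorAction SilentlyContinue
        # Assumption consistent with the article's output: an entry blocks removal unless the mailbox is excluded from it or the org-level action is delete only
        [pscustomobject]@{
            HoldId     = $Id
            PolicyName = $Policy.Name
            Action     = $OrgAction[$D.PolicyGuid]
            Excluded   = $D.Excluded
            Blocking   = (-not $D.Excluded) -and ($OrgAction[$D.PolicyGuid] -ne 'DeleteOnly')
        }
    }
    $Blocked = $Mbx.LitigationHoldEnabled -or $Mbx.ComplianceTagHoldApplied -or $Mbx.DelayHoldApplied -or $Mbx.DelayReleaseHoldApplied -or [bool]($Holds | Where-Object Blocking)
    [pscustomobject]@{
        Mailbox                  = $Mbx.PrimarySmtpAddress
        LitigationHoldEnabled    = $Mbx.LitigationHoldEnabled
        ComplianceTagHoldApplied = $Mbx.ComplianceTagHoldApplied   # labelled items remain in the mailbox
        DelayHoldApplied         = $Mbx.DelayHoldApplied
        DelayReleaseHoldApplied  = $Mbx.DelayReleaseHoldApplied
        InPlaceHolds             = $Holds
        RemovalBlocked           = [bool]$Blocked
    }
}
```

Run it as `Get-SoftDeletedMailboxHoldReport -Identity $Mbx.DistinguishedName` before attempting Remove-Mailbox; when RemovalBlocked is True, the InPlaceHolds property lists which policy is responsible.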

Removing Soft-Deleted Mailboxes is Complex

Following the ups and downs involved in tracking down and removing holds, we can conclude that deletion of soft-deleted mailboxes is a complex business. If you knew you had to completely remove a mailbox in advance, you could use the Retention Policy Lookup feature in the compliance portal to check what policies are involved beforehand. Even so, this would only show Microsoft 365 retention policies, and as we’ve discovered, other factors can stop the removal of a mailbox, including the presence of a single labelled item. Sometimes it’s easy to identify a blocking hold, and sometimes it isn’t. And even when you can, you might be only able to work around the hold by removing it temporarily.

With all that in mind, perhaps it’s best to leave soft-deleted and inactive mailboxes alone and let Exchange Online manage the complex interaction of retention policies and decide when mailboxes finally slip away into a permanently removed state. After all, you don’t pay for inactive mailboxes, they don’t get in the way, so why worry about them?

About the Author

Tony Redmond

Tony Redmond has written thousands of articles about Microsoft technology since 1996. He is the lead author for the Office 365 for IT Pros eBook, the only book covering Office 365 that is updated monthly to keep pace with change in the cloud. Apart from contributing to Practical365.com, Tony also writes at Office365itpros.com to support the development of the eBook. He has been a Microsoft MVP since 2004.

Comments

  1. Tony Redmond

    Thank you for the comment. As I developed the text of this article, I found several inconsistencies in the Microsoft documentation around inactive mailboxes and retention periods. The final text of the article was reviewed by the Microsoft engineering lead for compliance in this area. I knew about the change from 183 days to 30 days for ex-inactive mailboxes, but obviously couldn’t say anything until Microsoft made the announcement (as you point out, this is now available). Rereading my text on the point, it’s not as clear as I would like, so I have rewritten a portion and included the information about the change.

    One point I will make time after time: don’t depend on Microsoft documentation. Always test to make sure that your experience aligns with what’s reported.

  2. Victor S.

    In the “Removing the Mailbox” section, you mentioned that removing the Azure AD account that owns a mailbox either:

    – Starts a 183-day countdown after which Exchange Online permanently removes the mailbox.
    – Puts the mailbox into an inactive state. …

    The first one happens when there are no holds on the mailbox while the second one happens when there are holds on the mailbox. However, the recoverable countdown for the first one is only 30 days, not 183. (See https://docs.microsoft.com/en-us/microsoft-365/compliance/delete-an-inactive-mailbox#more-information for details.) Also, Microsoft is changing the recoverable time period on an inactive mailbox when all holds are removed from 183 days to 30 days. This was just announced today in Microsoft 365 Message Center post MC411428. This change is expected to begin in late August and is expected to be complete by the end of September 2022.

  3. Al

    Hi Tony,

    Thanks for sharing, but does it mean the license will still be assigned to the user mailbox if it is in a soft-deleted state?

    1. Tony Redmond

      No, once the Azure AD account is soft-deleted, the license is released. The mailbox gets its license through the Azure AD account.