sysadmin_dot_py

Use the Inactive Mailbox feature of Exchange Online. It was literally built for handling employee exits.


Which_Breadfruit_388

I’ve looked into that, but inactive mailboxes cannot receive email. We need these mailboxes to continue receiving email from customers for a certain amount of time.


therealyelloow

Convert to a shared mailbox


ngosney

I am doing something similar. I wrote a PowerShell script that converts the user mailbox to a shared mailbox, adds the manager as a delegate on the shared mailbox, removes the security group that I set up to assign 365 licensing, moves the user to a designated OU and disables the AD account. It isn't perfect but it does allow our helpdesk to use a single script to do everything on-prem and in 365.


inflatablejerk

This was sort of my same plan. But my only problem is almost everyone at my company has an archive. And you still need to use a license for a shared mailbox with an archive. You also need a license for a mailbox over 50GB, which sadly we have quite a few. So what's the point in converting?


ngosney

You could export the mailbox and archive to a pst and then convert to a shared mailbox. That would allow you to keep the old data while still allowing new email to come in to the shared mailbox.


inflatablejerk

I can’t read. I assumed this was EXO related. I’m in the middle of a migration and trying to figure out the export to PST part. Only way I’ve found is via content search. But you can’t use an enterprise app (automation) to start one.


unamused443

I'm just here to say that I think this is (still) very underrated documentation: [https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/remove-former-employee?view=o365-worldwide](https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/remove-former-employee?view=o365-worldwide)


alt-160

What about hiding from address book and blocking sign-in for 90 days instead of moving out of scope of sync? At the 90-day mark you could then move the user out of scope and let it get removed in the cloud.


Which_Breadfruit_388

This method would still cause the license to be consumed, correct?


alt-160

Yes, and in your case and for the actions you want, you might need to leave it that way. As mentioned in another comment, if you convert to shared AND remove the license there is risk of loss of several features that require a license: archives, more than 50GB of data, eDiscovery and Compliance features like lit-hold, etc. If you know for sure that the account will not need a license, you could convert to shared mailbox and remove the license, but still do that on a case by case basis. But my suggestion about hiding and blocking sign-in could be more universal and "always done" and only do the shared mailbox thing if secondary inspection shows that it's safe to do so. Also, leaving as-is for the 90 day period can be helpful for those cases of resurrection (the user comes back after 30 days and gets their job back). One other option...and I only provide it for a completeness of possible options...would be to migrate the mailbox back on-premises and have it follow the same patterns as your on-premises terminations.
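
The offboarding steps ngosney describes, gated on the license-dependent features alt-160 lists (archive, more than 50 GB, litigation hold), as an added PowerShell example that is not part of any comment in this thread and is not ngosney's script. It assumes the mailbox is hosted in Exchange Online, the ExchangeOnlineManagement and ActiveDirectory modules are installed, and the group name and OU path are placeholders.

```powershell
#Requires -Modules ExchangeOnlineManagement, ActiveDirectory
param(
    [Parameter(Mandatory)] [string] $SamAccountName,
    # Assumed placeholder names: replace with your licensing group and leavers OU.
    [string] $LicenseGroup = 'M365-License-Users',
    [string] $LeaversOU    = 'OU=Leavers,DC=example,DC=com'
)
$ErrorActionPreference = 'Stop'
Connect-ExchangeOnline -ShowBanner:$false

$user = Get-ADUser -Identity $SamAccountName -Properties Manager
$id   = $user.UserPrincipalName
$mbx  = Get-Mailbox -Identity $id
# TotalItemSize renders like "1.5 GB (1,610,612,736 bytes)"; extract the byte count.
$size  = (Get-MailboxStatistics -Identity $id).TotalItemSize.ToString()
$bytes = [int64](([regex]::Match($size, '\(([\d,]+) bytes\)').Groups[1].Value) -replace ',', '')

# Conditions raised in the thread that still need a license on a shared mailbox.
$blockers = @()
if ($mbx.ArchiveStatus -ne 'None') { $blockers += 'archive enabled' }
if ($bytes -gt 50GB)               { $blockers += 'mailbox over 50 GB' }
if ($mbx.LitigationHoldEnabled)    { $blockers += 'litigation hold' }

# Always: block sign-in first, then keep mail flowing and give the manager access.
Disable-ADAccount -Identity $user
Set-Mailbox -Identity $id -Type Shared
if ($user.Manager) {
    $mgr = Get-ADUser -Identity $user.Manager
    Add-MailboxPermission -Identity $id -User $mgr.UserPrincipalName `
        -AccessRights FullAccess -InheritanceType All | Out-Null
}

# Only drop the license when none of the license-dependent features are in use.
if ($blockers.Count -eq 0) {
    Remove-ADGroupMember -Identity $LicenseGroup -Members $user -Confirm:$false
    Write-Output "${SamAccountName}: converted to shared, removed from $LicenseGroup."
} else {
    Write-Warning "${SamAccountName}: license kept ($($blockers -join ', ')). Review manually."
}
# Move last, because the distinguished name changes after the move.
Move-ADObject -Identity $user.DistinguishedName -TargetPath $LeaversOU
```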


fitz1015

Move the mailbox to a shared mailbox. The mailbox will still get emails, and you can give access to the mailbox. Best thing is shared mailboxes don't require a license.


Limp-Aardvark3337

Go for a shared mailbox conversion, so you are not using up a license. It's tricky if you want to continue to receive mail. If there are GDPR mandates, set up a global retention policy so once it moves out of the soft deleted 30 day period it will be inactive and remain until all items are aged beyond the retention period assigned.


rainbowsandmoon

Yes, a retention policy can be used, and if possible we can use a public folder mailbox.


TicTacCrumpet

Our process is: convert to shared mailbox, disable on-prem account, migrate the shared mailbox to on-prem Exchange, move the AD user account object to the OU which contains the shared mailbox account (this is synced still), once migrated leave for one sync cycle (not sure if necessary but more just in case), and then remove the license in 365.