How Exchange Online Uses Mailbox Plans to Populate Mailbox Settings

Posted on by Tony Redmond

Despite the central importance of Exchange Online in many Microsoft 365 tenants, it’s natural that some administrators might not have grasped the finer details of mailbox management. There’s lots to look after elsewhere from SharePoint Online sharing permissions to the many management policies used by Teams. One detail that I often think is overlooked is the role played by mailbox plans, specifically how mailbox plans affect mailbox settings.

Four Mailbox Plans for Each Tenant

Every tenant comes equipped with four mailbox plans, which you can see by running the Get-MailboxPlan cmdlet. These plans accommodate the different variations of Exchange available in different Office 365 and Microsoft 365 products.

Get-MailboxPlan | Format-Table DisplayName, IsDefault, Name

DisplayName              IsDefault Name
-----------              --------- ----
ExchangeOnlineEnterprise      True ExchangeOnlineEnterprise-8fc1c029-5e32-485e-9810-179fb4701447
ExchangeOnlineDeskless       False ExchangeOnlineDeskless-bc1e76cc-4c0b-491c-a518-3a0a43cbf78e
ExchangeOnline               False ExchangeOnline-12c139bc-eafa-4a43-b4d2-e285f83e075d
ExchangeOnlineEssentials     False ExchangeOnlineEssentials-1a1bf516-90d5-4c4b-a047-5b3544ad9826

The role of the mailbox plan is to be a template holding settings for mailbox properties. When you create a new mailbox, the new mailbox inherits settings from the mailbox plan chosen by Exchange Online. Most mailboxes are created along with new accounts via the Microsoft 365 admin center. When this happens, Exchange Online uses the license assigned to the account to select the mailbox plan to apply to the new mailbox. Table 1 shows the match-up between licenses and mailbox plans.

ProductsMailbox Plan
Exchange Online Kiosk
Microsoft 365 F3
Office 365 F3		ExchangeOnlineDeskless
Exchange Online Plan 1
Microsoft 365 E1
Office 365 E1		ExchangeOnline
Exchange Online Plan 2
Microsoft 365 E3/E5
Office 365 E3/E5		ExchangeOnlineEnterprise
Microsoft 365 Business BasicExchangeOnlineEssentials
Table 1: Licenses and Mailbox Plans

Default Plan

In the output for Get-MailboxPlan shown above, the Exchange Online Enterprise plan is marked as the default. If you create a user mailbox without a license, Exchange Online uses the default plan to populate its settings. Mailboxes which don’t need licenses, like shared and resource mailboxes, use the Exchange Online mailbox plan. An administrator can specify the mailbox plan to use when creating a new mailbox with the New-Mailbox cmdlet.

Updating Mailbox Plans

The Set-MailboxPlan cmdlet configures settings in mailbox plans while the Get-MailboxPlan cmdlet reports the settings. Because the idea behind mailbox plans is to configure basic mailbox settings, not every property configurable with the Set-Mailbox cmdlet is available in a mailbox plan. The settings cover:

  • Mailbox quotas and warning thresholds.
  • Message send and receive size.
  • Deleted items retention period.
  • Mailbox retention policy.
  • User role assignment policy.

In this example, we use Set-MailboxPlan to update the Exchange Online enterprise plan to update the largest supported message size for send and receive to 125 MB, change the deleted item retention period from 14 to 30 days, and assign a new default mailbox retention policy.

Set-MailboxPlan -Identity ExchangeOnlineEnterprise -MaxSendSize 125MB -MaxReceiveSize 125MB -RetainDeletedItemsFor 30.00:00:00 -RetentionPolicy "General Mailbox Retention Policy"

Somewhat frustratingly, although Get-MailboxPlan returns a large set of mailbox properties and values, Set-MailboxPlan is unable to update most settings listed by Get-MailboxPlan. If you want to update a mailbox property outside the set supported by Set-MailboxPlan, you must run Set-Mailbox after creating the mailbox. For instance, you might want to write a value into one of the custom attributes.

Modifying the settings of a mailbox plan does not affect existing mailboxes. If you want to change settings for existing mailboxes, you’ll need to run the Set-Mailbox or Set-CASMailbox cmdlets. However, if the license assigned to a user mailbox changes, Exchange Online applies the settings for the relevant plan to the mailbox.

CAS Mailbox Plans

Each mailbox plan has a corresponding CAS mailbox plan. This mimics the relationship between Set-Mailbox and Set-CasMailbox where the first cmdlet updates essential mailbox settings while the second deals with connectivity. In this instance, the Set-CASMailboxPlan cmdlet allows administrators to control the following settings.

  • Enabling Exchange ActiveSync.
  • Enabling IMAP4 and POP3.
  • OWA mailbox policy.

The protocol settings only disable or enable connections. They do nothing to force modern authentication (and as we know for Apple iOS clients, even when an email app supports modern authentication, it might not be used).

Here’s an example of disabling the POP3 and IMAP4 protocols in all mailbox plans. Given Microsoft’s well-founded focus on the elimination of basic authentication for email connectivity, it’s probably a good idea to disable these protocols for new mailboxes. You can always enable the protocols on a per-mailbox basis if someone convinces you that they have a good reason to use these ancient protocols (suitably upgraded for modern authentication).

Get-CASMailboxPlan | Set-CASMailboxPlan -PopEnabled $False -IMAPEnabled $False

You can check the protocol settings by running the Get-CASMailboxPlan cmdlet to return the different protocol settings:

Get-CASMailboxPlan -Identity ExchangeOnlineEnterprise | Format-List DisplayName, ImapEnabled, PopEnabled, MapiEnabled, ActiveSyncEnabled, OwaEnabled, OutlookMobileEnabled

Name                 : ExchangeOnlineEnterprise
ImapEnabled          : False
PopEnabled           : False
MAPIEnabled          : True
ActiveSyncEnabled    : True
OWAEnabled           : True
OutlookMobileEnabled : True

Surprisingly, you can’t control access to Exchange Web Services (EWS) through a mailbox plan. This is one of the protocols you’ll need to disable by running Set-CASMailbox after creating a mailbox.

To check how many mailboxes have each mailbox plan, we can check the plan registered for each mailbox. Note that the filter used to find mailboxes requires the distinguished name for the mailbox plan.

$MbxPlans = Get-MailboxPlan
ForEach ($Plan in $MbxPlans) {
   $Dn = (Get-MailboxPlan -Identity $Plan.Name).DistinguishedName
   # Find mailboxes with the plan
   [Array]$Mbx = Get-ExoMailbox -Filter "MailboxPlan -eq '$Dn'" -Properties MailboxPlan -ResultSize Unlimited
   If ($Mbx) {
     ForEach ($M in $Mbx) {
      $ReportLine  = [PSCustomObject][Ordered]@{ 
         Name           = $M.DisplayName
         UPN            = $M.UserPrincipalName
         Plan           = $Plan.DisplayName }
   $Report.Add($ReportLine) }
   }
} #End ForEach
$Report | Group Plan | Format-Table Name, Count

Name                     Count
----                     -----
ExchangeOnlineEnterprise    43
ExchangeOnline              17

Mailbox Plans Summary

Mailbox plans help Exchange Online to run a little smoother by making sure that some essential settings are in place for new mailboxes. It’s likely that you will need to do some further tuning of mailbox settings post creation and it would be nice if Microsoft expanded the set of updatable settings in mailbox plans to make the plans more powerful. At least PowerShell is available to fill the gaps left by Microsoft, a role that’s as important today as it was when Exchange 2007 was the first major server product to support PowerShell many years ago.

Learn how to exploit the Office 365 data available to tenant administrators through the Office 365 for IT Pros eBook. We love figuring out how things work.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.