Some folks got worried about the contents of message center notification MC411428 (August 8, 2022). This notification tells us that Microsoft is changing the retention period for an inactive mailbox after all holds are released. A mailbox becomes inactive upon the hard deletion of its Azure AD account if any of the myriad types of retention hold exists over items in the mailbox. Holds range from mailbox-wide litigation holds to retention labels placed on individual items. Inactive mailboxes are a form of soft-deleted mailbox designed to allow organizations to keep information belonging to ex-employees for compliance purposes (shared mailboxes are another option). Because inactive mailboxes remain online (but hidden from user view), Microsoft Search indexes their contents and makes them available for eDiscovery.

The nice thing about inactive mailboxes is that they don’t require any licenses. Exchange Online keeps inactive mailboxes for as long as you want, or rather, until the removal of the last hold that retains mailbox data. Some of the inactive mailboxes in my tenant go back to 2015, as seen in the Microsoft Purview compliance portal (Figure 1).

Figure 1: Inactive mailboxes in the Microsoft Purview Compliance portal

Soft-Deleted Mailboxes and Azure AD Account Recovery

Exchange Online keeps soft-deleted mailboxes for the deleted mailbox retention period (30 days). This period matches the time that Azure AD keeps deleted user accounts in its recycle bin and means that if an administrator restores the Azure AD account, the restore can reconnect the mailbox to the account.

After 30 days, Azure AD permanently removes the account. Once the Azure AD account is gone, Exchange Online either permanently removes the mailbox (if no hold exists) or puts it into an inactive state. The mailbox remains inactive until the removal of all holds and retention policies from the mailbox. At that point, Exchange Online updates the mailbox state to make it soft-deleted (but no longer inactive). The owner's Azure AD account is long gone, so if normal logic applied, Exchange Online would immediately move to permanently remove the mailbox.

Additional Recovery Period for Old Inactive Mailboxes

However, accidents do happen and it’s possible that administrators might release holds keeping inactive mailboxes online. You don’t want to run the risk that an accident leads to unexpected loss of information needed for compliance purposes, so Microsoft built in an extra recovery period that starts once an inactive mailbox becomes soft-deleted. Previously, the recovery period was 183 days. During this time administrators can run an eDiscovery search to recover and export the information in the soft-deleted mailbox.

The change announced in MC411428 is that Microsoft will reduce the recovery period to 30 days starting in late August, with the change available worldwide by late September. Microsoft says that it sought customer feedback for the change and that the new period maintains consistency with other solutions. Following the 30-day recovery period, Exchange Online permanently deletes the once-inactive mailboxes and their content becomes irrecoverable.

Keeping Inactive Mailboxes Around

On the surface, reducing the time allowed to administrators to recover data if mistakes happen seems like a bad thing. However, given the array of holds and policies that can keep a mailbox inactive, it's not. If you're worried about the change, create a retention policy that keeps all Exchange Online mailbox content for an extended period (say, 20 years) and apply it to all mailboxes. Alternatively, if you have Office 365 E5 or Microsoft 365 E5, you can create a retention policy with an adaptive scope to find and preserve inactive mailboxes. Either way, there's little danger that inactive mailboxes will ever be released from all holds and enter the soft-deleted state.
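As an added example (not code from the original post), here is how to create such a 20-year, all-mailbox retention policy from Security & Compliance PowerShell. The policy and rule names are hypothetical, and the script assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds a compliance administration role.

```powershell
# Added example: organization-wide Exchange retention policy that keeps all mailbox
# content for 20 years, so inactive mailboxes are never released from every hold.
# Policy and rule names are hypothetical; adjust them to your naming convention.

# Security & Compliance PowerShell (same ExchangeOnlineManagement module as Exchange Online)
Connect-IPPSSession

$policyName    = 'Keep All Exchange Content 20 Years'   # hypothetical name
$ruleName      = "$policyName - Rule"                   # hypothetical name
$retentionDays = 20 * 365                               # RetentionDuration is expressed in days

# Create the policy only if it does not already exist, so the script is safe to re-run
$policy = Get-RetentionCompliancePolicy -Identity $policyName -ErrorAction SilentlyContinue
if (-not $policy) {
    $policy = New-RetentionCompliancePolicy -Name $policyName `
        -ExchangeLocation All `
        -Enabled $true `
        -Comment 'Retain mailbox content for 20 years; keeps inactive mailboxes on hold'
}

# A policy does nothing until it has a rule. Keep (never delete) items for 20 years,
# measured from the item's last modification date.
$rule = Get-RetentionComplianceRule -Policy $policyName -ErrorAction SilentlyContinue
if (-not $rule) {
    New-RetentionComplianceRule -Name $ruleName `
        -Policy $policyName `
        -RetentionDuration $retentionDays `
        -RetentionComplianceAction Keep `
        -ExpirationDateOption ModificationAgeInDays
}

# Confirm the policy is enabled and check how far distribution to mailboxes has progressed
Get-RetentionCompliancePolicy -Identity $policyName -DistributionDetail |
    Select-Object Name, Enabled, Mode, DistributionStatus, ExchangeLocation

Disconnect-ExchangeOnline -Confirm:$false
```

Because the policy targets all Exchange locations, mailboxes that later become inactive are covered automatically; there is nothing to apply per mailbox. Distribution to every mailbox can take some time, so check DistributionStatus before relying on the policy.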

There’s no downside to keeping inactive mailboxes for extended periods. They don’t do any harm, don’t interfere with administrative processes, and don’t cost you any money (Microsoft pays for the storage consumed by inactive mailboxes).

Depending on the compliance environment your organization operates under, there might be a case for making every deleted mailbox inactive as described above and then ignoring them. Other organizations might need a more subtle approach and make only certain mailboxes inactive.

One Last Point

Unconnected with inactive mailboxes (except that you can run Get-Mailbox with the -InactiveMailboxOnly parameter to see them), it's worth emphasizing that Microsoft will end support for the old Exchange Online PowerShell with MFA module on August 31, 2022 and retire it on December 31, 2022 (MC407050, July 29). This method of connecting to Exchange Online with MFA is based on the V1 module inherited from on-premises Exchange. Scripts should use the Exchange Online PowerShell V2 module (ExchangeOnlineManagement) instead. This version supports modern authentication out of the box, including certificate-based authentication.
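As an added example (not code from the original post), the following script ties the two points above together: it connects with certificate-based authentication through the Exchange Online PowerShell V2 module and lists every inactive mailbox with the holds keeping it inactive, flagging any mailbox that depends on a single mailbox-level hold and would therefore enter the 30-day soft-deleted period if that one hold were released. The app ID, certificate thumbprint, tenant name and CSV path are placeholders, and the hold classification is a simplification of what the InPlaceHolds property can contain (org-wide policy exclusions are not evaluated).

```powershell
# Added example: inventory inactive mailboxes and the holds that keep them inactive.
# The placeholder values below must be replaced with your own app registration details.
$appId      = '00000000-0000-0000-0000-000000000000'     # placeholder: app with Exchange.ManageAsApp
$thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567' # placeholder: certificate in the personal store
$tenant     = 'contoso.onmicrosoft.com'                  # placeholder: tenant initial domain

# Certificate-based (app-only) authentication with the Exchange Online PowerShell V2 module
Connect-ExchangeOnline -AppId $appId -CertificateThumbprint $thumbprint `
    -Organization $tenant -ShowBanner:$false

# Org-wide retention policies covering Exchange are recorded on the organization
# configuration rather than on each mailbox (simplification: exclusions are ignored)
$orgWideHolds = @((Get-OrganizationConfig).InPlaceHolds)

$report = foreach ($mbx in Get-Mailbox -InactiveMailboxOnly -ResultSize Unlimited) {
    $holds = [System.Collections.Generic.List[string]]::new()
    if ($mbx.LitigationHoldEnabled)    { $holds.Add('LitigationHold') }
    if ($mbx.ComplianceTagHoldApplied) { $holds.Add('RetentionLabel') }
    if ($mbx.DelayHoldApplied)         { $holds.Add('DelayHold(temporary)') }
    # InPlaceHolds carries the identifiers of retention policies, eDiscovery holds and
    # in-place holds that explicitly include this mailbox
    foreach ($id in @($mbx.InPlaceHolds)) { $holds.Add("InPlaceHold:$id") }

    # A mailbox kept only by a temporary delay hold, or by one hold with no org-wide
    # policy behind it, is one administrative action away from soft deletion
    $durable = @($holds | Where-Object { $_ -notlike 'DelayHold*' })
    $atRisk  = ($durable.Count -le 1) -and ($orgWideHolds.Count -eq 0)

    [pscustomobject]@{
        DisplayName     = $mbx.DisplayName
        PrimarySmtp     = $mbx.PrimarySmtpAddress
        WhenSoftDeleted = $mbx.WhenSoftDeleted
        HoldCount       = $durable.Count
        Holds           = ($holds -join '; ')
        SingleHoldRisk  = $atRisk
    }
}

$report | Sort-Object WhenSoftDeleted | Format-Table -AutoSize

# Keep a record for the compliance team (hypothetical path)
$report | Export-Csv -Path .\InactiveMailboxHolds.csv -NoTypeInformation

Disconnect-ExchangeOnline -Confirm:$false
```

Run it before and after releasing any hold: a mailbox whose SingleHoldRisk column is true is exactly the case the shortened recovery period makes less forgiving, and the org-wide 20-year policy described earlier is what turns that column false for the whole tenant.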

