Exchange Online Adds Delicensing Resiliency
A Truly Horrible Name for What’s a Pretty Good Way to Stop User Mailboxes Being Removed in Error
On November 5, the Exchange development group announced the new delicensing resiliency feature. Unfortunately, the blog post for the announcement went out at the same time that the Microsoft Technical Community was in the middle of a major upgrade (it was offline for most of the day), so you might not have seen the news.
Delicensing resiliency is a horrible name for a feature. What it means is that large Exchange Online tenants (with more than 10,000 paid seats) can enable an extra layer of protection for unlicensed mailboxes. Most users are licensed for Exchange Online through a service plan included in a product SKU like Office 365 E3 (Figure 1) or Microsoft 365 Business Premium. An Exchange Online license can be bought separately, but that’s usually only done to enable features like an archive for shared mailboxes.
When a product license containing the Exchange Online service plan is removed from an Entra ID user account, Exchange Online notices that the user’s mailbox is no longer licensed and starts a 30-day countdown clock. Because it is no longer licensed, the user loses access to the mailbox. However, if an administrator assigns an Exchange Online license or service plan to the account, the mailbox reverts to a licensed state and normal service is resumed. If not, Exchange Online proceeds to permanently remove the mailbox and data is no longer recoverable.
One way that organizations guard against inadvertent removal of mailboxes is to make the mailbox into an inactive mailbox by applying a retention hold to the mailbox before removing licenses (or complete account deletion). This mechanism works and supports both mailbox recovery and restore, but the affected users lose access to their mailbox because it’s in an unlicensed state.
Group Licensing Errors
What seems to have happened in the past is that some tenants have made mistakes with group-based licensing. This mechanism allows a group to hold licenses that Entra ID assigns automatically to users when they join the group. Conversely, when someone leaves the group, Entra ID removes the license held by the group.
Exchange Online has supported license stacking since January 2023. License stacking means that a user account can be assigned several licenses of the same type. For instance, they can hold Office 365 E5 and Microsoft 365 E5 licenses, both of which come with an Exchange Online Plan 2 service plan. If one license is removed, the second license remains in place and the user’s mailbox is unaffected. License stacking facilitates license swapping or switching, which happens when a tenant upgrades its licenses and needs to assign new licenses to users while removing old licenses.
It’s possible that some license swaps went wrong in the past due to errors made in group-based assignments. Perhaps users were removed from the group that controlled assignments of the old license without being added to the group that controlled assignments for the new license. It’s easy to see how such a thing could occur. The upshot is that accounts removed from the original group enter an unlicensed state for Exchange Online and lose access to their mailboxes, which is not a great situation to be in as it disrupts internal and external communications and can cause users not to receive email.
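One way to run a pre-flight check before a group-based license swap, as an added example (not from the original post or from Microsoft's documentation). It assumes the Microsoft Graph PowerShell SDK is installed; $OldGroupId and $NewGroupId are placeholders for the tenant's own licensing groups, and the three service plan names are those of Exchange Online Plan 1, Plan 2 and Kiosk.

```powershell
# Added example: flag users who would lose their Exchange Online license
# if removed from the old licensing group. Group IDs are placeholders.
param(
    [Parameter(Mandatory)] [string] $OldGroupId,
    [Parameter(Mandatory)] [string] $NewGroupId
)

Connect-MgGraph -Scopes 'User.Read.All', 'GroupMember.Read.All', 'Organization.Read.All'

# Service plans that license a mailbox: Exchange Online Plan 1, Plan 2, Kiosk.
$MailboxPlans = 'EXCHANGE_S_STANDARD', 'EXCHANGE_S_ENTERPRISE', 'EXCHANGE_S_DESKLESS'

# Map every SKU in the tenant to the IDs of the mailbox plans it contains.
$SkuMailboxPlans = @{}
foreach ($Sku in Get-MgSubscribedSku -All) {
    $SkuMailboxPlans[$Sku.SkuId] = @($Sku.ServicePlans |
        Where-Object { $_.ServicePlanName -in $MailboxPlans } |
        ForEach-Object { $_.ServicePlanId })
}

$NewMembers = @(Get-MgGroupMember -GroupId $NewGroupId -All | ForEach-Object { $_.Id })

$AtRisk = foreach ($Member in Get-MgGroupMember -GroupId $OldGroupId -All) {
    $User = Get-MgUser -UserId $Member.Id -ErrorAction SilentlyContinue `
        -Property 'id,userPrincipalName,licenseAssignmentStates'
    if (-not $User) { continue }   # group member is not a user account

    # Licenses that remain once the old group's assignment is gone:
    # direct assignments and assignments inherited from any other group.
    $Remaining = $User.LicenseAssignmentStates |
        Where-Object { $_.AssignedByGroup -ne $OldGroupId -and $_.State -eq 'Active' }

    $KeepsMailboxPlan = $false
    foreach ($State in $Remaining) {
        # A stacked license only helps if its Exchange plan is not disabled.
        $Enabled = $SkuMailboxPlans[$State.SkuId] |
            Where-Object { $_ -notin $State.DisabledPlans }
        if ($Enabled) { $KeepsMailboxPlan = $true; break }
    }

    if (-not $KeepsMailboxPlan) {
        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            InNewGroup        = $Member.Id -in $NewMembers
        }
    }
}

$AtRisk | Sort-Object InNewGroup, UserPrincipalName | Format-Table -AutoSize
```

Accounts listed with InNewGroup set to False were never added to the replacement group; those listed with True are members whose new license is not yet active or has its Exchange plan disabled.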
The Extra 30-Day Grace Period
Microsoft’s solution is to introduce an additional 30-day grace period during which unlicensed mailboxes remain fully functional. The extra time is intended to allow administrators to realize that a problem has occurred and take appropriate action, which might be something as simple as adding the affected users to a group.
After the 30-day grace period lapses, the normal mailbox removal process clicks into gear and the user loses access to their mailbox. Eventually, the 30-day removal retention period expires, and Exchange Online removes the mailbox permanently.
Tools to Help with Delicensing Resiliency
To back up the extra grace period, Microsoft is providing several tools, including:
- A new Get-PendingDelicenseUser cmdlet to check for mailboxes due to be delicensed.
- A new Licenses removed recently tab in the Billing section of the Microsoft 365 admin center to list mailboxes in the grace period (with an option to expedite delicensing for a mailbox, meaning that it goes straight into the normal 30-day removal cycle).
- Service Health advisories for admins when “delicensing activity” occurs (presumably only when the delicensing resiliency feature is enabled and only covering Exchange Online licenses).
- Email notifications to users whose Exchange Online license has been removed telling them to contact their administrator if the removal was in error.
Overall, it seems like a pretty good plan. Of course, I followed the instructions in the documentation to see what happened if I enabled the feature and failed utterly:
Set-OrganizationConfig -DelayedDelicensingEnabled:$true
Set-OrganizationConfig: |Microsoft.Exchange.Management.Tasks.DelayedDelicensedUserException|Your tenant does not qualify for the Exchange Online Delicensing Resiliency feature, which is only available to tenants with more than 10,000 paid licenses.
Oh well. Most mailboxes removed in my tenant are as a result of my actions. I guess I don’t need to worry so much about this kind of thing. But if I was running a tenant with more than 10,000 paid Exchange seats, this is absolutely a feature to enable.