Many Ways Exist in Microsoft 365 to Find Inactive Mailboxes

On Tuesday, I posted a link to an old (2018) article explaining how to use message trace data to identify inactive distribution lists. Almost by return, I received a request to ask if it’s possible to use the same technique to find inactive mailboxes. The answer is yes, but before we go any further along that path, we should recognize that other methods exist to detect underused mailboxes, such as analyzing mailbox statistics and Entra ID sign in records or even looking through historical message trace searches to analyze message traffic for the last 90 days.

Looking past email, the Graph usage reports API reveals a ton of data about user activity that can be combined to reveal an in-depth view of how active accounts are across multiple workloads. You could also investigate activity by extracting audit log data for accounts and build a very granular view of exactly what people do in Microsoft 365 over a period. In other words, many ways exist to find inactive mailboxes using different data available to tenant administrators.

Changing the Script to Find Inactive Mailboxes

Not being a great fan of recreating wheels, I took the script written to detect inactive distribution lists and made the necessary changes. You can download the script from GitHub. The major changes are in two areas:

First, the script creates an array of user mailboxes rather than distribution lists. If you want to check activity for shared mailboxes, modify the script to include shared mailboxes in the receipt type details parameter for Get-ExoMailbox:

[array]$Mbx = Get-ExoMailbox -ResultSize Unlimited -RecipientTypeDetails 'UserMailbox', 'SharedMailbox' | Sort-Object DisplayName

Second, the script extracts message trace Delivered events rather than Expanded events. Expanded events are good for distribution lists because they happen when Exchange Online resolves the distribution list membership to create bifurcated copies of messages for delivery to individual recipients. Delivered events occur when Exchange Online successfully delivers a message. The script extracts details of the sender for these events on the basis that an active mailbox sends messages (which is what Figure 1 shows the script reporting). Inactive mailboxes might receive a ton of messages, but unless they send a message, they’re not really active.

Generating Report Files

The script checks for the availability of the ImportExcel module. If found, the output file generated by the script is an Excel worksheet. Otherwise, the script creates a CSV file. The ImportExcel module is very easy to use and the worksheets it creates are nicer to work with in Excel than the CSV equivalent.

The code is straightforward. The Get-Module cmdlet checks for the module. If found, the output file name in the Downloads folder for the current user is generated. It’s easier to use the Downloads folder instead of checking for an arbitrary folder like “c:temp” and creating the folder if not available.

# Generate report
If (Get-Module ImportExcel -ListAvailable) {
    $ExcelGenerated = $True
    Import-Module ImportExcel -ErrorAction SilentlyContinue
    $OutputXLSXFile = ((New-Object -ComObject Shell.Application).Namespace('shell:Downloads').Self.Path) + "InactiveMailUsers.xlsx"
    $Report | Export-Excel -Path $OutputXLSXFile -WorksheetName "Inactive Mail Users Report" -Title ("Inactive Mail Users Report{0}" -f (Get-Date -format 'dd-MMM-yyyy')) -TitleBold -TableName "InactiveMailUsers" 
} Else {
    $OutputCSVFile = ((New-Object -ComObject Shell.Application).Namespace('shell:Downloads').Self.Path) + "InactiveMailUsers.csv"
    $Report | Export-Csv -Path $OutputCSVFile -NoTypeInformation -Encoding Utf8
  }
  
  If ($ExcelGenerated) {
    Write-Host ("An Excel report is available in {0}" -f $OutputXLSXFile)
  } Else {
    Write-Host ("A CSV report is available in {0}" -f $OutputCSVFile)

More to Do to Improve the Script

I’m sure that people will find ways to improve the script. For instance, you might decide to include details of the account that owns each mailbox, like their country or department. The beauty of PowerShell is that it’s easily changed. Go for it!

subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.

Learn how to exploit the data available to Microsoft 365 tenant administrators through the Office 365 for IT Pros eBook. We love figuring out how things work.