Microsoft 365 Inactive Mailboxes, Managing Departing Employee Data, and Migrations (Part I)
By: Bill Tolson | November 16, 2021
The following is a true story. Really. Not only does it serve as a cautionary tale in relation to Microsoft 365 inactive mailboxes, but it also highlights the importance of assessing the value of departing user data rather than blindly deleting it. (FYI, the names have been changed to protect me.)
Several years ago, I received a call from a friend I used to work with at another company. They were looking for an interactive Excel TCO/ROI/NPV/BET model I had developed while employed at the company. It was a massive model in which I had invested 2-3 months of work. It became a much-requested tool for sales to reference that showed how a cloud-based archive could dramatically lower the overall TCO of archiving while (in most cases) showing a positive return on investment (ROI), profitable net present value (NPV), and a really short breakeven time (BET).
The downside was that it was relatively complex (it combined hundreds of calculations across eight different Excel pages) and so was difficult for many in sales (and everyone else) to explain. Because I created it, I ended up being the designated presenter of the model at customer meetings and calls. This meant that I was the one that kept the master version and, over time, the only person that had a copy of the model.
Do you by chance still have…
Getting back to the call from my good friend and ex-coworker, he asked me if I still had a copy of the TCO/ROI model and, if so, whether I could send it to him. It turns out that they had a very large potential customer that wanted to see a detailed ROI calculation and description of their situation. It seems the salesperson had mentioned that the company had a TCO/ROI model (mine) that would provide a detailed TCO analysis of the customer's current technology and create a detailed ROI/NPV/BET calculation if the customer replaced it with the new technology.
Wanting to close the sale, the company had spent a great deal of time looking for the actual model but couldn't find it. The customer was pushing hard to get the TCO/ROI results or, if not, choose another vendor's solution.
It's on my laptop
In fact, I did not have a copy of the model – I swear! Part of the company's exit process for departing employees included being presented a legal form to sign to certify that I had deleted ALL data/files I had generated and received while employed at the company – under penalty of prosecution. I took that very seriously and did delete everything.
I mentioned to my friend that when I had turned in my laptop on the last day of work, I had written a long email to my managing VP giving him all my passwords, share drive locations, etc. In fact, I believe I also noted to my manager that it would be stupid to reassign the laptop to another employee in the near term because of the useful data the laptop contained. It turns out that they had wiped and reimaged my laptop within a couple of weeks, and all the data on the laptop was irretrievably gone.
It's in my inactive OneDrive account
Also, in that final email to my manager, I had pointed out that my Microsoft 365 email and OneDrive account also contained data they would find useful (including the TCO/ROI model) and to not reassign the Microsoft 365 license until my data had been copied to another repository that people in my group could access when needed. Of course, the company quickly reassigned the Microsoft 365 license and lost all my files.
Let's understand what it means to delete a Microsoft 365 license holder and transfer that license to another. When you delete a user in the Microsoft 365 admin center, the company can choose what will happen with the departing employee's product licenses, email, and OneDrive data.
One possibility many companies choose is to give a designated user (typically the manager) access to the departed employee's accounts so they can review and download what they think will be needed in the future. By default that person has 30 days. The OneDrive retention period is a tenant-wide setting in the SharePoint admin center and can be raised to as much as 3,650 days, but the 30-day default is what most organizations are running. When the retention period ends, the OneDrive clean-up job runs and the files in that account are deleted. If a manager is recorded on the deleted account, the manager receives an email saying they have access to the departed employee's OneDrive and that it will be deleted at the end of the retention period; seven days before that deadline, a second email goes to the manager or secondary owner as a reminder that the OneDrive will be deleted in 7 days.
Best practices for Microsoft 365 inactive mailboxes and departing employee data
I never asked my friend what happened with the potential deal but, for me, it highlighted an important missing process in many companies – that of treating departing employee data as valuable (also, in some cases, legally required).
At the end of the day, companies hire employees for their abilities, know-how, creativity, and experience. Blindly destroying the data they work with and create is a huge waste for the sake of freeing up a Microsoft 365 license, especially when options exist to store leaver data securely and reassign their licenses without risking legal or business disruption.
Some of our customers do think about the implications of reassigning the license of a departing employee. Many come to us with questions like: "We're spending a fortune on Microsoft 365 licenses for employees that have left the organization. We want to recycle them, but what should we do with all of the departed employee's Microsoft 365 data?" Believe it or not, this shows a great deal of progress in their thinking. Unfortunately, however, many companies, as in the example above, still reassign the Microsoft 365 licenses of departed employees indiscriminately and, in doing so, delete all their data.
As IT and corporate legal departments know well, inactive and departed employee data – inactive Microsoft 365 mailboxes, OneDrive accounts, Teams conversations and files (including videos) – puts a strain on the IT department: licenses that are still being paid for, rising privacy risk, and expensive eDiscovery responses. Safeguarding that data is an important part of the employee exit and data management process and should be top of mind for HR, IT, and Corporate Legal. When an employee gives notice or is laid off (RIF'd), an HR checklist should be followed, with a set of actions to perform before the employee departs.
However, in many cases (if the checklist even exists), it does not address what to do with the employee's most valuable asset – their accumulated work data. In fact, valuable corporate data exists in all Microsoft 365 mailboxes, OneDrive accounts, local workstation data, and SharePoint servers, but many HR processes don't include the proactive collection of employee data before departure. Jumping too quickly to delete a departed user's account (and the associated data) can rid you of the chance to access crucial information and runs the risk of regulatory non-compliance. Once you go far enough down the line and data is permanently deleted, there's no magic button marked 'recover inactive mailbox'. Microsoft 365 simply kills those files for good.
The process should see IT alerted immediately to begin capturing and consolidating leaver data and migrating it into data repositories, such as those in a corporate cloud, where it can be secured, managed, and accessed by authorized employees. The immediate thinking should never be 'delete inactive mailbox'. Microsoft 365 licenses shouldn't be valued more than often crucial leaver data. Your GC may want to keep all email and OneDrive data for an extended time in case lawsuits (e.g., wrongful termination) crop up during the statute of limitations, as well as keeping it available for use and reference by current employees.
Why don't organizations have better processes for inactive Microsoft 365 licenses?
It's hard to say definitively, but in my experience, most companies simply haven't thought of it or haven't developed a standardized process to collect and manage employee data. Often, it's because the IT department is overworked and so chooses to keep the departed employee's mailbox and Microsoft 365 account "as is" until they have more time. Eventually, someone in IT notices the growing number of departed employee mailboxes and wonders how much the company is spending on Microsoft 365 licenses for them. Show inactive mailboxes to whoever controls the company purse strings, and they'll likely jump at the chance to claw back some of the outlay. Look at your own Microsoft 365 inactive mailbox cost, and you'll probably want to do the same.
In a recent example, a customer noticed they were paying for 8,000 inactive mailboxes in a legacy BPOS subscription and 7,000 inactive mailboxes in their standard Microsoft 365 subscription – totaling 15,000 Microsoft 365 E5 licenses. They estimated that the 15,000 inactive mailboxes were costing them approximately $5 million annually in subscription costs. In another example, a mid-size U.S. city told me that over 55% of their current Microsoft 365 mailboxes belonged to departed employees.
Inactive Microsoft 365 mailboxes versus shared mailboxes
Currently, when an employee leaves a company, many organizations quickly delete or unlicense the employee's Microsoft 365 account so the license can be passed to another employee, or cancel it altogether to save on cost. Once the user is deleted (or the Exchange Online license is removed), the mailbox is soft-deleted and retained for 30 days. During that window the company can still recover the mailbox by restoring the deleted user (or reassigning the license). After 30 days the mailbox is permanently purged, unless a hold or retention policy covers it, raising the risk of destruction-of-evidence or spoliation claims if the data is potentially responsive in current or anticipated litigation.
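The two 30-day windows described above (the soft-deleted mailbox and the OneDrive retention period) can both be inspected and, in the OneDrive case, lengthened from PowerShell. The following is an added example, not code from the original post or from Archive360; it assumes the ExchangeOnlineManagement, Microsoft.Graph and Microsoft.Online.SharePoint.PowerShell modules are installed, and the tenant name `contoso`, the user `jdoe` and the account `manager@contoso.example` are placeholders.

```powershell
# Added example (not from the original post): inventory what is about to be purged
# from a tenant and extend or recover it while the 30-day windows are still open.
# Requires ExchangeOnlineManagement, Microsoft.Graph and
# Microsoft.Online.SharePoint.PowerShell; tenant and user names are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example
Connect-MgGraph -Scopes 'User.ReadWrite.All'
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# 1. Soft-deleted mailboxes: days remaining before Exchange Online purges each one.
$softDeleted = Get-Mailbox -SoftDeletedMailbox -ResultSize Unlimited |
    Select-Object DisplayName, PrimarySmtpAddress, ExternalDirectoryObjectId, WhenSoftDeleted,
        @{ Name = 'DaysLeft'; Expression = { 30 - ((Get-Date) - $_.WhenSoftDeleted).Days } }
$softDeleted | Sort-Object DaysLeft | Format-Table DisplayName, WhenSoftDeleted, DaysLeft -AutoSize

# 2. Recover anything inside its final week by restoring the deleted Entra ID user;
#    the mailbox comes back with the user. Match on the object ID, which is stable,
#    rather than on the UPN.
$atRisk = $softDeleted | Where-Object { $_.DaysLeft -le 7 }
$deletedUsers = Get-MgDirectoryDeletedItemAsUser -All
foreach ($mbx in $atRisk) {
    $user = $deletedUsers | Where-Object { $_.Id -eq $mbx.ExternalDirectoryObjectId }
    if ($user) {
        Restore-MgDirectoryDeletedItem -DirectoryObjectId $user.Id
        Write-Host "Restored $($mbx.PrimarySmtpAddress); its mailbox is active again"
    }
}

# 3. OneDrive: the 30-day default is a tenant setting (30 to 3650 days). Read it, then
#    raise it so a manager has a year rather than a month to copy a leaver's files.
(Get-SPOTenant).OrphanedPersonalSitesRetentionPeriod
Set-SPOTenant -OrphanedPersonalSitesRetentionPeriod 365

# 4. Give a second person admin rights on a specific leaver's OneDrive so the review
#    does not hinge on one manager's inbox. Personal site URLs follow the pattern
#    https://<tenant>-my.sharepoint.com/personal/<upn with '.' and '@' replaced by '_'>.
Set-SPOUser -Site 'https://contoso-my.sharepoint.com/personal/jdoe_contoso_example' `
    -LoginName manager@contoso.example -IsSiteCollectionAdmin $true
```

Restoring a deleted user only brings the mailbox back if a license is available to reattach to it, so run the inventory in step 1 on a schedule rather than once, and treat the OneDrive retention change in step 3 as a policy decision that Legal should sign off on, since it applies to every future leaver in the tenant.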
A common method for preserving departed employee data is to convert a Microsoft 365 mailbox to a "shared mailbox." The main driver for the popularity of this strategy is that Microsoft 365 shared mailboxes are free. However, there are several complicating issues with shared mailboxes:
1. Every user who accesses the shared mailbox must hold their own Exchange Online (Microsoft 365) license
2. An unlicensed shared mailbox is capped at 50 GB; beyond that, it must be licensed
3. An unlicensed shared mailbox cannot have an archive mailbox enabled, so it cannot be used to archive emails without a license
4. It cannot be used as a journaling mailbox
5. Storing emails in a shared mailbox does not guarantee immutability – a legal defensibility issue due to the potential destruction of evidence or spoliation
6. Chain of custody is broken, as the individual mailbox owners whose mail is moved into a shared mailbox no longer exist as owners of that content
7. It cannot be signed in to directly: a shared mailbox has no credentials of its own and is only reachable through a delegated, licensed user's Outlook or Outlook on the web session
Depending on access rights to the shared mailbox, approved employees can still delete or edit content in a shared mailbox – also a legal defensibility issue. To mitigate the risk of data loss due to delegates deleting shared mailbox content, the organization should apply read-only access policies instead of the default full mailbox access. However, this does not apply immutability to the data and could cause the data to be called into question later by regulators, auditors, or opposing counsel in a litigation setting.
The immutability issue (#5 above) can catch many by surprise, especially corporate attorneys. If immutability is required for legal reasons, i.e., proof that evidence has not been altered, the shared mailbox must be placed on Litigation Hold (or covered by a Microsoft Purview retention policy), and to do that it has to be assigned an Exchange Online Plan 2 license (or Plan 1 plus Exchange Online Archiving) – defeating the "no-cost" benefit. Transferring inactive users to a shared mailbox also means you can't search for information effectively (#6 above), because the shared mailbox becomes the owner of every message in it. You can no longer look up the inactive user by name and are forced to search on the To and From fields or run full-text searches keyed on a specific SMTP address, which adds time and complexity to an investigation or a specific request.
Furthermore, the shared mailbox size limitation (#2 above) forces the creation of additional shared mailboxes. In the earlier example, where the 15,000 inactive mailboxes held 68 TB in total, it would take at least 1,360 shared mailboxes (68 TB / 50 GB) to hold the departed employees' mail – a management and legal nightmare.
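The shared-mailbox issues listed above (size cap, missing archive, no hold, delegates who can delete) are all visible from Exchange Online PowerShell, and the read-only mitigation from the preceding paragraphs is a permission change rather than a policy. The following is an added example, not code from the original post or from Archive360; it assumes the ExchangeOnlineManagement module, and the mailbox `jdoe@contoso.example` and delegate `manager@contoso.example` are placeholders.

```powershell
# Added example (not from the original post): audit a shared mailbox that holds a
# leaver's mail against the issues listed above, then swap delete-capable Full
# Access for read-only folder access. Names are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

function Test-LeaverSharedMailbox {
    param([Parameter(Mandatory)][string]$Identity)

    $mbx   = Get-Mailbox -Identity $Identity
    $stats = Get-MailboxStatistics -Identity $Identity
    # TotalItemSize renders as "12.3 GB (13,207,024,128 bytes)"; pull out the byte count.
    $bytes  = [int64](($stats.TotalItemSize.ToString() -replace '.*\(([\d,]+) bytes\)', '$1') -replace ',', '')
    $sizeGB = [math]::Round($bytes / 1GB, 2)

    # Explicit (non-inherited) Full Access delegates can edit or delete content.
    $fullAccess = Get-MailboxPermission -Identity $Identity |
        Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' -and
                       $_.AccessRights -contains 'FullAccess' }

    [pscustomobject]@{
        Mailbox            = $mbx.PrimarySmtpAddress
        IsShared           = $mbx.RecipientTypeDetails -eq 'SharedMailbox'
        SizeGB             = $sizeGB
        Over50GBUnlicensed = $sizeGB -gt 50                 # issue #2: needs a license past 50 GB
        ArchiveEnabled     = $mbx.ArchiveStatus -eq 'Active' # issue #3: unlicensed => no archive
        LitigationHold     = $mbx.LitigationHoldEnabled      # issue #5: $false => no immutability
        RetentionHolds     = @($mbx.InPlaceHolds).Count      # retention policies / eDiscovery holds
        FullAccessUsers    = ($fullAccess.User -join ', ')   # people who can still delete
    }
}

# Convert the leaver's mailbox, then replace Full Access with Reviewer (read-only)
# rights for the person who still needs the content.
Set-Mailbox -Identity jdoe@contoso.example -Type Shared
Remove-MailboxPermission -Identity jdoe@contoso.example -User manager@contoso.example `
    -AccessRights FullAccess -Confirm:$false
Add-MailboxFolderPermission -Identity 'jdoe@contoso.example:\' -User manager@contoso.example -AccessRights Reviewer
Add-MailboxFolderPermission -Identity 'jdoe@contoso.example:\Inbox' -User manager@contoso.example -AccessRights Reviewer

Test-LeaverSharedMailbox -Identity jdoe@contoso.example
```

Folder permissions do not inherit, so Reviewer has to be granted on every folder the reader needs (the root grant above only makes the mailbox visible); a loop over `Get-MailboxFolderStatistics` handles that for large mailboxes. Note that the audit can only report `LitigationHold = $false` for an unlicensed shared mailbox; making it `$true` requires the license discussed above.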
The Microsoft 365 inactive mailbox approach
Alternatively, the Microsoft-recommended method for preserving departed employee mailbox data is to turn the mailbox into an inactive mailbox. An inactive mailbox also costs nothing and frees the corresponding Microsoft 365 license, and creating one is a fairly easy process.
To create an inactive mailbox, you first place the entire mailbox on hold, either a Litigation Hold or a Microsoft Purview retention policy that applies to it (the older In-Place Hold has been retired), and then delete the corresponding user account. The hold must be in place before the deletion, and the mailbox must carry an Exchange Online Plan 2 license (or Plan 1 plus Exchange Online Archiving) at the time the hold is applied; once the user is deleted, the mailbox is preserved as an inactive mailbox and the licenses assigned to the user are released for reuse. This approach seems simple but, when you dig into the details, an inactive mailbox has a number of issues of its own, and Microsoft 365 has a few quirks that might lead you to rethink your strategy.
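The inactive-mailbox procedure just described has an ordering dependency that is easy to get wrong: the hold has to be confirmed on a licensed mailbox before the user is deleted, or the deletion simply starts the 30-day purge clock. The following is an added example, not code from the original post or from Archive360; it assumes the ExchangeOnlineManagement and Microsoft.Graph.Users modules, and `jdoe@contoso.example` and `admin@contoso.example` are placeholders.

```powershell
# Added example (not from the original post): make a leaver's mailbox inactive by
# applying a Litigation Hold, verifying it, and only then deleting the user so the
# license is freed. Requires ExchangeOnlineManagement and Microsoft.Graph.Users;
# names are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.ReadWrite.All'

$leaver = 'jdoe@contoso.example'

# 1. Prerequisite: Litigation Hold needs Exchange Online Plan 2, or Plan 1 plus the
#    Exchange Online Archiving add-on, assigned at the moment the hold is set.
$plans = (Get-MgUserLicenseDetail -UserId $leaver).ServicePlans |
    Where-Object { $_.ProvisioningStatus -eq 'Success' } |
    Select-Object -ExpandProperty ServicePlanName
$holdEligible = ($plans -contains 'EXCHANGE_S_ENTERPRISE') -or
                (($plans -contains 'EXCHANGE_S_STANDARD') -and ($plans -contains 'EXCHANGE_S_ARCHIVE_ADDON'))
if (-not $holdEligible) { throw "$leaver lacks a hold-capable Exchange plan; assign one before continuing." }

# 2. Apply the hold. Unlimited duration keeps the mailbox until the hold is removed;
#    record who asked for it so the retention decision is auditable later.
Set-Mailbox -Identity $leaver -LitigationHoldEnabled $true -LitigationHoldDuration Unlimited `
    -LitigationHoldOwner admin@contoso.example `
    -RetentionComment 'Leaver data preserved per HR exit checklist'

# 3. Do NOT delete the user until the hold is reported as enabled. Microsoft
#    documents that a new hold can take up to an hour to take effect; deleting a
#    mailbox with no effective hold purges it after 30 days.
do {
    Start-Sleep -Seconds 60
    $held = (Get-Mailbox -Identity $leaver).LitigationHoldEnabled
} until ($held)

# 4. Delete the user. The mailbox becomes inactive and its licenses are released.
Remove-MgUser -UserId $leaver

# 5. Confirm the mailbox survives as an inactive mailbox (no license consumed).
Get-Mailbox -InactiveMailboxOnly -Identity $leaver |
    Format-List DisplayName, IsInactiveMailbox, WhenSoftDeleted, LitigationHoldEnabled
```

Step 5 may return nothing for a few minutes after the deletion while directory changes propagate; if it still returns nothing after that, the hold was not effective and the mailbox is on the ordinary 30-day soft-delete path, which is exactly the failure the wait in step 3 is there to prevent. A Purview retention policy scoped to the mailbox can replace the Litigation Hold in step 2, but it has the same licensing prerequisite and the same need to be confirmed before the user is removed.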
In Part II of this post, we’ll discuss alternative and best practice strategies for managing inactive user mailboxes. This includes how to address inactive user data during a migration to Microsoft 365 and during a legacy archive migration.
The Cloud Archive Organizations Trust
Archive360's Archive2Azure is the cloud archive trusted by enterprises and government agencies worldwide. Purpose-built to run in the hyperscale cloud, it is installed and run in your organization's own public cloud tenancy, where you retain all the power, flexibility, and management while maintaining complete control of your data and its security including encryption keys that only you have access to. Additionally, unlike on-premises and SaaS archiving solutions, you are free to unlock valuable insights via data analytics and carry out powerful searches on your data using the latest cloud-based tools that will benefit multiple teams across your business, from HR to legal and compliance.
Find out why major, regulated organizations around the world trust Archive360 with their most sensitive data. Get in touch to request a demo today.
Bill is the Vice President of Global Compliance for Archive360. Bill brings more than 29 years of experience with multinational corporations and technology start-ups, including 19-plus years in the archiving, information governance, and eDiscovery markets. Bill is a frequent speaker at legal and information governance industry events and has authored numerous eBooks, articles and blogs.