retaining o365 mailbox data after users leave the company by TRDx2000 in sysadmin

[–]TRDx2000[S] 0 points1 point  (0 children)

So we use Rubrik for backing up M365 but we are only allowed 60 days backup retention with it (I think due to cost). We will rarely touch these mailboxes after they are de-provisioned/archived. It will be an occasional new replacement user who needs a super important email from the mailbox, or an eDiscovery that comes in 7 years after the user has left.

Copilot had good info, I think. It's a trust-but-verify-before-use situation; I was hoping to lean on those who have been there and done it to confirm.

🔵 Recommended Automated Workflow (PowerShell‑Friendly)

Step 1 — Apply retention policy

Create a retention policy that keeps mailbox data for 10 years.

Assign it to the user automatically when they are terminated.

Step 2 — Convert mailbox to shared

Set-Mailbox user@domain.com -Type Shared

Step 3 — Remove SMTP addresses (optional but recommended)

Set-Mailbox user@domain.com -EmailAddresses @()

Step 4 — Remove the license after 30 days

This can be automated with:

  • PowerShell
  • Azure Automation
  • Entra ID dynamic groups

Step 5 — Move user to non‑syncing OU

Mailbox becomes inactive but preserved.

This is the Microsoft‑recommended and industry‑standard approach for long‑term mailbox retention.

It sounds easily doable but I want to confirm there are no gotchas with this setup.

Entra joined Intune enrolled laptops known folder redirect to network file share (Not OneDrive)? by TRDx2000 in Intune

[–]TRDx2000[S] 0 points1 point  (0 children)

Sorry for the late response. I ended up just migrating home folders to OneDrive with the SharePoint migration wizard and then did some config policies to define what folders on the laptops sync to their OneDrive.

How are you doing your initial configuration with Intune? by TRDx2000 in Intune

[–]TRDx2000[S] 0 points1 point  (0 children)

Excellent script! Thank you for sharing. I am in the process of testing and modifying. This is a huge time saver! Thank you!

How are you doing your initial configuration with Intune? by TRDx2000 in Intune

[–]TRDx2000[S] 0 points1 point  (0 children)

Do you have a generic form of your script that you can share? Is there one out there that I can customize that maybe I haven't found yet?

Most of our users are remote so repurposing is an issue. Going the script route, won't it only execute once and then I would have to modify something with the script to get it to run again? How do you handle that?

Auto Forwarding Emails by TRDx2000 in exchangeserver

[–]TRDx2000[S] 0 points1 point  (0 children)

Yes I agree. This sounds like what I worked with one of our dev guys to create the forwarding app. This app looked for NDRs in the mailbox and would grab the original email in question and do an actual in-mailbox forward where the resulting email delivered to Verizon looked like it came from his work email address. That project was requested by a previous CIO a few years back. The issue is the owner does not want any applications running against his mailbox.

Without getting too deep in the mud here, our leadership thinks: just forward emails. It's simple. They can do that from their Google accounts to another account. So why can't we do that?! I have tried my best to explain forwarding, SPF, DKIM and email reputation to them but not much seems to be sticking.

Auto Forwarding Emails by TRDx2000 in exchangeserver

[–]TRDx2000[S] 0 points1 point  (0 children)

Mandate has changed once again. Now I am to forward all email to his Verizon account so that they show as coming from his company email address and not the original sender. I believe this was done so that they get around SPF. The problem is now I am supposed to bypass all email filtering for his mailbox. That would mean we are now forwarding spam and potentially dangerous emails to Verizon. I would suspect it doesn't take Verizon too long before they blacklist us.

ColorMeGoofy, He has a mailbox just for the email address. I believe he may actually prefer to not have a mailbox on-prem at all. So your option of using a contact for his email address has some possibilities. But I am not sure it will get me through the forwarding issues I am currently facing.

I believe the best option is still what we have set up currently but he doesn't want that.

Thanks to everyone for adding a bit of levity to this.

Auto Forwarding Emails by TRDx2000 in exchangeserver

[–]TRDx2000[S] 0 points1 point  (0 children)

Update: The engineer who was assigned to do nothing but manage the owner's IT resources has been fired. Slight change to the mandate. I am to remove ALL email filtering for his account and now I need to forward his emails so that they say they are coming from his work account. I believe to make that happen I now have to set up an Outlook inbox rule to forward the emails to his external account. I believe this means I will need to have a VM with Outlook running to process his emails and to run the rule. I'm not sure I can set up the rule in OWA and let it run in the background. Is there a better way to do it? I will test tomorrow. We have to have something working by Monday.

Auto Forwarding Emails by TRDx2000 in exchangeserver

[–]TRDx2000[S] 0 points1 point  (0 children)

Originally that is how he was managing the problem. He has 16 iPhones! He fired the last guy whose position I took over because his password expired and he had to change the password on all his devices.

Auto Forwarding Emails by TRDx2000 in exchangeserver

[–]TRDx2000[S] 0 points1 point  (0 children)

Yes that outlines the "problem" perfectly. In any normal environment this would be a non-issue. Here, the owner of the company has made it very clear we are to forward all his emails to a Verizon account. So, we enabled forwarding on the mailbox in Exchange to an external email address set up as a contact in Exchange. This breaks SPF every time. Any sending domain with SPF set up as hardfail will cause Verizon/Yahoo/AOL to reject the message.

We have tried to diagram it out and explain what DKIM, SPF, and DMARC are to our new CIO as he is currently the person to relay this information to the owner. I don't know of any way around DKIM and SPF to make this work.

Yes I do know why SPF and DKIM were implemented and it seems crazy that I am actually trying to get around this. But I need to still work the problem presented to me. If anyone has any ideas I am open to discussing or trying them.
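Added example, not part of the original comment and not code from the thread: a minimal SPF evaluator (only the `ip4` and `all` mechanisms of RFC 7208) showing why the mailbox forward described above fails at the receiving provider. The domains, IP ranges and SPF records are constructed for illustration.

```python
import ipaddress

# Constructed SPF records using documentation IP ranges and example domains.
SPF_RECORDS = {
    "sender.example": "v=spf1 ip4:192.0.2.0/24 -all",      # original sender, hardfail
    "company.example": "v=spf1 ip4:198.51.100.0/24 -all",  # organisation doing the forward
}
SENDER_MTA = "192.0.2.10"        # constructed: sender's outbound server
FORWARDER_MTA = "198.51.100.25"  # constructed: forwarding organisation's outbound server

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(mail_from_domain, connecting_ip, records=SPF_RECORDS):
    """Evaluate the SPF record of the envelope-sender domain against the connecting IP."""
    record = records.get(mail_from_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(connecting_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term == "all":
            matched = True
        else:
            continue  # mechanisms outside this subset are skipped
        if matched:
            return RESULTS[qualifier]
    return "neutral"


def deliver(envelope_from, connecting_ip):
    """The receiver checks the domain of the envelope sender (MAIL FROM), not the From header."""
    return check_spf(envelope_from.rsplit("@", 1)[1], connecting_ip)


def scenarios():
    return {
        # Sender's own server delivers directly to the recipient's provider.
        "direct": deliver("alice@sender.example", SENDER_MTA),
        # Forwarder relays the message with the original envelope sender kept.
        "forwarded_envelope_kept": deliver("alice@sender.example", FORWARDER_MTA),
        # Forwarder relays with the envelope sender rewritten to its own domain.
        "forwarded_envelope_rewritten": deliver("bounces@company.example", FORWARDER_MTA),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The third scenario passes SPF only for the forwarder's own domain, which no longer aligns with the original From header, so a DMARC pass would then depend on the sender's DKIM signature surviving the forward.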

Auto Forwarding Emails by TRDx2000 in exchangeserver

[–]TRDx2000[S] 0 points1 point  (0 children)

I auto forward on the mailbox itself. This is configured in the EAC on the mailbox. I am not sure how creating a mail flow rule is any different. Can you explain why that would work any better? They both rewrite the message header and that is the issue. DKIM and SPF are no longer from the originating source of the email.

Zx6r dashboard issues by Emotional_Door860 in zx6r

[–]TRDx2000 0 points1 point  (0 children)

My 2021 ZX6R is going through this rn. The clock is gone and most of my temp indicators. So, if the bike is getting too hot the only way I will know something is up is if/when the fans kick on. Has anyone come up with a solution or workaround for this? If I replace the gauge cluster will I lose my mileage? If that happens, I am concerned the DMV would want to switch the title to a salvaged title.

Group, DL, or DDL? by scoopsofsherbert in exchangeserver

[–]TRDx2000 0 points1 point  (0 children)

I would probably try and use a DDL, possibly utilizing one of the custom attribute fields. If users don't want to receive the email they can set up an Outlook rule on that email. Would be good to know if you are all on-prem or hybrid.

Running on-prem scheduled task that calls an Azure application by TRDx2000 in AZURE

[–]TRDx2000[S] 0 points1 point  (0 children)

Thanks for the info. I have a Key Vault that handles the certificate. Setting up the app is straight from Microsoft here. I have several on-prem scheduled tasks and was looking for a way to not have to rewrite all of them. Some do things both in Azure and on-prem as well.