In theory, shutting down or disabling a user mailbox in Exchange hybrid 2013 and 2016 might seem simple. But when the time comes, plenty of unplanned scenarios can complicate this simple action. You may want to preserve the mailbox while blocking access or need to enable litigation hold and lock out a user for compliance purposes.
In any case, these three scenarios will help you successfully disable an Exchange hybrid 2013 or 2016 user account.
Terminating Active Directory Synced Users
When an employee leaves your organization, the easiest way to remove the account from Office 365 is to delete or disable the user from Active Directory. This will force the Azure Active Directory Connect client to remove/disable the user in Office 365 during the next sync cycle.
Blocking Sign-in Access
If you need to preserve a user’s mailbox (but block access) you can disable the user’s account in Active Directory or follow the steps below in the Office 365 management portal.
IMPORTANT: Blocking an account can take up to 24 hours to take effect. If you need to immediately prevent a user’s sign-in access, you should reset the password in your on-premises Active Directory and force a directory sync:
1. Sign in with your Office 365 global admin account at https://portal.office.com/adminportal/home
2. In the Office 365 admin center, select Users.
3. Select the user you want to terminate and choose Edit next to Sign-in status in the user pane.
4. Finally, select Sign-in blocked.
Enable Litigation Hold & Terminate User
Many organizations are required to preserve mailbox data for a number of years to meet government compliance requirements, such as PCI, HIPAA or SOX. Placing a mailbox on litigation hold generally satisfies this requirement, but your organization must own at least one Exchange Online Plan 3 license or higher.
To place a mailbox on litigation hold:
- Log in to the Exchange Administration Console.
- Go to Recipients > Mailboxes.
- In the list of user mailboxes, click the mailbox you want to place on Litigation Hold then click Edit.
- On the mailbox properties page, click Mailbox features.
- Under Litigation hold: Disabled, click Enable to place the mailbox on Litigation Hold.
- On the Litigation Hold page, enter the following optional information:
- Litigation hold duration (days): Use days to specify the duration. If left blank, the mailbox will be placed on hold indefinitely.
- Click Save on the Litigation Hold page, and then click Save on the mailbox properties page.
After placing the mailbox on litigation hold, you can delete the user in Active Directory to free up the Exchange Online Plan E3 license so you can place another mailbox on hold the next time an employee leaves your organization.