Tuesday, September 30, 2014

Exchange Online Shared Mailboxes - Licensing, quota and compliance

Like all things cloud, things change.  This was based on September 2014 data and findings.

Writing today about shared mailboxes as a customer recently had several requirements and in reviewing the service description, I have found some inconsistent information.

And here's the current text of the footnote:
A user must have an Exchange Online license in order to access a shared mailbox. Shared mailboxes don’t require a separate license. However, if you want to enable In-Place Archive for a shared mailbox, you must assign an Exchange Online Plan 1 or Exchange Online Plan 2 license to the mailbox. If you want to enable In-Place Hold for a shared mailbox, you must assign an Exchange Online Plan 2 license to the mailbox. After a license is assigned to a shared mailbox, the mailbox size will increase to that of the licensed plan.

So for the purpose of this blog, I am going to focus on three issues:
  1. How large can a shared mailbox (no license) be?
  2. Can you put shared mailboxes into litigation hold or in-place hold?
  3. If you needed >10GB mailboxes or in place hold, how would you assign a license? 
How large can a shared mailbox (no license) be?
I created a shared mailbox and did a get-mailbox and see the prohibit send and receive is at 50GB

So, either the service description is incorrect, or PowerShell's quota reporting of space is incorrect.

So, I started stuffing the shared mailbox.  I have a pretty nice home PC.  SSD, 32GB RAM, etc.  I'd say around 5GB, using Outlook 2013 with all current patches, a shared mailbox became pretty slow and difficult to work with, even in OWA and Outlook 2013.
Can you put shared mailboxes into litigation hold or in-place hold? 
Based on the service description, you need a license for both litigation hold or in-place hold.  
Here's the GUI versus powershell of my in place hold.  You can see that in shell it shows there are no sourcemailboxes but the GUI shows I have an in place hold.  Confusing and very misleading.
According to the shared mailbox screen, it is under in-place hold

And my test eDiscovery with in place hold seems to be capturing data:

 And the preview shows my data!

What about litigation hold?   Well, that allows me to set it:

But can we trust it?  Is it really holding data?  The answer is yes.  Here's a trimmed screenshot of a prior test (not the same as the in-place hold) that captured data.  Even better, this mailbox was deleted, so this also proves that it is in litigation hold since the mailbox is no longer enabled, we know we are not searching an active mailbox.

If you needed >10GB mailboxes or in place hold, how would you assign a license? 

According to the Service Description, if you need in place hold or larger than 10GB shared mailboxes, you need to assign an Exchange Online Plan 1 or Plan 2 license to the mailbox.

However, since the mailbox is shared, you cannot assign a license to it.

So I opened a quick case asking "how do I apply a license to a shared mailbox?"

Their answer was simple - you need to convert the mailbox to a user mailbox.

Once converted, you can assign a license.   However, one may argue or be concerned on the points this brings up:
  • This is no longer a shared mailbox, but is a user mailbox that is shared, it now has a username and password (and the password assigned is not very complex if a cloud only account (@tenant.onmicrosoft.com) 
  • This is now a cloud only account, if you run DirSync or had a security requirement that all accounts be sourced in AD, this would not be within that policy, or subject to any policies your authentication solution might enforce.  If you had a Hybrid environment, you could convert and move the shared user mailbox to on premise, or just create your shared mailboxes on premise
  • Licensing does not appear to be required to have in-place or litigation hold enabled 
UPDATE 10/1/2014: Thanks to Nino Bilic for pointing out, you ABSOLUTELY can license a shared mailbox.  In O365 Users, search for it, and add a country and license.  He also advises that while quota and hold status may be working without a license, you should license them, in case Microsoft decides to enforce licensing, it could put you in a state of non compliance or over the size limit shared mailboxes!

UPDATE 10/8/2014: Another nod to Nino - In this article, Microsoft addresses Exchange Online licensing required and explicitly mentions Litigation Hold as WELL as in place hold require an Exchange plan 2 license!
Manage inactive mailboxes in Exchange Online

In closing..
  1. Quota, litigation and in-place hold all function as expected on shared mailboxes without a license, however this could change and be enforced at any given time, so obviously recommend using licensing if the functionality is needed.
  2. Litigation and in-place hold are completely enabled for shared mailboxes, regardless of the licensing section of the Service Description
  3. Licensing a shared mailbox can be performed by converting them to a user mailbox or by assigning a license to the shared mailbox MSOLUser as documented above

No comments: