# Mailbox Configuration

Settings applied to user mailboxes in Exchange Online to improve security, compliance, and usability.
## Audit Logging

Mailbox auditing is on by default for all Exchange Online mailboxes since 2019, but verify it and ensure the right actions are captured.

```powershell
Connect-ExchangeOnline -UserPrincipalName admin@domain.com

# Verify audit is enabled for a user
Get-Mailbox -Identity user@domain.com | Select-Object AuditEnabled, AuditOwner, AuditDelegate, AuditAdmin

# Enable auditing on all mailboxes (should already be on)
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.AuditEnabled -eq $false } |
    Set-Mailbox -AuditEnabled $true

# Recommended audit actions to capture
Set-Mailbox -Identity user@domain.com `
    -AuditOwner @{Add="MailboxLogin","HardDelete","SoftDelete","Update","Move","MoveToDeletedItems","SendAs","SendOnBehalf"} `
    -AuditDelegate @{Add="HardDelete","SoftDelete","SendAs","SendOnBehalf","Update","Move"} `
    -AuditAdmin @{Add="HardDelete","MessageBind","SendAs","SendOnBehalf"}
```
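Enabling auditing is only half the job; the actions actually being logged can drift per mailbox. The script below is an added example, not part of the original page, that compares every mailbox against the baseline action sets listed above and reports (and optionally remediates) any gap. It assumes an existing `Connect-ExchangeOnline` session; `Get-AuditGap` is a helper defined here, not an Exchange cmdlet.

```powershell
# Added example (not from the original page): compare each mailbox's audit
# configuration against the baseline recommended above and report the gaps.
# Assumes an existing Connect-ExchangeOnline session.
$RequiredOwner    = "MailboxLogin","HardDelete","SoftDelete","Update","Move","MoveToDeletedItems","SendAs","SendOnBehalf"
$RequiredDelegate = "HardDelete","SoftDelete","SendAs","SendOnBehalf","Update","Move"
$RequiredAdmin    = "HardDelete","MessageBind","SendAs","SendOnBehalf"

function Get-AuditGap {
    # Helper (defined here): actions in the baseline that the mailbox is not logging
    param(
        [string[]]$Configured,
        [string[]]$Required
    )
    $Required | Where-Object { $Configured -notcontains $_ }
}

$report = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox |
    ForEach-Object {
        $mb = $_
        $ownerGap    = Get-AuditGap -Configured $mb.AuditOwner    -Required $RequiredOwner
        $delegateGap = Get-AuditGap -Configured $mb.AuditDelegate -Required $RequiredDelegate
        $adminGap    = Get-AuditGap -Configured $mb.AuditAdmin    -Required $RequiredAdmin
        [PSCustomObject]@{
            Mailbox         = $mb.UserPrincipalName
            AuditEnabled    = $mb.AuditEnabled
            AuditLogAge     = $mb.AuditLogAgeLimit   # how long mailbox audit records are kept
            MissingOwner    = ($ownerGap -join ",")
            MissingDelegate = ($delegateGap -join ",")
            MissingAdmin    = ($adminGap -join ",")
        }
    }

# Mailboxes needing attention: auditing off, or any baseline action not captured
$gaps = $report | Where-Object {
    -not $_.AuditEnabled -or $_.MissingOwner -or $_.MissingDelegate -or $_.MissingAdmin
}
$gaps | Format-Table -AutoSize

# Remediate in one pass; drop -WhatIf once the report above looks right.
# @{Add=...} only adds actions, so anything already configured is kept.
foreach ($g in $gaps) {
    Set-Mailbox -Identity $g.Mailbox -AuditEnabled $true `
        -AuditOwner    @{Add=$RequiredOwner} `
        -AuditDelegate @{Add=$RequiredDelegate} `
        -AuditAdmin    @{Add=$RequiredAdmin} -WhatIf
}
```

Run the report first and keep it; the `MissingOwner`/`MissingDelegate`/`MissingAdmin` columns tell you which mailboxes had been silently under-logging, which matters when you later investigate an incident in that window.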
## Mailbox Forwarding

Block or control automatic forwarding to prevent data exfiltration post-compromise.

### Disable automatic forwarding globally (recommended)

Done via the outbound spam policy — see Anti-Spam. Set Automatic forwarding rules to Off.

### Audit existing forwarding rules

```powershell
# Find mailboxes with forwarding configured
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingAddress -ne $null -or $_.ForwardingSmtpAddress -ne $null } |
    Select-Object DisplayName, UserPrincipalName, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# Find inbox rules that forward externally
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Get-InboxRule -Mailbox $_.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -ne $null -or $_.RedirectTo -ne $null -or $_.ForwardAsAttachmentTo -ne $null } |
        Select-Object @{N="Mailbox";E={$_.MailboxOwnerID}}, Name, ForwardTo, RedirectTo
}
```
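The listings above show every forwarding target, internal or not. The following is an added example, not code from the original page, that classifies each target as internal (an accepted domain of the tenant) or external, notes whether the owner still receives a copy, and then pulls the last week of rule and forwarding changes from the unified audit log so you can see who configured them. It assumes an existing `Connect-ExchangeOnline` session whose account can run `Search-UnifiedAuditLog`; `Get-ForwardTargetDomain` and `Test-ExternalTarget` are helpers defined here.

```powershell
# Added example (not from the original page): flag forwarding that leaves the
# tenant and show who set it up. Internal = any accepted domain of the tenant;
# anything else is external. Assumes an existing Connect-ExchangeOnline session.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { "$_".ToLower() }

function Get-ForwardTargetDomain {
    # Helper (defined here): pull the domain out of a forwarding target.
    # Handles the mailbox-level "smtp:user@example.net" form and the inbox-rule
    # '"Display Name" [SMTP:user@example.net]' form. Internal recipients in
    # rules appear as [EX:/o=...] and yield $null.
    param([string]$Target)
    if ($Target -match 'smtp:([^\]\s"]+)') { return $Matches[1].Split('@')[-1].ToLower() }
    return $null
}

function Test-ExternalTarget {
    # Helper (defined here): $true when the target's domain is not an accepted domain
    param([string]$Target)
    $domain = Get-ForwardTargetDomain -Target $Target
    return ($null -ne $domain) -and ($internalDomains -notcontains $domain)
}

$findings = New-Object System.Collections.Generic.List[object]

# Mailbox-level forwarding (admin-set or via Outlook settings)
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress } |
    ForEach-Object {
        $findings.Add([PSCustomObject]@{
            Mailbox  = $_.UserPrincipalName
            Source   = "Mailbox"
            Target   = "$($_.ForwardingSmtpAddress)"
            External = Test-ExternalTarget "$($_.ForwardingSmtpAddress)"
            KeepCopy = $_.DeliverToMailboxAndForward
        })
    }

# Inbox rules that forward or redirect. DeleteMessage on such a rule means the
# owner never sees the forwarded mail, so KeepCopy = $false is worth a closer look.
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $upn = $_.UserPrincipalName
    Get-InboxRule -Mailbox $upn -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.RedirectTo -or $_.ForwardAsAttachmentTo } |
        ForEach-Object {
            $rule = $_
            $targets = @($rule.ForwardTo) + @($rule.RedirectTo) + @($rule.ForwardAsAttachmentTo)
            foreach ($t in ($targets | Where-Object { $_ })) {
                $findings.Add([PSCustomObject]@{
                    Mailbox  = $upn
                    Source   = "InboxRule: $($rule.Name)"
                    Target   = "$t"
                    External = Test-ExternalTarget "$t"
                    KeepCopy = -not $rule.DeleteMessage
                })
            }
        }
}

# External targets first; these are the ones to act on
$findings | Sort-Object External -Descending | Format-Table -AutoSize

# Who created or changed forwarding in the last 7 days, from the unified audit log.
# Set-Mailbox is noisy, so keep only records whose details mention forwarding.
$since = (Get-Date).AddDays(-7)
Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) -ResultSize 5000 `
    -Operations "New-InboxRule","Set-InboxRule","UpdateInboxRules","Set-Mailbox" |
    Where-Object { $_.Operations -ne "Set-Mailbox" -or $_.AuditData -match "Forwarding" } |
    Select-Object CreationDate, UserIds, Operations,
        @{N="ClientIP";E={($_.AuditData | ConvertFrom-Json).ClientIP}}
```

Correlating a new external rule with the `ClientIP` and time of its creation is usually the quickest way to tell a user's own convenience rule from one created during a session hijack.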
## Litigation Hold & In-Place Hold

Place a litigation hold on a mailbox to preserve all content (including deletions) for compliance or legal purposes.

```powershell
# Enable litigation hold with 7-year retention
Set-Mailbox -Identity user@domain.com `
    -LitigationHoldEnabled $true `
    -LitigationHoldDuration 2555 `
    -LitigationHoldOwner "Legal Hold - Case Name"

# Check hold status
Get-Mailbox -Identity user@domain.com |
    Select-Object LitigationHoldEnabled, LitigationHoldDuration, LitigationHoldOwner

# Place all mailboxes on hold (use with caution)
Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} |
    Set-Mailbox -LitigationHoldEnabled $true
```
## Mailbox Size & Quotas

```powershell
# Get mailbox sizes
Get-Mailbox -ResultSize Unlimited | Get-MailboxStatistics |
    Select-Object DisplayName, TotalItemSize, ItemCount |
    Sort-Object { $_.TotalItemSize.Value.ToBytes() } -Descending |
    Select-Object -First 20

# Check quota settings
Get-Mailbox -Identity user@domain.com |
    Select-Object IssueWarningQuota, ProhibitSendQuota, ProhibitSendReceiveQuota

# Increase mailbox quota for a specific user
Set-Mailbox -Identity user@domain.com `
    -IssueWarningQuota 45GB `
    -ProhibitSendQuota 49GB `
    -ProhibitSendReceiveQuota 50GB `
    -UseDatabaseQuotaDefaults $false
```
## Email Retention (Retention Tags & Policies)

Retention policies are now managed via Microsoft Purview → Data lifecycle management.

For legacy MRM (Messaging Records Management) via Exchange:

```powershell
# List existing retention policies
Get-RetentionPolicy | Select-Object Name, RetentionPolicyTagLinks

# Assign a retention policy to a mailbox
Set-Mailbox -Identity user@domain.com -RetentionPolicy "Default MRM Policy"
```
## Shared Mailboxes

```powershell
# Create a shared mailbox
New-Mailbox -Shared -Name "Helpdesk" -DisplayName "IT Helpdesk" -Alias helpdesk

# Grant Full Access and Send As
Add-MailboxPermission -Identity helpdesk -User user@domain.com -AccessRights FullAccess -InheritanceType All
Add-RecipientPermission -Identity helpdesk -Trustee user@domain.com -AccessRights SendAs

# List all shared mailboxes and their members
# (-ResultSize Unlimited: the default returns at most 1000 mailboxes)
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails SharedMailbox | ForEach-Object {
    $mb = $_
    $members = Get-MailboxPermission $mb.Identity |
        Where-Object { $_.User -notlike "NT AUTHORITY*" -and $_.IsInherited -eq $false }
    [PSCustomObject]@{
        SharedMailbox = $mb.DisplayName
        Members       = ($members.User -join ", ")
    }
}
```
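The listing above covers Full Access only. The script below is an added example, not code from the original page, that gives the complete delegation picture per shared mailbox (Full Access, Send As, and Send on Behalf, the latter two letting a delegate send mail that appears to come from the shared address), plus two things worth checking on every shared mailbox: whether the account still allows interactive sign-in (nobody should sign in to a shared mailbox directly, so it should be blocked) and whether it forwards externally. It assumes `Connect-ExchangeOnline` and, for the sign-in check only, the Microsoft Graph PowerShell SDK with `Connect-MgGraph -Scopes "User.Read.All"`; `Get-SharedMailboxDelegation` is a helper defined here.

```powershell
# Added example (not from the original page): full delegation review for shared
# mailboxes. Assumes Connect-ExchangeOnline; the sign-in check additionally
# assumes Connect-MgGraph -Scopes "User.Read.All" and is skipped otherwise.
function Get-SharedMailboxDelegation {
    param([string]$Identity)   # UPN or alias of one shared mailbox

    $mb = Get-Mailbox -Identity $Identity

    # Full Access: delegates who can open the mailbox and read everything
    $fullAccess = Get-MailboxPermission -Identity $mb.Identity |
        Where-Object { $_.AccessRights -contains "FullAccess" -and
                       $_.User -notlike "NT AUTHORITY*" -and -not $_.IsInherited } |
        Select-Object -ExpandProperty User

    # Send As: mail appears to come directly from the shared address
    $sendAs = Get-RecipientPermission -Identity $mb.Identity |
        Where-Object { $_.AccessRights -contains "SendAs" -and $_.Trustee -notlike "NT AUTHORITY*" } |
        Select-Object -ExpandProperty Trustee

    # Send on Behalf is stored on the mailbox object itself
    $sendOnBehalf = @($mb.GrantSendOnBehalfTo)

    # Sign-in state lives in Entra ID, not Exchange; only checked if Graph is loaded
    $signInEnabled = $null
    if (Get-Command Get-MgUser -ErrorAction SilentlyContinue) {
        $signInEnabled = (Get-MgUser -UserId $mb.UserPrincipalName -Property AccountEnabled).AccountEnabled
    }

    [PSCustomObject]@{
        SharedMailbox = $mb.DisplayName
        UPN           = $mb.UserPrincipalName
        FullAccess    = ($fullAccess -join ", ")
        SendAs        = ($sendAs -join ", ")
        SendOnBehalf  = ($sendOnBehalf -join ", ")
        SignInEnabled = $signInEnabled            # $true: block it (Update-MgUser -AccountEnabled:$false)
        ExternalFwd   = [bool]$mb.ForwardingSmtpAddress
    }
}

$review = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails SharedMailbox |
    ForEach-Object { Get-SharedMailboxDelegation -Identity $_.UserPrincipalName }

$review | Format-Table -AutoSize

# The two conditions that almost always warrant a ticket
$review | Where-Object { $_.SignInEnabled -eq $true -or $_.ExternalFwd }
```

Send the `FullAccess`/`SendAs`/`SendOnBehalf` columns to each mailbox's business owner for periodic re-attestation; delegations tend to accumulate as people change roles and are rarely removed on their own.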
## Mobile Device Access

Control how mobile devices connect to Exchange Online:

Exchange admin center → Mobile → Mobile device access

| Setting | Recommended value |
|---|---|
| Device access rule | Quarantine new devices (require admin approval) |

Or rely entirely on Intune MAM/MDM via Conditional Access (preferred modern approach — see Intune).
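The same setting can be inspected and applied from PowerShell, which is handy for baselining several tenants. The block below is an added example, not code from the original page; it assumes an existing `Connect-ExchangeOnline` session, and `mobile-admins@domain.com` is a placeholder address.

```powershell
# Added example (not from the original page): the EAC setting above as
# PowerShell, plus a look at devices waiting in quarantine.
# Assumes an existing Connect-ExchangeOnline session.

# Current org-wide default. "Allow" is the weak setting; "Quarantine" is the target.
Get-ActiveSyncOrganizationSettings | Select-Object DefaultAccessLevel, AdminMailRecipients

# Quarantine unknown devices and notify admins so they can approve or block.
# The admin address is a placeholder.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "mobile-admins@domain.com" `
    -UserMailInsert "Your device is awaiting IT approval."

# Devices currently held in quarantine, with the user each belongs to
Get-MobileDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -eq "Quarantined" } |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceOS, DeviceId, FirstSyncTime

# Approve a single device for a single user once verified with them
Set-CASMailbox -Identity user@domain.com -ActiveSyncAllowedDeviceIDs @{Add="<DeviceId from the list above>"}
```

Note that these settings govern Exchange ActiveSync only; clients using Outlook mobile with modern authentication are controlled through Conditional Access and Intune, as the paragraph above recommends.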