How to remove a user’s access to their Exchange Online mailbox while allowing them access to other Office 365 services

Acquisitions and divestitures can create some very interesting requirements from organizations’ Legal Departments. I am currently working with a client who is in the process of divesting part of their business, and they posed a rather interesting challenge to help facilitate the transition period for departing employees. They requested the following:

  1. Maintain all ~100 Exchange Online mailboxes intact
  2. Provide “Auto-Replies” in order to alert mail senders that the user’s e-mail address has changed
  3. Prohibit the users from accessing their old mailbox, including reading old e-mail or sending new e-mail
  4. Still allow the users access to other Office 365 services, including OneDrive, OneNote, the Office client applications, and SharePoint Online.

When presented with this list I was doing rather well until I hit condition #4, which put a wrinkle in my plans. Traditionally, when performing a divestiture, I would follow a process of generating PSTs, providing them to the new company, putting the mailbox on Legal Hold, converting the mailbox to a Shared Mailbox, removing the O365 license, etc. However, the additional requirement to maintain their access to other O365 services made this quite challenging.

At first I tried going down the path of changing permissions on the user mailbox, which proved to be useless: there is no way of removing a user’s access to their own mailbox. Next, I started thinking about some sort of leapfrog-type approach of creating a shared mailbox, backing up and restoring the user mailbox into it, auto-forwarding all new e-mail from the user mailbox to the shared mailbox without keeping a copy, etc. As you might imagine, this became overly complicated rather quickly.

I then shifted my focus to some of Office 365’s security tools, mainly Intune Conditional Access Security Policies. Since my client is currently licensed for E3 with Enterprise Mobility + Security, they have access to both Intune and Conditional Access Policies.

This all came together really nicely, as I was able to create a Conditional Access Policy that would block Exchange Online. I could then select users, or ideally a group, that would receive that automatic block (across OWA, the Outlook client, and mobile).


When testing this out via OWA with the disabled user, I was greeted by this awesome error message:


And yet when I accessed OneDrive it loaded just fine:


One interesting thing I did notice was that when I applied that policy, the user’s mailbox disappeared from the Exchange Online admin console. Yet I was still able to make changes to the mailbox using PowerShell (for example, setting the AutoReply).

Here’s the order of operations for the actual cut-over:

  1. We put all the mailboxes on litigation hold
  2. Ran a PowerShell script to set the Auto-Reply
  3. Created an O365 group (either a mail-enabled Security group or a Distribution List)
  4. Created the Conditional Access Policy and included that group in the policy blocking access to Exchange Online
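The four cut-over steps above as one script, added here as an example and not the post author’s original script. It assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules, an account holding the Exchange and Conditional Access administrator roles, and constructed sample data: the user list at contoso.example, the group name, the new domain, the auto-reply text, and a break-glass account to exclude from the block are all placeholders. The policy is created in report-only mode first so the sign-in logs can be reviewed before it is enforced.

```powershell
# Added example, not from the original post. Assumes ExchangeOnlineManagement
# and Microsoft.Graph modules are installed; all names below are placeholders.

$DepartingUsers = @(                                   # constructed sample data
    'alice@contoso.example',
    'bob@contoso.example'
)
$GroupName     = 'Divested-Mailbox-Block'              # assumption
$NewDomain     = 'newco.example'                       # assumption
$BreakGlassUpn = 'breakglass-admin@contoso.example'    # assumption

Connect-ExchangeOnline -ShowBanner:$false

# Step 1: litigation hold preserves mailbox content even if items are deleted
# (requires an E3-class license on the mailbox).
foreach ($upn in $DepartingUsers) {
    Set-Mailbox -Identity $upn -LitigationHoldEnabled $true
}

# Step 2: auto-reply for both internal and external senders.
foreach ($upn in $DepartingUsers) {
    $alias   = ($upn -split '@')[0]
    $message = "This mailbox is no longer monitored. Please contact me at $alias@$NewDomain."
    Set-MailboxAutoReplyConfiguration -Identity $upn `
        -AutoReplyState Enabled `
        -ExternalAudience All `
        -InternalMessage $message `
        -ExternalMessage $message
}

# Step 3: mail-enabled security group whose members receive the block.
$group = Get-DistributionGroup -Identity $GroupName -ErrorAction SilentlyContinue
if (-not $group) {
    New-DistributionGroup -Name $GroupName -Type Security -Members $DepartingUsers | Out-Null
} else {
    foreach ($upn in $DepartingUsers) {
        Add-DistributionGroupMember -Identity $GroupName -Member $upn -ErrorAction SilentlyContinue
    }
}

# Step 4: Conditional Access policy via Microsoft Graph that blocks the group
# from Exchange Online only, across browser, desktop and mobile clients.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Group.Read.All','User.Read.All'

# The Exchange group may take a short while to appear in Entra ID.
$entraGroup    = Get-MgGroup -Filter "displayName eq '$GroupName'"
$breakGlass    = Get-MgUser -UserId $BreakGlassUpn
$exchangeAppId = '00000002-0000-0ff1-ce00-000000000000'  # Office 365 Exchange Online first-party app; verify under Enterprise applications in your tenant

$policy = @{
    displayName   = 'Block Exchange Online for divested users'
    # Start in report-only, review sign-in logs, then change to 'enabled'.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{
            includeGroups = @($entraGroup.Id)
            excludeUsers  = @($breakGlass.Id)   # never lock out the emergency account
        }
        applications   = @{ includeApplications = @($exchangeAppId) }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Out-Null

# Verification: the mailbox may vanish from the admin console once the policy
# applies, but PowerShell still reaches it.
Get-MailboxAutoReplyConfiguration -Identity $DepartingUsers[0] |
    Select-Object Identity, AutoReplyState, ExternalAudience
```

Because a Conditional Access block only stops new sign-ins, any existing Outlook session keeps working until its token expires; revoking the users’ refresh tokens (or waiting out the token lifetime) closes that window.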

This was so much simpler than the other convoluted process we were pursuing of auto-forwarding messages between mailboxes, etc. Azure Conditional Access Policies were the absolute key to making this happen, and I was very fortunate that my client was already properly licensed.

More info on Enterprise Mobility Suite Licensing can be found here:

