Organizational Security & Compliance in Office 365 – Exchange Online


Customer: Contoso

Contoso is a metal fabrication company founded in the Puget Sound region in the early 1900s. E-Mail accounts have been created for the employees in the table below. This works, but Contoso management has brought up concerns relating to e-mail security.


E-Mail Alias




Chad Contoso


Operations Manager



Dave Contoso



Outside Sales


Judi Contoso





Kermit Contoso





Mike Smith





Paul Contoso



Inside Sales


Cloud Solution Provider (CSP) Partner: Fabrikam

Fabrikam is the CSP partner managing Contoso's services

Preventing loss of data

Unintended user deletion

Somehow Chad Contoso's user account has been deleted. Fortunately, mailboxes are retained in Exchange Online for 30 days after user deletion.

Implementation Steps

In the Admin center, expand the Users folder and click 'Deleted users'.

Verify that the user in question is listed. If the user is not there, the user is either not deleted, or has been purged from the system. Select the user and click 'Restore'.

Specify how the restored user's initial password should be set. Click Restore.

An email can be sent with the restored user's new login. Set the recipient and click 'Send email and close' to have the email sent. To skip the email, uncheck 'Send password in email', then click 'Close'.

Click 'Active users' and verify the user is listed.

Mailbox retention for former employees

Paul and Judy Contoso have retired from the company. The mailboxes of these employees need to be retained. With Exchange Online Plan 2, there are two ways to retain the mailbox without using an extra license.

  • Inactive mailbox
    • Contents are protected by hold
    • To access the contents, the mailbox needs to be restored to a licensed user
    • New email cannot be received or sent
  • Shared mailbox
    • Contents are not protected by default
    • The contents are available to anyone with sufficient permission
    • New email can be received
    • New email can be sent by users with send-as or on behalf permission

Inactive mailbox implementation

Navigate to the Exchange admin center and click on the compliance management tab.

Click the plus button to create a new hold. Type in a name and optionally a description, then click Next.

Add the users whose mailbox needs to be retained, then click Next.

Click Next

Specify how long the mailbox should be held, then click Finish.

Click Close after Hold settings have been updated.

Delete the user.

Shared mailbox implementation

Navigate to the recipients tab in the Exchange admin center and select the user's mailbox.

In the actions pane click the Convert link under the 'Convert to Shared Mailbox' heading.

Click Yes on the warning dialog.

Click Close after the conversion has been completed.

Navigate to the Active users list in the Admin Center and click the user.

Click the Edit link under the Product licenses section of the user properties.

Turn off the user's mailbox and click Save.

Click Close.

The user should show up as Unlicensed.

To verify, check the shared mailbox list in the Exchange admin center.

Restricting email delivery

The customer has enlisted the services of interns including Mike Smith. The customer wants to allow interns like Mike to be able to correspond via email, but only with employees and other interns.

Implementation steps

Navigate to the groups list in the Admin center and click Add a group.

Type a name and email alias for the group. Turn off the option to allow people outside the company to send email to the group. Click Add to create the group.

Navigate to the group list in the Exchange admin center. Select the group and click the edit button.

Click the membership header, then add the people for whom email delivery should be limited.

Select 'membership approval' and make sure Closed is selected for both join and leave options. Click Save.

Navigate to the mail flow section of the Exchange admin center and create a new rule.

Click the 'More options…' link to enable additional options and define a rule to handle outbound email.

Define another rule to handle inbound email.

Restricting access to email

The customer wishes to limit access to company email. Company email should be accessed via Outlook installed on company owned computers. The only exception is for employees in the mobile sales team and employees in management. These users should be able to access email via a mobile device using Exchange ActiveSync.

Mailbox feature implementation steps

Edit the Exchange properties of a user

Select the mailbox features heading.

Set the following settings

  • Exchange ActiveSync – Enabled only for mobile and management users
  • OWA for Devices – Disabled for all users
  • Outlook on the web – Disabled for all users
  • IMAP – Disabled for all users
  • POP3 – Disabled for all users
  • MAPI – Enabled for all users

Mobile device policy implementation steps

In the Exchange admin center click on the mobile header, then click the mobile device mailbox policies tab.

Select the Default policy then click the edit button. Multiple policies can be defined if necessary.

Click the security header. Set the security options and click Save.

Additional options are available when using the PowerShell cmdlet Set-MobileDeviceMailboxPolicy, see for details.

Data Loss Prevention rules

Implementation steps

In the Exchange admin center, click the compliance management header and select the 'data loss prevention' tab.

Click the Add button. Specify a name, chose a template then click Save.

Now that the rule has been created, it can be customized and enforced.

Online Archive

An online archive is effectively a secondary mailbox associated with a user's email account. Email can be archived in the online archive manually and via message records management. One limitation is that the archive cannot be accessed via a mobile device using Exchange ActiveSync.

Implementation steps

Access the 'mailbox features' section of a user's Exchange settings

Click the Enable link for Archiving, then click Save.

eDiscovery and Legal Hold

Administrators within the customer's company can manage eDiscovery cases via the Security & Compliance portal.

After logging into the Security & Compliance center as a tenant admin, click eDiscovery under the 'Search & investigation' group.

Click the add button to create a new case. Specify a name and who should have access to the case. Click Finish to create the case.

Once the case has been created, select the case and click the edit button.

Holds can be managed from the Holds section.

Searches can be managed from the Searches section.

Audit logs

Audit logs can be viewed from the Exchange admin center. Navigate to the auditing tab of the 'compliance management' section and click a link to run a report.