How to remove users from an Exchange Online in-place hold policy

In-place hold, legal hold, compliance hold, journaling and/or select “D”: all of the above, when it’s simplified down to its simplest form is storing emails for X amount of time in case there’s a problem and these need to be reviewed. What’s great about Office 365 Exchange Online is that there is the ability to store those emails in the cloud for 2555 days (or roughly speaking 7 years).

Let’s fast forward to having in-place hold enabled for an Exchange Online tenant. In my reference case I have roughly 10,500 users in the tenant and numerous in-place hold policies, with the largest containing 7,500 or so users. I’ve run into a small problem with this Hybrid based environment whereby I need to move a mailbox that is covered by an in-place hold policy (let’s call it “Lucians Mailbox Search Policy”) back to on-premises for a couple of reasons. The following blog post outlines how to remove users from an in-place hold via PowerShell as the Office 365 / Exchange Online Control Panel may not let you do that when you have thousands of users in a single hold policy.

Problem

When working with Exchange Online (and potentially with Exchange Server 2013 and Server 2016, but this is a cloud orientated blog, so, lets stick with Exchange Online), there is the very likely hood that there are tens of thousands of users in a tenant. When you have that many users, it’s important to be able to use tools to manage large numbers effectively.

I ran into a problem where the Exchange Online Control Panel was not allowing me to remove two users from an in-place hold policy that covered roughly 7,500 users. This is part one of the problem, but, part two is also a reference to eDiscovery search that ties in with in-place hold polices. eDiscovery search in our tenant has a maximum search size of 5,000 users. This does not affect the in-place hold policy much as that is limited to 10,000 users and we’re bellow that. However, this client may need eDiscovery in the future, so I’ll come back to this problem later in the is post.

To remove two users from the in-place hold policy called “Lucian’s Mailbox Search Policy”- I need to use PowerShell to get around the ECP.

Solution

The following PowerShell cmdlets are able to be used to remove a user from a in-place hold policy.

Get the data

Run the following PowerShell to create a variable in your PS session grabbing all the mailboxes in the hold policy called “Lucians Mailbox Search Policy”

# Create a variable which will get the mailbox search
$check = Get-MailboxSearch “Lucian’s Mailbox Search Policy"

Back this up!

I’ve included this as an additional step to be safe in that if you delete too many users, you can go back and restore the original policy.

# To list all the mailboxes in the hold, as well as back up the data, run the following
# This will save the sources.txt file in your current PowerShell target, eg: PS C:\TEMP>
$check.sources > sources.txt

Remove your users

Run the following, replacing to to remove the users from your PS sessions variable $check.

# Removes the users from the mailbox search list
$check.sources.remove("<user1>")
$check.sources.remove("<user2>")
$check.sources.remove("<user3>")

Important side note - when entering the data, this needs to be in the form of either DistinguishedName or LegacyExchangeDN.

Save and go live

The final step is to save the new list of SourceMailboxes to the live in-place hold policy.

# Sets your prod/live in-place hold to be the current PS sessions hold, minus the 3 users removed
Set-MailboxSearch "Lucian’s Mailbox Search Policy" -SourceMailboxes $check.sources

Final words

I wasn’t able to find much literature on this matter through the oracle (Google). This solution came about via a Microsoft Premier support case. I was in the process of simply removing some users from a clients hold policy, however, I’m in the process of setting up new polices and transitioning users. The above solution though is great in that it allows for a powershell solution to removing users from a hold which I previously wasn’t sure was possible.


Questions?

Have a question about this post? Ask away on Twitter or in my AMA repo.