2

I need to temporarily disable a user's access to their Office 365 email but not their regular AD account. I don't want to delete the mailbox as emails need to stick around. Our AD is synced with O365.

If I Block sign-in via the O365 admin centre, it's re-enabled shortly after as the AD account is not disabled. As a workaround I have disabled IMAP, POP3, OWA etc. in their Exchange properties but was wondering if there was a better way of doing this, an AD attribute possibly?

Crimsonfox
  • If you just want to block their access to their mailbox then that's a perfectly fine method for doing it. You didn't mention wanting/needing to block access to anything else, like Sharepoint Online, OneDrive, etc. Are those not a concern? – joeqwerty Oct 25 '18 at 13:42
  • No, it was just email but I'm not bothered if it blocks their O365 access altogether. Just need them to be able to sign in to Windows. It's fine if there isn't another way of doing it, I was just curious. – Crimsonfox Oct 25 '18 at 14:32

1 Answer

2

I imagine this link having some relevance, no? It's for On prem, but it isn't similar enough? You mentioned having done IMAP, POP, and OWA (which is really Outlook on the web referenced in the link). The last one to disable would be MAPI. To disable all of the different types of access, you could use the Set-CASMailbox cmdlet,

Joseph
  • Yeah MAPI has been disabled as well, couldn't remember the name of it when I was making the post. Was just hoping for an ad sync method really. Thanks though. – Crimsonfox Oct 25 '18 at 14:07
  • When you say AD Sync, which software are you talking about? – Joseph Oct 25 '18 at 14:10
  • I'm not really an "AD Sync" guy, more an Exchange guy, but there is a difference between changing AD attributes and disabling a mailbox. But I imagine there is an attribute that you could change on one AD user account internally and it would disable any access, but it could also corrupt their mailbox. It really is better to stick to the Exchange methods for blocking access. – Joseph Oct 25 '18 at 14:16
  • Sorry @Joseph , bit of a catch all term, I'm specifically using Azure AD Connect. I'm not looking for a workaround or hack, just wanted to know if there is a way of doing it properly, attributes seemed like the most possible way that it would be achieved. – Crimsonfox Oct 25 '18 at 14:29
  • Haha, I understand. Disabling mailbox access should always be done through O365/Exchange Server means. I'm sure there's a handy one-liner script you could compose. Looks like it involves [Set-CASMailbox](https://docs.microsoft.com/en-us/powershell/module/exchange/client-access/Set-CASMailbox?view=exchange-ps) – Joseph Oct 25 '18 at 18:21
  • Oh that's a pretty handy cmdlet, I expected them to be separate. Might just set up my own solution based on a group so I can keep track easily. Thanks! – Crimsonfox Oct 25 '18 at 19:34
  • Cool, if you think that would be the best way to do it, would you mark it as the answer? Only if you think it will do what you want. I updated my answer. – Joseph Oct 26 '18 at 01:46
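
The group-based approach mentioned in the comments, sketched with Set-CASMailbox as an added example (not code from the answer or from either poster). It assumes the ExchangeOnlineManagement module is installed and that a mail-enabled group exists; the group name `Mail-Access-Blocked` and the `-Restore` switch are hypothetical.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example: block (or restore) client access for every mailbox in one group.
param(
    [string]$BlockGroup = 'Mail-Access-Blocked',  # hypothetical mail-enabled group
    [switch]$Restore                              # re-enable protocols instead of blocking
)

Connect-ExchangeOnline -ShowBanner:$false

# Set-CASMailbox protocol switches: $false blocks the protocol, $true allows it.
$state = [bool]$Restore
$protocols = @{
    OWAEnabled        = $state
    PopEnabled        = $state
    ImapEnabled       = $state
    MAPIEnabled       = $state
    ActiveSyncEnabled = $state
    EwsEnabled        = $state
}

# Only user mailboxes; the group may also contain contacts or nested groups.
$members = Get-DistributionGroupMember -Identity $BlockGroup -ResultSize Unlimited |
    Where-Object { $_.RecipientType -eq 'UserMailbox' }

foreach ($m in $members) {
    try {
        Set-CASMailbox -Identity $m.PrimarySmtpAddress @protocols -ErrorAction Stop
    }
    catch {
        # Keep going so one bad mailbox does not leave the rest unprocessed.
        Write-Warning "Could not update $($m.PrimarySmtpAddress): $_"
    }
}

# Read the settings back so the result is verified rather than assumed.
$members |
    ForEach-Object { Get-CASMailbox -Identity $_.PrimarySmtpAddress } |
    Select-Object Name, OWAEnabled, PopEnabled, ImapEnabled,
                  MAPIEnabled, ActiveSyncEnabled, EwsEnabled |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

The mailbox itself and the on-premises AD account are not modified, so mail keeps arriving and Windows sign-in is unaffected. Run with `-Restore` before removing a user from the group, since the script only touches current members.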