Exchange Best Practices for Untrusted Mailbox Users

There are many scenarios in which a mailbox and access to it can become "untrusted". Preventative solutions abound, but this article focuses on the following worst-case scenarios and on the quickest way to shut down access with the least impact and administrative effort.

  1. A mobile device or computer with saved access to a mailbox is stolen
  2. An employee is suddenly terminated
  3. One or more users with access to a group mailbox are abruptly untrusted but the remaining group members still need access
  4. Criminal investigation or other legal process requires access to mailbox but no access from the original mailbox owner
  5. Mailbox credentials have been compromised

Disabling a mailbox user's Active Directory account is not enough. For example, here are some of the considerations when dealing with an untrusted mailbox:

  • Outlook or MAPI connections can remain connected to Exchange for up to 2 hours after the AD account has been disabled. For performance reasons, active connections to the store or to RPCClientAccess are cached in this manner.
  • Outlook Web Access, Exchange Web Services, and ActiveSync also have caches. ActiveSync devices, with their long heartbeat intervals and token cache, can still access the mailbox up to 24 hours after the AD account has been disabled.

Generic Solution:
  1. Disable the mailbox to prevent the user from re-accessing it (example of specific steps).
  2. Set a prohibit-send quota to quickly prevent any further messages from being sent. The database quota defaults must be turned off for the mailbox, or the 0 quota will not take effect.
     example:  Set-Mailbox alias -IssueWarningQuota 0 -ProhibitSendQuota 0 -UseDatabaseQuotaDefaults:$false
  3. Move the mailbox to terminate all active logons to it, including the user's current logon.
  4. Office 365 mailboxes or other hosted/cloud solutions may not allow the mailbox to be moved quickly, so disabling protocols at the CASMailbox level accomplishes a similar result.

To quickly prevent ActiveSync devices from reconnecting:

  1. Disable ActiveSync for the mailbox.
    Set-CASMailbox untrustedmbxuser -ActiveSyncEnabled:$false

  2. Add all existing device partnerships to the individual block list for the untrusted mailbox user.
    Get-MobileDevice -Mailbox untrustedmbxuser | foreach{Set-CASMailbox -Identity untrustedmbxuser -ActiveSyncAllowedDeviceIDs @{Remove=$_.deviceid} -ActiveSyncBlockedDeviceIDs @{Add=$_.deviceid}}

  3. Remove all device partnerships. Any attempt by the device to reconnect will force it to be re-provisioned, which triggers a new check for ActiveSync enablement and for the individual block list entries.
    Get-MobileDevice -Mailbox untrustedmbxuser | foreach{Remove-MobileDevice -Identity $_.identity -Confirm:$false}

A real-world scenario: untrusted mailbox, but no device wipe.

Dfunker just won the lottery! At lunch he announces he's leaving the company to pursue his lifelong dream of blogging funny cat stories. Someone brings in a cake and pretty soon it's a party. Things move quickly, and by the end of the day Dfunker has his site up and is sending and receiving ideas and images for his new career, still using his corporate email account. Unfortunately, the HR lead is a staunch dog lover and insists Dfunker's mailbox and BYOD ActiveSync connection must be shut down immediately. Your manager, however, is truly excited about Dfunker's new endeavor and has promised to forward along any pictures and ideas Dfunker isn't able to glean after he's gone and access has been cut off. How do you satisfy these requirements while respecting Dfunker's personal BYOD property?

Solution Requirements

A. Immediately disconnect Dfunker’s device and access to his mailbox.

B. Don’t disturb any personal data on Dfunker’s personal device, just corporate data.

C. Keep the mailbox active so coworkers can continue to contact him with ideas, and his manager can access later to collect last minute messages to forward as appropriate.

D. Prevent Dfunker from sending any more cat stories from his corporate mailbox.

E. Disable Dfunker’s access to other Active Directory resources.

Correct Order of commands:

  1. Set-Mailbox dfunker -IssueWarningQuota 0 -ProhibitSendQuota 0 -UseDatabaseQuotaDefaults:$false
  2. Disable-ADAccount dfunker -Verbose [since we don't need to do a factory reset of the device, we can disable the AD account near the top of the list]
  3. Set-CASMailbox dfunker -ActiveSyncEnabled:$false
  4. Get-MobileDevice -Mailbox dfunker | foreach{Set-CASMailbox -Identity dfunker -ActiveSyncAllowedDeviceIDs @{Remove=$_.deviceid} -ActiveSyncBlockedDeviceIDs @{Add=$_.deviceid}}
  5. Get-MobileDevice -Mailbox dfunker | foreach{Remove-MobileDevice -Identity $_.identity -Confirm:$false}
  6. New-MoveRequest -TargetDatabase DB01 -Identity dfunker@contoso.com -ForceOffline:$true -BadItemLimit 10 -confirm:$false -AllowLargeItems -Priority:emergency
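The same six steps wrapped in one function that also verifies the outcome, as an added example that is not part of the original article. It assumes an on-premises Exchange Management Shell with the ActiveDirectory module loaded, that the alias matches the account's sAMAccountName, and that the alias and target database passed in are placeholders.

```powershell
# Added example (not from the original article): runs the article's lock-down
# sequence in order and returns a status object for verification.
# Assumes on-premises Exchange Management Shell + ActiveDirectory module;
# $Alias is assumed to equal the AD sAMAccountName. Values are placeholders.
function Lock-UntrustedMailbox {
    param(
        [Parameter(Mandatory)][string]$Alias,          # e.g. 'dfunker'
        [Parameter(Mandatory)][string]$TargetDatabase  # e.g. 'DB01'
    )

    # 1. Stop outbound mail first; turn off database defaults so the 0 quota applies.
    Set-Mailbox -Identity $Alias -IssueWarningQuota 0 -ProhibitSendQuota 0 `
        -UseDatabaseQuotaDefaults:$false

    # 2. Disable the AD account (no device wipe is needed in this scenario).
    Disable-ADAccount -Identity $Alias

    # 3-5. Disable ActiveSync, block every known partnership, then remove it
    #      so a reconnect forces re-provisioning against the block list.
    Set-CASMailbox -Identity $Alias -ActiveSyncEnabled:$false
    Get-MobileDevice -Mailbox $Alias | ForEach-Object {
        Set-CASMailbox -Identity $Alias `
            -ActiveSyncAllowedDeviceIDs @{Remove = $_.DeviceId} `
            -ActiveSyncBlockedDeviceIDs @{Add = $_.DeviceId}
        Remove-MobileDevice -Identity $_.Identity -Confirm:$false
    }

    # 6. Move the mailbox to drop every cached MAPI/RPC logon.
    New-MoveRequest -Identity $Alias -TargetDatabase $TargetDatabase `
        -ForceOffline:$true -BadItemLimit 10 -AllowLargeItems `
        -Priority Emergency -Confirm:$false | Out-Null

    # Verification: each field should match the expectation in its comment.
    $cas  = Get-CASMailbox -Identity $Alias
    $mbx  = Get-Mailbox    -Identity $Alias
    $move = Get-MoveRequest -Identity $Alias
    [pscustomobject]@{
        Alias             = $Alias
        AccountEnabled    = (Get-ADUser -Identity $Alias).Enabled       # expect False
        ProhibitSendQuota = $mbx.ProhibitSendQuota                      # expect 0 B
        ActiveSyncEnabled = $cas.ActiveSyncEnabled                      # expect False
        BlockedDeviceIDs  = $cas.ActiveSyncBlockedDeviceIDs             # the old partnerships
        RemainingDevices  = @(Get-MobileDevice -Mailbox $Alias).Count   # expect 0
        MoveStatus        = $move.Status                                # Queued/InProgress/Completed
    }
}

# Usage with placeholder values:
Lock-UntrustedMailbox -Alias 'dfunker' -TargetDatabase 'DB01' | Format-List
```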

References:
EAS devices sync after account disable or password change

Removed Mobile Device Still Has Access To Exchange Mailbox via Exchange ActiveSync

Some great articles that help fill in the pieces:
http://blogs.technet.com/b/messaging_with_communications/archive/2012/06/26/activesync-disabled-accounts-and-devices-continuing-to-sync.aspx
http://blogs.technet.com/b/messaging_with_communications/archive/2012/06/27/part-ii-outlook-amp-owa-disabled-accounts-and-users-still-being-able-to-access.aspx