Microsoft 365 Security Risk Check
Use this to review tenant security, MFA coverage, administrator roles, sharing controls, mailbox settings, and baseline Microsoft 365 risk indicators.
IT Operations & Cybersecurity Encyclopedia
Exchange Online mailbox lifecycle operations control how mailboxes are created, licensed, delegated, protected, converted, retained, and removed. A disciplined process reduces abandoned mailboxes, unsafe forwarding, excessive permissions, retention mistakes, license waste, and offboarding gaps.
Why it matters
A mailbox is more than an email container. It can hold business records, sensitive files, calendar history, Teams-related messages, legal evidence, customer communication, and delegated access to other users. When a user joins, changes roles, or leaves, mailbox decisions affect security, productivity, compliance, and continuity.
A practical Exchange Online lifecycle process defines when mailboxes are created, how licenses are assigned, who can delegate access, when forwarding is allowed, how shared mailbox conversion is approved, how retention and holds are handled, and what evidence proves that offboarding was completed correctly.
Practical rule: treat mailbox lifecycle actions as data-control events. Every creation, permission change, forwarding rule, shared mailbox conversion, retention decision, and deletion should have an owner, approval, timestamp, and verification record.
Review scope
Create mailboxes through approved onboarding, assign the right license, apply role-based groups, and validate user access and security controls.
Control Full Access, Send As, Send on Behalf, folder permissions, shared mailbox access, and administrator roles with approval and periodic review.
Review mailbox forwarding, inbox rules, external recipients, transport behavior, and suspicious auto-forwarding patterns.
When users move, remove old mailbox permissions, update groups, change shared mailbox access, and validate new business needs.
Disable sign-in, revoke sessions, preserve data, convert to shared mailbox where appropriate, assign delegates, remove licenses, and document final state.
Coordinate retention policies, litigation holds, eDiscovery, inactive mailboxes, and deletion timelines with business and legal requirements.
Review matrix
| Area | What to verify | Questions to answer | Evidence |
|---|---|---|---|
| New mailbox | Create mailbox, assign license, apply groups, validate MFA, and confirm user access. | Was the mailbox created from an approved onboarding request? | Ticket, license record, group assignment, mailbox creation timestamp. |
| Delegated access | Review Full Access, Send As, Send on Behalf, folder permissions, shared mailbox membership, and admin roles. | Can every delegate explain why access is needed? | Permission export, manager approval, access review notes. |
| Forwarding and inbox rules | Check automatic forwarding, external recipients, suspicious rules, and exceptions. | Could mail leave the organization without approved business need? | Forwarding report, exception approval, audit log, remediation ticket. |
| Role change | Remove old permissions and groups before adding new access. | Which mailbox access is no longer justified after the move? | Before/after permissions, mover ticket, manager approval. |
| Offboarding | Disable sign-in, revoke sessions, handle mailbox conversion, retention, delegates, forwarding, and license recovery. | Can the former user still access mailbox data or send mail? | Disable timestamp, conversion record, delegate list, license removal. |
| Retention and deletion | Apply retention policy, hold, inactive mailbox, or deletion process based on business and legal requirements. | Is mailbox data preserved or removed according to approved policy? | Retention settings, hold status, legal approval, deletion/restore record. |
Step-by-step review
Export user, shared, resource, inactive, disabled, held, delegated, and externally forwarded mailboxes. Identify owners and business purpose.
Create mailboxes from approved requests, assign licenses and groups, confirm MFA, validate mail flow, and document first-day readiness.
Check Full Access, Send As, Send on Behalf, folder permissions, shared mailbox membership, and administrative roles for excessive access.
Identify external forwarding and risky inbox rules. Remove unknown rules and document approved business exceptions.
Disable sign-in, revoke sessions, convert or preserve mailbox data, assign delegates, remove licenses, and verify no active access remains.
Record retention policy, litigation hold, inactive mailbox, deletion, restore, and exception decisions with business or legal approval.
Common risks
Full Access, Send As, Send on Behalf, and shared mailbox permissions can accumulate after projects, promotions, and departures.
Auto-forwarding can expose business email, customer information, and sensitive records if exceptions are not controlled.
Disabled users and mailboxes converted incorrectly can keep paid licenses longer than needed.
Without timestamps and exports, IT cannot prove sessions were revoked, mailboxes preserved, and permissions removed.
Deleting, converting, or changing mailboxes without retention review can create legal, compliance, or business continuity problems.
Unowned shared mailboxes can become undocumented communication channels with unclear access and retention expectations.
Related support
IT Perfection can help organizations standardize Exchange Online mailbox lifecycle operations, permission review, license cleanup, offboarding runbooks, forwarding controls, and Microsoft 365 administration. Start with Microsoft 365 support when the priority is practical implementation and help desk consistency.
When mailbox lifecycle risk intersects with security audit readiness, sensitive data exposure, or account compromise, OC Security Audit cybersecurity assessment tools can support broader security review and remediation planning.
Created by Ali Hassani, CISO
Ali Hassani brings 25+ years of hands-on experience across IT operations, cybersecurity, Microsoft infrastructure, network security, compliance readiness, cloud services, healthcare IT, MSP services, and business technology leadership.
This guide is for initial education and planning. It does not replace a professional cybersecurity audit, compliance assessment, penetration test, legal review, vendor engineering review, or Microsoft professional services engagement.
Ali Hassani, CISO, brings 25+ years of Microsoft infrastructure, cybersecurity, compliance, identity, messaging, and managed IT experience to help organizations keep mailbox operations controlled, traceable, and business-friendly.
Related validation tools
After reviewing this IT Perfection guide, administrators can use these OC Security Audit resources to validate the same control areas from a security, audit-readiness, or risk-review perspective.
Use this to review tenant security, MFA coverage, administrator roles, sharing controls, mailbox settings, and baseline Microsoft 365 risk indicators.
These tools are for initial guidance only and do not replace a professional cybersecurity audit, compliance assessment, penetration test, or legal/compliance review.
FAQ
Disable sign-in, revoke sessions, preserve or convert mailbox data as required, assign approved delegates, remove unnecessary groups and permissions, recover licenses, and document the final state.
Forwarding can send business email outside the organization. It should be limited, approved, monitored, and reviewed for suspicious or outdated rules.
Review high-risk and shared mailbox permissions regularly, and always during role changes, offboarding, incidents, audits, and sensitive department changes.
Keep onboarding and offboarding tickets, mailbox permissions, forwarding reports, retention or hold status, license changes, audit logs, and manager or legal approvals.
After reviewing mailbox creation, shared mailbox ownership, delegation, offboarding, retention, and access review, administrators can use these OC Security Audit resources to validate the same Microsoft 365 and identity controls covered in this guide. These tools are for initial guidance only and do not replace a professional cybersecurity audit, compliance assessment, penetration test, or legal/compliance review. These tools are for initial guidance only and do not replace a professional cybersecurity audit, compliance assessment, penetration test, or legal/compliance review.
Use this to review mailbox security, admin roles, MFA, external sharing, and baseline Microsoft 365 tenant settings.
Use this to connect mailbox lifecycle work with access review, user lifecycle, least privilege, and offboarding evidence.
Use this when mailbox lifecycle controls need a broader tenant audit across identity, email, collaboration, and governance.
These resources help administrators reduce stale mailboxes, risky delegation, and offboarding gaps in Exchange Online.
We use necessary cookies and limited analytics and advertising-measurement cookies. Select Accept to allow optional cookies or Deny to continue with necessary cookies only. No name or email is required. You may close this website at any time.