Exchange recipients, routing, delegation, lifecycle, and evidence

Exchange Online Recipient Management Runbook

Operate mail-enabled identities as governed business objects. Choose the correct recipient type and source of authority, protect primary and proxy addresses, control mailbox and group delegation, detect forwarding, validate delivery, preserve former-employee content correctly, and retain reversible change evidence.

Mailbox, group, resource, mail user, and contact decisionsAliases, permissions, forwarding, hybrid authority, and deliveryProvisioning, change, offboarding, recovery, and audit evidence
IT administrators reviewing a physical Exchange Online recipient, alias, delegation, and message-routing governance model
Recipient type, address ownership, delegation, forwarding, directory authority, and lifecycle state determine how mail resolves and who can act as the identity.

Operating objective

Keep every recipient unique, owned, correctly routed, and recoverable

An Exchange Online recipient is any mail-enabled object that can receive messages. User, shared, room and equipment mailboxes store content; mail users and contacts route to external addresses; distribution groups, dynamic distribution groups, mail-enabled security groups, and Microsoft 365 groups expand to members or deliver to group resources. Selecting the wrong type creates licensing, permission, delivery, retention, ownership, and lifecycle problems.

The runbook must also respect source of authority. Cloud-only objects can be managed in Microsoft 365 and Exchange Online. Directory-synchronized recipients usually require Exchange attributes to be changed in the on-premises authority and synchronized—unless the organization has deliberately transferred the Exchange-attribute source of authority to cloud management for that object. A successful EAC save is not evidence that the authoritative directory will preserve the change.

Control statement: each recipient needs an approved type, unique primary/proxy addresses, authoritative management plane, business and technical owner, permission/forwarding record, lifecycle state, validation test, and next review date.

Recipient type decision matrix

Choose the object that matches identity, storage, collaboration, and security needs

RecipientUse whenKey controlsCommon mistakeClosure evidence
User mailboxOne licensed person needs sign-in, email/calendar storage, and individual accountability.Identity/license, aliases, forwarding, protocols, delegation, retention/hold, offboarding.Reusing a former employee identity or removing the license before preservation decisions.User/object IDs, license, addresses, sign-in, delivery, policy, lifecycle ticket.
Shared mailboxMultiple licensed users operate a common address such as support or billing.Block direct sign-in, named owners, members, Full Access/Send As, size, archive/hold licensing, sent-item behavior.Treating it as a login account, exceeding 50 GB unlicensed, or leaving former delegates.Purpose/owner, account blocked, size/license, delegates, send/receive test, review date.
Room/equipment mailboxA bookable location or resource needs calendar processing, delegates, capacity, and policy.Booking window, conflicts, approvers, external requests, work hours, delegates, auto-processing.Using a user/shared mailbox and losing resource-specific booking controls.Resource properties, booking policy, delegate approval, representative booking test.
Distribution groupOne address must deliver to a maintained set of members without a collaborative mailbox.Owners, membership, join/leave, sender restrictions, external senders, moderation, delegates.Ownerless lists, stale members, public external delivery, or confusing it with a security group.Owner attestation, members, delivery settings, delegate list, internal/external test.
Dynamic distribution groupMembership should be calculated from trustworthy recipient attributes at message time.Filter logic, attribute governance, preview/test population, owner, sender/moderation settings.Using weak department/location attributes and sending to unintended recipients.Filter, sample expansion, attribute owner, change ticket, delivery validation.
Mail-enabled security groupThe same governed group must receive mail and grant supported resource permissions.Security ownership, membership approvals, delivery controls, nested impact, dual-purpose review.Changing mail membership without understanding access permissions elsewhere.Security/mail owners, members, resource dependencies, delivery and access tests.
Microsoft 365 groupMembers need a group mailbox plus SharePoint, Planner, Teams, or broader collaboration lifecycle.Owners, members/guests, privacy, expiration, naming, Teams/site dependencies, send-as behavior.Creating it only as a distribution list and ignoring connected workloads.Owners/members, privacy, connected resources, lifecycle and mail-flow tests.
Mail user/contactAn external destination must appear in the address book; a mail user also needs an internal account/permissions.External address, owner/sponsor, domain, address-book visibility, group membership, lifecycle.Stale vendor routing, hidden forwarding, or granting an account when a contact is sufficient.External-address confirmation, sponsor, group dependencies, delivery test, expiry/removal date.

Twelve-step change runbook

Inventory, authorize, change, validate, and preserve rollback evidence

Capture the request and business outcome

Record requester, sponsor, recipient type, address, purpose, data sensitivity, audience, required permission, delivery expectation, start/end date, urgency, and change window.

Find existing and conflicting objects

Search all recipients, soft-deleted objects, groups, contacts, mail users, public-folder recipients, and proxy addresses. Do not assume a free display name means the SMTP address is available.

Determine source of authority

Confirm cloud-only, directory-synchronized, hybrid remote mailbox, or transferred Exchange-attribute SOA. Make the change in the authoritative plane and record sync/rollback behavior.

Select the recipient type

Use the smallest object that meets sign-in, storage, calendar, membership, collaboration, security-principal, and external-routing requirements. Document rejected alternatives.

Validate naming and addresses

Apply display-name and alias standards, approved accepted domain, one primary reply address, required aliases, legacy coexistence addresses, and reserved/high-risk name review.

Configure ownership and least privilege

Assign at least two appropriate owners where practical, and only required Full Access, Send As, Send on Behalf, membership, moderation, booking, or management permissions.

Review forwarding and delivery controls

Check mailbox forwarding, inbox rules, transport rules, external target addresses, DeliverToMailboxAndForward, outbound-spam forwarding policy, remote domains, and approved exceptions.

Apply licensing and retention decisions

Verify mailbox/archive size, shared/resource licensing triggers, archive, retention, eDiscovery/litigation hold, inactive-mailbox requirements, and legal/records approval before license or account changes.

Save before state and execute

Export recipient properties, addresses, delegates, group settings, forwarding, license, hold, and source authority. Apply the minimum change through EAC/PowerShell and preserve command/output.

Validate object and directory convergence

Requery Exchange Online and the authority, confirm RecipientTypeDetails, addresses, ownership, permissions, hidden status, license, and synchronization. Watch for authoritative overwrite.

Test mail and delegated behavior

Test internal and approved external delivery, reply address, NDR behavior, moderation, Full Access, Send As/On Behalf labeling, forwarding copy, GAL visibility, and representative clients.

Close, monitor, and schedule review

Attach approvals, before/after, delivery evidence, rollback, user confirmation, unresolved exceptions, monitoring owner, and next review. Recheck after directory sync and policy propagation.

Delegation and forwarding

Separate mailbox access, sending identity, and message redirection

Full Access

Lets a delegate open and modify mailbox content; it does not grant send rights. Review automapping, hidden-address-list behavior, private-item expectations, owner approval, and prompt removal after role change.

Send As

Messages appear directly from the mailbox or group. It does not grant read access. Because attribution is less visible to recipients, restrict it to named roles, preserve audit evidence, and validate sent-item behavior.

Send on Behalf

Shows the delegate acting on behalf of the mailbox/group and does not grant read access. If both Send As and Send on Behalf exist, Exchange uses Send As; remove conflicting grants unless intentionally required.

Forwarding safeguard: Microsoft’s default “Automatic - System-controlled” outbound-spam setting now behaves as Off for external automatic forwarding. A mailbox setting can exist yet delivery can still be blocked by outbound spam policy, remote-domain control, or mail-flow rule. Validate effective behavior and never weaken the tenant globally for one exception.

Lifecycle and offboarding

Preserve business mail before disabling, converting, unlicensing, or deleting

ScenarioPre-change checksControlled actionRecovery/rollbackEvidence
Employee leavesLegal/records hold, manager access, forwarding need, aliases, groups, delegates, apps, OneDrive/Teams dependencies.Block sign-in/reset sessions, preserve per policy, remove risky access, convert only if justified, set time-bound delegation/forwarding, document license timing.Restore account/license within supported window; retain before-state GUIDs and content decisions.HR trigger, approvals, hold, sign-in, license, delegates, forwarding, test, end date.
Convert user to sharedMailbox licensed before conversion, size under unlicensed threshold, archive/hold licensing, authoritative type in hybrid.Convert while licensed, block sign-in, update remote mailbox type where required, assign delegates, then remove license only when eligible.Reassign license and convert back if needed; validate type after sync.Before/after type, size, license, account blocked, delegates, delivery.
Remove licenseRetention/hold, eDiscovery search need, mailbox type, archive, recovery window, manager/business owner approval.Remove only after preservation path is confirmed. A normal unheld user mailbox becomes inaccessible and is retained for the documented 30-day recovery window.Reassign Exchange Online license within the window; test mailbox reconnection.License time, mailbox GUID, hold state, recovery deadline, owner acknowledgement.
Create inactive mailboxApplicable Microsoft 365 retention/eDiscovery/Litigation hold applied before deletion; records/legal authorization.Apply supported hold/retention first, validate it, then delete the user according to the inactive-mailbox procedure.Recover or restore using supported inactive-mailbox process; do not treat MRM archive policy as the creating hold.Hold type/scope, validation, deletion, inactive state, owner, retention end.
Retire group/contactOwner response, mail flow/activity, members, senders, permissions, apps, transport rules, aliases, replacement address.Announce, restrict/hide if useful, test replacement, remove dependencies, then delete with rollback window and address reservation plan.Restore object where supported or recreate from export; prevent alias reassignment during recovery period.Owner decision, dependency list, delivery test, deletion, rollback data.

Top recipient risks and misconfigurations

Changes that cause delivery failure, impersonation, access sprawl, or data loss

Wrong management authority

A synchronized attribute is edited in the cloud, fails, or is overwritten; hybrid type and license state diverge.

Duplicate or recycled proxy address

A legacy alias is assigned to the wrong recipient, exposing messages or blocking provisioning.

Shared mailbox sign-in left active

The associated account can authenticate directly instead of requiring accountable licensed delegates.

Delegate grants accumulate

Full Access, Send As, and Send on Behalf survive transfers, leave, and vendor changes without owner review.

Forwarding inventory is incomplete

Admins check one mailbox field but miss inbox rules, transport rules, target addresses, remote domains, or outbound-policy precedence.

License removed before preservation

The mailbox disconnects before conversion, hold, manager access, or recovery evidence is complete.

Ownerless distribution group

Membership, external senders, moderation, and sensitive audience expand without accountable review.

Dynamic group trusts weak attributes

Incorrect department/location data silently changes the recipient population at delivery time.

Mail user/contact becomes hidden forwarding

An external target remains in groups or the GAL after the sponsor and business purpose end.

Delivery tested from one path only

Internal mail works while external senders, moderation, alias reply, forwarding, or delegated sending fails.

Evidence and recurring review

Make recipient operations measurable and audit-ready

Inventory evidence

  • RecipientTypeDetails and object/GUID identities
  • Primary/proxy/target addresses and accepted domain
  • Cloud/sync/SOA status and authoritative system
  • Owner, purpose, lifecycle, license, size, and visibility

Access evidence

  • Full Access, Send As, Send on Behalf
  • Group owners, members, senders, moderation
  • Forwarding fields, inbox/transport rules, remote domains
  • Exceptions, approvals, start/end, and reviews

Useful metrics

  • Ownerless/stale recipients and proxy conflicts
  • External forwarding and aged exceptions
  • Delegates not reviewed on schedule
  • Failed changes, NDRs, rollback, and recovery events

Daily/weekly

  • Provisioning failures and delivery incidents
  • New forwarding, delegate, and high-risk address changes
  • Offboarding deadlines and soft-delete windows
  • Unexpected directory overwrite or sync errors

Monthly/quarterly

  • Owners, delegates, groups, external recipients
  • Shared/resource licenses, size, sign-in, and holds
  • Accepted domain and naming alignment
  • Automation identity, RBAC, SOP, and evidence quality

Privacy and audit

  • Restrict exports containing addresses and relationships
  • Use approved evidence storage and retention
  • Redact business-sensitive distribution data
  • Separate operational proof from mailbox content

Frequently asked questions

Exchange Online recipient management FAQ

Where should synchronized recipient attributes be changed?

Normally in the authoritative on-premises Exchange/Active Directory management plane and then synchronized. Microsoft now supports transferring Exchange-attribute source of authority to cloud management for selected objects when deliberately configured. Verify IsExchangeCloudManaged/SOA and the organization’s design before editing.

Does Full Access let a delegate send as the mailbox?

No. Full Access lets the delegate open and modify mailbox contents. Send As and Send on Behalf are separate permissions, and neither grants read access. If both send permissions exist, Send As is used.

When does a shared mailbox need a license?

Users accessing it need licensed Exchange Online mailboxes. The shared mailbox can generally remain unlicensed up to 50 GB, but licensing is required for larger capacity and features such as archive or hold according to the applicable plan. Verify current Microsoft licensing before removal.

Why can external forwarding fail when mailbox forwarding is configured?

Effective behavior also depends on outbound-spam automatic-forwarding policy, remote domains, mail-flow rules, and the forwarding method. Microsoft’s Automatic system-controlled value now behaves as Off for external automatic forwarding. Test with an approved external recipient.

How long is an unheld deleted or unlicensed user mailbox recoverable?

Microsoft documents a 30-day soft-deleted or license-removal recovery window for standard scenarios. Holds and inactive-mailbox behavior differ. Record the exact action time, mailbox GUID, hold state, and recovery deadline rather than relying on memory.

How often should recipients be reviewed?

Monitor provisioning, delivery, forwarding, and offboarding risks daily/weekly; reconcile owners, delegates, groups, external recipients, shared/resource mailboxes, licenses, and exceptions monthly or quarterly based on risk; review RBAC, automation, evidence, and lifecycle design at least quarterly.

Make every mail-enabled object accountable

Build recipient operations that are secure, supportable, and reversible

IT Perfection helps Orange County and Southern California organizations inventory Exchange recipients, correct source-of-authority and address issues, govern shared mailboxes and groups, review delegation and forwarding, improve provisioning/offboarding, validate delivery, and produce evidence for Microsoft 365 operations, security, and compliance.

Created by Ali Hassani, CISO — 25+ years of IT, cybersecurity, compliance, and infrastructure experience. This guide is for initial guidance only and does not replace a professional cybersecurity audit, compliance assessment, penetration test, legal/compliance review, records decision, licensing review, or tested recovery plan.