Capture the request and business outcome
Record requester, sponsor, recipient type, address, purpose, data sensitivity, audience, required permission, delivery expectation, start/end date, urgency, and change window.
Exchange recipients, routing, delegation, lifecycle, and evidence
Operate mail-enabled identities as governed business objects. Choose the correct recipient type and source of authority, protect primary and proxy addresses, control mailbox and group delegation, detect forwarding, validate delivery, preserve former-employee content correctly, and retain reversible change evidence.

Operating objective
An Exchange Online recipient is any mail-enabled object that can receive messages. User, shared, room and equipment mailboxes store content; mail users and contacts route to external addresses; distribution groups, dynamic distribution groups, mail-enabled security groups, and Microsoft 365 groups expand to members or deliver to group resources. Selecting the wrong type creates licensing, permission, delivery, retention, ownership, and lifecycle problems.
The runbook must also respect source of authority. Cloud-only objects can be managed in Microsoft 365 and Exchange Online. Directory-synchronized recipients usually require Exchange attributes to be changed in the on-premises authority and synchronized—unless the organization has deliberately transferred the Exchange-attribute source of authority to cloud management for that object. A successful EAC save is not evidence that the authoritative directory will preserve the change.
Control statement: each recipient needs an approved type, unique primary/proxy addresses, authoritative management plane, business and technical owner, permission/forwarding record, lifecycle state, validation test, and next review date.
Recipient type decision matrix
| Recipient | Use when | Key controls | Common mistake | Closure evidence |
|---|---|---|---|---|
| User mailbox | One licensed person needs sign-in, email/calendar storage, and individual accountability. | Identity/license, aliases, forwarding, protocols, delegation, retention/hold, offboarding. | Reusing a former employee identity or removing the license before preservation decisions. | User/object IDs, license, addresses, sign-in, delivery, policy, lifecycle ticket. |
| Shared mailbox | Multiple licensed users operate a common address such as support or billing. | Block direct sign-in, named owners, members, Full Access/Send As, size, archive/hold licensing, sent-item behavior. | Treating it as a login account, exceeding 50 GB unlicensed, or leaving former delegates. | Purpose/owner, account blocked, size/license, delegates, send/receive test, review date. |
| Room/equipment mailbox | A bookable location or resource needs calendar processing, delegates, capacity, and policy. | Booking window, conflicts, approvers, external requests, work hours, delegates, auto-processing. | Using a user/shared mailbox and losing resource-specific booking controls. | Resource properties, booking policy, delegate approval, representative booking test. |
| Distribution group | One address must deliver to a maintained set of members without a collaborative mailbox. | Owners, membership, join/leave, sender restrictions, external senders, moderation, delegates. | Ownerless lists, stale members, public external delivery, or confusing it with a security group. | Owner attestation, members, delivery settings, delegate list, internal/external test. |
| Dynamic distribution group | Membership should be calculated from trustworthy recipient attributes at message time. | Filter logic, attribute governance, preview/test population, owner, sender/moderation settings. | Using weak department/location attributes and sending to unintended recipients. | Filter, sample expansion, attribute owner, change ticket, delivery validation. |
| Mail-enabled security group | The same governed group must receive mail and grant supported resource permissions. | Security ownership, membership approvals, delivery controls, nested impact, dual-purpose review. | Changing mail membership without understanding access permissions elsewhere. | Security/mail owners, members, resource dependencies, delivery and access tests. |
| Microsoft 365 group | Members need a group mailbox plus SharePoint, Planner, Teams, or broader collaboration lifecycle. | Owners, members/guests, privacy, expiration, naming, Teams/site dependencies, send-as behavior. | Creating it only as a distribution list and ignoring connected workloads. | Owners/members, privacy, connected resources, lifecycle and mail-flow tests. |
| Mail user/contact | An external destination must appear in the address book; a mail user also needs an internal account/permissions. | External address, owner/sponsor, domain, address-book visibility, group membership, lifecycle. | Stale vendor routing, hidden forwarding, or granting an account when a contact is sufficient. | External-address confirmation, sponsor, group dependencies, delivery test, expiry/removal date. |
Twelve-step change runbook
Record requester, sponsor, recipient type, address, purpose, data sensitivity, audience, required permission, delivery expectation, start/end date, urgency, and change window.
Search all recipients, soft-deleted objects, groups, contacts, mail users, public-folder recipients, and proxy addresses. Do not assume a free display name means the SMTP address is available.
Confirm cloud-only, directory-synchronized, hybrid remote mailbox, or transferred Exchange-attribute SOA. Make the change in the authoritative plane and record sync/rollback behavior.
Use the smallest object that meets sign-in, storage, calendar, membership, collaboration, security-principal, and external-routing requirements. Document rejected alternatives.
Apply display-name and alias standards, approved accepted domain, one primary reply address, required aliases, legacy coexistence addresses, and reserved/high-risk name review.
Assign at least two appropriate owners where practical, and only required Full Access, Send As, Send on Behalf, membership, moderation, booking, or management permissions.
Check mailbox forwarding, inbox rules, transport rules, external target addresses, DeliverToMailboxAndForward, outbound-spam forwarding policy, remote domains, and approved exceptions.
Verify mailbox/archive size, shared/resource licensing triggers, archive, retention, eDiscovery/litigation hold, inactive-mailbox requirements, and legal/records approval before license or account changes.
Export recipient properties, addresses, delegates, group settings, forwarding, license, hold, and source authority. Apply the minimum change through EAC/PowerShell and preserve command/output.
Requery Exchange Online and the authority, confirm RecipientTypeDetails, addresses, ownership, permissions, hidden status, license, and synchronization. Watch for authoritative overwrite.
Test internal and approved external delivery, reply address, NDR behavior, moderation, Full Access, Send As/On Behalf labeling, forwarding copy, GAL visibility, and representative clients.
Attach approvals, before/after, delivery evidence, rollback, user confirmation, unresolved exceptions, monitoring owner, and next review. Recheck after directory sync and policy propagation.
Delegation and forwarding
Lets a delegate open and modify mailbox content; it does not grant send rights. Review automapping, hidden-address-list behavior, private-item expectations, owner approval, and prompt removal after role change.
Messages appear directly from the mailbox or group. It does not grant read access. Because attribution is less visible to recipients, restrict it to named roles, preserve audit evidence, and validate sent-item behavior.
Shows the delegate acting on behalf of the mailbox/group and does not grant read access. If both Send As and Send on Behalf exist, Exchange uses Send As; remove conflicting grants unless intentionally required.
Forwarding safeguard: Microsoft’s default “Automatic - System-controlled” outbound-spam setting now behaves as Off for external automatic forwarding. A mailbox setting can exist yet delivery can still be blocked by outbound spam policy, remote-domain control, or mail-flow rule. Validate effective behavior and never weaken the tenant globally for one exception.
Lifecycle and offboarding
| Scenario | Pre-change checks | Controlled action | Recovery/rollback | Evidence |
|---|---|---|---|---|
| Employee leaves | Legal/records hold, manager access, forwarding need, aliases, groups, delegates, apps, OneDrive/Teams dependencies. | Block sign-in/reset sessions, preserve per policy, remove risky access, convert only if justified, set time-bound delegation/forwarding, document license timing. | Restore account/license within supported window; retain before-state GUIDs and content decisions. | HR trigger, approvals, hold, sign-in, license, delegates, forwarding, test, end date. |
| Convert user to shared | Mailbox licensed before conversion, size under unlicensed threshold, archive/hold licensing, authoritative type in hybrid. | Convert while licensed, block sign-in, update remote mailbox type where required, assign delegates, then remove license only when eligible. | Reassign license and convert back if needed; validate type after sync. | Before/after type, size, license, account blocked, delegates, delivery. |
| Remove license | Retention/hold, eDiscovery search need, mailbox type, archive, recovery window, manager/business owner approval. | Remove only after preservation path is confirmed. A normal unheld user mailbox becomes inaccessible and is retained for the documented 30-day recovery window. | Reassign Exchange Online license within the window; test mailbox reconnection. | License time, mailbox GUID, hold state, recovery deadline, owner acknowledgement. |
| Create inactive mailbox | Applicable Microsoft 365 retention/eDiscovery/Litigation hold applied before deletion; records/legal authorization. | Apply supported hold/retention first, validate it, then delete the user according to the inactive-mailbox procedure. | Recover or restore using supported inactive-mailbox process; do not treat MRM archive policy as the creating hold. | Hold type/scope, validation, deletion, inactive state, owner, retention end. |
| Retire group/contact | Owner response, mail flow/activity, members, senders, permissions, apps, transport rules, aliases, replacement address. | Announce, restrict/hide if useful, test replacement, remove dependencies, then delete with rollback window and address reservation plan. | Restore object where supported or recreate from export; prevent alias reassignment during recovery period. | Owner decision, dependency list, delivery test, deletion, rollback data. |
Top recipient risks and misconfigurations
A synchronized attribute is edited in the cloud, fails, or is overwritten; hybrid type and license state diverge.
A legacy alias is assigned to the wrong recipient, exposing messages or blocking provisioning.
The associated account can authenticate directly instead of requiring accountable licensed delegates.
Full Access, Send As, and Send on Behalf survive transfers, leave, and vendor changes without owner review.
Admins check one mailbox field but miss inbox rules, transport rules, target addresses, remote domains, or outbound-policy precedence.
The mailbox disconnects before conversion, hold, manager access, or recovery evidence is complete.
Membership, external senders, moderation, and sensitive audience expand without accountable review.
Incorrect department/location data silently changes the recipient population at delivery time.
An external target remains in groups or the GAL after the sponsor and business purpose end.
Internal mail works while external senders, moderation, alias reply, forwarding, or delegated sending fails.
Evidence and recurring review
Microsoft references
IT Perfection ecosystem
Frequently asked questions
Normally in the authoritative on-premises Exchange/Active Directory management plane and then synchronized. Microsoft now supports transferring Exchange-attribute source of authority to cloud management for selected objects when deliberately configured. Verify IsExchangeCloudManaged/SOA and the organization’s design before editing.
No. Full Access lets the delegate open and modify mailbox contents. Send As and Send on Behalf are separate permissions, and neither grants read access. If both send permissions exist, Send As is used.
Users accessing it need licensed Exchange Online mailboxes. The shared mailbox can generally remain unlicensed up to 50 GB, but licensing is required for larger capacity and features such as archive or hold according to the applicable plan. Verify current Microsoft licensing before removal.
Effective behavior also depends on outbound-spam automatic-forwarding policy, remote domains, mail-flow rules, and the forwarding method. Microsoft’s Automatic system-controlled value now behaves as Off for external automatic forwarding. Test with an approved external recipient.
Microsoft documents a 30-day soft-deleted or license-removal recovery window for standard scenarios. Holds and inactive-mailbox behavior differ. Record the exact action time, mailbox GUID, hold state, and recovery deadline rather than relying on memory.
Monitor provisioning, delivery, forwarding, and offboarding risks daily/weekly; reconcile owners, delegates, groups, external recipients, shared/resource mailboxes, licenses, and exceptions monthly or quarterly based on risk; review RBAC, automation, evidence, and lifecycle design at least quarterly.
Make every mail-enabled object accountable
IT Perfection helps Orange County and Southern California organizations inventory Exchange recipients, correct source-of-authority and address issues, govern shared mailboxes and groups, review delegation and forwarding, improve provisioning/offboarding, validate delivery, and produce evidence for Microsoft 365 operations, security, and compliance.
Created by Ali Hassani, CISO — 25+ years of IT, cybersecurity, compliance, and infrastructure experience. This guide is for initial guidance only and does not replace a professional cybersecurity audit, compliance assessment, penetration test, legal/compliance review, records decision, licensing review, or tested recovery plan.
We use necessary cookies and limited analytics and advertising-measurement cookies. Select Accept to allow optional cookies or Deny to continue with necessary cookies only. No name or email is required. You may close this website at any time.