M365 mailbox defaults: here is how mailbox plans work

Every mailbox in Microsoft 365 has dozens of properties and configurable settings. You can set things like the quota, retention policies, whether POP3 is enabled, and much more. These settings are kept, individually, with each mailbox. There is a default template of settings applied to each mailbox the moment a license is assigned.

The process

It is important to know that mailbox templates are stored in two separate locations. Mailbox plans and CASMailbox plans. Each mailbox has settings stored as part of the Mailbox, and as part of the CASMailbox.

Let’s start with an overview of how this process works:

Mailbox plan assignment flow
Mailbox plan flowchart

For every mailbox plan, there’s a corresponding Client Access services (CAS) mailbox plan. The names and display names of the mailbox plans and CAS mailbox plans are identical, and the relationship between them is unbreakable. The mailbox plan and the CAS mailbox plan are assigned to the mailbox when adding a license. Modifying the settings of a mailbox plan won’t update the settings of an existing mailbox that already has the mailbox plan applied. 

To modify these settings on an existing mailbox, you can do the following:

  • Modify the corresponding mailbox settings directly in the Exchange admin center or in Exchange Online PowerShell (the Set-Mailbox and Set-CasMailbox commands).
  • Assign a different license to the user. The mailbox plan that corresponds to the new license will be applied to the existing mailbox.

Mailbox plans

You will find some or all of the below mailbox plans in your tenant. You can check this via this command, after connecting to Exchange Online.

Get-MailboxPlan|Select-Object Displayname

Example output:

Powershell output of Get-Mailboxplan command
Subscription or licenseMailbox plan display name
Exchange Online Kiosk
Office 365 Enterprise F3
Office 365 Enterprise E1
Exchange Online Plan 1
Microsoft 365 or Office 365 Enterprise E3
Microsoft 365 or Office 365 Enterprise E5
Exchange Online Plan 2
Microsoft 365 Business BasicExchangeOnlineEssentials

Which of the plans you have in your tenant depends on the license subscriptions you have and which plans were active at the moment you started using your subscriptions.

Real life example and use case

It is not uncommon, from a security point of view, to disable IMAP access to all mailboxes. Especially combined with Legacy Authentication, IMAP is often used by the bad guys to try to find passwords of accounts in your tenant. To disable IMAP by default for all new mailboxes that are assigned an E3 license, you can do this.

Get-CASMailboxPlan ExchangeOnlineEnterprise

Check the line where it lists ImapEnabled. If this value is True, IMAP is enabled by default. If this value is False, IMAP is disabled by default.

Set-CASMailboxPlan ExchangeOnlineEnterprise -ImapEnabled $False

Now verify the result, by using Get-CASMailboxPlan. This will NOT update existing mailboxes. You need to set for each mailbox using Set-CASMailbox or remove and re-apply the license. For this, it is useful to set your plans before you create your users.