Every mailbox in Microsoft 365 has dozens of properties and configurable settings. You can set things like the quota, retention policies, whether POP3 is enabled, and much more. These settings are kept, individually, with each mailbox. There is a default template of settings applied to each mailbox the moment a license is assigned.
The process
It is important to know that mailbox templates are stored in two separate locations: mailbox plans and CAS mailbox plans. Each mailbox has settings stored as part of the Mailbox, and as part of the CASMailbox.
Let’s start with an overview of how this process works:
For every mailbox plan, there’s a corresponding Client Access services (CAS) mailbox plan. The names and display names of the mailbox plans and CAS mailbox plans are identical, and the relationship between them is unbreakable. The mailbox plan and the CAS mailbox plan are assigned to the mailbox when adding a license. Modifying the settings of a mailbox plan won’t update the settings of an existing mailbox that already has the mailbox plan applied.
To modify these settings on an existing mailbox, you can do the following:
- Modify the corresponding mailbox settings directly in the Exchange admin center or in Exchange Online PowerShell (the Set-Mailbox and Set-CasMailbox commands).
- Assign a different license to the user. The mailbox plan that corresponds to the new license will be applied to the existing mailbox.
Mailbox plans
You will find some or all of the mailbox plans below in your tenant. To check which ones you have, connect to Exchange Online and run this command:
Get-MailboxPlan | Select-Object DisplayName
Example output:
Subscription or license | Mailbox plan display name |
---|---|
Exchange Online Kiosk; Office 365 Enterprise F3 | ExchangeOnlineDeskless |
Office 365 Enterprise E1; Exchange Online Plan 1 | ExchangeOnline |
Microsoft 365 or Office 365 Enterprise E3; Microsoft 365 or Office 365 Enterprise E5; Exchange Online Plan 2 | ExchangeOnlineEnterprise |
Microsoft 365 Business Basic | ExchangeOnlineEssentials |
Which of the plans you have in your tenant depends on the license subscriptions you have and which plans were active at the moment you started using your subscriptions.
Real life example and use case
It is not uncommon, from a security point of view, to disable IMAP access to all mailboxes. Especially combined with Legacy Authentication, IMAP is often used by the bad guys to try to find passwords of accounts in your tenant. To disable IMAP by default for all new mailboxes that are assigned an E3 license, first check the current setting of the corresponding CAS mailbox plan:
Get-CASMailboxPlan ExchangeOnlineEnterprise
Check the line where it lists ImapEnabled. If this value is True, IMAP is enabled by default. If this value is False, IMAP is disabled by default. To disable it, run:
Set-CASMailboxPlan ExchangeOnlineEnterprise -ImapEnabled $False
Now verify the result by running Get-CASMailboxPlan again. This will NOT update existing mailboxes. For those, you need to change the setting on each mailbox using Set-CASMailbox, or remove and re-apply the license. For this reason, it is useful to set your plans before you create your users.
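The procedure above as one script, including the existing mailboxes the plan change leaves untouched (an added example, not the author's code). The `$Apply` switch variable and the report path are assumptions introduced here; filtering is done client-side with Where-Object.

```powershell
# Added example (not from the original article). Requires the
# ExchangeOnlineManagement module and Exchange admin rights.
Connect-ExchangeOnline

$PlanName   = 'ExchangeOnlineEnterprise'      # plan name used in the article
$Apply      = $false                          # assumption: set to $true to change mailboxes
$ReportPath = '.\imap-enabled-mailboxes.csv'  # assumption: report location

# 1. Set the default for mailboxes licensed from now on, then verify it.
Set-CASMailboxPlan -Identity $PlanName -ImapEnabled $false
$plan = Get-CASMailboxPlan -Identity $PlanName
if ($plan.ImapEnabled) {
    throw "IMAP is still enabled in CAS mailbox plan '$PlanName'."
}

# 2. The plan change does not touch existing mailboxes, so find the ones
#    that still allow IMAP.
$stillEnabled = @(Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ImapEnabled })

# Keep a record of what was found before anything is changed.
$stillEnabled |
    Select-Object DisplayName, PrimarySmtpAddress, ImapEnabled |
    Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8
Write-Output "$($stillEnabled.Count) existing mailbox(es) still have IMAP enabled."

# 3. Disable IMAP per mailbox; while $Apply is $false this only reports.
foreach ($mbx in $stillEnabled) {
    $address = "$($mbx.PrimarySmtpAddress)"
    if ($Apply) {
        Set-CASMailbox -Identity $address -ImapEnabled $false
        Write-Output "Disabled IMAP on $address"
    } else {
        Write-Output "Would disable IMAP on $address"
    }
}
```

Run it once with `$Apply = $false` and review the CSV for mailboxes that legitimately depend on IMAP before switching it to `$true`.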