Microsoft Tenancy User Cleanup

Executive Overview & Detailed Implementation Runbook — Northern Data Solutions, Office of the CTO

Purpose: A single, complete guide that pairs the executive case for right-sizing your Microsoft 365 tenancy with a working, click-by-click runbook. The Executive Overview explains the “why”; the runbook that follows is the “how” — converting every non-human mailbox to a shared mailbox, reclaiming licenses, and placing every identity under governance.

Who performs this: Microsoft 365 / Exchange Online administrator (Global Admin or Exchange Admin role), with sign-off from owners and managers.

Executive Overview

Why This Matters

Every paid license should belong to a real, living person. Over time, Microsoft 365 tenancies accumulate licensed accounts that no human uses — shared addresses like info@, sales@, or billing@, mailboxes for departed staff, and “service” accounts created for a one-time project. Each of these consumes a paid license, widens your attack surface, and creates an identity that nobody owns, onboards, or offboards.

The cleanup is simple in principle: if a mailbox is not a person, it should not hold a user license. Non-human mailboxes belong in a shared mailbox, which Microsoft provides at no per-user license cost. The result is lower spend, a smaller attack surface, and a tenancy where every identity maps to an accountable individual — the foundation that CyberSecureID (powered by Okta) relies on to enforce least privilege and Zero Trust.

The Rule in One Sentence: A licensed user = a live human. Anything else (a role, a team, a function, or a departed employee) becomes a shared mailbox.

What a Shared Mailbox Is (per Microsoft)

Microsoft defines a shared mailbox as “a mailbox that multiple users can access to read and send email messages.” It is designed for teams or functions — such as support@, info@, or billing@ — that need one shared point of contact. When a team member replies, the message appears to come from the shared mailbox itself, not from the individual.

Microsoft’s key points for executives:

  • No separate license required. A shared mailbox does not need its own user license and can store up to 50 GB of email at no per-user cost.

  • Users still need their own license. To open a shared mailbox, each staff member must have their own licensed Exchange Online mailbox — which a real employee already has.

  • Shared calendar included. Each shared mailbox comes with a shared calendar the team can use for appointments and scheduling.

  • Larger needs may need a license. Going beyond 50 GB, or applying litigation hold/larger archives, requires an Exchange Online Plan 2 license — the exception, not the rule.

Bottom line for the business: Converting a non-human licensed mailbox to a shared mailbox typically frees the paid license entirely while preserving the address, its history, and access for the team that uses it. This is found money in nearly every tenancy we review.

How This Connects to Identity (CyberSecureID, powered by Okta)

Cleaning up the tenancy is not only a cost exercise — it is step one of modern identity governance. Our CyberSecureID Identity Access Management platform, powered by Okta, becomes the single source of truth for who can access what, when, and from where. A clean tenancy makes that source of truth accurate.

  • Lifecycle automation (joiners, movers, leavers). New hires are provisioned by role; departing staff have every account, session, and token revoked in seconds — not weeks — so orphaned licensed mailboxes never re-accumulate.

  • Least privilege & zero standing privilege. Every human and service identity gets only the access its role requires; standing admin rights are eliminated.

  • Universal SSO & phishing-resistant MFA via CyberSecureID Verify. Real users authenticate once with adaptive, FIDO2-grade MFA; legacy and unattended accounts that can’t support it are surfaced and retired.

  • Continuous audit & attestation. Quarterly access reviews are generated automatically and routed to managers — turning “who owns this mailbox?” into a standing, answerable question.

For the full business case — compliance mapping (CMMC, FTC Safeguards, PCI), cyber-insurance bindability, and real-world breach examples — see the executive briefing in our knowledge base: CyberSecureID IAM with CyberSecureID Verify: An Executive Briefing.

Before You Begin

Prerequisites and Access

  • Administrative role: You hold Global Administrator or Exchange Administrator in Microsoft Entra ID.

  • Admin portals: Access to the Microsoft 365 admin center (admin.microsoft.com) and the Exchange admin center (admin.exchange.microsoft.com).

  • PowerShell (optional but recommended at scale): The Exchange Online Management module installed.

  • A change window and approvals: Owner/manager sign-off captured in Phase 2 before any conversion in Phase 3.

Connect to Exchange Online PowerShell (used throughout this runbook):

# Install once (run PowerShell as administrator):
Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser

# Connect (use your admin UPN):
Connect-ExchangeOnline -UserPrincipalName admin@yourdomain.com

Important: Make a record before you change anything. Phase 1 produces the inventory that is your rollback reference. Do not begin converting or removing licenses until Phases 1 and 2 are complete and signed off.

Phase 1 — Discover

Goal: Build a complete, accurate inventory of every licensed account and flag the ones that are not a single living person. Owner: IT / Microsoft 365 Administrator.

1.1 Sign in and open the Active Users list

Click path: admin.microsoft.com › Show all › Users › Active users.

  1. Browse to admin.microsoft.com and sign in with your administrator account.

  2. In the left navigation choose Show all, then Users › Active users.

  3. Note the total count of active (licensed) users shown at the top of the list.

1.2 Export the full user and license list

Click path: Active users › Export users.

Export the list to a spreadsheet so you can sort, filter, and annotate offline — this becomes your master inventory.

# Export every mailbox with type and primary address:
Get-Mailbox -ResultSize Unlimited |
  Select DisplayName,PrimarySmtpAddress,RecipientTypeDetails |
  Export-Csv .\tenancy_mailboxes.csv -NoTypeInformation

1.3 Flag the non-human accounts

Mark every account that is not one identifiable person:

  • Shared/role addresses: info@, sales@, support@, billing@, hr@, careers@, noreply@.

  • Service / application accounts: scanner@, printer@, app integrations, “svc-” accounts created for a single project.

  • Ambiguous accounts: anything where you cannot immediately name the human who owns it — flag for follow-up in Phase 2.

# Anything already 'SharedMailbox' is done; 'UserMailbox' rows are candidates:
Get-Mailbox -ResultSize Unlimited |
  Where {$_.RecipientTypeDetails -eq 'UserMailbox'} |
  Select DisplayName,PrimarySmtpAddress | Sort DisplayName

Tip: A genuine shared mailbox shows as Shared in the type column. If a role address shows as a regular user mailbox, it is consuming a license unnecessarily — add it to the convert list.

1.4 Identify inactive and departed-employee mailboxes

Click path: Microsoft 365 admin › Reports › Usage › Email activity (or Microsoft Entra admin center › Users › sign-in activity). Cross-reference with HR’s list of departed employees.

# Last sign-in via Microsoft Graph. Requires the Microsoft.Graph PowerShell module;
# the SignInActivity property is only populated with a Microsoft Entra ID P1 or P2 license.
Connect-MgGraph -Scopes 'AuditLog.Read.All','User.Read.All'
Get-MgUser -All -Property DisplayName,UserPrincipalName,SignInActivity |
  Select DisplayName,UserPrincipalName,
    @{N='LastSignIn';E={$_.SignInActivity.LastSignInDateTime}}

1.5 Record each flagged mailbox’s size

A standard shared mailbox is free up to 50 GB. Record sizes now so you can spot the rare mailbox that will need a license exception in Phase 3.

# TotalItemSize displays as "1.5 GB (1,610,612,736 bytes)"; sort on the byte count,
# not the display string, or a 900 MB mailbox sorts above a 2 GB one.
Get-Mailbox -ResultSize Unlimited | Get-MailboxStatistics |
  Select DisplayName,TotalItemSize,ItemCount,
    @{N='SizeBytes';E={[int64](("$($_.TotalItemSize)" -replace '^.*\(|\sbytes\)$','') -replace ',','')}} |
  Sort SizeBytes -Descending
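The five discovery steps above produce four separate lists that then have to be joined by hand. The script below is an added example, not part of the original runbook, that builds the single inventory spreadsheet in one pass: mailbox type, size in bytes, last sign-in, and a Flags column for the candidates 1.3 and 1.4 describe. It assumes Connect-ExchangeOnline and Connect-MgGraph (AuditLog.Read.All, User.Read.All) have already run; the $RolePrefixes list and the 90-day $StaleDays threshold are hypothetical values to tune to your tenancy. The same script is what you re-run in 4.2.

```powershell
# Added example: one-pass Phase 1 inventory (not from the original runbook).
# Assumes Connect-ExchangeOnline and Connect-MgGraph have already run.
# SignInActivity is only populated with a Microsoft Entra ID P1/P2 license.

$RolePrefixes = 'info','sales','support','billing','hr','careers','noreply','scanner','printer'  # hypothetical
$StaleDays    = 90   # hypothetical threshold for "inactive"; align with your policy

# Last sign-in per UPN, keyed for a fast join against the mailbox list.
$signIn = @{}
Get-MgUser -All -Property UserPrincipalName,SignInActivity | ForEach-Object {
  $signIn["$($_.UserPrincipalName)".ToLower()] = $_.SignInActivity.LastSignInDateTime
}

$inventory = Get-Mailbox -ResultSize Unlimited | ForEach-Object {
  $mbx   = $_
  $stats = Get-MailboxStatistics -Identity $mbx.Identity
  # TotalItemSize renders as "1.5 GB (1,610,612,736 bytes)"; extract the byte count.
  $bytes = [int64](("$($stats.TotalItemSize)" -replace '^.*\(|\sbytes\)$','') -replace ',','')
  $upn   = "$($mbx.UserPrincipalName)".ToLower()
  $alias = $mbx.PrimarySmtpAddress.ToString().Split('@')[0].ToLower()
  $last  = $signIn[$upn]

  $flags = @()
  if ($mbx.RecipientTypeDetails -eq 'UserMailbox') {
    # Licensed user mailbox with a role/service name: convert candidate (1.3).
    if ($RolePrefixes -contains $alias -or $alias -like 'svc-*') { $flags += 'RoleOrService' }
    # No sign-in recorded, or none within the threshold: departed/inactive candidate (1.4).
    if (-not $last -or $last -lt (Get-Date).AddDays(-$StaleDays)) { $flags += 'Inactive' }
  }
  if ($bytes -gt 50GB)             { $flags += 'Over50GB' }  # Plan 2 exception if converted (1.5)
  if ($mbx.LitigationHoldEnabled)  { $flags += 'LitHold' }   # Plan 2 exception if converted

  [pscustomobject]@{
    DisplayName = $mbx.DisplayName
    Address     = $mbx.PrimarySmtpAddress
    Type        = $mbx.RecipientTypeDetails
    SizeGB      = [math]::Round($bytes / 1GB, 2)
    LastSignIn  = $last
    Flags       = ($flags -join ';')
    Owner       = ''   # filled in during Phase 2 (2.1)
    Disposition = ''   # Convert / Reassign / Retire, decided in Phase 2 (2.2)
  }
}

$inventory | Export-Csv .\tenancy_inventory.csv -NoTypeInformation   # master inventory / rollback record
$inventory | Where-Object Flags | Sort-Object SizeGB -Descending | Format-Table -AutoSize
```

Rows with an empty Flags column are licensed mailboxes that look like ordinary people; everything else goes to Phase 2 for an owner and a disposition.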

Phase 2 — Decide

Goal: Assign a human owner to every flagged mailbox and confirm its disposition, with manager sign-off, before any change is made. Owner: Managers + IT.

2.1 Assign a human owner to every flagged mailbox

Each address must be accountable to a named person, even when it is a shared function. In your inventory spreadsheet, add an Owner column and fill it for every flagged account. For any account with no obvious owner, escalate to the department head — unowned accounts are the highest-risk items.

Tip: This single column — “who owns this?” — is what CyberSecureID (powered by Okta) will enforce continuously through quarterly access attestations once cleanup is complete.

2.2 Confirm the disposition of each account

  • Convert to shared mailbox — a role/function address that multiple people use (info@, support@). Requires no license once converted.

  • Reassign to a person — the mailbox actually belongs to a real employee under a misleading name; rename/keep licensed.

  • Retire — no longer needed; convert to shared for retention, then plan deletion per your retention policy (do not hard-delete during cleanup).

2.3 Define who needs access to each shared mailbox

  • Full Access — open, read, and manage the mailbox.

  • Send As — send messages that appear to come from the shared address.

  • Send on Behalf — send showing “on behalf of” the shared address.

2.4 Obtain owner and manager sign-off

Capture explicit approval from each owner before changing their address. A short email or a signed row in the worksheet is sufficient — the point is an auditable record.

Important: No conversions, license removals, or deletions happen until Phase 2 sign-off is recorded. This protects against removing an address that turns out to be business-critical.

Phase 3 — Convert

Goal: Convert approved mailboxes to shared, reclaim the freed licenses, and grant the agreed access. Owner: IT / Microsoft 365 Administrator.

3.1 Retain data for departed-employee mailboxes first

Before converting a former employee’s mailbox, make sure their email is preserved (converting to shared keeps the contents; deletion does not). Apply a retention policy or litigation hold if required by your compliance program.

# Example: retain everything in the mailbox indefinitely
Set-Mailbox -Identity 'jdoe@yourdomain.com' -LitigationHoldEnabled $true

Important: Litigation hold and >50 GB are the two exceptions that require an Exchange Online Plan 2 license on the shared mailbox. Note these accounts; they will NOT be fully de-licensed.

3.2 Convert the mailbox to a shared mailbox

Click path: Exchange admin › Recipients › Mailboxes › (mailbox) › Convert to shared. This keeps the address, calendar, and all existing mail — it simply changes the mailbox type.

# Convert one mailbox:
Set-Mailbox -Identity 'info@yourdomain.com' -Type Shared

# Convert a batch from your approved CSV (column: PrimarySmtpAddress):
Import-Csv .\approved_to_convert.csv | ForEach-Object {
  Set-Mailbox -Identity $_.PrimarySmtpAddress -Type Shared
}

3.3 Remove and reclaim the license

Click path: Microsoft 365 admin › Users › Active users › (user) › Licenses and apps › clear license › Save. Record the savings; the freed license can be reassigned to a new hire or removed at renewal.

# Remove a license SKU from the account after conversion.
# Requires Connect-MgGraph -Scopes 'User.ReadWrite.All'; find the SKU ID with
#   Get-MgSubscribedSku | Select SkuPartNumber,SkuId
Set-MgUserLicense -UserId 'info@yourdomain.com' `
  -RemoveLicenses @('<skuId>') -AddLicenses @{}

Tip: Wait until the mailbox shows as Shared before removing the license. A shared mailbox under 50 GB will keep working without a license.

3.4 Grant the agreed staff access

Click path: Shared mailboxes › (mailbox) › Members / Read and manage.

# Full Access (open & manage):
Add-MailboxPermission -Identity 'info@yourdomain.com' `
  -User 'jane@yourdomain.com' -AccessRights FullAccess -InheritanceType All

# Send As (send as the shared address):
Add-RecipientPermission -Identity 'info@yourdomain.com' `
  -Trustee 'jane@yourdomain.com' -AccessRights SendAs

3.5 Handle the exceptions

For the few mailboxes flagged as over 50 GB or on legal hold, keep an Exchange Online Plan 2 license assigned and document why. Everything else should now be license-free.

Important: Document every exception. Auditors and your VCSO will want a short, defensible reason each retained license exists.
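Steps 3.1 to 3.5 are applied one mailbox at a time above. The script below is an added example, not part of the original runbook, that applies the Phase 2 decisions as a batch in the order the runbook requires: convert, confirm the type is SharedMailbox before touching the license, skip de-licensing for the two documented exceptions, then grant exactly the agreed Full Access, Send As and Send on Behalf rights. It assumes Connect-ExchangeOnline and Connect-MgGraph -Scopes 'User.ReadWrite.All' have run, and a hypothetical approved CSV with the columns Address, Disposition, FullAccess, SendAs, SendOnBehalf (semicolon-separated UPNs) and Exception (blank, Over50GB or LitHold).

```powershell
# Added example: batch Phase 3 conversion from the signed-off worksheet (not from the original runbook).
# Hypothetical CSV columns: Address, Disposition, FullAccess, SendAs, SendOnBehalf, Exception.
$approved = Import-Csv .\approved_to_convert.csv |
  Where-Object { $_.Disposition -in 'Convert','Retire' }   # 'Reassign' rows stay licensed

foreach ($row in $approved) {
  $id = $row.Address
  Set-Mailbox -Identity $id -Type Shared                    # 3.2: keeps address, calendar and mail

  # 3.3 tip: do not remove the license until the mailbox actually shows as Shared.
  $deadline = (Get-Date).AddMinutes(10)
  do {
    Start-Sleep -Seconds 15
    $type = (Get-Mailbox -Identity $id).RecipientTypeDetails
  } until ($type -eq 'SharedMailbox' -or (Get-Date) -gt $deadline)
  if ($type -ne 'SharedMailbox') {
    Write-Warning "$id is still $type after 10 minutes; license left in place, review manually"
    continue
  }

  if ($row.Exception) {
    # 3.5: >50 GB or litigation hold keeps an Exchange Online Plan 2 license; log the reason.
    Write-Output "$id : license retained, exception = $($row.Exception)"
  } else {
    # 3.3: strip every SKU currently assigned to the (now shared) mailbox.
    $skus = (Get-MgUserLicenseDetail -UserId $id).SkuId
    if ($skus) { Set-MgUserLicense -UserId $id -RemoveLicenses $skus -AddLicenses @{} | Out-Null }
  }

  # 3.4: grant only the access recorded in Phase 2 (2.3).
  foreach ($u in ($row.FullAccess -split ';' | Where-Object { $_ })) {
    Add-MailboxPermission -Identity $id -User $u -AccessRights FullAccess -InheritanceType All | Out-Null
  }
  foreach ($u in ($row.SendAs -split ';' | Where-Object { $_ })) {
    Add-RecipientPermission -Identity $id -Trustee $u -AccessRights SendAs -Confirm:$false | Out-Null
  }
  $sob = @($row.SendOnBehalf -split ';' | Where-Object { $_ })
  if ($sob.Count) { Set-Mailbox -Identity $id -GrantSendOnBehalfTo @{Add = $sob} }

  Write-Output "$id : converted ($($row.Disposition)); access granted"
}
```

Run it once against a single test row before the full worksheet, and keep the console output with the Phase 1 inventory as the change record.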

Phase 4 — Verify & Govern

Goal: Confirm the results, report the savings, and hand ongoing control to CyberSecureID so the tenancy stays clean. Owner: IT + CyberSecureID (powered by Okta).

4.1 Reconcile licenses and report the savings

Click path: Microsoft 365 admin › Billing › Licenses (assigned vs. available). Report reclaimed licenses and the dollar value to leadership — this is the hard-dollar return on the cleanup.

4.2 Confirm every remaining license maps to a person

Re-run your inventory. Every account that still holds a license should now be a named, active human (or a documented exception). If not, return it to Phase 2.

Get-Mailbox -ResultSize Unlimited |
  Where {$_.RecipientTypeDetails -eq 'UserMailbox'} |
  Select DisplayName,PrimarySmtpAddress

4.3 Bring shared mailboxes and identities under CyberSecureID (powered by Okta)

Connect Microsoft 365 to CyberSecureID so every human identity authenticates through universal SSO with phishing-resistant MFA (CyberSecureID Verify), and access to shared mailboxes is governed centrally rather than managed by hand.

4.4 Enable joiner-mover-leaver automation

Turn on lifecycle automation so new hires are provisioned by role and departing staff are deprovisioned in seconds — the control that stops orphaned licensed mailboxes from ever re-accumulating.

4.5 Schedule recurring quarterly access reviews

Configure CyberSecureID to generate quarterly access reviews routed to managers for attestation. This keeps the tenancy clean permanently and produces auditor-ready evidence for CMMC, FTC Safeguards, and PCI.

Keep selling the outcome: A one-time cleanup decays without governance. Pairing this runbook with CyberSecureID and Cyberwatch Advanced converts a manual chore into an automated, audited control that satisfies your compliance frameworks and meets the conditions cyber-insurance carriers now require to bind coverage. Next step: ask the Office of the CTO for a no-cost executive readiness review. See the CyberSecureID IAM Executive Briefing for the full business case.