There are many scenarios in which a mailbox, and the access to it, can become "untrusted".  Preventative solutions abound, but this article focuses on the following worst-case scenarios and on the quickest way to shut down access with the least impact and administrative effort.

  1. A mobile device or computer with saved access to a mailbox is stolen
  2. An employee is suddenly terminated
  3. One or more users with access to a group mailbox are abruptly untrusted but the remaining group members still need access
  4. Criminal investigation or other legal process requires access to the mailbox while denying access to the original mailbox owner
  5. Mailbox credentials have been compromised

Disabling a mailbox user's Active Directory account is not enough.  For example, here are some of the considerations when dealing with an untrusted mailbox:

  • Outlook or MAPI connections can remain connected to Exchange for up to 2 hours even after the AD account has been disabled.  For performance reasons, active connections to the store or to RPC Client Access are cached in this manner.
  • Outlook Web Access, Exchange Web Services, and ActiveSync also have caches.  ActiveSync devices, with their long heartbeat intervals and token cache, can still have access up to 24 hours after an AD account has been disabled.

Generic Solution:
1.  Disable the mailbox to prevent re-access of the mailbox by the user (example of specific steps)
2.  Set a Send Prohibit Quota to quickly prevent sending off any messages.
example:  Set-Mailbox alias -UseDatabaseQuotaDefaults $false -IssueWarningQuota 0 -ProhibitSendQuota 0
(UseDatabaseQuotaDefaults must be $false; while it is $true the per-mailbox quota values are ignored in favour of the database defaults.)
3.  Move the mailbox to terminate all active logons to the mailbox, including the user's current logon
4.  Office 365 mailboxes or other hosted/cloud solutions may not allow the mailbox to be moved quickly, so disabling protocols at the CASMailbox level achieves a similar result.

To quickly prevent ActiveSync devices from reconnecting:
1. Disable ActiveSync.
Set-CASMailbox untrustedmbxuser -ActiveSyncEnabled:$false

2. Add all existing device partnerships to the individual blocklist for the untrusted mailbox user.
Get-MobileDevice -Mailbox untrustedmbxuser | foreach{Set-CASMailbox -Identity untrustedmbxuser -ActiveSyncAllowedDeviceIDs @{Remove=$_.deviceid} -ActiveSyncBlockedDeviceIDs @{Add=$_.deviceid}}

3. Remove all device partnerships. Any attempt to reconnect will force the device to be reprovisioned, which triggers a new check of the ActiveSync setting and of the individual blocklist entries.
Get-MobileDevice -Mailbox untrustedmbxuser | foreach{Remove-MobileDevice -Identity $_.identity -Confirm:$false}
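As an added example (not part of the original article), the quota, protocol-disable, device-block and partnership-removal steps above collected into one Exchange Management Shell function, with the optional mailbox move from the generic solution. It assumes Exchange 2013 or later (Get-MobileDevice), an existing Exchange Management Shell session, and a caller with rights to run these cmdlets; the function name and its -TargetDatabase parameter are my own.

```powershell
# Added example (not from the original article): one function that applies the
# lockdown steps in order. Assumes Exchange 2013+ and an open Exchange Management
# Shell session; the function name and -TargetDatabase parameter are hypothetical.
function Lock-UntrustedMailbox {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $Identity,
        # On-premises only: database to move the mailbox into, which terminates
        # every active logon. Leave empty for Exchange Online.
        [string] $TargetDatabase
    )

    if ($PSCmdlet.ShouldProcess($Identity, 'Lock down mailbox access')) {
        # 1. Stop any further sending. UseDatabaseQuotaDefaults must be $false or
        #    the per-mailbox quota is ignored in favour of the database setting.
        Set-Mailbox -Identity $Identity -UseDatabaseQuotaDefaults $false `
            -IssueWarningQuota 0 -ProhibitSendQuota 0

        # 2. Switch every client protocol off at the CASMailbox level.
        Set-CASMailbox -Identity $Identity -ActiveSyncEnabled $false -OWAEnabled $false `
            -EwsEnabled $false -MAPIEnabled $false -PopEnabled $false -ImapEnabled $false

        # 3. Move each known device from the allow list to the block list, so a
        #    device that wakes up before its cached token expires is refused.
        $devices = @(Get-MobileDevice -Mailbox $Identity)
        foreach ($device in $devices) {
            Set-CASMailbox -Identity $Identity `
                -ActiveSyncAllowedDeviceIDs @{ Remove = $device.DeviceId } `
                -ActiveSyncBlockedDeviceIDs @{ Add = $device.DeviceId }
        }

        # 4. Remove the partnerships; reconnecting forces a re-provision that
        #    re-checks both the ActiveSync flag and the block list.
        foreach ($device in $devices) {
            Remove-MobileDevice -Identity $device.Identity -Confirm:$false
        }

        # 5. Optional move to drop all active logons (not available in the cloud).
        if ($TargetDatabase) {
            New-MoveRequest -Identity $Identity -TargetDatabase $TargetDatabase | Out-Null
        }
    }

    # Return the resulting settings so the responder can record them as evidence.
    Get-CASMailbox -Identity $Identity |
        Select-Object Name, ActiveSyncEnabled, OWAEnabled, EwsEnabled, MAPIEnabled,
            PopEnabled, ImapEnabled, ActiveSyncBlockedDeviceIDs
}

# Usage: Lock-UntrustedMailbox -Identity untrustedmbxuser -WhatIf    (preview only)
#        Lock-UntrustedMailbox -Identity untrustedmbxuser -TargetDatabase 'DB02'
```

Run it first with -WhatIf to confirm the target mailbox before any setting is changed.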

Some great articles that help fill in the pieces:

EAS devices sync after account disable or password change

Removed Mobile Device Still Has Access To Exchange Mailbox via Exchange ActiveSync