Office 365 and Exchange Online Restore and Recover Processes for Soft-Deleted Mailboxes

This article provides background information on and process details for performing Exchange Online restore and recover operations on soft-deleted mailboxes.

Environment Scenario:

  • Organization using Office 365 and Exchange Online
  • Directory synchronization via Azure AD Connect
  • Configured Federated Domain (SSO) with Office 365
  • Test accounts used for this article were unlicensed and therefore cannot have a hold applied

When an employee leaves an organization, at a minimum their on-premises AD user account object should either be deleted or removed from the scope of directory synchronization; which of the two is appropriate depends on how the organization manages its identity lifecycle. Removing the on-premises AD account initiates a flow that moves the Azure AD user account object into the Azure AD recycle bin and soft-deletes the associated Exchange Online mailbox. By default the Azure AD account and the soft-deleted mailbox remain in Office 365 for 30 days, after which they are permanently deleted.

If an organization needs to retain a mailbox for longer than 30 days, the mailbox can be made inactive before the Azure AD user account object is removed, either by placing the mailbox on hold or by applying a retention policy to it in the Office 365 Security & Compliance Center. (Emphasis: the hold needs to be placed on the mailbox before the Azure AD account deletion; a hold applied afterwards does not make the mailbox inactive.) The contents of an inactive mailbox are retained for the duration of the hold, or for the retention period of the Office 365 retention policy that was applied before the mailbox was deleted. An inactive mailbox does not consume a license but remains discoverable via eDiscovery or content search. Inactive mailboxes can later be recovered (converted) into a normal mailbox or restored into an existing one (more details below). Additional information regarding inactive mailboxes can be found in the articles "Overview of Inactive Mailboxes in Office 365" (link) and "Manage Inactive Mailboxes in Office 365" (link).

Also note that there is no "inactive" flag or attribute on the mailbox to indicate that it is inactive. There is an -InactiveMailboxOnly switch on the Get-Mailbox cmdlet, but it lists all soft-deleted mailboxes, not only those that are inactive because a hold was placed on them. To find the mailboxes in a tenant that are inactive because of a hold, query the WhenSoftDeleted attribute for those that have been soft-deleted for more than 30 days: anything still present past the default purge window must be held by something. For example:

 PS C:\> Get-Mailbox -InactiveMailboxOnly | ? {$_.WhenSoftDeleted -lt [DateTime]::Now.AddDays(-30)} | ft Name,WhenSoftDeleted

Name               WhenSoftDeleted
----               ---------------
Test32             06/12/17 9:23:07 PM
Test24             06/12/17 9:10:04 PM
Test25             07/19/17 8:56:14 AM
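The age check above tells you a mailbox survived the purge window but not why. The following is an added example, not code from the original article, that goes a step further and reports, for every soft-deleted mailbox, whether Litigation Hold is enabled or any In-Place Hold is recorded in InPlaceHolds, and how long an unheld mailbox has left before it is purged. It assumes a connected Exchange Online remote PowerShell session; the 30-day window is the default described above.

```powershell
# Added example (not from the original article): inventory soft-deleted mailboxes
# and show why each one is still in the tenant.
# Assumes an existing Exchange Online remote PowerShell session (Get-Mailbox).
# PurgeWindowDays is the default retention for a soft-deleted mailbox with no hold.
$PurgeWindowDays = 30
$now = Get-Date

Get-Mailbox -InactiveMailboxOnly -ResultSize Unlimited | ForEach-Object {
    $mbx = $_
    $age = $now - $mbx.WhenSoftDeleted

    # A Litigation Hold or any entry in InPlaceHolds is what turns a soft-deleted
    # mailbox into an inactive mailbox that outlives the purge window.
    $litHold   = [bool]$mbx.LitigationHoldEnabled
    $holdCount = @($mbx.InPlaceHolds).Count
    $onHold    = $litHold -or ($holdCount -gt 0)

    if ($onHold) {
        $disposition = 'Inactive (on hold)'
    } elseif ($age.TotalDays -gt $PurgeWindowDays) {
        # Past the window with no visible hold: do not rely on it staying around.
        $disposition = 'Past purge window, no hold visible - verify'
    } else {
        $daysLeft = [math]::Ceiling($PurgeWindowDays - $age.TotalDays)
        $disposition = "Purge in ~$daysLeft day(s)"
    }

    [pscustomobject]@{
        Name             = $mbx.Name
        ExchangeGuid     = $mbx.ExchangeGuid
        WhenSoftDeleted  = $mbx.WhenSoftDeleted
        DaysSoftDeleted  = [math]::Floor($age.TotalDays)
        LitigationHold   = $litHold
        InPlaceHoldCount = $holdCount
        Disposition      = $disposition
    }
} | Sort-Object WhenSoftDeleted | Format-Table -AutoSize
```

The ExchangeGuid column is included deliberately: it is the value you will need for the restore and recover steps later in the article, and pulling it here avoids a second lookup.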

In the event of an on-premises AD account's accidental deletion (or accidental removal from directory synchronization scope), the basic process for restoring service is to recover the on-premises AD account from the AD recycle bin (or place it back into sync scope) and allow the account to sync back out to Office 365. The Azure AD account is then recovered from the Azure AD recycle bin automatically and the Exchange Online mailbox is reactivated and reconnected.
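The accidental-deletion flow just described, as an added example that is not part of the original article: locate the recycled object, restore it, trigger a delta sync instead of waiting for the scheduler, and then confirm that the Azure AD object has left the recycle bin and the mailbox is live again. It assumes the AD Recycle Bin feature is enabled in the forest, the ActiveDirectory and ADSync modules are available (the ADSync step has to run on the Azure AD Connect server), and MSOnline and Exchange Online sessions are already connected. The sAMAccountName and UPN are placeholders.

```powershell
# Added example (not from the original article): recover an accidentally deleted
# on-premises user from the AD Recycle Bin and watch it come back in Office 365.
# Assumptions: AD Recycle Bin enabled; ActiveDirectory module on this host;
# ADSync module available (run on / remote to the Azure AD Connect server);
# MSOnline and Exchange Online sessions already connected.
$SamAccountName    = 'jdoe'               # placeholder
$UserPrincipalName = 'jdoe@example.com'   # placeholder

# 1. Locate the recycled object. Deleted objects are hidden from normal queries,
#    so -IncludeDeletedObjects is required.
$deleted = @(Get-ADObject -Filter { isDeleted -eq $true -and sAMAccountName -eq $SamAccountName } `
    -IncludeDeletedObjects -Properties sAMAccountName, lastKnownParent, whenChanged)

if ($deleted.Count -eq 0) { throw "No deleted AD object found for $SamAccountName" }
if ($deleted.Count -gt 1) { throw "Ambiguous: $($deleted.Count) deleted objects match $SamAccountName" }
$deleted = $deleted[0]

# 2. Restore to the last known parent OU (Restore-ADObject's default). Restoring
#    keeps the original objectGUID, so the sourceAnchor/ImmutableId still matches.
Restore-ADObject -Identity $deleted.ObjectGUID
Write-Host "Restored $($deleted.sAMAccountName) to $($deleted.lastKnownParent)"

# 3. Push a delta sync rather than waiting for the next scheduled cycle.
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null

# 4. Poll until the Azure AD object is no longer in the deleted users list.
$deadline = (Get-Date).AddMinutes(15)
do {
    Start-Sleep -Seconds 30
    $stillDeleted = Get-MsolUser -UserPrincipalName $UserPrincipalName -ReturnDeletedUsers -ErrorAction SilentlyContinue
} while ($stillDeleted -and (Get-Date) -lt $deadline)

if ($stillDeleted) { throw "Azure AD object for $UserPrincipalName is still in the recycle bin after sync" }

# 5. Confirm the mailbox is active again. WhenSoftDeleted should be empty now.
Get-Mailbox -Identity $UserPrincipalName -ErrorAction Stop |
    Format-List Name, PrimarySmtpAddress, ImmutableId, WhenSoftDeleted
```

The ambiguity check in step 1 matters in practice: a sAMAccountName that has been reused will match more than one recycled object, and restoring the wrong one reconnects the wrong mailbox.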

Now what happens when an organization wants to provide a soft-deleted mailbox (either via a normal delete within 30 days or one that has been deleted for longer than 30 days but is on hold) to another user? There are two options, restore and recover:

  • Restore - If another employee takes on the job responsibilities of the departed employee, or if another user needs access to the contents of the inactive mailbox, the contents of the inactive mailbox can be restored (merged) into an existing mailbox. The archive from an inactive mailbox can also be restored. After it's restored, the inactive mailbox is preserved and is retained as an inactive mailbox.
  • Recover - If the departed employee returns to your organization, or if a new employee is hired to take on the job responsibilities of the departed employee, the contents of the inactive mailbox can be recovered. This method converts the inactive mailbox to a new mailbox that contains the contents of the inactive mailbox. After it's recovered, the inactive mailbox no longer exists.

Note that a restore leaves the inactive mailbox in place while a recover converts it to a normal mailbox.

An organization will need to decide which to utilize depending on the current circumstances. For example, providing a new employee with all of the email contents of the previous employee's mailbox may be a desirable way of introducing them to the position, in which case recovery could be used. However, perhaps there is pending litigation involving the previous employee and the inactive mailbox must remain unaltered, in which case a restore could be used to copy data into a new mailbox while leaving the old one in place.

There are a few additional considerations when performing a recovery. Per https://support.office.com/en-us/article/Recover-an-inactive-mailbox-in-Office-365-35d0ecdb-7cb0-44be-ad5c-69df2f8f8b25, when an inactive mailbox is recovered, the following will occur:

  • Litigation Hold (if it was enabled for the inactive mailbox) is removed.
  • In-Place Holds are removed. This means that the inactive mailbox is removed as a source mailbox from any In-Place Hold or In-Place eDiscovery searches.
  • The inactive mailbox is removed from any Office 365 retention policies that were applied to it.
  • The single item recovery period (which is defined by the RetainDeletedItemsFor mailbox property) is set to 30 days. Typically, when a new mailbox is created in Exchange Online, this retention period is set to 14 days. Setting this to the maximum value of 30 days gives you more time to recover any data that's been permanently deleted (or purged) from the inactive mailbox. You can also disable single item recovery or set the single item recovery period back to the default of 14 days.
  • Retention hold is enabled, and the retention hold duration is set to 30 days.

Given the above, use care when recovering a mailbox that has been inactive for an extended period of time. Upon recovery, retention hold suspends processing of the retention policy for 30 days, but once that hold expires a mis-assigned retention policy could remove aged content from the newly recovered mailbox.

The remainder of the article details the procedures for performing a restore and a recover.

  1. Perform Restore Process to Existing Mailbox
  2. Perform Recovery Process to New Mailbox with Soft Match

Perform Restore Process to Existing Mailbox

In this example, mailbox TestMbx01 has been soft-deleted for less than 30 days. We will perform a restore to the existing mailbox TestMbx10. The soft-deleted mailbox TestMbx01 will remain in place without a hold and will eventually be removed after being soft-deleted for 30 days.

We need to ensure that there is no ambiguity when working with a soft-deleted mailbox, so we need to obtain the mailbox's Exchange GUID:

 PS C:\> Get-Mailbox testmbx01 -InactiveMailboxOnly | fl Name,DistinguishedName,ExchangeGuid,PrimarySmtpAddress

Name               : TestMbx01
DistinguishedName : CN=TestMbx01,OU=Soft Deleted Objects,OU=jebjeb.onmicrosoft.com,OU=Microsoft Exchange Hosted
                     Organizations,DC=NAMPR15A001,DC=PROD,DC=OUTLOOK,DC=COM
ExchangeGuid       : 44d9503c-8b4d-43c6-b60b-951312dd4535
PrimarySmtpAddress : TestMbx01@jebeckham.com

Once we have the GUID, assign the mailbox object to a variable:

 PS C:\> $InactiveMailbox = Get-Mailbox -InactiveMailboxOnly -Identity 44d9503c-8b4d-43c6-b60b-951312dd4535
PS C:\> $InactiveMailbox

Name                     Alias               ServerName       ProhibitSendQuota
----                     -----               ----------       -----------------
TestMbx01                 TestMbx01           sn1pr15mb0207   99 GB (106,300,440,576 bytes)

Once the inactive mailbox has been identified, perform the actual restore operation. Note that we specify a target mailbox and a target root folder (so as to keep things tidy in the target mailbox):

 PS C:\> New-MailboxRestoreRequest -SourceMailbox $InactiveMailbox.DistinguishedName -TargetMailbox TestMbx10@jebeckham.com -TargetRootFolder "TestMbx01-Restore" -AllowLegacyDNMismatch

Name           TargetMailbox Status
----           ------------- ------
MailboxRestore TestMbx10     Queued

The restore request has been queued and we simply need to wait for completion:

 PS C:\> Get-MailboxRestoreRequest

Name           TargetMailbox Status
----           ------------- ------
MailboxRestore TestMbx10     Completed

We can also check the details of the restore request at any time but here, I have checked them at the end:

 PS C:\> Get-MailboxRestoreRequest | fl

RunspaceId       : e42290bf-3ad7-4c19-8f9d-346e8c53d856
SourceDatabase   : NAMPR15DG013-db119
TargetMailbox     : TestMbx10
Name             : MailboxRestore
RequestGuid       : f4e44d33-f92f-4e6b-b8c0-4d7107167763
RequestQueue     : NAMPR15DG098-db101
Flags             : IntraOrg, Pull
BatchName         :
Status           : Completed
Protect           : False
Suspend           : False
Direction         : Pull
RequestStyle     : IntraOrg
OrganizationId   : NAMPR15A001.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/jebjeb.onmicrosoft.com -
                   NAMPR15A001.PROD.OUTLOOK.COM/ConfigurationUnits/jebjeb.onmicrosoft.com/Configuration
SourceMailboxSize :
WhenChanged       : 03/02/18 10:34:37 AM
WhenCreated       : 03/02/18 10:33:32 AM
WhenChangedUTC   : 03/02/18 4:34:37 PM
WhenCreatedUTC   : 03/02/18 4:33:32 PM
Identity         : TestMbx10\MailboxRestore
IsValid           : True
ObjectState       : New

Once complete, we can find the complete contents of the old mailbox in the target folder we specified in the target mailbox:

[Figure: RestoreSuccess - Restore success!]

Just to confirm, the original soft-deleted mailbox still remains after the restore process:

 PS C:\> Get-MsolUser -SearchString testmbx01 -ReturnDeletedUsers

UserPrincipalName       DisplayName isLicensed
-----------------       ----------- ----------
TestMbx01@jebeckham.com TestMbx01   False

PS C:\> Get-Mailbox testmbx01 -InactiveMailboxOnly

Name                     Alias               ServerName       ProhibitSendQuota
----                     -----               ----------       -----------------
TestMbx01                 TestMbx01           sn1pr15mb0207   99 GB (106,300,440,576 bytes)
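The restore procedure above, collected into one script as an added example (not code from the original article). It resolves the source by ExchangeGuid and refuses ambiguous matches, gives the request a distinct name so several restores into the same target can coexist, polls Get-MailboxRestoreRequestStatistics until the request finishes, pulls the report when it fails, and reports skipped bad items, which a plain Status of Completed does not surface. It assumes a connected Exchange Online session; the GUID, target address, folder and batch names are the article's test values used as placeholders.

```powershell
# Added example (not from the original article): scripted restore of a
# soft-deleted mailbox into an existing mailbox, with polling and error reporting.
# Assumes a connected Exchange Online PowerShell session. Values are placeholders.
$SourceExchangeGuid = '44d9503c-8b4d-43c6-b60b-951312dd4535'
$TargetMailbox      = 'TestMbx10@jebeckham.com'
$TargetRootFolder   = 'TestMbx01-Restore'
$TimeoutMinutes     = 120

# Resolve by ExchangeGuid so a soft-deleted mailbox and a live one that share a
# display name cannot be confused. Exactly one object is acceptable.
$source = @(Get-Mailbox -InactiveMailboxOnly -Identity $SourceExchangeGuid -ErrorAction Stop)
if ($source.Count -ne 1) { throw "Expected exactly one soft-deleted mailbox for $SourceExchangeGuid, found $($source.Count)" }
$source = $source[0]

$target = Get-Mailbox -Identity $TargetMailbox -ErrorAction Stop

# A distinct request name keeps multiple restores into the same target apart.
$requestName = "Restore-$($source.Alias)-$(Get-Date -Format yyyyMMddHHmm)"

$req = New-MailboxRestoreRequest -SourceMailbox $source.DistinguishedName `
    -TargetMailbox $target.Identity -TargetRootFolder $TargetRootFolder `
    -AllowLegacyDNMismatch -Name $requestName -BatchName 'LeaverRestores'

# Poll until a terminal state. Completed, CompletedWithWarning and Failed are terminal.
$terminal = 'Completed', 'CompletedWithWarning', 'Failed'
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
do {
    Start-Sleep -Seconds 60
    $stats = Get-MailboxRestoreRequestStatistics -Identity $req.Identity
    Write-Host ("{0}: {1} {2}% ({3})" -f $stats.Name, $stats.Status, $stats.PercentComplete, $stats.StatusDetail)
} while ($stats.Status -notin $terminal -and (Get-Date) -lt $deadline)

if ($stats.Status -eq 'Failed') {
    # The underlying error is in the report, not in Status.
    (Get-MailboxRestoreRequestStatistics -Identity $req.Identity -IncludeReport).Report.Entries |
        Select-Object -Last 20 | Format-List
    throw "Restore $requestName failed"
}
if ($stats.Status -notin $terminal) { throw "Restore $requestName did not finish within $TimeoutMinutes minutes" }

# Bad items are skipped silently unless you look for them.
Write-Host ("{0}: {1} items transferred, {2} bad items skipped" -f $stats.Status, $stats.ItemsTransferred, $stats.BadItemsEncountered)

# Finished requests stay in the queue until cleaned up; remove ours to keep it readable.
Remove-MailboxRestoreRequest -Identity $req.Identity -Confirm:$false
```

Because the source is addressed by DistinguishedName under OU=Soft Deleted Objects, the script never touches the live namespace, so it is safe to run while a new mailbox with the same alias already exists.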

Perform Recovery Process to New Mailbox with Soft Match

In this example, mailbox TestMbx02 has been soft-deleted for less than 30 days. We will perform a recover to the new mailbox TestMbx30. This will initially be a cloud-only account but will then be soft-matched to an on-premises user account object.

As when performing a restore, we need to ensure that there is no ambiguity when working with a soft-deleted mailbox, so we need to obtain the mailbox's Exchange GUID:

 PS C:\> Get-Mailbox testmbx02 -InactiveMailboxOnly | FL Name,DistinguishedName,ExchangeGuid,PrimarySmtpAddress

Name               : TestMbx02
DistinguishedName : CN=TestMbx02,OU=Soft Deleted Objects,OU=jebjeb.onmicrosoft.com,OU=Microsoft Exchange Hosted
                     Organizations,DC=NAMPR15A001,DC=PROD,DC=OUTLOOK,DC=COM
ExchangeGuid       : a0f88755-9b5a-4ba6-8508-e91163807a80
PrimarySmtpAddress : TestMbx02@jebeckham.com

Once we have the GUID, assign the mailbox object to a variable:

 PS C:\> $InactiveMailbox = Get-Mailbox -InactiveMailboxOnly -Identity a0f88755-9b5a-4ba6-8508-e91163807a80
PS C:\> $InactiveMailbox

Name                     Alias               ServerName       ProhibitSendQuota
----                     -----               ----------       -----------------
TestMbx02                 TestMbx02           sn6pr15mb2464   99 GB (106,300,440,576 bytes)

Once the inactive mailbox has been identified, perform the actual recover operation. Note that we are creating a new cloud-only account to which the inactive mailbox will be recovered:

 PS C:\> New-Mailbox -InactiveMailbox $InactiveMailbox.DistinguishedName -Name TestMbx30 -DisplayName TestMbx30 -MicrosoftOnlineServicesID TestMbx30@jebjeb.onmicrosoft.com -Password (ConvertTo-SecureString -String 'P@ssw0rd' -AsPlainText -Force) -ResetPasswordOnNextLogon $False

WARNING: After you create a new mailbox, you must go to the Office 365 Admin Center and assign the mailbox a license, or it will be disabled after the grace period.

Name                     Alias               ServerName       ProhibitSendQuota
----                     -----               ----------       -----------------
TestMbx30                 TestMbx30           sn6pr15mb2464   99 GB (106,300,440,576 bytes)

WARNING: The inactive mailbox has been recovered. To preserve data until you obtain a valid license, we have enabled Single Item Recovery for 30 days. Additionally we have also enabled Retention Hold for 30 days. Once a valid license has been assigned for this mailbox, you can choose to disable these settings and use Litigation or In-Place Hold instead to preserve data.

Once complete, we can see the new cloud-only account and mailbox:

 PS C:\> Get-MsolUser -SearchString TestMbx30 | fl UserPrincipalName,DisplayName,isLicensed,ImmutableId

UserPrincipalName : TestMbx30@jebjeb.onmicrosoft.com
DisplayName       : TestMbx30
IsLicensed       : False
ImmutableId       :

PS C:\> Get-Mailbox TestMbx30

Name                     Alias               ServerName       ProhibitSendQuota
----                     -----               ----------       -----------------
TestMbx30                 TestMbx30           sn6pr15mb2464   99 GB (106,300,440,576 bytes)

Now that the mailbox has been recovered, we can perform a soft-match to an on-premises account which is being synced to Office 365. We start by assigning the primary SMTP address of the cloud-only account to the on-premises AD account:

 [PS] C:\>Set-User testmbx30 -WindowsEmailAddress TestMbx30@jebjeb.onmicrosoft.com

We allow for directory synchronization to complete and check on the account again from Azure AD:

 PS C:\> Get-MsolUser -SearchString TestMbx30 | fl UserPrincipalName,DisplayName,isLicensed,ImmutableId

UserPrincipalName : TestMbx30@jebeckham.com
DisplayName       : TestMbx30
IsLicensed       : False
ImmutableId       : vPjCsGtfC0OPu8TZkcqFXw==

We see that the UPN has been updated to the on-premises value and the ImmutableId attribute has been populated, which confirms the soft match succeeded. Once confirmed, we can sign in to the account using the proper UPN and federated domain. We find that the previous inactive mailbox has been recovered (highlighted below is that TestMbx30 is the signed-on account but the previous message was sent to TestMbx02):

[Figure: RecoverSuccess - Recover success!]
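The recovery side effects listed earlier (Litigation Hold and In-Place Holds removed, retention policies dropped, single item recovery and retention hold set to 30 days) are easy to forget once the WARNING output scrolls by. The following is an added example, not code from the original article, that checks the recovered mailbox against that list, warns about the case the article cautions about (a retention policy that will resume on aged content when the retention hold lapses), and optionally pushes the retention hold end date out to buy time for a policy review. It assumes a connected Exchange Online session; the mailbox identity and the extension period are placeholders, and re-applying a Litigation Hold still requires the mailbox to be licensed first.

```powershell
# Added example (not from the original article): post-recovery audit of a
# mailbox created with New-Mailbox -InactiveMailbox.
# Assumes a connected Exchange Online PowerShell session. Values are placeholders.
$RecoveredMailbox         = 'TestMbx30@jebjeb.onmicrosoft.com'
$ExtendRetentionHoldDays  = 0    # e.g. 60 to extend; 0 leaves the 30-day hold alone

$mbx = Get-Mailbox -Identity $RecoveredMailbox -ErrorAction Stop
$mbx | Format-List Name, LitigationHoldEnabled, InPlaceHolds, RetentionPolicy,
    RetentionHoldEnabled, StartDateForRetentionHold, EndDateForRetentionHold,
    SingleItemRecoveryEnabled, RetainDeletedItemsFor

$findings = @()

# 1. Recovery strips holds, so the mailbox is no longer preserved for eDiscovery.
if (-not $mbx.LitigationHoldEnabled -and @($mbx.InPlaceHolds).Count -eq 0) {
    $findings += 'No Litigation Hold or In-Place Hold remains; re-apply one (after licensing) if the data is still subject to preservation.'
}

# 2. Retention hold is what suspends policy processing; check it is on and how long it lasts.
if ($mbx.RetentionHoldEnabled) {
    $daysLeft = $null
    if ($mbx.EndDateForRetentionHold) {
        $daysLeft = [math]::Ceiling(([datetime]$mbx.EndDateForRetentionHold - (Get-Date)).TotalDays)
    }
    if ($mbx.RetentionPolicy) {
        $findings += "Retention policy '$($mbx.RetentionPolicy)' is assigned; its tags resume on content that may be years old when the retention hold ends in $daysLeft day(s). Review it before then."
    }
} else {
    $findings += 'Retention hold is NOT enabled; any assigned retention policy is already processing aged items.'
}

# 3. Single item recovery should be on with the 30-day maximum window.
$retainFor = [timespan]$mbx.RetainDeletedItemsFor
if (-not $mbx.SingleItemRecoveryEnabled -or $retainFor -lt [timespan]::FromDays(30)) {
    $findings += "Single item recovery window is $retainFor (enabled: $($mbx.SingleItemRecoveryEnabled)), not the expected 30 days."
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'Post-recovery state matches the documented defaults.' }

# 4. Optional: extend the retention hold so the policy review can happen first.
if ($ExtendRetentionHoldDays -gt 0) {
    Set-Mailbox -Identity $RecoveredMailbox -RetentionHoldEnabled $true `
        -EndDateForRetentionHold (Get-Date).AddDays($ExtendRetentionHoldDays)
    Write-Host "Retention hold extended by $ExtendRetentionHoldDays day(s)."
}
```

Run this immediately after the recovery and again after the license is assigned: licensing is what makes re-applying a Litigation Hold possible, and until then the 30-day retention hold is the only thing standing between the recovered content and the assigned retention policy.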

Sources and Additional Information