Office 365: Resetting a migrated user's Azure Active Directory account…


In certain support circumstances it may become necessary to hard delete an Azure Active Directory account.  When that user has a mailbox that has already been migrated to Exchange Online, additional steps are required to restore mailbox access, because the re-created account will not provision a mailbox on its own.


It is important to note that hard deleting an account should not be a commonplace operation.  There can be significant impact on the other services linked to the account, for example SharePoint Online site ownership and permissions and OneDrive for Business files, and a hard delete cannot be undone from the recycle bin.


When a mailbox is migrated to Exchange Online the on-premises mailbox GUID (the ExchangeGuid) is preserved in Office 365.  If the original Azure Active Directory account is hard deleted, the Exchange Online mailbox is detached from any active recipient and, where a hold applies, is retained as an inactive mailbox.  The on-premises user object still exists and is still a remote mailbox, so when it is synchronized again the new Azure Active Directory account continues to carry the ExchangeGuid of the original mailbox.  If a license is assigned to the new account, no mailbox is provisioned: the presence of an ExchangeGuid synchronized from on premises tells the service that a mailbox still needs to be migrated.


Let’s take a look at an example.


In this example there is an on-premises mailbox.  This can be validated with Get-Recipient, noting that the RecipientType is UserMailbox.


[PS] C:\>Get-Recipient BlogTest

Name      RecipientType
----      -------------
Blog Test UserMailbox


The ExchangeGuid is stamped on the mailbox when it is created on premises (it is stored on the user object in the Active Directory attribute msExchMailboxGuid) and is the link between the Active Directory object and the mailbox object within the database.


[PS] C:\>Get-Mailbox BlogTest | Select-Object ExchangeGuid

ExchangeGuid
------------
3155cca2-d022-4cbe-8f93-e3ecfc98894d


In Office 365 an on-premises mailbox is represented as a mail user object.  This can be validated with Get-Recipient, noting that the RecipientType is MailUser.


PS C:\> Get-Recipient BlogTest

Name      RecipientType
----      -------------
Blog Test MailUser


The same ExchangeGuid found on premises is stamped on the mail user object in Office 365.


PS C:\> Get-Recipient BlogTest | Select-Object ExchangeGuid

ExchangeGuid
------------
3155cca2-d022-4cbe-8f93-e3ecfc98894d


When the mailbox is successfully migrated to Office 365 the on-premises object is converted to a remote mailbox type.


[PS] C:\>Get-RemoteMailbox BlogTest

Name         RecipientTypeDetails                    RemoteRecipientType
----         --------------------                    -------------------
Blog Test    RemoteUserMailbox                       Migrated


The recipient in Office 365 is now a user mailbox object.


PS C:\> Get-Recipient BlogTest

Name      RecipientType
----      -------------
Blog Test UserMailbox


The GUIDs remain the same on both sides.


[PS] C:\>Get-RemoteMailbox BlogTest | Select-Object ExchangeGuid

ExchangeGuid
------------
3155cca2-d022-4cbe-8f93-e3ecfc98894d

PS C:\> Get-Mailbox BlogTest | Select-Object ExchangeGuid

ExchangeGuid
------------
3155cca2-d022-4cbe-8f93-e3ecfc98894d


This represents the standard account creation and migration process.


At this time, through a support engagement, it is determined that the associated Azure Active Directory account needs to be hard deleted.  This is accomplished with Remove-MsolUser: the first call moves the account to the Azure Active Directory recycle bin (a soft delete), and the second call with -RemoveFromRecycleBin purges it from the recycle bin (the hard delete).


PS C:\> Remove-MsolUser -UserPrincipalName blogtest@domain.org

Confirm
Continue with this operation?
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): y

PS C:\> Remove-MsolUser -UserPrincipalName blogtest@domain.org -RemoveFromRecycleBin

Confirm
Continue with this operation?
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): y


When the Azure Active Directory account is removed the associated Exchange Online mailbox is no longer returned by Get-Mailbox.  If the mailbox was on hold it is retained as an inactive mailbox and can still be listed with Get-Mailbox -InactiveMailboxOnly; otherwise it is only recoverable for as long as Exchange Online keeps soft-deleted mailboxes.


PS C:\> Get-Mailbox BlogTest
The operation couldn't be performed because object 'BlogTest' couldn't be found on
'CO1PR06A002DC01.NAMPR06A002.prod.outlook.com'.
    + CategoryInfo          : NotSpecified: (:) [Get-Mailbox], ManagementObjectNotFoundException
    + FullyQualifiedErrorId : [Server=DM6PR06MB4026,RequestId=0bfe62ac-6691-43d8-99e6-5ae8358796b5,TimeStamp=4/29/2018
    3:37:40 PM] [FailureCategory=Cmdlet-ManagementObjectNotFoundException] CEDE4B18,Microsoft.Exchange.Management.RecipientTasks.GetMailbox
    + PSComputerName        : ps.outlook.com



Because the on-premises user object still exists, the next Azure Active Directory Connect synchronization cycle provisions the same account again as a new, unlicensed object in Azure Active Directory.


PS C:\> Get-MsolUser -UserPrincipalName blogtest@domain.org

UserPrincipalName        DisplayName isLicensed
-----------------        ----------- ----------
blogtest@domain.org      Blog Test   False


The provisioning of the new account is detected by Exchange Online and a mail user object is provisioned.


PS C:\> Get-Recipient BlogTest

Name     RecipientType
----     -------------
BlogTest MailUser


On premises this object is a remote mailbox with a RemoteRecipientType of Migrated, so a mailbox object would be expected to appear in Exchange Online.  Instead, the object is a mail user.


When reviewing the properties of the Azure Active Directory object a validation error is present, and the same error is flagged on the account in the portal.


PS C:\> Get-MsolUser -UserPrincipalName blogtest@domain.org | Select-Object ValidationStatus

ValidationStatus
----------------
           Error




Why does the validation error exist?  When a mailbox has been migrated to Office 365 the ExchangeGuid remains on the object on premises, as the earlier commands showed.  Although the recipient type is remote mailbox, the ExchangeGuid synchronized from on premises prevents a mailbox from being provisioned: the service assumes there is still a mailbox waiting to be migrated, and refuses to create an empty one that would collide with it.
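As an added example (not code from the original post), the following PowerShell function captures this diagnosis in one place: it compares the on-premises remote mailbox, the Exchange Online recipient and the Azure Active Directory validation status, and flags the combination described above.  It assumes an on-premises Exchange Management Shell with the ActiveDirectory module available, an MSOnline session (Connect-MsolService), and an Exchange Online remoting session imported with -Prefix Cloud so that the cloud cmdlets are Get-CloudRecipient and Get-CloudMailbox and do not collide with the on-premises ones; the function name and that prefix are assumptions of this example, and blogtest@domain.org is the post's sample identity.

```powershell
function Test-StrandedRemoteMailbox {
    # Reports the on-premises and cloud view of a migrated user and flags the
    # state the post describes: a RemoteUserMailbox on premises that still
    # carries an ExchangeGuid, while the cloud object is only a MailUser with
    # that same GUID, so licensing will never provision a mailbox.
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    # On premises: the migrated user is a RemoteUserMailbox whose ExchangeGuid
    # is backed by the AD attribute msExchMailboxGuid.
    $remote = Get-RemoteMailbox -Identity $UserPrincipalName -ErrorAction SilentlyContinue
    $onPremGuid = if ($remote) { [guid]$remote.ExchangeGuid } else { [guid]::Empty }

    # Cloud: recipient type and GUID as Exchange Online sees them. The "Cloud"
    # cmdlet prefix is an assumption of this example (see the lead-in).
    $cloud = Get-CloudRecipient -Identity $UserPrincipalName -ErrorAction SilentlyContinue
    $cloudGuid = if ($cloud) { [guid]$cloud.ExchangeGuid } else { [guid]::Empty }

    # Azure AD: the validation status that the portal surfaces as an error.
    $msol = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction SilentlyContinue

    # Healthy: cloud UserMailbox with the same GUID as the on-premises remote mailbox.
    # Stranded: cloud MailUser whose GUID still matches the on-premises one.
    $stranded = ($null -ne $remote) -and ($onPremGuid -ne [guid]::Empty) -and
                ($null -ne $cloud) -and ($cloud.RecipientType -eq 'MailUser') -and
                ($cloudGuid -eq $onPremGuid)

    # Property access on $null yields $null in PowerShell, so the missing-object
    # cases simply report empty fields.
    [pscustomobject]@{
        UserPrincipalName    = $UserPrincipalName
        OnPremRecipientType  = $remote.RecipientTypeDetails
        OnPremRemoteType     = $remote.RemoteRecipientType
        OnPremExchangeGuid   = $onPremGuid
        CloudRecipientType   = $cloud.RecipientType
        CloudExchangeGuid    = $cloudGuid
        AzureAdValidation    = $msol.ValidationStatus
        StrandedExchangeGuid = $stranded
    }
}

# Usage with the post's sample identity (constructed example value):
Test-StrandedRemoteMailbox -UserPrincipalName 'blogtest@domain.org' | Format-List
```

For the account in this post the function would report OnPremRemoteType Migrated, CloudRecipientType MailUser, matching GUIDs and AzureAdValidation Error, with StrandedExchangeGuid set to True; after the fix described below it reports a cloud UserMailbox with a different GUID and False.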


If this is the case, how do we get the blank mailbox we were looking for to provision?  The ExchangeGuid can be removed on premises.  This can be accomplished by using ADSIEdit, locating the account to be modified, and clearing the msExchMailboxGuid attribute (the attribute behind the ExchangeGuid property).  Record the value before clearing it: it is the identifier of the original mailbox and is needed later to merge its contents.




At the next Azure Active Directory Connect synchronization cycle the ExchangeGuid is cleared from the object in Office 365.  Once synchronization completes the Exchange Online object remains a mail user, but the ExchangeGuid is now the all-zero GUID.


PS C:\> Get-Recipient BlogTest | fl RecipientType,SKUAssigned,ExchangeGuid

RecipientType : MailUser
SKUAssigned   :
ExchangeGuid  : 00000000-0000-0000-0000-000000000000


At this time a license can be assigned to the user.


PS C:\> Get-MsolUser -UserPrincipalName blogtest@domain.org | Select-Object IsLicensed,Licenses

IsLicensed Licenses
---------- --------
      True {Organization:STANDARDWOFFPACK}


When the license assignment provisions to Exchange Online the mail user is converted to a user mailbox with a new ExchangeGuid: a fresh, empty mailbox has been provisioned.


PS C:\> Get-Recipient BlogTest | fl RecipientType,SKUAssigned,ExchangeGuid

RecipientType : UserMailbox
SKUAssigned   : True
ExchangeGuid  : ec78d8ce-fee9-40e7-b8a6-d0628a22c527


The original mailbox can now be merged into the new mailbox with a mailbox restore request, preserving any data that was delivered to the original mailbox.  Note that the new mailbox's ExchangeGuid differs from the one still missing on premises, so the on-premises remote mailbox should be updated to the new value once the mailbox exists.
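The steps from clearing the GUID on premises through licensing and merging, as one added PowerShell example that is not part of the original post.  It assumes an on-premises Exchange Management Shell with the ActiveDirectory module loaded, an MSOnline session, WinRM access to the Azure AD Connect server, and an Exchange Online remoting session imported with -Prefix Cloud so the cloud cmdlets are Get-CloudRecipient, Get-CloudMailbox and New-CloudMailboxRestoreRequest; the function name, the Cloud prefix, the $AadConnectServer parameter and the usage values are assumptions of this example.  It clears msExchMailboxGuid with Set-ADUser instead of ADSIEdit, which is the same attribute change the post makes by hand.

```powershell
function Reset-MigratedMailboxGuid {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$AccountSkuId,      # e.g. 'Organization:STANDARDWOFFPACK' as in the post
        [Parameter(Mandatory)][string]$AadConnectServer,  # assumed name of the Azure AD Connect server
        [string]$UsageLocation = 'US'                     # required before a license can be assigned
    )

    # Polls a condition until it is true or the timeout elapses (sync and
    # provisioning are asynchronous, so every step below waits on the cloud state).
    function Wait-ForCondition {
        param([scriptblock]$Condition, [int]$TimeoutMinutes = 60, [int]$IntervalSeconds = 60)
        $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
        while (-not (& $Condition)) {
            if ((Get-Date) -gt $deadline) { throw "Timed out waiting for: $Condition" }
            Start-Sleep -Seconds $IntervalSeconds
        }
    }

    # 1. Record the original ExchangeGuid; it is the handle to the inactive mailbox later.
    $remote = Get-RemoteMailbox -Identity $UserPrincipalName
    $originalGuid = [guid]$remote.ExchangeGuid

    # 2. Clear msExchMailboxGuid on premises (the attribute the post clears in ADSIEdit).
    $adUser = Get-ADUser -Filter "userPrincipalName -eq '$UserPrincipalName'"
    Set-ADUser -Identity $adUser -Clear msExchMailboxGuid

    # 3. Push a delta sync and wait until the cloud object carries the all-zero GUID.
    Invoke-Command -ComputerName $AadConnectServer -ScriptBlock { Start-ADSyncSyncCycle -PolicyType Delta }
    Wait-ForCondition {
        ([guid](Get-CloudRecipient -Identity $UserPrincipalName).ExchangeGuid) -eq [guid]::Empty
    }

    # 4. License the account and wait for Exchange Online to provision a fresh mailbox.
    Set-MsolUser -UserPrincipalName $UserPrincipalName -UsageLocation $UsageLocation
    Set-MsolUserLicense -UserPrincipalName $UserPrincipalName -AddLicenses $AccountSkuId
    Wait-ForCondition {
        (Get-CloudRecipient -Identity $UserPrincipalName).RecipientType -eq 'UserMailbox'
    }
    $newMailbox = Get-CloudMailbox -Identity $UserPrincipalName
    $newGuid = [guid]$newMailbox.ExchangeGuid

    # 5. Stamp the new GUID back on the on-premises remote mailbox so both sides
    #    match again (otherwise later hybrid operations have no GUID to match on).
    Set-RemoteMailbox -Identity $UserPrincipalName -ExchangeGuid $newGuid

    # 6. Merge the original mailbox's content into the new one. The original is
    #    only retrievable as an inactive mailbox if it was on hold when deleted.
    $inactive = Get-CloudMailbox -InactiveMailboxOnly -Identity $originalGuid.ToString() -ErrorAction SilentlyContinue
    $restore = $null
    if ($inactive) {
        $restore = New-CloudMailboxRestoreRequest -SourceMailbox $inactive.DistinguishedName `
            -TargetMailbox $newMailbox.DistinguishedName -AllowLegacyDNMismatch
    }

    [pscustomobject]@{
        UserPrincipalName = $UserPrincipalName
        OriginalGuid      = $originalGuid
        NewGuid           = $newGuid
        InactiveFound     = [bool]$inactive
        RestoreRequest    = $restore
    }
}

# Usage with the post's sample identity and SKU; the server name is a placeholder:
# Reset-MigratedMailboxGuid -UserPrincipalName 'blogtest@domain.org' `
#     -AccountSkuId 'Organization:STANDARDWOFFPACK' -AadConnectServer 'aadconnect01'
```

The restore runs asynchronously; follow it with Get-CloudMailboxRestoreRequestStatistics on the returned request.  If InactiveFound is False, the original mailbox was not on hold and its content must be sought among soft-deleted mailboxes (Get-CloudMailbox -SoftDeletedMailbox) before the retention window closes.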





