Office 365: Resetting a migrated user's Azure Active Directory account

In certain support circumstances it may become necessary to hard delete an Azure Active Directory account. When the user has a mailbox that has been migrated to Exchange Online, additional steps may be required to restore mailbox access.

It is important to note that hard deleting an account should not be a commonplace operation. There can be significant impacts to the other services that are linked to the account, for example SharePoint Online site ownerships and permissions and OneDrive for Business files.

When a mailbox is migrated to Exchange Online, the on-premises mailbox GUID is preserved in Office 365. If the original Azure Active Directory account is hard deleted, the Exchange Online mailbox is set to an inactive status. The re-provisioned Azure Active Directory account is provisioned as a remote mailbox but still carries the Exchange GUID of the on-premises mailbox. If a license is assigned to the new account, a mailbox is not provisioned because of the presence of the on-premises Exchange GUID: the service assumes the mailbox still needs to be migrated.

Let’s take a look at an example.

In this example there is an on-premises mailbox. This can be validated with Get-Recipient, noting that the RecipientType is UserMailbox.

[PS] C:\>Get-Recipient BlogTest

Name      RecipientType
----      -------------
Blog Test UserMailbox

The ExchangeGuid is stamped on the mailbox when it is created on premises and is used to link the Active Directory object to the mailbox object within the database.

[PS] C:\>Get-Mailbox BlogTest | Select-Object ExchangeGuid

ExchangeGuid
------------
3155cca2-d022-4cbe-8f93-e3ecfc98894d

In Office 365 an on-premises mailbox is represented as a mail user object. This can be validated with Get-Recipient, noting that the RecipientType is MailUser.

PS C:\> Get-Recipient BlogTest

Name      RecipientType
----      -------------
Blog Test MailUser

The same ExchangeGuid found on premises is stamped on the mail user object in Office 365.

PS C:\> Get-Recipient BlogTest | Select-Object ExchangeGuid

ExchangeGuid
------------
3155cca2-d022-4cbe-8f93-e3ecfc98894d

When the mailbox is successfully migrated to Office 365, the on-premises object is converted to a remote mailbox type.

[PS] C:\>Get-RemoteMailbox BlogTest

Name      RecipientTypeDetails RemoteRecipientType
----      -------------------- -------------------
Blog Test RemoteUserMailbox    Migrated

The recipient in Office 365 is now a user mailbox object.

PS C:\> Get-Recipient BlogTest

Name      RecipientType
----      -------------
Blog Test UserMailbox

The GUIDs remain the same on both sides.

[PS] C:\>Get-RemoteMailbox BlogTest | Select-Object ExchangeGuid

ExchangeGuid
------------
3155cca2-d022-4cbe-8f93-e3ecfc98894d

PS C:\> Get-Mailbox BlogTest | Select-Object ExchangeGuid

ExchangeGuid
------------
3155cca2-d022-4cbe-8f93-e3ecfc98894d

This represents the standard account creation and migration process.

At this point, through a support engagement, it is determined that the associated Azure Active Directory account needs to be hard deleted. This is accomplished with Remove-MsolUser: the first call removes the account, and the second call with -RemoveFromRecycleBin purges it from the recycle bin.

PS C:\> Remove-MsolUser -UserPrincipalName blogtest@domain.org

Confirm
Continue with this operation?
[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): y

PS C:\> Remove-MsolUser -UserPrincipalName blogtest@domain.org -RemoveFromRecycleBin

Confirm
Continue with this operation?
[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): y

When the Azure Active Directory account is removed, the associated Exchange Online mailbox is also removed.

PS C:\> Get-Mailbox BlogTest

The operation couldn't be performed because object 'BlogTest' couldn't be found on 'CO1PR06A002DC01.NAMPR06A002.prod.outlook.com'.
    + CategoryInfo          : NotSpecified: (:) [Get-Mailbox], ManagementObjectNotFoundException
    + FullyQualifiedErrorId : [Server=DM6PR06MB4026,RequestId=0bfe62ac-6691-43d8-99e6-5ae8358796b5,TimeStamp=4/29/2018 3:37:40 PM] [FailureCategory=Cmdlet-ManagementObjectNotFoundException] CEDE4B18,Microsoft.Exchange.Management.RecipientTasks.GetMailbox
    + PSComputerName        : ps.outlook.com

When the next Azure Active Directory Connect synchronization cycle runs, the same account is provisioned as a new object in Azure Active Directory.

PS C:\> Get-MsolUser -UserPrincipalName blogtest@domain.org

UserPrincipalName   DisplayName isLicensed
-----------------   ----------- ----------
blogtest@domain.org Blog Test   False

Exchange Online detects the provisioning of the new account and provisions a mail user object.

PS C:\> Get-Recipient BlogTest

Name     RecipientType
----     -------------
BlogTest MailUser

In this instance the on-premises object is a remote mailbox (a migrated user), so a mailbox object would be expected to appear in Exchange Online, but the object is a mail user.

When reviewing the properties of the Azure Active Directory object, validation errors exist, and an error is shown on the account in the portal.

PS C:\> Get-MsolUser -UserPrincipalName blogtest@domain.org | Select-Object ValidationStatus

ValidationStatus
----------------
Error


Why does the validation error exist? When a mailbox has been migrated to Office 365, the ExchangeGuid remains on the on-premises object, as seen in the commands executed above. Although the recipient type is remote mailbox, the presence of an ExchangeGuid on premises prevents a mailbox from being provisioned: the service assumes there is still a mailbox to be migrated.

If this is the case, how do we get the blank mailbox we were looking for to provision? The ExchangeGuid can be removed on premises. This can be accomplished by using ADSIEdit, locating the account to be modified, and clearing the attribute.


At the next Azure Active Directory Connect synchronization cycle the ExchangeGuid is cleared from the object in Office 365. Once synchronization completes, the Exchange Online object remains a mail user but the ExchangeGuid is now null (all zeros).

PS C:\> Get-Recipient BlogTest | fl RecipientType,SKUAssigned,ExchangeGuid

RecipientType : MailUser
SKUAssigned   :
ExchangeGuid  : 00000000-0000-0000-0000-000000000000

At this time a license can be assigned to the user.

PS C:\> Get-MsolUser -UserPrincipalName blogtest@domain.org | Select-Object isLicensed,Licenses

IsLicensed Licenses
---------- --------
True       {Organization:STANDARDWOFFPACK}

When the license assignment successfully provisions to Exchange Online, the mail user is converted to a user mailbox: a new mailbox has been provisioned, with a new ExchangeGuid.

PS C:\> Get-Recipient BlogTest | fl RecipientType,SKUAssigned,ExchangeGuid

RecipientType : UserMailbox
SKUAssigned   : True
ExchangeGuid  : ec78d8ce-fee9-40e7-b8a6-d0628a22c527

The original mailbox can now be merged into the new mailbox to preserve any data delivered to the original mailbox.
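As an added example (not code from the original post), the following PowerShell function captures the on-premises and cloud view of the account side by side and classifies it into the healthy, stuck and ready states walked through above, so the check can be repeated before the change, after the next Azure AD Connect cycle, and after licensing. It assumes an on-premises Exchange Management Shell with the ActiveDirectory module loaded, an Exchange Online session imported with -Prefix Cloud (so Get-CloudRecipient is the cloud Get-Recipient), a connected MSOnline session, and it uses Set-ADUser to clear msExchMailboxGuid (the Active Directory attribute behind ExchangeGuid) as a scripted alternative to the ADSIEdit step; the function and parameter names are hypothetical.

```powershell
# Added example, not from the original post. Assumptions: on-premises Exchange Management Shell
# plus ActiveDirectory module; Exchange Online session imported with -Prefix Cloud; Connect-MsolService
# already run. Clearing msExchMailboxGuid here is the scripted equivalent of the ADSIEdit step.
function Get-MigratedUserResetState {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Identity,            # e.g. BlogTest
        [Parameter(Mandatory)][string]$UserPrincipalName,   # e.g. blogtest@domain.org
        [switch]$ClearOnPremExchangeGuid                    # opt in to clearing the stale on-premises GUID
    )
    $empty = [guid]::Empty

    # On-premises view: the remote mailbox still carries the migrated mailbox's ExchangeGuid.
    $remote     = Get-RemoteMailbox -Identity $Identity -ErrorAction Stop
    $onPremGuid = [guid]$remote.ExchangeGuid

    # Cloud view: recipient type and ExchangeGuid in Exchange Online, validation status in Azure AD.
    $cloud     = Get-CloudRecipient -Identity $Identity -ErrorAction Stop
    $cloudGuid = [guid]$cloud.ExchangeGuid
    $msol      = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop

    # Classify the situations the post walks through.
    if ($cloud.RecipientType -eq 'UserMailbox' -and $cloudGuid -eq $onPremGuid) {
        $state = 'Healthy: migrated mailbox is linked to the account'
    } elseif ($cloud.RecipientType -eq 'MailUser' -and $onPremGuid -ne $empty -and $msol.ValidationStatus -eq 'Error') {
        $state = 'Stuck: stale on-premises ExchangeGuid blocks mailbox provisioning'
    } elseif ($cloud.RecipientType -eq 'MailUser' -and $onPremGuid -eq $empty -and $cloudGuid -eq $empty) {
        $state = 'Ready: ExchangeGuid cleared on both sides, a license can be assigned'
    } else {
        $state = 'Unknown: review manually before changing anything'
    }

    # Only in the stuck state, and only when asked, clear msExchMailboxGuid (the AD attribute behind
    # ExchangeGuid). -WhatIf previews the change; the old value is kept for locating the original mailbox.
    if ($ClearOnPremExchangeGuid -and $state -like 'Stuck*') {
        if ($PSCmdlet.ShouldProcess($remote.DistinguishedName, "Clear msExchMailboxGuid (was $onPremGuid)")) {
            Set-ADUser -Identity $remote.DistinguishedName -Clear msExchMailboxGuid
            Write-Verbose "Cleared msExchMailboxGuid; original ExchangeGuid was $onPremGuid"
        }
    }

    [pscustomobject]@{
        Identity = $Identity; OnPremExchangeGuid = $onPremGuid; CloudRecipientType = $cloud.RecipientType
        CloudExchangeGuid = $cloudGuid; ValidationStatus = $msol.ValidationStatus; State = $state
    }
}

# Run before the change, again after the next Azure AD Connect cycle, and again after licensing.
Get-MigratedUserResetState -Identity BlogTest -UserPrincipalName blogtest@domain.org
```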