Office 365: Correcting users who have had a mailbox in the cloud and on-premises…


In some previous blog posts I have outlined conditions under which users may inadvertently end up with a mailbox both on premises and in the cloud at the same time.  The following links outline these scenarios and how to proactively identify users that may be in this condition.


https://blogs.technet.microsoft.com/timmcmic/2018/04/10/office-365-detecting-and-preventing-duplicate-mailboxes-between-on-premises-and-exchange-online/

https://blogs.technet.microsoft.com/timmcmic/2017/09/10/office-365-users-have-both-a-cloud-and-on-premises-mailbox/

https://blogs.technet.microsoft.com/timmcmic/2018/04/09/office-365-licensing-mail-users-results-in-mailbox-objects/


With an understanding of the scenarios that lead to this, and of how to proactively identify affected users, administrators can quickly pinpoint the conditions that caused it and work to prevent it for other accounts going forward.  How do we handle an account that has already encountered this condition?


There are two methods to handle accounts that have had mailboxes both on premises and in the cloud, plus one scenario in which the choice between them is constrained.  I will outline the options below for administrators to consider, as each has benefits and drawbacks.


OPTION #0:  Delete the existing Azure Active Directory Account


The Exchange Online mailbox object is linked to an Azure Active Directory account.  When the Azure Active Directory account is removed and subsequently purged from the recycle bin, the Exchange Online mailbox is placed in a soft deleted state.  During the next Azure Active Directory Connect synchronization cycle the user is resynchronized to Azure Active Directory as a new object and carries forward the Exchange attributes from on premises.  This should result in a mail user being created in Exchange Online rather than a mailbox object.  The on-premises mailbox can then be migrated, and the soft deleted mailbox merged into the migrated mailbox so that its data is retained.


There are several benefits to this approach:


  • Deleting and purging an account from Azure Active Directory is generally a simple process.
  • The mailbox can be migrated from on premises as soon as the mail user object is provisioned.
  • Exchange Online allows an administrator to merge mailbox contents.  The soft deleted mailbox belonging to the user can be merged into the migrated mailbox, so no messages need to be lost.


There are several potential drawbacks to this approach:


  • This is a complete Azure Active Directory account reset.  Purging the account from the recycle bin is irreversible; the original object cannot be restored afterwards.
  • All permissions granted to this account within the service, for example SharePoint site ownership, OneDrive, and any other services, will be lost.
  • Any membership in cloud-only distribution lists, for example Office 365 groups, will be lost.
  • There may be a brief interruption in mail flow to this account while the Exchange Online object is deleted and recreated.


In Exchange Online we can verify that a mailbox exists for the same user that holds a mailbox on premises.


Exchange Online:


PS C:\> Get-Mailbox testduplicate


Name                      Alias           Database                       ProhibitSendQuota    ExternalDirectoryObjectId

----                      -----           --------                       -----------------    -------------------------

testduplicate             testduplicate   NAMPR06DG282-db128             49.5 GB (53,150,2... e3eaf6c1-f012-42e9-a54...


On-Premises Exchange:


[PS] C:\>Get-Mailbox testduplicate


Name                      Alias                ServerName       ProhibitSendQuota

----                      -----                ----------       -----------------

Test Duplicate            testduplicate        azure-mbx        Unlimited


In the portal we can verify that the account is synchronized from the on-premises active directory.


[Screenshot: the Office 365 portal shows the user as synchronized from on-premises Active Directory.]


The synchronized user has now been verified to have both a mailbox in the cloud and on-premises.
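The two-sided check above (an on-premises mailbox and a cloud recipient for the same user) can be scripted so that it runs across a list of users rather than one at a time.  The following is an added example and not code from the original post.  It assumes that an on-premises Exchange remote session and an Exchange Online session have both been imported with the hypothetical prefixes OnPrem and Cloud, so that Get-OnPremMailbox, Get-CloudRecipient and Get-CloudMailbox refer to the respective environments.

```powershell
# Added example (not from the original post). Assumes two imported sessions:
#   Import-PSSession $onPremSession -Prefix OnPrem   # on-premises Exchange
#   Import-PSSession $cloudSession  -Prefix Cloud    # Exchange Online
# The prefixes are hypothetical; adjust them to whatever your sessions use.

function Test-DuplicateMailbox {
    <#
      Reports whether a user holds a mailbox both on premises and in Exchange
      Online. A correctly provisioned on-premises mailbox appears in Exchange
      Online as a MailUser carrying the same ExchangeGuid; a cloud object whose
      RecipientType is UserMailbox is a second, independent mailbox.
    #>
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $Identity)

    process {
        $onPrem = Get-OnPremMailbox -Identity $Identity -ErrorAction SilentlyContinue
        $cloud  = Get-CloudRecipient -Identity $Identity -ErrorAction SilentlyContinue

        $onPremGuid = $null
        $cloudType  = $null
        $cloudGuid  = $null
        $duplicate  = $false

        if ($onPrem) { $onPremGuid = $onPrem.ExchangeGuid }
        if ($cloud)  { $cloudType  = $cloud.RecipientType }

        if (-not $onPrem) {
            $note = 'No on-premises mailbox'
        } elseif (-not $cloud) {
            $note = 'Not yet represented in Exchange Online'
        } elseif ($cloud.RecipientType -eq 'UserMailbox') {
            # A cloud mailbox next to an on-premises mailbox is the condition this
            # post is about. Record its GUID: it is needed for any later merge.
            $cloudGuid = (Get-CloudMailbox -Identity $Identity).ExchangeGuid
            $duplicate = $true
            $note = 'Cloud mailbox exists alongside the on-premises mailbox'
            if ($cloudGuid -ne $onPremGuid) {
                $note += ' (ExchangeGuid differs: two distinct mailboxes)'
            }
        } else {
            $note = "Expected state: represented in Exchange Online as $($cloud.RecipientType)"
        }

        [pscustomobject]@{
            Identity           = $Identity
            OnPremExchangeGuid = $onPremGuid
            CloudRecipientType = $cloudType
            CloudExchangeGuid  = $cloudGuid
            Duplicate          = $duplicate
            Note               = $note
        }
    }
}

# Usage: one user, or every on-premises mailbox piped through the check.
Test-DuplicateMailbox -Identity 'testduplicate' | Format-List
# Get-OnPremMailbox -ResultSize Unlimited | Select-Object -ExpandProperty Alias |
#     Test-DuplicateMailbox | Where-Object Duplicate | Export-Csv duplicates.csv -NoTypeInformation
```

The CloudExchangeGuid column is the value the recovery below needs before the Azure Active Directory account is touched, so keeping the CSV is worthwhile.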


To begin the recovery the administrator should capture the Exchange Online mailbox information, specifically the Exchange GUID of the mailbox.  This GUID is the handle used later to locate the soft deleted mailbox and merge it back.


PS C:\> Get-Mailbox testduplicate | select-object ExchangeGUID


ExchangeGuid

------------

fa38094d-cbfd-46b7-82f6-8a3022e39a66


Using Azure Active Directory PowerShell (the MSOnline module) the account can be removed and then purged from the recycle bin.


PS C:\> Remove-MsolUser -UserPrincipalName testduplicate@domain.com -Force

PS C:\> Remove-MsolUser -UserPrincipalName testduplicate@domain.com -Force -RemoveFromRecycleBin


The deletion can be verified using PowerShell.  The user is found in neither the active users list nor the recycle bin, which indicates a successful deletion and purge.


PS C:\> Get-MsolUser -UserPrincipalName testduplicate@domain.com
Get-MsolUser : User Not Found.  User: testduplicate@domain.com.
At line:1 char:1
+ Get-MsolUser -UserPrincipalName testduplicate@domain.com
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [Get-MsolUser], MicrosoftOnlineException
    + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.UserNotFoundException,Microsoft.Online.Administration.Automation.GetUser


PS C:\> Get-MsolUser -UserPrincipalName testduplicate@domain.com -ReturnDeletedUsers
Get-MsolUser : User Not Found.  User: testduplicate@domain.com.
At line:1 char:1
+ Get-MsolUser -UserPrincipalName testduplicate@domain.com -Return ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [Get-MsolUser], MicrosoftOnlineException
    + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.UserNotFoundException,Microsoft.Online.Administration.Automation.GetUser


In Exchange Online we can confirm that the mailbox object is no longer present.


PS C:\> Get-Mailbox testduplicate
The operation couldn't be performed because object 'testduplicate' couldn't be found on 'CO1PR06A002DC02.NAMPR06A002.prod.outlook.com'.
    + CategoryInfo          : NotSpecified: (:) [Get-Mailbox], ManagementObjectNotFoundException
    + FullyQualifiedErrorId : [Server=DM6PR06MB4026,RequestId=76d78567-e257-4608-a175-2dc3cd8658c2,TimeStamp=7/15/2018 3:51:45 PM] [FailureCategory=Cmdlet-ManagementObjectNotFoundException] 260B3828,Microsoft.Exchange.Management.RecipientTasks.GetMailbox
    + PSComputerName        : ps.outlook.com


The duplicate online mailbox should now be in a soft deleted state.


PS C:\> Get-Mailbox testduplicate -SoftDeletedMailbox


Name                      Alias           Database                       ProhibitSendQuota    ExternalDirectoryObjectId

----                      -----           --------                       -----------------    -------------------------

Test Duplicate            testduplicate   NAMPR06DG282-db128             49.5 GB (53,150,2...


At this time the online portion of the account has been cleaned up.  An Azure Active Directory Connect synchronization cycle can now be run (or allowed to occur on its normal schedule), after which the object should be reprovisioned from the on-premises directory.


PS C:\> Get-MsolUser -UserPrincipalName testduplicate@domain.com


UserPrincipalName             DisplayName    isLicensed

-----------------             -----------    ----------

testduplicate@domain.com      Test Duplicate False


The object should now be provisioned as a mail user within Exchange Online.  This is the expected recipient type in Exchange Online for a user whose mailbox is on premises.


PS C:\> Get-MailUser testduplicate


Name                                     RecipientType

----                                     -------------

Test Duplicate                           MailUser


At this time the on-premises mailbox can be migrated to Office 365.  This step is optional, but it is required in order to merge any data contained in the soft deleted mailbox back into the user's mailbox in the service.


[Screenshot: the on-premises mailbox being migrated to Office 365.]


When the migration has completed successfully the object will become a mailbox object within Exchange Online.


PS C:\> Get-Mailbox testduplicate


Name                      Alias           Database                       ProhibitSendQuota    ExternalDirectoryObjectId

----                      -----           --------                       -----------------    -------------------------

Test Duplicate            testduplicate   NAMPR06DG143-db051             99 GB (106,300,44... 7ba2fffc-e3ce-4d65-b350-d0a3763e5ffa


To complete the recovery the mailbox restore can be processed.  To begin we need the Exchange GUID of the migrated mailbox, which is the target of the restore.


PS C:\> Get-Mailbox testduplicate | Select-Object exchangeGUID


ExchangeGuid

------------

e683f1ee-4c85-4b99-b4bc-7511572a361d


The Exchange GUID of the soft deleted mailbox was recorded earlier.  With both GUIDs we can begin the merge.  The -AllowLegacyDNMismatch switch is required because the soft deleted source mailbox and the migrated target mailbox do not share the same legacyExchangeDN.


New-MailboxRestoreRequest -SourceMailbox fa38094d-cbfd-46b7-82f6-8a3022e39a66 -TargetMailbox e683f1ee-4c85-4b99-b4bc-7511572a361d -AllowLegacyDNMismatch


Name           TargetMailbox Status

----           ------------- ------

MailboxRestore testduplicate Queued


The merge can be monitored with Get-MailboxRestoreRequest.


PS C:\Users\timmcmic> Get-MailboxRestoreRequest


Name           TargetMailbox Status

----           ------------- ------

MailboxRestore testduplicate InProgress


PS C:\Users\timmcmic> Get-MailboxRestoreRequest

Name           TargetMailbox Status
----           ------------- ------
MailboxRestore testduplicate Completed


At this point the recovery under this option is complete.
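The steps of this option, from capturing the GUID through the merge, can be scripted so that the irreversible purge only proceeds once the GUID has been recorded and the later steps only proceed once the previous one has been verified.  The following is an added example and not code from the original post.  It assumes an Exchange Online session imported with the hypothetical prefix Cloud (so Get-CloudMailbox and New-CloudMailboxRestoreRequest are the Exchange Online cmdlets), the MSOnline module connected with Connect-MsolService, and that the on-premises mailbox move is performed separately once the mail user appears.  The MSOnline cmdlets used on this page have since been retired in favour of Microsoft Graph PowerShell; the example follows the page's tooling.  The polling intervals and timeouts are illustrative.

```powershell
# Added example (not from the original post): Option #0 end to end for one user.
# Assumptions (hypothetical, adjust for your environment):
#   - Exchange Online session imported with -Prefix Cloud (Get-CloudMailbox, ...)
#   - MSOnline connected with Connect-MsolService
#   - Start-ADSyncSyncCycle is available when run on the Azure AD Connect server;
#     otherwise the script asks you to run a delta sync manually.
#   - The mailbox move from on premises is performed separately (migration batch
#     or move request) once the MailUser appears; Merge-SoftDeletedMailbox runs
#     after that move has completed.

function Wait-Until {
    # Poll $Condition every $Seconds until it returns $true or the timeout elapses.
    param([scriptblock] $Condition, [int] $Seconds = 60, [int] $TimeoutMinutes = 60)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-Date) -lt $deadline) {
        if (& $Condition) { return $true }
        Start-Sleep -Seconds $Seconds
    }
    return $false
}

function Reset-DuplicateMailboxAccount {
    # Steps 1-4: record the cloud GUID, purge the Azure AD account, confirm the
    # soft-deleted mailbox, resync and wait for a MailUser. Returns the GUID that
    # the later merge needs.
    param(
        [Parameter(Mandatory)] [string] $Alias,
        [Parameter(Mandatory)] [string] $UserPrincipalName
    )

    # 1. The cloud mailbox GUID is the only handle on the soft-deleted mailbox later.
    $cloudGuid = (Get-CloudMailbox -Identity $Alias -ErrorAction Stop).ExchangeGuid
    Write-Host "Cloud mailbox ExchangeGuid: $cloudGuid (record this before continuing)"

    # 2. Delete, then purge from the recycle bin. The purge is irreversible.
    Remove-MsolUser -UserPrincipalName $UserPrincipalName -Force
    Remove-MsolUser -UserPrincipalName $UserPrincipalName -Force -RemoveFromRecycleBin

    $active  = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction SilentlyContinue
    $deleted = Get-MsolUser -UserPrincipalName $UserPrincipalName -ReturnDeletedUsers -ErrorAction SilentlyContinue
    if ($active -or $deleted) { throw 'Azure AD object still present; stop here.' }

    # 3. The mailbox should now be soft deleted and addressable by its GUID.
    $softDeleted = Wait-Until -Seconds 30 -TimeoutMinutes 15 -Condition {
        $null -ne (Get-CloudMailbox -Identity "$cloudGuid" -SoftDeletedMailbox -ErrorAction SilentlyContinue)
    }
    if (-not $softDeleted) { throw "Soft-deleted mailbox $cloudGuid not found." }

    # 4. Re-provision from on premises and wait for a MailUser (not a mailbox).
    if (Get-Command Start-ADSyncSyncCycle -ErrorAction SilentlyContinue) {
        Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    } else {
        Write-Warning 'Run Start-ADSyncSyncCycle -PolicyType Delta on the Azure AD Connect server now.'
    }
    $mailUser = Wait-Until -Seconds 60 -TimeoutMinutes 60 -Condition {
        $r = Get-CloudRecipient -Identity $Alias -ErrorAction SilentlyContinue
        ($null -ne $r) -and ($r.RecipientType -eq 'MailUser')
    }
    if (-not $mailUser) { throw 'User was not re-provisioned as a MailUser; check synchronization before migrating.' }

    Write-Host 'MailUser present. Migrate the on-premises mailbox, then run Merge-SoftDeletedMailbox.'
    return $cloudGuid
}

function Merge-SoftDeletedMailbox {
    # Step 5: merge the soft-deleted mailbox into the migrated one and wait for it.
    param(
        [Parameter(Mandatory)] [guid]   $SourceGuid,
        [Parameter(Mandatory)] [string] $TargetAlias
    )
    $target = Get-CloudMailbox -Identity $TargetAlias -ErrorAction Stop
    if ($target.ExchangeGuid -eq $SourceGuid) {
        throw 'Target is the same mailbox as the source; the migration has not completed.'
    }

    # Source and target have different legacyExchangeDN values, hence the switch.
    $req = New-CloudMailboxRestoreRequest -SourceMailbox $SourceGuid -TargetMailbox $target.ExchangeGuid -AllowLegacyDNMismatch
    Wait-Until -Seconds 60 -TimeoutMinutes 240 -Condition {
        (Get-CloudMailboxRestoreRequest -Identity $req.Identity).Status -in @('Completed', 'CompletedWithWarning', 'Failed')
    } | Out-Null
    Get-CloudMailboxRestoreRequestStatistics -Identity $req.Identity |
        Select-Object Status, PercentComplete, ItemsTransferred
}

# Usage:
# $guid = Reset-DuplicateMailboxAccount -Alias testduplicate -UserPrincipalName testduplicate@domain.com
# ... migrate the on-premises mailbox to Exchange Online ...
# Merge-SoftDeletedMailbox -SourceGuid $guid -TargetAlias testduplicate
```

The check in Merge-SoftDeletedMailbox that the target GUID differs from the source is there because, until the migration completes, Get-Mailbox for the alias would fail or return the wrong object; the restore must only be submitted against the migrated mailbox.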



OPTION #1:  Remove the Exchange Online License


The Exchange Online mailbox object is linked to an Azure Active Directory account.  When the Exchange Online license is removed from that account the associated mailbox is made unavailable, and the recipient in Exchange Online becomes a mail user rather than a mailbox object.  The on-premises mailbox can then be migrated.  Unlike the previous option, the contents of the former Exchange Online mailbox are not retained.


There are several benefits to this approach:


  • The existing Azure Active Directory account is preserved.
  • All permissions assigned to the object are preserved across SharePoint, OneDrive and other services.  (This assumes ONLY the Exchange Online license is removed…)


There are several potential drawbacks to this approach:


  • The Exchange Online mailbox is not recoverable.  Any data it contains will be lost.
  • There may be a brief interruption in mail flow to this account while the Exchange Online object is converted from a mailbox to a mail user.


To begin, the presence of a mailbox can be confirmed both in Exchange Online and on premises.


Exchange Online:


PS C:\> Get-Mailbox testlicense


Name                      Alias           Database                       ProhibitSendQuota    ExternalDirectoryObjectId

----                      -----           --------                       -----------------    -------------------------

TestLicense               TestLicense     NAMPR06DG103-db019             49.5 GB (53,150,2... c686dfd9-aa4a-4b54-8680-cc0d4c9b0a62


On-Premises Exchange:


[PS] C:\>Get-Mailbox testlicense


Name                      Alias                ServerName       ProhibitSendQuota

----                      -----                ----------       -----------------

Test License              testlicense          azure-mbx        Unlimited


In the portal we can confirm that the account is synchronized from the on-premises Active Directory.


[Screenshot: the Office 365 portal shows the user as synchronized from on-premises Active Directory.]


The synchronized user has now been verified to have both a mailbox in the cloud and on-premises.


The Exchange Online license can now be removed through the portal.


[Screenshot: removing the Exchange Online license from the user in the Office 365 portal.]


Once the license removal has been processed by Exchange Online the mailbox is converted to a mail user.


PS C:\> Get-MailUser testLicense


Name                                     RecipientType

----                                     -------------

Test License                             MailUser


Once the conversion to a mail user has occurred the mailbox can be migrated from on premises.  If the license is reassigned before the migration, the object converts back to a mailbox and the duplicate condition is recreated.  Withhold the Exchange Online license until the mailbox has been migrated (or until the previous recipient type has been changed; see the blog posts linked above), at which point it is safe to apply a license.



OPTION #2:  The user has no license but the account shows an error with a correlation ID in Azure Active Directory


I recently worked with a customer where we were looking at pursuing Option #1 (removing the Exchange Online license) as documented in this article.  With that option our plan was to remove licenses, migrate the mailboxes, and forgo any ability to recover data that might be contained within the Office 365 mailbox.


When reviewing the properties of the user in the Office 365 portal (Azure Active Directory), the user had no Exchange license assigned.  When reviewing the object within Exchange Online, however, a mailbox object existed with the UserMailbox type.


PS C:\> Get-Mailbox testlicense

Name                      Alias           Database                       ProhibitSendQuota    ExternalDirectoryObjectId
----                      -----           --------                       -----------------    -------------------------
TestLicense               TestLicense     NAMPR06DG103-db019             49.5 GB (53,150,2... c686dfd9-aa4a-4b54-8680-cc0d4c9b0a62


One issue we noted in the properties of the user account within the Office 365 portal was an error condition accompanied by a correlation ID.


[Screenshot: the user's properties in the Office 365 portal showing an error and a correlation ID.]


In addition, executing Get-MsolUser -UserPrincipalName testLicense@domain.com shows the Errors field populated and a ValidationStatus of Error.


Errors                                 : {Microsoft.Online.Administration.ValidationError, Microsoft.Online.Administration.ValidationError}

ValidationStatus                       : Error


The presence of a correlation ID and error indicates that there are synchronization and object validation issues between Exchange Online and Azure Active Directory.  Because there are multiple reasons this could occur, especially for accounts in this state, my recommendation is to fall back to Option #0 (deleting the Azure Active Directory account) for the recovery of these types of accounts.
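The decision described in this section and the license-removal procedure of Option #1 above can be combined into a triage step followed by a narrowed license change: rather than removing the whole license, only the mailbox-bearing Exchange service plan is disabled, which is what the "ONLY the Exchange Online license is removed" caveat in Option #1 requires for SharePoint and OneDrive entitlements in the same SKU to survive.  The following is an added example and not code from the original post.  It assumes the MSOnline module is connected, an Exchange Online session is imported with the hypothetical prefix Cloud, and that the service plan names in $MailboxPlans are the ones that create a mailbox in your tenant's SKUs (they vary by SKU; the list is an assumption for this example).

```powershell
# Added example (not from the original post): triage for the correlation-ID case
# and the license-removal path of Option #1, limited to the Exchange plan only.
# Assumptions (hypothetical, adjust for your tenant):
#   - MSOnline connected (Connect-MsolService); Exchange Online session imported
#     with -Prefix Cloud (Get-CloudRecipient).
#   - $MailboxPlans lists the service plans that create a mailbox in your SKUs;
#     check with: (Get-MsolAccountSku).ServiceStatus

$script:DefaultMailboxPlans = @('EXCHANGE_S_ENTERPRISE', 'EXCHANGE_S_STANDARD', 'EXCHANGE_S_DESKLESS')

function Get-DuplicateMailboxTriage {
    # Decide which recovery option applies to one user.
    param([Parameter(Mandatory)] [string] $UserPrincipalName,
          [string[]] $MailboxPlans = $script:DefaultMailboxPlans)

    $user  = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop
    $cloud = Get-CloudRecipient -Identity $UserPrincipalName -ErrorAction SilentlyContinue
    $cloudType = $null
    if ($cloud) { $cloudType = $cloud.RecipientType }

    # An Exchange plan counts as assigned only if it is enabled within some SKU.
    $exchangeLicensed = [bool] ($user.Licenses.ServiceStatus | Where-Object {
        ($_.ServicePlan.ServiceName -in $MailboxPlans) -and ($_.ProvisioningStatus -ne 'Disabled')
    })
    # The portal's error with a correlation ID surfaces here as Errors/ValidationStatus.
    $validationErrors = @($user.Errors | ForEach-Object {
        $_.ErrorDetail.ObjectErrors.ErrorRecord.ErrorDescription
    })

    if ($cloudType -ne 'UserMailbox') {
        $recommendation = 'No cloud mailbox: migrate normally.'
    } elseif ($user.ValidationStatus -eq 'Error' -or -not $exchangeLicensed) {
        $recommendation = 'Cloud mailbox with validation errors or without an Exchange license: use Option #0 (delete and purge the Azure AD account).'
    } else {
        $recommendation = 'Licensed cloud mailbox: Option #1 (Disable-ExchangeOnlinePlan, wait for MailUser, then migrate), or Option #0 if its data must be kept.'
    }

    [pscustomobject]@{
        UserPrincipalName  = $UserPrincipalName
        CloudRecipientType = $cloudType
        ExchangeLicensed   = $exchangeLicensed
        ValidationStatus   = $user.ValidationStatus
        ValidationErrors   = $validationErrors
        Recommendation     = $recommendation
    }
}

function Disable-ExchangeOnlinePlan {
    # Option #1, narrowed: disable only the mailbox-bearing plan(s) inside each
    # assigned SKU instead of removing the whole license.
    param([Parameter(Mandatory)] [string] $UserPrincipalName,
          [string[]] $MailboxPlans = $script:DefaultMailboxPlans)

    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop
    foreach ($lic in $user.Licenses) {
        $plans = $lic.ServiceStatus
        if (-not ($plans | Where-Object { $_.ServicePlan.ServiceName -in $MailboxPlans })) { continue }
        # Keep plans that are already disabled and add the Exchange plan(s).
        $disabled = @($plans | Where-Object {
            ($_.ProvisioningStatus -eq 'Disabled') -or ($_.ServicePlan.ServiceName -in $MailboxPlans)
        } | ForEach-Object { $_.ServicePlan.ServiceName } | Select-Object -Unique)
        $options = New-MsolLicenseOptions -AccountSkuId $lic.AccountSkuId -DisabledPlans $disabled
        Set-MsolUserLicense -UserPrincipalName $UserPrincipalName -LicenseOptions $options
    }
}

function Wait-ForMailUser {
    # Poll Exchange Online until the recipient has been converted to a MailUser.
    param([Parameter(Mandatory)] [string] $Identity, [int] $TimeoutMinutes = 60)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-Date) -lt $deadline) {
        $r = Get-CloudRecipient -Identity $Identity -ErrorAction SilentlyContinue
        if ($r -and $r.RecipientType -eq 'MailUser') { return $true }
        Start-Sleep -Seconds 60
    }
    return $false
}

# Usage:
# $t = Get-DuplicateMailboxTriage -UserPrincipalName testlicense@domain.com; $t
# if ($t.Recommendation -like 'Licensed cloud mailbox*') {
#     Disable-ExchangeOnlinePlan -UserPrincipalName testlicense@domain.com
#     if (Wait-ForMailUser -Identity testlicense) {
#         'Migrate now; do not re-enable the Exchange plan until the move completes.'
#     }
# }
```

Keeping the plan disabled until the migration has finished matters: re-enabling it while the on-premises mailbox still exists converts the mail user straight back into a cloud mailbox, which is the condition being repaired.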

