In certain support circumstances it may become necessary to hard delete an Azure Active Directory account. When the user has a mailbox that was migrated to Exchange Online, additional steps are required before a mailbox can be provisioned for the re-created account and access to the original mailbox data restored.
It is important to note that hard deleting an account should not be a commonplace operation. It can have significant impacts on the other services linked to the account, for example SharePoint Online site ownerships and permissions, and OneDrive for Business files.
When a mailbox is migrated to Exchange Online the on-premises mailbox GUID (ExchangeGuid) is preserved in Office 365. If the Azure Active Directory account is hard deleted, the Exchange Online mailbox is disconnected from it and becomes soft-deleted (or inactive, if it was on hold). The on-premises object is still a remote mailbox and still carries the ExchangeGuid of the migrated mailbox, so when Azure Active Directory Connect re-creates the account that GUID is synchronized onto the new object. If a license is then assigned, no mailbox is provisioned because of the presence of the on-premises ExchangeGuid: the service assumes the mailbox still needs to be migrated.
Let’s take a look at an example.
In this example there is an on-premises mailbox. This can be validated with Get-Recipient: the RecipientType is UserMailbox.
[PS] C:\>Get-Recipient BlogTest

Name       RecipientType
----       -------------
Blog Test  UserMailbox
The ExchangeGuid is stamped on the mailbox when it is created on premises (it is stored in the msExchMailboxGuid attribute of the Active Directory user) and links the Active Directory object to the mailbox object within the database.
[PS] C:\>Get-Mailbox BlogTest | Select-Object ExchangeGuid

ExchangeGuid
------------
3155cca2-d022-4cbe-8f93-e3ecfc98894d
In Office 365 an on-premises mailbox is represented as a mail user object. This can be validated with Get-Recipient: the RecipientType is MailUser.
PS C:\> Get-Recipient BlogTest

Name       RecipientType
----       -------------
Blog Test  MailUser
The same ExchangeGuid found on premises is stamped on the mail user object in Office 365.
PS C:\> Get-Recipient BlogTest | Select-Object ExchangeGuid

ExchangeGuid
------------
3155cca2-d022-4cbe-8f93-e3ecfc98894d
When the mailbox is successfully migrated to Office 365, the on-premises object is converted to a remote mailbox.
[PS] C:\>Get-RemoteMailbox BlogTest

Name       RecipientTypeDetails  RemoteRecipientType
----       --------------------  -------------------
Blog Test  RemoteUserMailbox     Migrated
The recipient in Office 365 is now a user mailbox object.
PS C:\> Get-Recipient BlogTest

Name       RecipientType
----       -------------
Blog Test  UserMailbox
The ExchangeGuid is unchanged on both sides.
[PS] C:\>Get-RemoteMailbox BlogTest | Select-Object ExchangeGuid

ExchangeGuid
------------
3155cca2-d022-4cbe-8f93-e3ecfc98894d

PS C:\> Get-Mailbox BlogTest | Select-Object ExchangeGuid

ExchangeGuid
------------
3155cca2-d022-4cbe-8f93-e3ecfc98894d
This represents the standard account creation and migration process.
At this time, through a support engagement, it is determined that the associated Azure Active Directory account needs to be hard deleted. This is done with Remove-MsolUser: the first call soft-deletes the user into the Azure Active Directory recycle bin, and the second call with -RemoveFromRecycleBin purges it, which is the hard delete. (The MSOnline module has since been retired; with the Microsoft Graph PowerShell SDK the equivalent is Remove-MgUser followed by Remove-MgDirectoryDeletedItem.)
PS C:\> Remove-MsolUser -UserPrincipalName blogtest@domain.org

Confirm
Continue with this operation?
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): y

PS C:\> Remove-MsolUser -UserPrincipalName blogtest@domain.org -RemoveFromRecycleBin

Confirm
Continue with this operation?
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): y
When the Azure Active Directory account is removed, the associated Exchange Online mailbox is removed with it and Get-Mailbox no longer returns it.
PS C:\> Get-Mailbox BlogTest

The operation couldn't be performed because object 'BlogTest' couldn't be found on 'CO1PR06A002DC01.NAMPR06A002.prod.outlook.com'.
    + CategoryInfo          : NotSpecified: (:) [Get-Mailbox], ManagementObjectNotFoundException
    + FullyQualifiedErrorId : [Server=DM6PR06MB4026,RequestId=0bfe62ac-6691-43d8-99e6-5ae8358796b5,TimeStamp=4/29/2018 3:37:40 PM] [FailureCategory=Cmdlet-ManagementObjectNotFoundException] CEDE4B18,Microsoft.Exchange.Management.RecipientTasks.GetMailbox
    + PSComputerName        : ps.outlook.com
When the next Azure Active Directory Connect synchronization cycle runs, the still-present on-premises account is exported again and a new object (with a new object ID) is created in Azure Active Directory.
PS C:\> Get-MsolUser -UserPrincipalName blogtest@domain.org

UserPrincipalName    DisplayName  isLicensed
-----------------    -----------  ----------
blogtest@domain.org  Blog Test    False
The provisioning of the new account is detected by Exchange Online and a mail user object is provisioned.
PS C:\> Get-Recipient BlogTest

Name      RecipientType
----      -------------
BlogTest  MailUser
Because the on-premises object is a remote mailbox with a RemoteRecipientType of Migrated, a mailbox would be expected to appear in Exchange Online; instead the object is a mail user.
When reviewing the properties of the Azure Active Directory object, a validation error is present, and an error is also shown on the account in the portal.
PS C:\> Get-MsolUser -UserPrincipalName blogtest@domain.org | Select-Object ValidationStatus

ValidationStatus
----------------
Error
Why does the validation error exist? When a mailbox has been migrated to Office 365, the ExchangeGuid remains on the on-premises object, as the previous commands showed. Although the recipient type is remote mailbox, the presence of an ExchangeGuid on premises prevents a mailbox from being provisioned: the service assumes there is still a mailbox to be migrated, and it can find no mailbox with that GUID to attach to the new account.
If this is the case, how do we get the blank mailbox we are looking for to provision? The ExchangeGuid can be removed on premises by clearing the msExchMailboxGuid attribute on the user, for example with ADSIEdit. Do this only on an object whose RemoteRecipientType is Migrated; clearing the attribute on an object that still has an on-premises mailbox would orphan that mailbox.
At the next Azure Active Directory Connect synchronization cycle the ExchangeGuid is cleared from the object in Office 365. Once synchronization completes, the Exchange Online object is still a mail user but the ExchangeGuid is now null (all zeros).
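The same change made with PowerShell instead of ADSIEdit, as an added example that is not part of the original post. It verifies the object is a migrated remote mailbox, keeps a copy of the original GUID (it is needed later to locate the old mailbox for the merge), clears msExchMailboxGuid, and checks the result. It assumes the on-premises Exchange Management Shell and the ActiveDirectory module are both available on the host; the identity BlogTest is the post's sample value and the backup path is an assumption.

```powershell
# Added example, not from the original post. Assumes an on-premises Exchange
# Management Shell (Get-RemoteMailbox) plus the ActiveDirectory module.
Import-Module ActiveDirectory

$Identity   = 'BlogTest'                                   # sample identity from the post
$BackupPath = "C:\Temp\$Identity-ExchangeGuid.txt"         # assumed location

# 1. Confirm the on-premises object really is a migrated remote mailbox.
#    Clearing msExchMailboxGuid on an object that still owns an on-premises
#    mailbox would orphan that mailbox, so stop on any other type.
$remote = Get-RemoteMailbox -Identity $Identity -ErrorAction Stop
if ($remote.RemoteRecipientType -notmatch 'Migrated') {
    throw "$Identity is '$($remote.RemoteRecipientType)', not a migrated remote mailbox. Not touching it."
}

# 2. Record the original GUID. It identifies the soft-deleted or inactive
#    mailbox in Exchange Online and is needed to merge the old data later.
$originalGuid = $remote.ExchangeGuid
if ($originalGuid -eq [guid]::Empty) {
    Write-Host "ExchangeGuid is already empty; nothing to clear."
    return
}
New-Item -ItemType Directory -Path (Split-Path $BackupPath) -Force | Out-Null
$originalGuid.ToString() | Set-Content -Path $BackupPath
Write-Host "Original ExchangeGuid $originalGuid saved to $BackupPath"

# 3. Clear the AD attribute that backs ExchangeGuid. This is the same edit the
#    post makes in ADSIEdit.
Set-ADUser -Identity $remote.DistinguishedName -Clear msExchMailboxGuid

# 4. Verify on both the AD view and the Exchange view of the object.
$ad = Get-ADUser -Identity $remote.DistinguishedName -Properties msExchMailboxGuid
if ($null -ne $ad.msExchMailboxGuid) { throw "msExchMailboxGuid was not cleared." }
$after = Get-RemoteMailbox -Identity $Identity
Write-Host "ExchangeGuid on premises is now: $($after.ExchangeGuid)"

# 5. Optionally push the change to Office 365 now rather than waiting for the
#    next scheduled cycle. This cmdlet exists only on the Azure AD Connect
#    server (ADSync module), so run it there or leave it commented out.
# Start-ADSyncSyncCycle -PolicyType Delta
```

The guard in step 1 is the important part: the post's procedure is safe only because the object is a remote mailbox of type Migrated, and the script refuses to run on anything else.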
PS C:\> Get-Recipient BlogTest | fl RecipientType,SKUAssigned,ExchangeGuid

RecipientType : MailUser
SKUAssigned   :
ExchangeGuid  : 00000000-0000-0000-0000-000000000000
At this time a license can be assigned to the user.
PS C:\> Get-MsolUser -UserPrincipalName blogtest@domain.org | Select-Object IsLicensed,Licenses

IsLicensed  Licenses
----------  --------
True        {Organization:STANDARDWOFFPACK}
When the license assignment successfully provisions to Exchange Online, the mail user is converted to a user mailbox: a new mailbox, with a new ExchangeGuid, has been provisioned.
PS C:\> Get-Recipient BlogTest | fl RecipientType,SKUAssigned,ExchangeGuid

RecipientType : UserMailbox
SKUAssigned   : True
ExchangeGuid  : ec78d8ce-fee9-40e7-b8a6-d0628a22c527
The original mailbox can now be merged into the new mailbox to preserve any data that was delivered to the original mailbox. Note that the on-premises remote mailbox no longer carries an ExchangeGuid; stamping the new mailbox's GUID on it afterwards keeps the two objects consistent for any future move.
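The merge described above, as an added example that is not part of the original post. It locates the original mailbox by its old ExchangeGuid, merges it into the new mailbox with New-MailboxRestoreRequest, waits for the request to finish, and finally stamps the new GUID back on the on-premises remote mailbox. It assumes an Exchange Online PowerShell session for steps 1 to 4 and the on-premises Exchange Management Shell for step 5; the UPN and both GUIDs are the post's sample values. The source must still exist: a mailbox disconnected by an account deletion is soft-deleted for 30 days, or remains as an inactive mailbox if it was on hold.

```powershell
# Added example, not from the original post. Steps 1-4 run in an Exchange
# Online PowerShell session; step 5 runs in the on-premises Exchange shell.
$Target       = 'blogtest@domain.org'                      # sample UPN from the post
$OriginalGuid = '3155cca2-d022-4cbe-8f93-e3ecfc98894d'     # original ExchangeGuid from the post

# 1. Find the original mailbox. It is inactive if it was on hold when the
#    account was deleted, otherwise soft-deleted (kept for 30 days).
$source = Get-Mailbox -InactiveMailboxOnly -Identity $OriginalGuid -ErrorAction SilentlyContinue
if (-not $source) {
    $source = Get-Mailbox -SoftDeletedMailbox -Identity $OriginalGuid -ErrorAction SilentlyContinue
}
if (-not $source) { throw "Original mailbox $OriginalGuid was not found; nothing to merge." }

# 2. Confirm the target is the newly provisioned mailbox, not the old one.
$target = Get-Mailbox -Identity $Target -ErrorAction Stop
if ($target.ExchangeGuid -eq $source.ExchangeGuid) { throw "Source and target are the same mailbox." }
Write-Host "Merging $($source.ExchangeGuid) into $($target.ExchangeGuid)"

# 3. Merge. The new mailbox has a different LegacyExchangeDN from the old one,
#    so the request must be told to allow the mismatch.
$req = New-MailboxRestoreRequest -SourceMailbox $source.ExchangeGuid `
                                 -TargetMailbox $target.ExchangeGuid `
                                 -AllowLegacyDNMismatch `
                                 -Name "Merge-$($target.Alias)"

# 4. Poll until the request reaches a terminal state; dump the report on failure.
do {
    Start-Sleep -Seconds 60
    $stats = Get-MailboxRestoreRequestStatistics -Identity $req.Identity
    Write-Host "$($stats.Status) $($stats.PercentComplete)%"
} while ($stats.Status -notin 'Completed', 'CompletedWithWarning', 'Failed')

if ($stats.Status -eq 'Failed') {
    Get-MailboxRestoreRequestStatistics -Identity $req.Identity -IncludeReport |
        Select-Object -ExpandProperty Report
    throw "Restore request $($req.Identity) failed."
}

# 5. On premises (Exchange Management Shell): write the new cloud GUID onto the
#    remote mailbox so it matches the mailbox that now exists in Exchange Online.
#    Use the value printed in step 2 for the GUID.
# Set-RemoteMailbox -Identity BlogTest -ExchangeGuid 'ec78d8ce-fee9-40e7-b8a6-d0628a22c527'
```

Run step 5 only after the new mailbox is confirmed in Exchange Online; syncing a GUID on premises that no cloud mailbox carries would recreate the exact condition this post is about.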
from TechNet Blogs https://ift.tt/2KnNPcB