共用方式為


Office 365: Correcting users who have had a mailbox in the cloud and on-premises…

In some previous blog posts I have outlined conditions where users may have inadvertently had a mailbox both on premises and in the cloud at the same time.  The following links outline these scenarios and how to attempt to proactively identity users that may fall in this condition.

https://blogs.technet.microsoft.com/timmcmic/2018/04/10/office-365-detecting-and-preventing-duplicate-mailboxes-between-on-premises-and-exchange-online/

https://blogs.technet.microsoft.com/timmcmic/2017/09/10/office-365-users-have-both-a-cloud-and-on-premises-mailbox/

https://blogs.technet.microsoft.com/timmcmic/2018/04/09/office-365-licensing-mail-users-results-in-mailbox-objects/

With an understanding of the scenarios that lead to this and how to proactively identity users administrators can quickly identify the conditions that lead to this occurring and work to prevent it for other accounts moving forward.  How do we handle an account though that has encountered this condition?

There are two methods to handle accounts that have had mailboxes both on premises and in the cloud.  I will outline the options below for administrators to consider – as each has benefits and drawbacks.

OPTION #0: Delete the existing Azure Active Directory Account

The Exchange Online mailbox object is linked to an Azure Active Directory account.  When the azure active directory account is removed and subsequently purged from the recycle bin the Exchange Online mailbox is placed in a soft deleted state.  During the next Azure Active Directory Connect synchronization cycle the user will be resynchronized to Azure Active Directory as new and will carry forward the Exchange attribute from on premises.  This should result in a mail user created in Exchange Online and not a mailbox object.  The mailbox object can now be migrated from on premises and the associated soft deleted mailbox merged into the original to retain data.

There are several benefits to this approach:

  • Deleting and purging an account from Azure Active Directory is generally a simple process.
  • The mailbox can be immediately migrated from on-premises once the mail user object is provisioned.
  • Exchange Online supports the administrator merging mailbox contents.  The soft deleted mailbox belonging to the user can be merged into the migrated mailbox allowing for no messages to be lost.

There are several potential drawbacks to this approach:

  • This is a complete Azure Active Directory account reset.
  • All permissions granted to this account within the service – for example Sharepoint site ownership / OneDrive / and any other services will be lost.
  • Any membership in cloud only distribution lists – for example Office 365 groups – will be lost.
  • There may be a brief interruption in mail flow to this account while the deletion and recreation of the Exchange Online object occurs.

In Exchange Online we can verify the presence of a mailbox that matches an on premises account.

Exchange Online:

PS C:\> Get-Mailbox testduplicate

Name Alias Database ProhibitSendQuota ExternalDirectoryObjectId

---- ----- -------- ----------------- -------------------------

testduplicate testduplicate NAMPR06DG282-db128 49.5 GB (53,150,2... e3eaf6c1-f012-42e9-a54...

On-Premises Exchange:

[PS] C:\>Get-Mailbox testduplicate

Name Alias ServerName ProhibitSendQuota

---- ----- ---------- -----------------

Test Duplicate testduplicate azure-mbx Unlimited

In the portal we can verify that the account is synchronized from the on-premises active directory.

image

The synchronized user has now been verified to have both a mailbox in the cloud and on-premises.

To begin the recovery the administrator should capture the Exchange Online mailbox information – specifically the Exchange GUID of the mailbox.  This GUID will be utilized in the recovery of the soft deleted mailbox.

PS C:\> Get-Mailbox testduplicate | select-object ExchangeGUID

ExchangeGuid

------------

fa38094d-cbfd-46b7-82f6-8a3022e39a66

Using Azure Active Directory powershell the account can be removed and purged from the recycle bin.

PS C:\> Remove-MsolUser -UserPrincipalName testduplicate@domain.com -Force

PS C:\> Remove-MsolUser -UserPrincipalName testduplicate@domain.com -Force –RemoveFromRecycleBin

The deletion can be verified using powershell.  The user cannot be found in either the active users list or the recycle bin – this indicates a successful deletion.

PS C:\> Get-MsolUser -UserPrincipalName testduplicate@domain.com

Get-MsolUser : User Not Found. User: testduplicate@domain.com.

At line:1 char:1

+ Get-MsolUser -UserPrincipalName testduplicate@domain.com

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [Get-MsolUser], MicrosoftOnlineException
+ FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.UserNotFoundException,Microsoft.Online.Administration.Automation.GetUser

PS C:\> Get-MsolUser -UserPrincipalName testduplicate@domain.com -ReturnDeletedUsers

Get-MsolUser : User Not Found. User: testduplicate@domain.com.

At line:1 char:1

+ Get-MsolUser -UserPrincipalName testduplicate@domain.com -Return ...

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [Get-MsolUser], MicrosoftOnlineException
+ FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.UserNotFoundException,Microsoft.Online.Administration.Automation.GetUser

In Exchange Online we can confirm that the mailbox object is no longer present.

PS C:\> Get-Mailbox testduplicate

The operation couldn't be performed because object 'testduplicate' couldn't be found on

'CO1PR06A002DC02.NAMPR06A002.prod.outlook.com'.
+ CategoryInfo : NotSpecified: (:) [Get-Mailbox], ManagementObjectNotFoundException
+ FullyQualifiedErrorId : [Server=DM6PR06MB4026,RequestId=76d78567-e257-4608-a175-2dc3cd8658c2,TimeStamp=7/15/2018
3:51:45 PM] [FailureCategory=Cmdlet-ManagementObjectNotFoundException] 260B3828,Microsoft.Exchange.Management.Rec
ipientTasks.GetMailbox
+ PSComputerName : ps.outlook.com

The duplicate online mailbox should now be in a soft deleted state.

PS C:\> Get-Mailbox testduplicate -SoftDeletedMailbox

Name Alias Database ProhibitSendQuota ExternalDirectoryObjectId

---- ----- -------- ----------------- -------------------------

Test Duplicate testduplicate NAMPR06DG282-db128 49.5 GB (53,150,2...

At this time the online portion of the accounts have been cleaned up.  Azure Active Directory Connect synchronization can be performed and the object should be reprovisioned from the on-premises directory.

PS C:\> Get-MsolUser -UserPrincipalName testduplicate@domain.com

UserPrincipalName DisplayName isLicensed

----------------- ----------- ----------

testduplicate@domain.com Test Duplicate False

The object should now be successfully provisioned as a mail user within Exchange Online.  This is the expected recipient type for an on premises mailbox.

PS C:\> Get-MailUser testduplicate

Name RecipientType

---- -------------

Test Duplicate MailUser

At this time the on-premises mailbox can be migrated to Office 365.  This is an optional step – but would be required in order to perform the merge of any data contained within the service at this time.

image

When the migration has completed successfully the object will become a mailbox object within Exchange Online.

PS C:\> Get-Mailbox testduplicate

Name Alias Database ProhibitSendQuota ExternalDirectoryObjectId

---- ----- -------- ----------------- -------------------------

Test Duplicate testduplicate NAMPR06DG143-db051 99 GB (106,300,44... 7ba2fffc-e3ce-4d65-b350-d0a3763e5ffa

To complete our recovery the mailbox restoration can be processed.  To begin we need the Exchange GUID of the migrated mailbox.

PS C:\> Get-Mailbox testduplicate | Select-Object exchangeGUID

ExchangeGuid

------------

e683f1ee-4c85-4b99-b4bc-7511572a361d

The Exchange GUID for the soft deleted mailbox was previously recorded.  Using this information we can begin the merge process.

New-MailboxRestoreRequest -SourceMailbox fa38094d-cbfd-46b7-82f6-8a3022e39a66 -TargetMailbox e683f1ee-4c85-4b99-b4bc-7511572a361d –AllowLegacyDNMismatch

Name TargetMailbox Status

---- ------------- ------

MailboxRestore testduplicate Queued

The merge can be monitored with get-mailboxRestoreRequest. 

PS C:\Users\timmcmic> Get-MailboxRestoreRequest

Name TargetMailbox Status

---- ------------- ------

MailboxRestore testduplicate InProgress

PS C:\Users\timmcmic> Get-MailboxRestoreRequest

Name TargetMailbox Status
---- ------------- ------
MailboxRestore testduplicate Completed

At this time this option has completed.

OPTION #1: Remove the Exchange Online License

The Exchange Online mailbox object is linked to an Azure Active Directory account.  When the Exchange Online license is removed from the object the associated mailbox will be made unavailable.  This should result in a mail user created in Exchange Online and not a mailbox object.  The mailbox object can now be migrated from on premises and the associated soft deleted mailbox merged into the original to retain data.

There are several benefits to this approach:

  • The existing Azure Active Directory account is preserved.
  • All permissions assigned to the object are preserved across Sharepoint and OneDrive etc.  (This assumes ONLY the Exchange Online license is removed…)

There are several potential drawbacks to this approach:

  • The Exchange Online mailbox is not recoverable.  Any data contained will be lost.
  • There may be a brief interruption in mail flow to this account while the deletion and recreation of the Exchange Online object occurs.

To begin the mailbox can be confirmed in Exchange Online and On-Premises.

Exchange Online:

PS C:\> Get-Mailbox testlicense

Name Alias Database ProhibitSendQuota ExternalDirectoryObjectId

---- ----- -------- ----------------- -------------------------

TestLicense TestLicense NAMPR06DG103-db019 49.5 GB (53,150,2... c686dfd9-aa4a-4b54-8680-cc0d4c9b0a62

On-Premise Exchange:

[PS] C:\>Get-Mailbox testlicense

Name Alias ServerName ProhibitSendQuota

---- ----- ---------- -----------------

Test License testlicense azure-mbx Unlimited

In the portal we can confirm that the account is synchronized from the on-premises Active Directory.

image

The synchronized user has now been verified to have both a mailbox in the cloud and on-premises.

The Exchange Online license can now be removed through the portal.

image

When the license removal has synchronized into Exchange Online the mailbox will be converted to a mail user.

PS C:\> Get-MailUser testLicense

Name RecipientType

---- -------------

Test License MailUser

When the conversion to a mail user has occurred the mailbox can be migrated from on premises.  If the license is re-assigned the object will convert back to a mailbox.  Assigning an Exchange Online license should be withheld until the mailbox is migrated (or the previous recipient type is changed – reference the previously attached blogs) allowing it to be safe to apply a license.

OPTION #3: The user has no license but has an error with correlation ID in Azure Active Directory

I recently worked with a customer where we were looking at pursuing Option #2 as documented in this article.  With Option #2 our plan was to remove licenses, migrate the mailboxes, and forgo any ability to recover data that might be contained within the Office 365 mailbox. 

When reviewing the properties of the user in the Office 365 Portal (Azure Active Directory) the user had no Exchange license currently assigned.  When reviewing the object within Exchange Online the mailbox object existed as a User Mailbox type.

PS C:\> Get-Mailbox testlicense

Name Alias Database ProhibitSendQuota ExternalDirectoryObjectId
---- ----- -------- ----------------- -------------------------
TestLicense TestLicense NAMPR06DG103-db019 49.5 GB (53,150,2... c686dfd9-aa4a-4b54-8680-cc0d4c9b0a62

One issue that we noted in the properties of the user account within the Office 365 portal was an error condition and a correlation ID.

image

In addition executing get-msolUser –userPrincipalName testLicense@domain.com shows the errors field populated and validation status error.

Errors : {Microsoft.Online.Administration.ValidationError, Microsoft.Online.Administration.ValidationError}

ValidationStatus : Error

The presence of a correlation ID and error indicates that there are synchronization and object validation issues between Exchange Online and Azure Active Directory.  Due to the fact that there are multiple reasons this could occur – especially for accounts that are in this state – my recommendation is we fail back to Option #1 for the recovery of these types of accounts.