Restore Exchange Online Mailbox – Hard deleted Azure account and soft deleted mailbox

/ December 4, 2017

Sharing the steps on how you can restore a mailbox when Azure AD account has been hard deleted but mailbox is under soft deleted state.

Let me first explain, How we landed up in that state ?

As per our Company policy we have litigation hold on all mailboxes for certain number of months. if the employee is terminated, user object is moved to Organizational Unit that is excluded from Synchronization in Azure Ad connect.

Azure AD recycle bin has a 30 day retention limit set by Microsoft and can not be changed by Tenant administrators.

If above is the situation and User is rehired after 30 days & is moved back to correct organizational Unit doesn’t activate all his services.

We are particularly interested in restoring user’s mailbox object which is in soft deleted state.

Here are the steps that needs to be followed if you are in similar situation:

  • First step is to move the user back to terminated OU (OU that is excluded from directory synchronization).
  • Ones the synchronization is completed, remove the user permanently from the Azure AD recycle bin, use below command.

Remove-MsolUser -UserPrincipalName “user principal name” -RemoveFromRecycleBin

  • Note down Soft deleted Exchange mailbox properties.

Get-Mailbox “user principle name” -softdeletedmailbox | Select Name, DisplayName, MicrosoftOnlineServicesID, ExchangeGuid

  • Create a cloud mailbox & connect it to inactive mailbox Guid extracted from above object.

New-Mailbox -Name “Name” -inactivemailbox “ExchangeGuid” -MicrosoftOnlineServicesID “MicrosoftOnlineServicesID” -Password (ConvertTo-SecureString -String ‘Pa$$w0rd’-AsPlainText -Force)

  • After this, we need to merge the On-premise AD object with newly created cloud object, get the guid of the AD object from ADSI edit.

You can also get the guid from AD module or Quest module if you have it loaded.

Get-QADUser “userid” | fl *guid*

merging of objects is possible if you can set the immuatable id of cloud object same as that on on-pemise object.

If you will check the immutable id of the cloud object we created, it should be blank.

Get-msoluser -UserPrincipalName user@company.onmicrosoft.com | fl *imm*

  • You need to set the immutable id of cloud object to the extracted immutable id from on-premise object.

This can be done by using below command

[System.Convert]::ToBase64String((new-Object system.Guid(“Objectguid extracted from ADSI”)).ToByteArray())

mRQ/tW2v76869H0KWuARhezUK6Q==

  • In the end set the immutable id for the cloud object.

Set-MsolUser -UserPrincipalName “user@company.onmicrosoft.com” -ImmutableId mRQ/tW2v76869H0KWuARhezUK6Q==

Next directory synchronization will merge both the accounts and exchange mailbox is restored, don’t forget to assign the subscriptions after restoration.

Thanks for Reading

Vikas Sukhija

http://SysCloudPro.com

 

Advertisement

Related posts

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s