
Prefix – the “Problematic” Exchange Online mailbox restore scenarios in a Directory synchronization environment | Part 18#23

The current article can be considered a “prefix” to the subject that I describe as “the problematic Exchange Online mailbox restore scenarios in a Directory synchronization environment.”

Office 365 with Directory synchronization can be considered a complex environment, one that “binds together” two different environments: the On-Premise environment and the “cloud” environment.

This complexity can very easily lead to unintentional Exchange Online mailbox restore mistakes, which leave the administrator confused and frustrated!

The next articles in the current article series

Before we continue, a quick brief about the next articles in the current article series:

In the article – Reviewing the characters of Exchange Online mailbox recovery mistake – New On-Premise Active Directory User Account was created | Part 19#23, we review the characteristics of the Exchange Online mailbox restore mistake in which a NEW Active Directory user was created instead of restoring the original Soft Deleted Active Directory user account.

The article – Solving an Exchange Online mailbox restore mistake by Restoring the original Soft Deleted Active Directory user | Part 21#23, describes the steps that can be used to “fix” the Exchange Online mailbox restore mistake in which a NEW Active Directory user account was created.

The article – Restoring Exchange Online mailbox content to another mailbox using PowerShell command New-MailboxRestoreRequest | Part 22#23, describes an additional solution that we can use to “fix” the Exchange Online mailbox restore mistake in which a NEW Active Directory user account was created.

In the article – Reviewing the characters of Exchange Online mailbox recovery mistake – Soft Deleted Office 365 was restored | Part 20#23, we review the characteristics of the Exchange Online mailbox restore mistake in which the Soft Deleted Office 365 user account was restored instead of the Soft Deleted On-Premise Active Directory user.

The article – Solving an Exchange Online mailbox restore mistake Office 365 user was restored – removing the ImmutableID value | Part 23#23, describes the steps that can be used to “fix” the Exchange Online mailbox restore mistake in which the Soft Deleted Office 365 user account was restored instead of the Soft Deleted On-Premise Active Directory user.

The term “Problematic Exchange Online mailbox restore scenarios”

The term “Problematic Exchange Online mailbox restore scenarios” is not a technical term; it is a term I use to describe scenarios in which an “administrative element” executes the Exchange Online mailbox restore process improperly in a Directory synchronization based environment.

The two main outcomes of the “Problematic Exchange Online mailbox restore scenarios” are realized in the following ways:

Scenario 1 – the Exchange Online mailbox that was seemingly restored is not the original Exchange Online mailbox that contains the data. Instead, the user accesses an “empty Exchange Online mailbox.”

Scenario 2 – the Office 365 user “entity” is restored and has access to the original Exchange Online mailbox and its data, but the “logical binding” between the On-Premise Active Directory user account and the Office 365 user account is broken.

A brief reminder: in an Office 365 Directory synchronization environment, the On-Premise Active Directory user account must be “connected” to its Office 365 user account “replica.”

You can read more about the relationship between an On-Premise Active Directory user account and its “Office 365 user account replica” in the article – The special characters of Directory synchronization in an Office 365 environment | Article 1#2 | Part 11#23

The Problematic Exchange Online mailbox restore scenarios

What are the causes that lead to “Problematic” Exchange Online mailbox restore scenarios?

Cause 1 – lack of knowledge and lack of clear instructions.

99% of the time, when a “wrong Exchange Online mailbox restore procedure” is implemented, the reason is a lack of knowledge about what the “right process” should have been.

The lack of knowledge caused by a lack of available public information is a painful issue (this is the main reason for me to write the current article series).

At present, there is not much detailed information about the “recommended way” to recover an Exchange Online mailbox in the different types of Office 365 environments, such as a cloud-only environment, a Directory synchronization environment or an Exchange Hybrid environment.

Also, there is not much detailed information on how to recover from a scenario in which the Exchange Online mailbox restore was implemented improperly.

Cause 2 – Different types of “Problematic Exchange Online mailbox restore scenarios.”

The additional challenge we face is that there are several ways to “damage” the “right process” of restoring an Exchange Online mailbox in a Directory synchronization environment.

We need to be equipped with the knowledge of:

  1. What is the specific type of the “Problematic Exchange Online mailbox restore scenario”?
  2. What are the specific characteristics of the “Problematic Exchange Online mailbox restore scenario”?
  3. What is the specific solution that we can implement to repair the “Problematic Exchange Online mailbox restore scenario”?

“Problematic Exchange Online mailbox restore” scenarios | Classification

In the following diagram, we can see the two main classifications of Office 365 environments in which we can experience the phenomenon of “Problematic Exchange Online mailbox restore scenarios.”

1. Directory synchronization based environment

An environment that includes two directories: the On-Premise Active Directory and the “cloud directory,” meaning Azure Active Directory.

2. Exchange Hybrid environment

The second type of environment is an Exchange Hybrid environment. In this environment, there are also two directories: the On-Premise Active Directory and the “cloud directory” (Azure Active Directory), but also two Exchange environments: the Exchange on-Premises environment and the Exchange Online (Office 365) environment.

This complex environment provides “many routes” to scenarios of an “improperly implemented Exchange Online mailbox restore procedure.”

The Problematic Exchange Online mailbox restores scenarios basic classification -01

Troubleshooting “Problematic” Exchange Online mailbox restore scenarios

To troubleshoot a “Problematic” Exchange Online mailbox restore problem, we need to understand the scenario at hand.

Each scenario has its own unique characteristics and its own unique solution.

Solution path 1#3 – “revert” the restore mistake that was made.

In this type of solution, we try to revert the “Exchange Online mailbox restore mistake” to an earlier state, before the recovery mistake was executed.
After we revert to the “earlier state,” we can start the second phase, in which we perform the Exchange Online mailbox restore using the recommended steps.

For example, a scenario in which a NEW Active Directory user account was created instead of restoring the original Soft Deleted Active Directory user account.

In this case, we delete the “unnecessary Active Directory user account” and implement the best-practice restore procedure, meaning: restore the “original” Soft Deleted Active Directory user account.

Solution path 2#3 – Implement an “alternative solution” that enables the user to access his mailbox data

In this type of solution, we don’t try to “fix” the Exchange Online restore mistake; instead, we provide the user access to his Exchange Online mailbox data by exporting the data from the original Soft Deleted Exchange Online mailbox to the NEW Exchange Online mailbox that was created.

For example, a scenario in which a NEW Active Directory user account was created instead of restoring the original Soft Deleted Active Directory user account.

In this case, we use a PowerShell command that “copies” all the content from the original Soft Deleted Exchange Online mailbox to the “NEW empty Exchange Online mailbox” that was created.

Solution path 3#3 – Implement a “workaround” that fixes the existing misconfiguration

In this type of solution, we don’t try to revert the existing mailbox restore mistake; instead, we run a “fix” that “glues the broken pieces together.”

For example, a scenario in which the Office 365 user account was restored instead of the “original” On-Premise Active Directory user account.

This type of restore mistake leads to a scenario that can be described as an “orphan Office 365 user account.” The term “orphan” describes a scenario in which we lose the “binding” between the Office 365 user account and the On-Premise Active Directory user account.

The offered solution in this case is to “glue together” these accounts by manipulating the ImmutableID value of the Office 365 user account.

Dealing with Problematic Exchange Online mailbox restore scenarios

The relationship between On-Premise Active Directory user and Office 365 user | Recovered user account scenario

In this section, I would like to highlight the relationship that exists between two synchronized user accounts in a Directory synchronization environment.

This “relationship” is realized in many ways, but this time I would like to emphasize the relationship that exists between the On-Premise Active Directory user and the Office 365 user in a scenario of “On-Premise Active Directory user account recovery.”

Given that the Office 365 user is considered a “synchronized user account”:

  • When the On-Premise Active Directory user is deleted, the Office 365 user account that is “bound” to the On-Premise Active Directory user is also deleted (but the opposite is not true).
  • When a Soft Deleted On-Premise Active Directory user is recovered, the Office 365 user account that is “bound” to the On-Premise Active Directory user is also recovered (but the opposite is not true).

As mentioned, Azure Active Directory “knows” which Active Directory user is connected to the Office 365 user by using the ImmutableID value.

When we restore a Soft Deleted Active Directory user account, the information is synchronized to the cloud (Azure Active Directory).

Diagram: The relationship between On-Premise Active Directory user and Office 365 user - 01

Azure Active Directory gets the GUID value of the restored On-Premise Active Directory user account and compares it with the ImmutableID values of the existing Office 365 user accounts (including the Soft Deleted Office 365 user accounts).

When Azure Active Directory “looks” in the Azure Active Directory recycle bin, it “sees” a Soft Deleted user account whose ImmutableID value is identical to the GUID value of the restored On-Premise Active Directory user account.

Azure Active Directory “understands” that the Soft Deleted Office 365 user account is the “partner” of the On-Premise Active Directory user account.

Azure Active Directory restores the Soft Deleted Office 365 user account.

Diagram: The relationship between On-Premise Active Directory user and Office 365 user - 02

After the Office 365 user account is restored, the “bonding” between the two user accounts is restored.

Diagram: The relationship between On-Premise Active Directory user and Office 365 user - 03

An additional process that is implemented relates to the restore of the Exchange Online mailbox:

  • When Azure Active Directory restores the Soft Deleted user account, the Exchange Online license that was assigned to the user is also restored.
  • Azure Active Directory informs Exchange Online that an Exchange Online license was restored.
  • Exchange Online restores the Soft Deleted Exchange Online mailbox whose license was recovered and “binds” the restored Exchange Online mailbox to the Office 365 user account.

Diagram: The relationship between On-Premise Active Directory user and Office 365 user - 04

You can read additional information about the characteristics of Directory synchronization in an Office 365 based environment, and the relationship that exists between an On-Premise Active Directory user account and its Office 365 user account “partner,” in the following articles:

The source of the common restore mistakes in a Directory synchronization environment | Soft Match

The main source of Exchange Online mailbox restore mistakes is a very popular misconception that relates to the Directory synchronization feature named Soft Match.

So, the big question is: do we know the meaning of the term “Directory synchronization Soft Match”?

Even if you think that you are familiar with the concept of Directory Synchronization Soft Match, I recommend spending a few minutes reading the next section, so we will be on the same page.

What is the purpose of Directory Synchronization Soft Match?

In a Directory synchronization based environment, the “natural flow” of events should “start” in the On-Premise Active Directory environment.

For example: a NEW Active Directory user is created; the information is synchronized to the cloud (Azure Active Directory), and thus a NEW Office 365 user is created.

The relationship between the On-Premise Active Directory user object and its “Office 365 replica” user account is “immortalized” by using a dedicated Office 365 property named ImmutableID.

The ImmutableID value includes a copy of the On-Premise Active Directory user’s GUID (Globally Unique Identifier) value.

This is how the two separate environments (On-Premise Active Directory and Azure Active Directory) know of the relationship that exists between the two objects (the two user accounts).

The relationship -On-Premise Active Directory user and his Office 365 replica- ImmutableID

The Directory synchronization mechanism named Soft Match was created to solve a common misconfiguration problem in Directory synchronization based environments.

As mentioned, the “natural flow” in a Directory synchronization environment starts from the direction of the On-Premise Active Directory.

But what about a scenario in which an Office 365 user was created using the login name John@o365info.com, and at a later stage an Active Directory user with an identical login name (John@o365info.com) is created?

A logical answer could be: a “collision” between two objects.

Two objects (two user accounts) have the same property (user login name), and we need to decide which object is more “dominant,” meaning which object will “run over” the other object.

Another possible solution to this logical problem is a “more peaceful solution,” which is implemented by the Directory Synchronization mechanism named Soft Match.

Another way to describe the concept of the Active Directory Soft Match is: a mechanism that tries to find the common denominator between two objects and binds them together as a couple.

Directory synchronization Soft Match-looking for the common denominator between two objects

In case the Directory synchronization recognizes a scenario that fulfills the following two conditions:

Condition 1#2

  1. The On-Premise Active Directory user and the Office 365 user have the same user login name, or
  2. The On-Premise Active Directory user and the Office 365 user have the same E-mail address.

Condition 2#2

The Office 365 user doesn’t have an ImmutableID value, meaning the Office 365 user is not “connected” to an existing On-Premise Active Directory user account.

Then the Directory synchronization is smart enough to “understand” that these two objects are related to each other and, for this reason, they should be “attached together.”

Directory synchronization Soft match | Case 1 | User login name is identical

In the following diagram, we can see an example of a scenario in which the On-Premise Active Directory user account was created after the Office 365 user account.

The Office 365 user account “Sync Type” property is shown as – In cloud

Both users have the same user login name (user principal name).

When we run the Directory synchronization, the synchronization process finds two separate user accounts that have the same user login name.

The Directory synchronization implements the Soft Match mechanism and “binds” together the On-Premise Active Directory user account with the Office 365 user account.

After the Directory synchronization Soft Match process is completed, the Office 365 user account property “Sync Type” is shown as – Sync with Active Directory.

The “binding” process that the Directory synchronization executes is implemented in the following way:

The Directory synchronization copies the GUID value of the On-Premise Active Directory user account to the Office 365 user’s ImmutableID value.

After this process is completed, the result is described as a “Hard Match.”

Directory synchronization Soft match -Case 1 - User logon name is identical -01

From now on, the two user accounts are considered “connected.”
Each update to the On-Premise Active Directory user account will be synchronized to its “user partner” in the cloud (Azure Active Directory).

Directory synchronization Soft match | Case 2 | User E-mail address is identical

In the current scenario, the On-Premise Active Directory user account and the Office 365 user account don’t have the same UPN (user login name).

The Login name information

  • On-Premise Active Directory user login name is – John@o365info.com
  • Office 365 user login name is – David@o365info.com

The E-mail addresses information

  • On-Premise Active Directory user E-mail address is – John@o365info.com
  • Office 365 user E-mail address is – John@o365info.com

In this scenario, the common denominator between the two user accounts is the E-mail address.

Directory synchronization Soft match- Case 2 - User E-mail address is identical - Part 1-2

When we run the Directory synchronization, the synchronization process finds two separate user accounts that have the same E-mail address.

The Directory synchronization implements the Soft Match mechanism and “binds” together the On-Premise Active Directory user account with the Office 365 user account.

After the Soft Match process is completed, the Office 365 user “Sync Type” property is shown as – Sync with Active Directory.

It’s important to mention that after the Soft Match completes, the Office 365 user UPN will be updated to the UPN of the On-Premise Active Directory user account (the On-Premise Active Directory is considered the source of authority).

In our scenario, the Office 365 user UPN will be updated to John@o365info.com

Directory synchronization Soft match- Case 2 - User E-mail address is identical - Part 2-2
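As an added example (not code from the article), the following read-only PowerShell check computes the ImmutableID that Directory synchronization would derive from an on-premises user’s objectGUID (the ImmutableID is the Base64 encoding of the objectGUID byte array), looks for the user’s Office 365 replica among active and soft-deleted users by UPN or E-mail address, and reports whether the pair is hard matched, a Soft Match candidate, or an orphan as in Scenario 2. It assumes the ActiveDirectory and MSOnline modules are installed and Connect-MsolService has already been run; John@o365info.com is the article’s placeholder account.

```powershell
# Added example, not from the o365info article. Read-only: nothing is changed.
# Assumes ActiveDirectory + MSOnline modules and an existing Connect-MsolService session.
param(
    [string]$UserPrincipalName = 'John@o365info.com'   # placeholder from the article
)

Import-Module ActiveDirectory
Import-Module MSOnline

# 1. On-premises side. ImmutableID = Base64(objectGUID bytes), so the expected
#    value can be computed locally before looking at the cloud.
$adUser = Get-ADUser -Filter "UserPrincipalName -eq '$UserPrincipalName'" -Properties ObjectGUID, mail
if (-not $adUser) { throw "No on-premises AD user with UPN $UserPrincipalName" }
$expectedImmutableId = [System.Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())

# 2. Cloud side. Check active users, then the Azure AD recycle bin (the article's
#    scenarios involve soft-deleted accounts). Match by UPN (Case 1) or by
#    SMTP address (Case 2: different UPN, same E-mail address).
$smtp      = "SMTP:$($adUser.mail)"
$cloudUser = $null
$state     = 'NotFound'
$sets = @(
    @{ State = 'Active';      Users = Get-MsolUser -All },
    @{ State = 'SoftDeleted'; Users = Get-MsolUser -All -ReturnDeletedUsers }
)
foreach ($set in $sets) {
    $cloudUser = $set.Users | Where-Object {
        $_.UserPrincipalName -eq $UserPrincipalName -or
        ($adUser.mail -and ($_.ProxyAddresses -contains $smtp))
    } | Select-Object -First 1
    if ($cloudUser) { $state = $set.State; break }
}

# 3. Classify the binding between the two accounts.
if (-not $cloudUser) {
    $verdict = 'NoReplica: no active or soft-deleted Office 365 user matches by UPN or SMTP address'
}
elseif ([string]::IsNullOrEmpty($cloudUser.ImmutableId)) {
    $verdict = 'SoftMatchCandidate: "In cloud" user without ImmutableID; the next sync can bind it'
}
elseif ($cloudUser.ImmutableId -ceq $expectedImmutableId) {   # Base64 is case-sensitive
    $verdict = 'HardMatch: ImmutableID equals the on-premises objectGUID'
}
else {
    # Decode the stored value back to a GUID so the wrong binding can be traced.
    $boundGuid = [System.Guid]::new([System.Convert]::FromBase64String($cloudUser.ImmutableId))
    $verdict = "Orphan: ImmutableID points to objectGUID $boundGuid, not to this AD user"
}

[pscustomobject]@{
    UserPrincipalName   = $UserPrincipalName
    OnPremObjectGuid    = $adUser.ObjectGUID
    ExpectedImmutableId = $expectedImmutableId
    CloudUserState      = $state
    CloudImmutableId    = $cloudUser.ImmutableId
    Verdict             = $verdict
}
```

Run it before any restore attempt: a HardMatch result means restoring the Soft Deleted On-Premise user is the right path, while an Orphan result is the Scenario 2 state that Part 23#23 addresses.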

The next article in the current article series

Reviewing the characters of Exchange Online mailbox recovery mistake – New On-Premise Active Directory User Account was created | Part 19#23

o365info Team

This article was written by our team of experienced IT architects, consultants, and engineers.
