
Reviewing the characters of Exchange Online mailbox recovery mistake – Soft Deleted Office 365 was restored | Part 20#23

In the current article, we describe the characteristics of a typical Exchange Online mailbox restore mistake in an Office 365 Directory synchronization environment, and describe the characteristics of an optional solution.

The mailbox restore mistake is:

  • Office 365 User account was restored (and his Exchange Online mailbox was restored).
  • New Active Directory user with seemingly identical details was created and the information was Synchronized to the Office 365 Directory.

The provided solution is based on the concept of “encouraging” the Directory Synchronization SOFT Match process by deleting the ImmutableID value of the Office 365 user.

The Exchange Online restore mailbox article series.

There are two common scenarios in which the restore process of a deleted Exchange Online mailbox is implemented improperly in an Office 365 Directory synchronization environment:

  1. Restore Exchange Online Mailbox Mistake 1#2 – Scenario in which a NEW Active Directory user is created, instead of restoring the original Soft Deleted On-Premise Active Directory user account.
  2. Restore Exchange Online Mailbox Mistake 2#2 – Scenario in which a Synchronized Soft Deleted Office 365 user account is restored, and his Exchange Online mailbox is also restored, instead of restoring the original Soft Deleted On-Premise Active Directory user account.

The current article is dedicated to the high-level description of “Restore Exchange Online Mailbox Mistake 2#2”.

In the next article – Solving an Exchange Online mailbox restore mistake Office 365 user was restored – removing the ImmutableID value | Part 23#23, we provide a step by step description of the solution that we can use for “fixing” an Exchange Online mailbox restore that was executed improperly.

Note – the first Exchange Online mailbox restore mistake, a scenario in which a NEW On-Premise Active Directory user account is created instead of restoring the original Soft Deleted On-Premise Active Directory user account, is reviewed in the article – Reviewing the characters of Exchange Online mailbox recovery mistake – New On-Premise Active Directory User Account was created | Part 19#23

Directory synchronization based environment | best practice for recovering Exchange Online mailbox

Before we begin with the description of the specific characteristics of the “problematic Exchange Online mailbox restore scenarios” in a Directory synchronization based environment, and the possible solution that can be implemented, let’s start with a quick reminder of the “best practice” guideline for restoring an Exchange Online mailbox in a Directory synchronization environment:

The recommended steps, in a scenario in which we are required to restore a deleted Exchange Online mailbox in an Office 365 Directory synchronization environment, are:

  1. Start the restore process by restoring the Soft Deleted On-Premise Active Directory user account that is “bound” to the Office 365 user account which is considered the owner of the Soft Deleted Exchange Online mailbox (number 1).
  2. The information about the restored On-Premise Active Directory user reaches the Office 365 Directory, which locates the Soft Deleted Office 365 user account that is “bound” to the restored On-Premise Active Directory user. Azure Active Directory automatically starts the restore process of the Soft Deleted Office 365 user account. The Exchange Online license is also restored automatically (number 2).
  3. The information about the restored Exchange Online license is synchronized to the Exchange Online infrastructure. Exchange Online automatically starts the restore process of the Soft Deleted Exchange Online mailbox, and the restored Exchange Online mailbox is “attached” to the restored Office 365 user account (number 3).

Figure: Best practice for restoring Exchange Online mailbox in Directory synchronization -01
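The three recommended steps above, as an added PowerShell example that is not part of the original article: it restores the Soft Deleted on-premises user, runs a delta sync cycle, and then checks that the Office 365 user came back bound to the same objectGUID and that the mailbox is reachable again. It assumes the Active Directory Recycle Bin is enabled (so the deleted object still carries its UPN), that it runs on the Azure AD Connect server (for the ADSync module), that the MSOnline and ExchangeOnlineManagement modules are installed, that the default objectGUID-based sourceAnchor is in use, and it uses the article’s sample user John@o365info.com.

```powershell
# Added example (not the article's own code). Assumes: AD Recycle Bin enabled,
# run on the Azure AD Connect server, MSOnline + ExchangeOnlineManagement modules present,
# default objectGUID sourceAnchor.
$Upn = 'John@o365info.com'   # sample user from the article

# Step 1 - restore the Soft Deleted on-premises AD user (the object that owns the mailbox).
# With the Recycle Bin enabled the deleted object keeps its attributes, including the UPN.
$deleted = Get-ADObject -Filter "userPrincipalName -eq '$Upn' -and isDeleted -eq `$true" `
    -IncludeDeletedObjects -Properties objectGUID, userPrincipalName, isDeleted
if (-not $deleted) { throw "No Soft Deleted AD object found for $Upn - nothing to restore" }
Restore-ADObject -Identity $deleted.ObjectGUID
Write-Host "Restored on-premises user $Upn (objectGUID $($deleted.ObjectGUID))"

# The sourceAnchor / ImmutableID that Azure AD Connect writes is the Base64 form of the
# objectGUID bytes. The GUID survives the restore, so the anchor is unchanged and Azure AD
# reconnects the existing Soft Deleted Office 365 user instead of creating a new one.
$expectedAnchor = [Convert]::ToBase64String($deleted.ObjectGUID.ToByteArray())

# Step 2 - push the restore to Azure AD with a delta sync cycle.
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null

# Step 3 - verify on the cloud side: the user is back, still bound to the same anchor,
# and is no longer listed among the Soft Deleted Office 365 users.
Connect-MsolService
$cloudUser = Get-MsolUser -UserPrincipalName $Upn -ErrorAction SilentlyContinue
if (-not $cloudUser) { throw "$Upn not yet restored in Azure AD - wait for the sync cycle and re-check" }
if ($cloudUser.ImmutableId -ne $expectedAnchor) {
    Write-Warning "ImmutableID $($cloudUser.ImmutableId) does not match the objectGUID of the restored AD user"
}
$stillDeleted = Get-MsolUser -ReturnDeletedUsers -UserPrincipalName $Upn -ErrorAction SilentlyContinue
if ($stillDeleted) { Write-Warning "$Upn is still listed among the Soft Deleted Office 365 users" }

# The Exchange Online mailbox is re-attached once the license is back on the restored user.
Connect-ExchangeOnline -ShowBanner:$false
Get-Mailbox -Identity $Upn | Select-Object DisplayName, PrimarySmtpAddress, ExchangeGuid
```

The ImmutableID comparison is the useful check here: if it matches, Azure AD has reconnected the original object and no Soft Match was needed; if it does not, a different on-premises object was synchronized under that UPN and the scenario described in the rest of this article is about to unfold.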

The scenario description

To better understand the specific characteristics of the “problematic Exchange Online mailbox restore scenario,” in which the Office 365 Soft Deleted user account is restored instead of restoring the original Soft Deleted Active Directory user account, let’s use the following scenario:

Organization infrastructure

  • An organization uses Office 365 services, with Exchange Online as its mail infrastructure.

Directory infrastructure

  • Directory management is implemented via the On-Premise Active Directory and a Directory synchronization server (Azure AD Connect).
  • The Directory synchronization server is responsible for synchronizing information from the local On-Premise Active Directory to the Office 365 Directory (Azure Active Directory).

The Directory user deletion event

  • An Active Directory user account was deleted, and the information about the user deletion was synchronized to the Office 365 Directory (Azure Active Directory).
  • Azure Active Directory deletes the Office 365 user account that is “bound” to the deleted On-Premise Active Directory user, together with the Exchange Online license of that Office 365 user.
  • The information is synced to Exchange Online. The outcome is that the Exchange Online mailbox is also deleted.

The Active Directory deleted user account details

The deleted Active Directory user account login name is: John@o365info.com

The mission

The organization’s IT team was asked to:

  • Recover the deleted Exchange Online mailbox.
  • Enable the user access to his recovered Exchange Online mailbox and the data stored in the recovered Exchange Online mailbox.

Notice that the request only says that we need to recover the Exchange Online mailbox and enable the user to access it.

It does not provide any instruction or guideline regarding the “user account” that will be “attached” to the restored Exchange Online mailbox.

Description of the common Exchange Online mailbox restore – Office 365 user was restored (instead of the On-Premise Active Directory user account)

A common “restore mistake” that is implemented when restoring an Exchange Online mailbox in a Directory synchronization environment consists of the following two parts:

  1. The Office 365 Soft Deleted user account is restored (instead of restoring the Active Directory Soft Deleted user account).
  2. A NEW Active Directory user account is created that is seemingly identical to the “original” Active Directory user who was deleted. The information about the NEW Active Directory user is synchronized to the Office 365 Directory (Azure Active Directory).

Figure: Office 365 User account was restored - Exchange Online mailbox was restored-01

In the following diagram, we can see the order of the Exchange Online mailbox “mistake restore steps”.

In our case, the Soft Deleted Office 365 user account was restored, together with the Exchange Online mailbox (number 1).

Then, a NEW Active Directory user account with the same login name was created and synchronized to the cloud (number 2).

Figure: Problematic Exchange Online mailbox restore scenario - The Office 365 user account was restored

The result

The process of restoring the Office 365 Soft Deleted user and his Exchange Online mailbox will probably complete successfully.

The “strange phenomenon” is that when the Directory synchronization server synchronizes the information about the “NEW Active Directory user account” to Azure Active Directory (number 2), one of the following results will happen:

Case 1 – The Directory synchronization process will cause the deletion of the recovered Office 365 user account, and with it the deletion of the recovered Exchange Online mailbox.

I am not sure that I can explain the logic behind the “deletion operation” that is implemented by the Directory synchronization server (Azure AD Connect) because, in my opinion, the Directory synchronization process was supposed to report an error in which two objects use the same login name, instead of deleting the restored Office 365 user account.

Note that the deletion of the restored Office 365 user account leads to the deletion of the restored Exchange Online mailbox (number 5)!

At the current time, this is the scenario that is executed in my environment, so for this reason I will continue to review this type of scenario.

Figure: The sequence of events - Directory synchronization synchronizes information to Azure Active Directory

Case 2 – Directory synchronization will not be able to complete the synchronization process, and in the Directory synchronization log we will see an error event that informs us that the synchronization cannot complete because of a duplicated user login name.

The outcome

The connection between the Office 365 user account and the On-Premise Active Directory user account is “Broken.”

  1. The NEW On-Premise Active Directory user account will not be synchronized to the Office 365 Directory (Azure Active Directory), and will not complete the “binding” with the Soft Deleted Office 365 user account that was restored.
  2. There is no option to restore the Exchange Online mailbox. Even if we restore the deleted Office 365 user account again, each time the Directory synchronization cycle completes (every 3 hours by default), the Office 365 user account will be deleted again.

Figure: The outcome of Problematic Exchange Online mailbox restore scenario - Mistake 2 -01

The bottom line

The bottom line is that in a Directory synchronization environment, we should not start the Exchange Online mailbox restore process by restoring the Office 365 user account.

If we start the restore process by restoring the Office 365 account, we “break” the connection between the Office 365 user account and the On-Premise Active Directory user account.

In this case, we will need to find a way to “reconnect” the Office 365 user account to its “On-Premise Active Directory user account.”

The offered solutions

To be able to deal with this type of Exchange Online mailbox restore mistake, we can choose to implement one of the following solutions:

Solution 1#2 – Revert the Exchange Online mailbox restore mistake by deleting the NEW Active Directory user who was created, and restoring the “original” Soft Deleted Active Directory user.

Solution 2#2 – Remove the ImmutableID value of the Office 365 user account, and start the Directory synchronization. The Directory synchronization will activate the Soft Match process, which will create the required “binding” between the NEW On-Premise Active Directory user account and the existing Office 365 user account.

The current article is dedicated to the description of the solution described as “Solution 2#2”. A detailed description of “Solution 1#2” appears in the article – Solving an Exchange Online mailbox restore mistake by Restoring the original Soft Deleted Active Directory user | Part 21#23

The cause of the “restore misconception” procedure

Cause 1 – The Office 365 admin center provides a very user-friendly graphical interface that enables an administrator to restore Office 365 user accounts with “one click.”

The task of restoring a Soft Deleted On-Premise Active Directory user can be considered a “complicated task”, depending on the specific scenario (whether the Active Directory recycle bin was enabled or not).

In other words, it’s very easy to choose the “easy” option, instead of the “right option” of restoring the original Soft Deleted Active Directory user.

Cause 2 – The basic assumption of the administrator who performs the “restore Exchange Online mailbox mistake” is that, because the “NEW On-Premise Active Directory user” is “identical” to the previously deleted user (same login name, E-mail address and so on), the Directory synchronization will automatically implement the Soft Match mechanism.

The administrator’s expectation is that the Directory Synchronization Soft Match will “bind” the “NEW Active Directory user” with the existing Soft Deleted Office 365 user.

After the automatic “binding” process is completed, the rest of the restore process (the restore of the Soft Deleted Exchange Online mailbox) will start automatically, as it should.

The reason for the Soft Match failure

The Directory synchronization “Soft Match” process will not be activated because the ImmutableID property of the restored Office 365 user account is already populated with the GUID value of the “original Active Directory user account” (the original Active Directory user who was deleted).

The Directory synchronization “Soft match” mechanism is not configured to “ignore” this information, and “run over” the existing value of the ImmutableID!

As mentioned, in this scenario the Directory synchronization will delete the restored Office 365 user account that has the identical login name (UPN) as the NEW On-Premise Active Directory user (John@o365info.com).

Note – another possible outcome is that the Directory synchronization server will report duplicate objects, and will not be able to synchronize the information about the NEW Active Directory user account to the Office 365 Directory (Azure Active Directory).

Figure: Directory Synchronization Soft match will Take place-02

Optional solution – “Encourage” the Directory Synchronization Soft Match process

To be able to deal with the “Exchange Online mailbox recovery mistake” that has the following characteristics:

  1. The Office 365 Soft Deleted user account is restored instead of restoring the Active Directory Soft Deleted user account.
  2. A NEW Active Directory user account was created that is seemingly identical to the “original” Active Directory user who was deleted. The information was synchronized to the cloud.

The steps that need to be implemented are as follows:

  • Remove the ImmutableID value from the Soft Deleted Office 365 user account.
  • Start the Directory synchronization process.
  • Let the Directory synchronization process perform the Soft Match, which will “bind” the NEW On-Premise Active Directory user account to the Office 365 user account (by populating the ImmutableID value of the Office 365 user with the GUID value of the NEW On-Premise Active Directory user account).

The “solution” that we are going to review is based on the following logic:
Instead of implementing the “recommended restore process”, in which we restore the original Soft Deleted Active Directory user, we will “bind” the NEW Active Directory user account with the restored Office 365 user account.

Binding together the two users accounts

If we perform all the required steps, the Directory synchronization will initialize the Soft Match process, which will bind the two user accounts.

After the Soft Match process is completed, the “connection” or “binding” between the two user accounts will be described as a Hard Match.

The proposed solution

Delete the ImmutableID attribute of the restored Office 365 account.

In the current section, we are going to implement a solution which I describe as – “Encourage the Directory Synchronization Soft Match process.”

I use the term “Encourage” because, in our scenario, the Soft Match between the NEW Active Directory user account and the restored Office 365 user account will not occur by default!

To be able to “trigger” the Directory Synchronization Soft Match process, we will use the following trick:

Step 1#2 – Removing the ImmutableID (sourceAnchor attribute) value of the Office 365 user account.

We will access the properties of the restored Office 365 user account (by using PowerShell), and delete the value of the ImmutableID attribute.

The outcome is that we now have an Office 365 user without a value in the ImmutableID attribute (empty value).

Figure: Encourage the Directory Synchronization SOFT Match process - Step 1-2

Step 2#2 – Activate the Directory Synchronization

In this step, all we need to do is activate the Directory synchronization process.

After a short period, we will see that the Active Directory user account is “bound” to the Office 365 user account.

In case that you are wondering how the hell this “magic” happened, the answer is as follows:

When the Directory synchronization service synchronizes the information about the NEW Active Directory user whose login name is John@o365info.com, the Directory Synchronization “notices” that Azure Active Directory also includes a user with the identical login name.

The Directory synchronization process “understands” that the two user accounts are related to each other and probably need to be connected.

The Directory synchronization will activate the Soft Match process.

After the user accounts are “bound” to each other, and after the Directory synchronization completes the synchronization process, the GUID value of the NEW Active Directory user account will be converted (to a 64-bit value) and saved as the ImmutableID attribute of the restored Office 365 account.

In case that you wonder why we need to implement all these complicated steps, the answer is that before we remove the ImmutableID value of the Soft Deleted Office 365 user, the Directory synchronization could not activate the Soft Match process, because the Directory synchronization cannot decide by itself to remove an existing ImmutableID value.

Figure: Encourage the Directory Synchronization SOFT Match process - Step 2-2
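Step 1#2 and Step 2#2, as an added PowerShell example that is not part of the original article (the article’s own step by step walkthrough is in Part 23#23): it first shows why the Soft Match did not fire, by comparing the stale ImmutableID on the restored Office 365 user with the anchor of the NEW on-premises user, then clears the ImmutableID, runs a delta sync cycle, and proves the Soft Match happened by checking that the new ImmutableID equals the Base64 form of the NEW user’s objectGUID. It assumes the MSOnline and ActiveDirectory modules, that it runs on the Azure AD Connect server, the default objectGUID-based sourceAnchor, that the NEW on-premises user already exists with the UPN John@o365info.com, and the Restore-MsolUser guard is an assumption that covers the Case 1 situation in which the last sync cycle deleted the cloud user again.

```powershell
# Added example (not the article's own code). Assumes: MSOnline + ActiveDirectory modules,
# run on the Azure AD Connect server, default objectGUID sourceAnchor, and the NEW
# on-premises user already exists with the same UPN as the restored Office 365 user.
$Upn = 'John@o365info.com'   # sample user from the article

# Helper: the ImmutableID (sourceAnchor) that Azure AD Connect writes is the Base64 form
# of the on-premises objectGUID bytes.
function Get-ExpectedImmutableId([guid]$ObjectGuid) {
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

Connect-MsolService

# Case 1 guard (assumption): if the last sync cycle deleted the cloud user again, bring it back.
$cloudUser = Get-MsolUser -UserPrincipalName $Upn -ErrorAction SilentlyContinue
if (-not $cloudUser) {
    if (Get-MsolUser -ReturnDeletedUsers -UserPrincipalName $Upn -ErrorAction SilentlyContinue) {
        Restore-MsolUser -UserPrincipalName $Upn
        $cloudUser = Get-MsolUser -UserPrincipalName $Upn
    } else {
        throw "$Upn exists neither as an active nor as a Soft Deleted Office 365 user"
    }
}

# Why the Soft Match did not fire: the cloud user still carries the anchor of the ORIGINAL
# (deleted) AD user, while the NEW AD user has a different objectGUID.
$newAdUser = Get-ADUser -Filter "userPrincipalName -eq '$Upn'" -Properties objectGUID
if (-not $newAdUser) { throw "No on-premises AD user with UPN $Upn" }
$newAnchor = Get-ExpectedImmutableId $newAdUser.ObjectGUID
Write-Host "Stale ImmutableID on the cloud user : $($cloudUser.ImmutableId)"
Write-Host "Anchor of the NEW AD user           : $newAnchor"
if ($cloudUser.ImmutableId -eq $newAnchor) { Write-Host 'Already bound - nothing to do'; return }

# Step 1#2 - clear the stale ImmutableID so the sync engine no longer sees a populated anchor.
# Passing "$null" (an empty string) is how Set-MsolUser clears the attribute.
Set-MsolUser -UserPrincipalName $Upn -ImmutableId "$null"
if ((Get-MsolUser -UserPrincipalName $Upn).ImmutableId) { throw 'ImmutableID was not cleared' }

# Step 2#2 - run a delta sync cycle. With no anchor on the cloud object, the engine Soft
# Matches on UPN / proxyAddresses and stamps the NEW user's anchor on the existing account.
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
Start-Sleep -Seconds 60   # give the import/sync/export steps time to finish

$after = Get-MsolUser -UserPrincipalName $Upn
if ($after.ImmutableId -eq $newAnchor) {
    Write-Host "Soft Match done: $Upn is now bound to objectGUID $($newAdUser.ObjectGUID); from here on it is a Hard Match"
} else {
    Write-Warning "ImmutableID is '$($after.ImmutableId)' - check the sync log for a duplicate login name error (Case 2)"
}
```

The before/after comparison is the point of the script: the first pair of lines it prints shows two different anchors, which is exactly the condition under which the sync engine will not Soft Match on its own, and the final check confirms that after the ImmutableID was cleared the cloud object now carries the NEW user’s anchor.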

The article – Solving an Exchange Online mailbox restore mistake Office 365 user was restored – removing the ImmutableID value | Part 23#23, includes a step by step description of the proposed solution.

The next article in the current article series

Solving an Exchange Online mailbox restore mistake by Restoring the original Soft Deleted Active Directory user | Part 21#23

o365info Team

This article was written by our team of experienced IT architects, consultants, and engineers.
