
Reviewing the characters of Exchange Online mailbox recovery mistake – New On-Premise Active Directory User Account was created | Part 19#23

In this article, we describe the characteristics of a typical Exchange Online mailbox restore mistake made in an Office 365 Directory synchronization environment, and outline one possible solution.

  • The restore mistake: a NEW Active Directory user account is created instead of restoring the original Soft Deleted On-Premise Active Directory user account.
  • The solution is based on the concept of "reverting things back" to the point in time before the "Exchange Online mailbox recovery mistake" was executed.

The Exchange Online restore mailbox article series

There are two common scenarios in which the restore of a deleted Exchange Online mailbox is implemented improperly in an Office 365 Directory synchronization environment:

  1. Restore Exchange Online Mailbox Mistake 1#2: a NEW Active Directory user account is created instead of restoring the original Soft Deleted On-Premise Active Directory user account.
  2. Restore Exchange Online Mailbox Mistake 2#2: a synchronized Soft Deleted Office 365 user account is restored directly in the cloud, together with its Exchange Online mailbox, instead of restoring the original Soft Deleted On-Premise Active Directory user account.

The current article is dedicated to "Restore Exchange Online Mailbox Mistake 1#2".

In the next articles:

We provide a step by step description of two optional solutions that can be used to "fix" an Exchange Online mailbox restore that was executed improperly.

The second common mistake, "Restore Exchange Online Mailbox Mistake 2#2", is reviewed in the article: Reviewing the characters of Exchange Online mailbox recovery mistake – Soft Deleted Office 365 restored | Part 20#23

Directory synchronization based environment | best practice for recovering Exchange Online mailbox

Before describing the specific characteristics of the problematic Exchange Online mailbox restore scenarios in a Directory synchronization based environment, and the solutions that can be implemented, let's start with a quick reminder of the "best practice" guideline for restoring an Exchange Online mailbox in a Directory synchronization environment.

The best-practice steps for restoring an Exchange Online mailbox in an Office 365 Directory synchronization environment are:

  1. Start the restore process by restoring the Soft Deleted On-Premise Active Directory user account that is "bound" to the Office 365 user account that owns the Soft Deleted Exchange Online mailbox (number 1 in the diagram).
  2. The information about the restored On-Premise Active Directory user reaches the Office 365 Directory, which locates the Soft Deleted Office 365 user account "bound" to it (the match is made on the ImmutableID, the synchronized copy of the on-premises objectGUID, which is why the restored account must be the original one). Azure Active Directory automatically restores the Soft Deleted Office 365 user account, and the Exchange Online license is restored with it (number 2).
  3. The information about the restored Exchange Online license is synchronized to the Exchange Online infrastructure. Exchange Online automatically restores the Soft Deleted Exchange Online mailbox and "attaches" it to the restored Office 365 user account (number 3).
[Figure: Best practice for restoring Exchange Online mailbox in Directory synchronization -01]

The scenario description

To better understand the specific characteristics of the problematic Exchange Online mailbox restore scenario in which a NEW Active Directory user account is created instead of restoring the original Soft Deleted Active Directory user account, let's use the following scenario:

Organization mail infrastructure

  • An organization uses Office 365 services, with Exchange Online as its mail infrastructure.

Directory infrastructure

  • Directory management is implemented via the On-Premise Active Directory and a Directory synchronization server (Azure AD Connect).
  • The Directory synchronization server is responsible for synchronizing information from the local On-Premise Active Directory to the Office 365 Directory (Azure Active Directory).

The Directory user deletion event

  • An Active Directory user account is deleted, and the information about the deletion is synchronized to the Office 365 Directory (Azure Active Directory).
  • Azure Active Directory soft-deletes the Office 365 user account that is "bound" to the deleted On-Premise Active Directory user, and removes the user's Exchange Online license.
  • The information is synced to Exchange Online. The outcome is that the Exchange Online mailbox is also (soft) deleted.

The Active Directory deleted user account details

The deleted Active Directory user account login name is: John@o365info.com

The mission

The organization's IT team was asked to:

  • Recover the deleted Exchange Online mailbox.
  • Enable the user to access the recovered Exchange Online mailbox and the data stored in it.

Notice that the request only says that we need to recover the Exchange Online mailbox and enable the user to access it.

No instructions or guidelines were given regarding the "user account" that will be "attached" to the restored Exchange Online mailbox.

Mistake 1 – New On-Premise Active Directory User Account was created and synchronized to the cloud

[Figure: New On-Premise Active Directory User Account was created and Synchronized to the cloud -02]

The mistake flow description

  1. The Administrator creates a NEW Active Directory user account with the same details as the deleted user: same login name, same E-mail address and so on.
  2. The information about the NEW Active Directory user is synchronized to the cloud.
  3. A NEW Office 365 user account is created, but the Administrator "believes" that this Office 365 user account is the Soft Deleted Office 365 user account that was restored.

Note that in reality, the Soft Deleted Office 365 user account was not restored; it is still located in the Azure Active Directory recycle bin.

  4. The Administrator assigns an Exchange Online license to the "seemingly restored" Office 365 user account (I use the term "seemingly" because this is not a restored user account but a NEW, unlicensed Office 365 user account).

The cause of the "restore misconception"

The basic assumption of the Administrator is that because the NEW On-Premise Active Directory user has identical identifiers (same login name and the same E-mail address) as the previously deleted user, the Directory synchronization will apply its Soft match mechanism.

The expectation is that the Directory synchronization Soft match will lead to the following:

  • Automatic restore of the Soft Deleted Office 365 user account, and automatic "binding" of the restored Office 365 user account to its new "master", the NEW On-Premise Active Directory user that was created.
  • Automatic recovery of the Exchange Online license that was assigned to the Soft Deleted Office 365 user account.
  • Automatic restore of the Exchange Online mailbox associated with the restored Office 365 user.

The reason the Soft match fails

In reality, the Directory synchronization Soft match process that is supposed to "bind" the NEW On-Premise Active Directory user account to the Soft Deleted Office 365 user account is never applied!

The Directory synchronization Soft match is not activated because the ImmutableID value of the Soft Deleted Office 365 user account is already populated with the objectGUID value of the "original" Active Directory user account (the original Active Directory user who was deleted). Soft match is only attempted for cloud accounts whose ImmutableID is empty; a cloud account that already carries an ImmutableID can only be matched on that exact value (Hard match), and the NEW Active Directory user has a different objectGUID.

The Directory synchronization Soft match mechanism is not designed to "ignore" this information and overwrite the existing value of the ImmutableID!

[Figure: New Active Directory user account - Directory Synchronization Soft match will Take place -03]

You can read more detailed information about this subject in the article – The special characters of Directory synchronization in an Office 365 environment | Article 1#2 | Part 11#23
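The following PowerShell is an added example (it is not code from the o365info article) that makes the ImmutableID mismatch described above visible. The two GUIDs are constructed sample values, not real directory objects; the commented lookups at the end assume the ActiveDirectory and MSOnline modules, an existing Connect-MsolService session, and the scenario's login name John@o365info.com.

```powershell
# Added example, not part of the original article.
# Azure AD Connect writes the on-premises objectGUID, Base64-encoded, into the
# cloud user's ImmutableId (the sourceAnchor). Soft (SMTP/UPN) match is only
# attempted for cloud users whose ImmutableId is empty; a user that already
# carries one can only be Hard-matched on that exact value.

function ConvertTo-ImmutableId {
    # objectGUID (16 bytes) -> Base64 string, exactly as Azure AD Connect writes it
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    # Reverse direction: which on-premises objectGUID does a cloud account point at?
    param([Parameter(Mandatory)][string]$ImmutableId)
    [guid]::new([System.Convert]::FromBase64String($ImmutableId))
}

function Test-HardMatch {
    # $true only when the AD user's objectGUID is the one the cloud object already carries.
    # An empty ImmutableId never hard-matches; that is the (only) case where Soft match runs.
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$CloudImmutableId,
        [Parameter(Mandatory)][guid]$AdObjectGuid
    )
    -not [string]::IsNullOrEmpty($CloudImmutableId) -and
        ((ConvertTo-ImmutableId $AdObjectGuid) -ceq $CloudImmutableId)
}

# --- Constructed sample values (assumption: not real directory objects) ---
$originalGuid = [guid]'3f2504e0-4f89-41d3-9a0c-0305e82c3301'   # objectGUID of the deleted "original" AD user
$newGuid      = [guid]'7c9e6679-7425-40de-944b-e07fc1f90ae7'   # objectGUID of the NEW AD user the admin created
$softDeletedCloudId = ConvertTo-ImmutableId $originalGuid      # what the soft-deleted cloud user still carries

"Soft-deleted cloud user ImmutableId : $softDeletedCloudId"
"  decodes to on-premises objectGUID : $(ConvertFrom-ImmutableId $softDeletedCloudId)"
"Original AD user hard-matches it?   : $(Test-HardMatch $softDeletedCloudId $originalGuid)"
"NEW AD user hard-matches it?        : $(Test-HardMatch $softDeletedCloudId $newGuid)"
"Soft match eligible (empty Id)?     : $([string]::IsNullOrEmpty($softDeletedCloudId))"

# --- Live lookup on a real environment (uncomment; assumes ActiveDirectory + MSOnline, Connect-MsolService done) ---
# $Upn      = 'John@o365info.com'
# $original = Get-ADObject -Filter { isDeleted -eq $true -and userPrincipalName -eq $Upn } -IncludeDeletedObjects
# $new      = Get-ADUser   -Filter { userPrincipalName -eq $Upn }
# $cloud    = Get-MsolUser -All -ReturnDeletedUsers |
#                 Where-Object ImmutableId -ceq (ConvertTo-ImmutableId $original.ObjectGUID)
# Test-HardMatch $cloud.ImmutableId $original.ObjectGUID   # the original account
# Test-HardMatch $cloud.ImmutableId $new.ObjectGUID        # the NEW account
```

With the constructed values, the original objectGUID hard-matches the soft-deleted cloud user, the NEW objectGUID does not, and because the ImmutableId is populated no Soft match is attempted. In the live lookup the soft-deleted cloud user is selected by ImmutableId rather than by UPN on purpose: once the NEW account has been synchronized, the UPN alone no longer identifies one object.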

The outcome

The outcome is a "mess".

We now have "two sets" of user accounts and two sets of Exchange Online mailboxes.

  • Creating a NEW On-Premise Active Directory user account leads to a scenario in which a NEW Office 365 user account is created (instead of the original intent, that the Soft Deleted Office 365 user account will be restored).
  • When an Exchange Online license is assigned to the NEW Office 365 user account, a NEW, empty Exchange Online mailbox is created.

In addition, a "layer" of Soft Deleted objects continues to exist in the various recycle bins:

  • The original Soft Deleted Active Directory user continues to be stored in the Active Directory recycle bin.
  • The Soft Deleted Office 365 user account that is "bound" to that Active Directory user continues to be stored in the Azure Active Directory recycle bin.
  • The Soft Deleted Exchange Online mailbox continues to be stored in the Exchange Online recycle bin.

Note: in an Office 365 based environment, the Soft Deleted user account and the Soft Deleted Exchange Online mailbox are kept in the Office 365 recycle bin for 30 days.
At the end of this period, the Soft Deleted objects are permanently deleted, so the "mess" has to be cleaned up before that 30-day window closes.

The main issue

When the user tries to access his Exchange Online mailbox, he finds that the mailbox is empty!

[Figure: The outcome of Problematic Exchange Online mailbox restore scenario - Mistake 1 -01]

The following diagram illustrates the "mess" created when a NEW Active Directory user account is created. The outcome is that we now have:

  • One "set" of Soft Deleted objects: the Soft Deleted On-Premise Active Directory user account, the Soft Deleted Office 365 user account and the Soft Deleted Exchange Online mailbox (set A in the diagram).
  • One "set" of NEW directory objects: the NEW On-Premise Active Directory user account, the NEW Office 365 user account and the NEW Exchange Online mailbox (set B in the diagram).
[Figure: Problematic Exchange Online mailbox restore scenario -02]

Solution 1#2 – Delete the New On-Premise Active Directory User Account, and restore the “Original” On-Premise Active Directory User account

To deal with the "Exchange Online mailbox recovery mistake" in which a NEW On-Premise Active Directory user account was created, we implement a solution that I describe as "reverting the Exchange Online restore mistake".

In this solution, we need to turn things back to the point in time before the "Exchange Online mailbox recovery mistake" was executed.

Our "secret mission" is to turn back the clock to the point before the NEW On-Premise Active Directory user account was created.

After we have completed the phase of returning to the "earlier point in time" (before the recovery mistake was made), we implement the "right" procedure for restoring an Exchange Online mailbox in a Directory synchronization environment.

In other words: restore the "original" Soft Deleted user account from the On-Premise Active Directory recycle bin.

[Figure: Optional solution - Delete the new on premise active directory user account]

Note: another option for dealing with this type of Exchange Online mailbox restore mistake is to copy the content of the Soft Deleted Exchange Online mailbox into the NEW, empty Exchange Online mailbox that was created.

We review this type of solution in the article: Restoring Exchange Online mailbox content to another mailbox using PowerShell command New-MailboxRestoreRequest | Part 22#23

Solution 1 – “Revert” the recovery mistake – flow of events

To fix the recovery mistake, we need to:

  • Remove (delete) all the "NEW objects" that were created.
  • In the next phase, restore the original On-Premise Active Directory user account.

We start the phase of deleting the NEW set of objects by deleting the NEW On-Premise Active Directory user account that was created, and then synchronizing the information to the Office 365 Directory (Azure Active Directory).

When Azure Active Directory receives the information about the deletion of the NEW On-Premise Active Directory user account that is "bound" to the NEW Office 365 user account, the NEW Office 365 user account is also (soft) deleted.

The deletion of the NEW Office 365 user account also removes the Exchange Online license that was attached to it.

When Azure Active Directory synchronizes the information to Exchange Online, Exchange Online deletes the NEW Exchange Online mailbox associated with the deleted Office 365 user account. Before deleting the NEW account, check whether the user has already sent or received mail in the NEW, empty mailbox; that content is deleted with it, so export or copy it first if it matters.

[Figure: Delete the NEW On-Premise Active Directory user account - Step 1-2]

For a more detailed description of the chain of events when an On-Premise Active Directory user account is deleted in a Directory synchronization environment, read the article: The special characters of Directory synchronization in an Office 365 environment | Article 2#2 | Part 12#23

After we have reverted the "recovery mistake" (the creation of the NEW On-Premise Active Directory user account), we continue with the best-practice solution for recovering an Exchange Online mailbox in a Directory synchronization environment.

The recovery of the "original" Exchange Online mailbox is implemented in the following way:

  • Restore the "original" Soft Deleted On-Premise Active Directory user account from the On-Premise Active Directory recycle bin.
  • The information about the restored On-Premise Active Directory user account is synchronized to the Office 365 Directory (Azure Active Directory).
  • Azure Active Directory "understands" (by the matching ImmutableID) that it needs to recover the associated Soft Deleted Office 365 user account from the recycle bin, together with the Exchange Online license that was assigned to it.
  • Azure Active Directory synchronizes the information to the Exchange Online infrastructure.
  • Exchange Online "understands" that it needs to recover from its recycle bin the Soft Deleted mailbox associated with the recovered Office 365 user account (whose Exchange Online license was recovered).
[Figure: Restore the original On-Premise Active Directory User account - Step 2-2]

In the article Solving an Exchange Online mailbox restore mistake by Restoring the original Soft Deleted Active Directory user | Part 21#23, we provide a detailed step by step description of the offered solution (deleting the NEW Active Directory user account that was created, and restoring the original Soft Deleted On-Premise Active Directory user).
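As an added example (this is not the article's own code, nor the step-by-step procedure of Part 21), the PowerShell below runs the two phases described above in order, and also covers the best-practice restore flow from the start of the article: delete the NEW On-Premise user, wait for the deletion to reach Azure Active Directory, then restore the original Soft Deleted user and wait for the cloud account, license and mailbox to come back. It assumes a host with the ActiveDirectory module, the ADSync module (that is, the Azure AD Connect server), the MSOnline module already connected with Connect-MsolService, an open Exchange Online PowerShell session, an enabled AD Recycle Bin, and the scenario's login name John@o365info.com. The 30 minute timeout and 60 second poll interval are arbitrary choices.

```powershell
# Added example; see the lead-in for assumptions. Not the article's own procedure.
$Upn = 'John@o365info.com'

function ConvertTo-ImmutableId {
    # objectGUID -> Base64, the value Azure AD Connect stores as the cloud user's ImmutableId
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function Wait-CloudUser {
    # Poll Azure AD until the cloud user carrying $ImmutableId is in the expected state.
    # Keying on ImmutableId rather than UPN is deliberate: during this procedure two
    # soft-deleted cloud users (original and NEW) share the same UPN.
    param(
        [Parameter(Mandatory)][string]$ImmutableId,
        [Parameter(Mandatory)][ValidateSet('Active', 'SoftDeleted')][string]$Expected,
        [int]$TimeoutMinutes = 30
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $users = if ($Expected -eq 'Active') { Get-MsolUser -All }
                 else                        { Get-MsolUser -All -ReturnDeletedUsers }
        $hit = $users | Where-Object ImmutableId -ceq $ImmutableId
        if ($hit) { return $hit }
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    throw "Timed out waiting for ImmutableId $ImmutableId to become $Expected in Azure AD"
}

# 1. Identify both sets of objects and pin them by objectGUID / ImmutableId, not by name.
$newAdUser  = Get-ADUser   -Filter { userPrincipalName -eq $Upn }
$origAdUser = Get-ADObject -Filter { isDeleted -eq $true -and userPrincipalName -eq $Upn } -IncludeDeletedObjects
if (-not $newAdUser -or -not $origAdUser) {
    throw "Expected exactly one active and one deleted AD user for $Upn; refusing to continue"
}
$newId  = ConvertTo-ImmutableId $newAdUser.ObjectGUID
$origId = ConvertTo-ImmutableId $origAdUser.ObjectGUID
if ($newId -ceq $origId) { throw "Active and deleted AD users share an objectGUID; this is not Mistake 1" }

# 2. Record the original soft-deleted mailbox so the final check can prove it came back,
#    and warn before the NEW mailbox (deleted together with the NEW account) takes mail with it.
$origMailbox = Get-Mailbox -SoftDeletedMailbox -Identity $Upn
$newStats    = Get-MailboxStatistics -Identity $Upn
if ($newStats.ItemCount -gt 0) {
    Write-Warning "NEW mailbox for $Upn holds $($newStats.ItemCount) items; they are lost when it is deleted"
    if ((Read-Host 'Continue anyway? (y/n)') -ne 'y') { return }
}

# 3. Phase 1: delete the NEW AD user, push a delta sync, wait for the NEW cloud user to be soft-deleted.
Remove-ADUser -Identity $newAdUser -Confirm:$false
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
$null = Wait-CloudUser -ImmutableId $newId -Expected SoftDeleted

# 4. Phase 2: restore the ORIGINAL AD user from the AD Recycle Bin, sync, wait for its cloud twin to be active.
Restore-ADObject -Identity $origAdUser.ObjectGUID
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
$restored = Wait-CloudUser -ImmutableId $origId -Expected Active

# 5. Verify: the license came back with the account, and the ORIGINAL mailbox (same ExchangeGuid) is attached.
$mbx = Get-Mailbox -Identity $Upn
"Cloud user : $($restored.UserPrincipalName)  Licensed: $($restored.IsLicensed)"
"Mailbox    : $($mbx.ExchangeGuid)  Original restored: $($mbx.ExchangeGuid -eq $origMailbox.ExchangeGuid)"
"Items      : $((Get-MailboxStatistics -Identity $Upn).ItemCount)"
```

Start-ADSyncSyncCycle refuses to start while a cycle is already running; if it errors, wait for the scheduled cycle to finish and run the step again. Get-MsolUser -All enumerates the whole tenant and is slow on large directories; scope it with -SearchString if needed, but keep the final comparison on ImmutableId. The ExchangeGuid comparison at the end is the check that matters: it proves the mailbox attached to the restored account is the original one with the user's data, not another empty mailbox.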

The next article in the current article series

Reviewing the characters of Exchange Online mailbox recovery mistake – Soft Deleted Office 365 was restored | Part 20#23

o365info Team


This article was written by our team of experienced IT architects, consultants, and engineers.
