
The special characters of Directory synchronization in an Office 365 environment | Article 2#2 | Part 12#23

In this article, we continue to review the special characteristics of an Office 365 Directory synchronization environment, so that we can better understand the “flow of events” in such an environment.

We will review the flow of events for three major scenarios:

  1. The event of – Creating a NEW Active Directory user account
  2. The event of – Deleting an Active Directory user account
  3. The event of – Restoring Soft Deleted Active Directory user account

Another subject that I would like to address in this article is why it is so important to follow the best practice of restoring the On-Premise Active Directory user account when we want to restore a Soft Deleted Exchange Online mailbox in a Directory synchronization environment.

The common mailbox deletion scenario in Directory synchronization environment

In the current article series, we will mention the terms: “recovery of Exchange Online mailbox,” and “deletion of Exchange Online mailbox” many times.

It’s important to emphasize that in an Office 365 environment that uses Directory synchronization, although we use the term “mailbox,” most of the time we are actually dealing with the “User object” that is considered the mailbox owner.

To make the description more precise: in an Office 365 Directory synchronization environment, we need to restore the Active Directory user account, which is considered the “owner” or the “master” of the Office 365 user account, which in turn is considered the owner of the deleted Exchange Online mailbox.

For example

1. The root cause of Exchange Online mailbox deletion in a Directory synchronization environment.

In an Office 365 Directory synchronization environment, most of the time the “real cause” (the root cause) of the deletion of an Exchange Online mailbox is the “deletion event” of the On-Premise Active Directory user account.

2. Restoring deleted Exchange Online mailbox.

In an Office 365 Directory synchronization environment, the recommended way to restore an Exchange Online mailbox is to start the restore process by restoring the Soft Deleted On-Premise Active Directory user account, and not by restoring the deleted Exchange Online mailbox “directly.”

The formula - Directory synchronization environment relating to Exchange Online mailbox deletion

The concept of creating and managing directory objects via the On-Premise Active Directory

In a Directory synchronization environment, tasks that relate to directory management, such as creating NEW Active Directory user accounts, should be performed via the On-Premise Active Directory, and not via the Office 365 directory (Azure Active Directory).

The reason for this recommendation is that, at the current time, the architecture of a Directory synchronization environment is based on a model in which the On-Premise Active Directory is considered the “source of authority.”

Information about updates that occur in the On-Premise Active Directory is synchronized to the Office 365 Directory (Azure Active Directory) by the Directory synchronization infrastructure (Azure AD Connect), but the opposite is not true!

For example, in a Directory synchronization environment, if we create a NEW user account in the Office 365 Directory (Azure Active Directory), that information is not synchronized back to the On-Premise Active Directory.

Office 365 and Directory synchronization environment - Creating and managing directory objects

To better understand the concept of “one-way synchronization” in an Office 365 Directory synchronization environment, let’s use some examples that relate to On-Premise Active Directory objects:

1. Creating a NEW On-Premise Active Directory user

When a NEW user is created in the On-Premise Active Directory, the information is synchronized to the Office 365 Directory (Azure Active Directory).
Thus, a NEW user account is also created in the Office 365 Directory (Azure Active Directory).

The Office 365 user account that is created in the Office 365 Directory (Azure Active Directory) is “attached” to the On-Premise Active Directory user account.

In other words, the NEW Office 365 user account is considered a “replica” or a “twin” of the On-Premise Active Directory user account.

2. Updating On-Premise Active Directory user

When we update the On-Premise Active Directory user account, the information is synchronized (by Azure AD Connect) to Azure Active Directory.
Azure Active Directory is then “obliged” to apply the same update to the Office 365 user account that is considered the replica of the On-Premise Active Directory user account.

The flow of “binding” On-Premise Active Directory user to Exchange Online mailbox

In the following section, I would like to review the process in which we “glue” the On-Premise Active Directory user to the Office 365 user account, and “glue” the Office 365 user account to the Exchange Online mailbox.

In a Directory synchronization environment, when we create a NEW On-Premise Active Directory user account, the same user is also created in the Office 365 Directory (as a replica).

The On-Premise Active Directory user and the Office 365 user that was created (defined as synchronized with Active Directory) have the same credentials, meaning the same login name and the same password.

If we assign an Exchange Online license to the Office 365 user, the Office 365 user is considered the owner of the Exchange Online mailbox.

The “real owner” of the Exchange Online mailbox is the Office 365 user account object.

The Office 365 user account that is considered “synced with Active Directory” uses the same credentials as the On-Premise Active Directory user account.

In other words, the On-Premise Active Directory user account and its Office 365 replica use the same credentials.

But it’s important to mention that the Exchange Online mailbox “doesn’t care” who the real owner is, as long as the entity that accesses Exchange Online has the “right credentials.”

The Exchange Online mailbox is willing to accept user access requests as long as the entity that needs access can provide the required credentials.

In the following section, we review each of the steps involved in a scenario in which a NEW On-Premise Active Directory user account is created in an Office 365 Directory synchronization based environment:

  • Event 1#7 – A NEW On-Premise Active Directory user account is created. In our example, the login name of the user account is Alice@o365info.com.
  • Event 2#7 – The Directory synchronization server (Azure AD Connect) connects to the On-Premise Active Directory (by default, the synchronization interval is three hours) and gets the updated information about the event in which a NEW user account was created.
  • Event 3#7 – The Directory synchronization server (Azure AD Connect) connects to Azure Active Directory and synchronizes the information about the NEW user account.
  • Event 4#7 – Azure Active Directory is “obliged” to create a NEW Office 365 user account (a replica user) with the same login name, E-mail address, password, etc.
  • From now on, the NEW Office 365 user account is considered “bound” to, or a “replica” of, the On-Premise Active Directory user account. Each update to the On-Premise Active Directory user account is synchronized to the Office 365 Directory and affects the Office 365 “replica” user account.
(Figure: The flow of events - Binding On-Premise Active Directory user to Exchange Online mailbox - 01)
  • Event 5#7 – An Exchange Online license is assigned to the NEW Office 365 user account.
  • Event 6#7 – Azure Active Directory synchronizes the information to the Exchange Online infrastructure.
  • Event 7#7 – Exchange Online creates a NEW Exchange Online mailbox and “binds” the mailbox to the Office 365 user account.
(Figure: The flow of events - Binding On-Premise Active Directory user to Exchange Online mailbox - 02)

The “object deletion flow” in Office 365 and Directory synchronization environment

In this section, I would like to review each of the “steps” that take place in a scenario in which we delete an On-Premise Active Directory user account in an Office 365 Directory synchronization environment.

In our example, the deleted Grace user account has an Office 365 user “replica,” and the Office 365 user had an Exchange Online license (it is considered the owner of an Exchange Online mailbox).

  • Event 1#7 – The On-Premise Active Directory user account named Grace@o365info.com is deleted.
  • Event 2#7 – When the Grace Active Directory user account is deleted, the status of the deleted user account is updated to “Soft Deleted.” The user account is “sent” to the Active Directory recycle bin (where it is kept for a period of 180 days).
  • Event 3#7 – The Directory synchronization server (Azure AD Connect) connects to the On-Premise Active Directory (by default, the synchronization interval is three hours) and gets the updated information about the event in which the Grace user account was deleted.
(Figure: Deletion of a Synchronized On-Premise Active Directory User - 01)
  • Event 4#7 – The Directory synchronization server (Azure AD Connect) connects to Windows Azure Active Directory and synchronizes the information about the event in which the On-Premise Active Directory user account was deleted.
  • Event 5#7 – Windows Azure Active Directory gets the update and searches its database.
    In our example, Azure Active Directory finds that there is an existing Office 365 user account that is considered “bound” to the deleted On-Premise Active Directory user account.
  • Azure Active Directory “understands” that there is a “connection” between the two directory user account entities because the ImmutableID value of the Grace Office 365 user account is identical to the GUID value of the deleted Grace On-Premise Active Directory user account.
  • Azure Active Directory is “obliged” to delete the Office 365 user account.
  • The Office 365 user account is sent to the Azure Active Directory recycle bin. The Office 365 user account is considered “Soft Deleted,” and it is kept in the Azure Active Directory recycle bin for 30 days. At the end of the 30-day period, the User mailbox will be deleted permanently (Hard Deleted).
  • When the Office 365 user account is deleted, the Exchange Online license that was “attached” to the user account is also “deleted” (removed).
  • Event 6#7 – Azure Active Directory “informs” (synchronizes the information to) the Exchange Online infrastructure about the event in which the Exchange Online license was removed.
  • Event 7#7 – Thus, Exchange Online deletes the User mailbox associated with the Office 365 user account. The deleted Exchange Online User mailbox is sent to the Exchange Online recycle bin and stays there for 30 days. At the end of the 30-day period, the User mailbox will be deleted permanently (Hard Deleted).
(Figure: Deletion of a Synchronized On-Premise Active Directory User - 02)

Restoring a Soft Deleted On-Premise Active Directory user account flow in Office 365 and Directory synchronization environment

In the following section, I would like to review the subject of “Restoring a Soft Deleted On-Premise Active Directory user account flow” in an Office 365 and Directory synchronization environment.

I would like to review each of the “steps” that take place in a scenario in which we restore the On-Premise Active Directory user account in an Office 365 Directory synchronization environment.

In our example, the On-Premise Active Directory user account of a user named Grace was deleted.

The Grace user account had an Office 365 user “replica,” and the Office 365 user had an Exchange Online license (it was the owner of an Exchange Online mailbox).

  • Step 1#6 – When we restore a Soft Deleted user account from the On-Premise Active Directory recycle bin, the user account is “sent back” to the “active” directory user database.
  • Step 2#6 – The Directory synchronization server (Azure AD Connect) connects to the On-Premise Active Directory (by default, the synchronization interval is three hours) and gets the updated information about the event in which the Grace user account was restored.
(Figure: Restoring Synchronized On-Premise Active Directory User - 01)
  • Step 3#6 – The Directory synchronization server (Azure AD Connect) connects to Windows Azure Active Directory and synchronizes the information about the event in which the On-Premise Active Directory user account was restored.
  • Step 4#6 – Windows Azure Active Directory gets the update and searches its database.
    In our example, Azure Active Directory finds that there is an existing Office 365 user account that is considered “bound” to the On-Premise Active Directory user account.
  • Azure Active Directory “understands” that there is a “connection” between the two directory user account entities because the ImmutableID value of the Grace Office 365 user account is identical to the GUID value of the restored On-Premise Active Directory user account.
  • Azure Active Directory is “obliged” to restore the Office 365 user account. Azure Active Directory “fetches” the Soft Deleted Office 365 user account from the Azure Active Directory recycle bin, and the user account is considered “active” again.
  • As part of the user account restore process, the Exchange Online license that was assigned to the Office 365 user is also restored. In other words, both the Office 365 user account and its Exchange Online license are restored.
  • Step 5#6 – Azure Active Directory “informs” (synchronizes the information to) the Exchange Online infrastructure about the event in which the Exchange Online license was restored.
  • Step 6#6 – Thus, Exchange Online restores the Soft Deleted user mailbox, and the Exchange Online mailbox is associated with the restored Office 365 user account.
(Figure: Restoring Synchronized On-Premise Active Directory User - 02)

Why is it so important to restore the original On-Premise Active Directory user account in Directory Synchronization environment?

Let’s repeat a very basic concept in the scenario of “restoring an Exchange Online mailbox in a Directory synchronization based environment.”
Most of the time, when we use the term “Restore Exchange Online mailbox,” we mean:

  • Restore the On-Premise Active Directory user account.
  • Restore the Office 365 user account that is considered the Exchange Online mailbox owner.

Restoring the “original Active Directory user account” is the “key” to a successful Exchange Online mailbox restore process!

The importance of restoring the Soft Deleted original Active Directory user account

When we relate to the task of “restoring the user who is considered the owner of the Soft Deleted Exchange Online mailbox,” there are two different scenarios.

Scenario 1 – cloud only (fully hosted)

In a scenario which I describe as a “cloud only” environment, the Exchange Online mailbox restore process is implemented by restoring the Soft Deleted Office 365 user account that is considered the Exchange Online mailbox owner.

The element that stores the Soft Deleted user account, and serves as the “source of authority” for this user account, is the Office 365 directory, meaning Azure Active Directory.

Scenario 2 – Directory synchronization environment

I use the term “Directory synchronization environment” to describe a scenario in which we use a combination of two different “Directories”: the On-Premise Active Directory and the Azure Active Directory.
In this case, the On-Premise Active Directory is considered the “source of authority,” and Azure Active Directory gets a “read only” copy of the user accounts that are synchronized to the cloud from the On-Premise Active Directory.

In a scenario in which we want to restore an Exchange Online mailbox, the “original User account” that we need to restore is the On-Premise Active Directory user account.

It’s true that the Exchange Online mailbox is associated directly with the Office 365 user account entity, and not with the On-Premise Active Directory “original user account.”

But it’s important to understand that in a Directory Synchronization environment, the Office 365 user account that is “bound” to the On-Premise Active Directory is entirely dependent on, and “controlled” by, the On-Premise Active Directory user account. For this reason, the user restore process relates to the On-Premise Active Directory user account and not to the Office 365 user account.

Restore emphasis on different Office 365 environments

So now, let’s go back to the question that we need to answer: “Why is it so important to restore the original On-Premise Active Directory user account in a Directory Synchronization environment?”

A1 – The first answer to the question is: to take advantage of the automatic recovery mechanism that is implemented in an Office 365 based environment.

When we restore the “original On-Premise Active Directory user account” (the “Root User account”), the On-Premise infrastructure and the Office 365 infrastructure “know by themselves” how to automatically complete all the required steps, such as:

  • Synchronize the information to the Office 365 Directory (Azure Active Directory).
  • Restore the Soft Deleted Office 365 user account.
  • Restore the Exchange Online license.
  • Restore Soft Deleted Exchange Online mailboxes.
  • Bind the restored Exchange Online mailbox to its “owner.”

And so on.

The “magic” of the automatic restore process in an Office 365 Directory synchronization environment is implemented by a “Hard Match” mechanism that relies on the On-Premise Active Directory user GUID value and the corresponding Office 365 ImmutableID value.

Additional information about the concept of Hard Match appears in the article – The special characters of Directory synchronization in Office 365 environment | Article 1#2 | Part 11#23

If we don’t restore the original Active Directory user account and instead create a NEW On-Premise Active Directory user account with seemingly identical properties, such as the login user name, the automatic restore process will not take place.
The reason is that Office 365 (Azure Active Directory) doesn’t know how to “bind” the Soft Deleted objects (the Office 365 user account and the Soft Deleted Exchange Online mailbox) to the NEW synchronized user account.
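The Hard Match comparison behind the deletion and restore flows above can be checked offline. The following Python script is an added example, not code from the o365info article: it derives the ImmutableID from an on-premises objectGUID (Base64 of the GUID in the .NET byte layout that Azure AD Connect uses), compares it with the ImmutableID carried by the cloud object, and shows why a freshly created account with the same login name but a new GUID does not bind to the Soft Deleted cloud user. All GUID values are constructed sample data, and the helper names are my own.

```python
import base64
import uuid


def immutable_id_from_guid(object_guid: str) -> str:
    """Derive the ImmutableID (sourceAnchor) that Azure AD Connect writes
    for a synchronized user from the on-premises objectGUID.

    .NET's Guid.ToByteArray() stores the first three GUID fields in
    little-endian order; uuid.UUID.bytes_le produces the same 16 bytes,
    so Base64-encoding them yields the ImmutableID string.
    """
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode("ascii")


def guid_from_immutable_id(immutable_id: str) -> str:
    """Reverse mapping: recover the objectGUID text from an ImmutableID."""
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError("ImmutableID does not decode to a 16-byte GUID")
    return str(uuid.UUID(bytes_le=raw))


def hard_match(on_prem_object_guid: str, cloud_immutable_id: str) -> bool:
    """True when Azure AD would bind the on-premises object to the cloud
    object, i.e. when the GUID-derived ImmutableID matches exactly."""
    return immutable_id_from_guid(on_prem_object_guid) == cloud_immutable_id


# Constructed sample values (not real tenant data).
# objectGUID of Grace's original on-premises account, as AD tools show it.
GRACE_ORIGINAL_GUID = "04030201-0605-0807-090a-0b0c0d0e0f10"
# ImmutableID carried by the Soft Deleted cloud replica of that account.
GRACE_CLOUD_IMMUTABLE_ID = immutable_id_from_guid(GRACE_ORIGINAL_GUID)
# objectGUID of a NEW account created with the same login name: AD assigns
# a fresh GUID, so nothing ties it to the Soft Deleted cloud object.
GRACE_RECREATED_GUID = "1f2e3d4c-5b6a-7988-9aab-bccddeeff001"


def restore_decision(on_prem_object_guid: str) -> str:
    """Summarize what the synchronization flow does for an on-premises
    object, based only on the Hard Match rule."""
    if hard_match(on_prem_object_guid, GRACE_CLOUD_IMMUTABLE_ID):
        return "hard match: cloud user, license and mailbox restored automatically"
    return "no match: the Soft Deleted cloud user and mailbox are not bound to this account"


if __name__ == "__main__":
    print(GRACE_CLOUD_IMMUTABLE_ID)  # AQIDBAUGBwgJCgsMDQ4PEA==
    print(restore_decision(GRACE_ORIGINAL_GUID))
    print(restore_decision(GRACE_RECREATED_GUID))
```

The same derivation is what you would run when comparing the objectGUID shown by on-premises AD tools with the ImmutableID reported by the Office 365 directory before deciding which account to restore.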

We will relate to this type of Exchange Online restore mistake in the article – Reviewing the characters of Exchange Online mailbox recovery mistake – New On-Premise Active Directory User Account was created | Part 19#23

A2 – The second answer to the question is that when we say we need to restore an Exchange Online mailbox, we also mean that we need to restore the “accompanying entities,” such as the On-Premise Active Directory user account and the Office 365 user account that is considered the Exchange Online mailbox owner.

Besides the important data stored in the deleted Exchange Online mailbox, there is “additional important data” that is “stored” in the involved directory user accounts.

The involved directory user accounts have properties and relationships with other objects and infrastructure in the Active Directory environment and in Office 365.

For example

1. The On-Premise Active Directory user account includes many properties, beginning with the user password, office address, phone numbers and so on.

Most of the time, the user account is a member of Distribution groups or Security groups.

Most of the time, the security group is assigned permissions to other resources, such as File servers and so on.

(Figure: Why it’s so important to restore the original User account - Office 365 User account - 01)

2. Office 365 user account

In an Office 365 based environment, many times the Office 365 user account is “bound” (has an Office 365 license) to many other Office 365 services, such as SharePoint Online, OneDrive, Skype for Business and more. This Office 365 infrastructure stores private data of the Office 365 user, such as the OneDrive store.

(Figure: Why it’s so important to restore the original User account - Office 365 User account - 02)

So, what is my point?

My point is that in a scenario in which an On-Premise Active Directory user account is deleted, and thus the Exchange Online mailbox is also deleted, it’s very important that we restore the “original On-Premise Active Directory User account” that was Soft Deleted.

Only by restoring the original On-Premise Active Directory User account can we restore all the information that was “attached” to it, such as the user properties, group memberships, and so on.

The restore process of the original On-Premise Active Directory user account leads to the automatic restore of the Office 365 user account, together with its Exchange Online license and other Office 365 licenses, and enables us to:

  • Restore the “connection” that the Office 365 user account had to other Office 365 infrastructure.
  • Restore the Exchange Online mailbox that is connected to the restored Office 365 user account.

The next article in the current article series

Deleted Active Directory User account and the Deleted object store | Basic introduction | Article 1#4 | Part 13#23

o365info Team

This article was written by our team of experienced IT architects, consultants, and engineers.