ExternalDirectoryObjectID missing on EXO mailbox after msol user was accidentally hard deleted - Restoring the mailbox back.
As an Office 365 admin you might have come across a situation where the MSOL user was accidentally hard deleted, which resulted in the mailbox moving to the Inactive state and not reconnecting. Additionally, a new mail user or cloud-only mailbox is found for the user in EXO.
In a Hybrid Deployment with multi-forest sync, or an Exchange resource forest environment where AD attributes and custom attributes are synced from one forest and Exchange attributes from the other to collectively provision a single user in O365, if that MSOL user is hard deleted in the organisation, the "ExternalDirectoryObjectID" of the EXO mailbox, which is linked to the "ObjectId" attribute of the MSOL user in Azure AD, is permanently lost. The mailbox then moves to the Inactive state, which is also referred to as an orphaned mailbox. Because of this the mailbox never reconnects, even after AAD Connect syncs a new object to O365, as the new object gets a new ExternalDirectoryObjectID that does not match the Inactive mailbox. There is no way to reconnect the same mailbox to a new MSOL user in O365; you will have to perform a mailbox restore, which can be done in multiple ways.
To resolve this issue, one option everyone is familiar with is to create a new user account with a new on-premises mailbox, migrate it to the cloud and then run a New-MailboxRestoreRequest, as it is not possible to create a new on-premises mailbox on the same object that already has a remote mailbox. However, please note this will be a completely new account, so group membership and custom attribute stamping will have to be done manually. Also, the newly created account will not join with the existing AD account in the other forest to collectively sync as one O365 user. To avoid these complications the best way is to enable Litigation Hold, disable the Inactive mailbox using the Disable-RemoteMailbox PowerShell command, and then create a new remote mailbox on the same source AD object, as the command only removes the cloud-based mailbox but keeps the associated on-premises user account. Please note it is not as easy as it sounds: each step has to be performed in the sequence mentioned below to avoid any issues and to restore the full mailbox along with the Archive.
The steps below are to be followed in sequence:
➤ Enable Litigation Hold on the Inactive mailbox and export the proxyaddress values, ExchangeGUID and ArchiveGUID to a .txt or .csv file.
➤ Remove O365 license of the Inactive Mailbox.
➤ Check if there is a mail user or a cloud-only mailbox found for the same account because, soon after directory sync, when the MSOL user was deleted, AAD Connect will try to create a new object in O365. If a mail user for the same account is found, verify and Remove-MsolUser from the recycle bin as well. You will have to confirm in EXO that no mail user is found among soft-deleted recipients, as there are instances where the MSOL user was removed but the mail user was still found with -IncludeSoftDeletedRecipients, resulting in ArchiveGUID sync errors. Run Remove-MailUser -PermanentlyDelete if one is found and follow the next step immediately without waiting for directory sync. In case a cloud-only mailbox is found for the same account, that too needs to be rectified.
➤ Disable remote mailbox archive and wait for directory sync.
➤ Disable remote mailbox (primary) and wait for directory sync.
➤ The mail user should now be converted to a user on-premises: mail-enable the user object, add the primarysmtpaddress and remoteroutingaddress, and wait for directory sync.
➤ Assign the O365 license only once the mail user is synced to the cloud with the new ExchangeGUID and proxyaddresses, and after validating that PreviousRecipientTypeDetails for the user is set to None in EXO.
➤ Enable remote mailbox (primary) and wait for Directory sync.
➤ Enable remote mailbox (Archive).
➤ Restore data from Inactive primary mailbox on newly created primary mailbox using ExchangeGUID.
➤ Restore data from Inactive archive mailbox on newly created archive mailbox using ArchiveGUID.
➤ Remove the Litigation Hold from the Inactive mailbox, or add the user to the exclusion list of the O365 retention policy using Connect-IPPSSession if retention is enabled.
➤ Add all the proxyaddress values to the new mailbox.
Detailed steps along with the PowerShell commands are as below:
Please follow Step1 only if Litigation Hold or an O365 retention hold is not already enabled on the mailbox; if already enabled then start with Step2.
Step1: i. Enable Litigation hold by using below powershell command on EXO.
Command: Set-Mailbox "emailaddress" -InactiveMailbox -LitigationHoldEnabled:$True
Step1: ii. Export the proxyaddress values, ExchangeGUID and ArchiveGUID of the soft-deleted mailbox to a .txt or .csv file, as we will need these details to verify the mailbox in the cloud as well as during restoration.
Step2: Remove the O365 license for the mailbox from the Azure Portal, or from the source AD security group if it is inherited.
Step3: Verify if any mail user or cloud-only mailbox is found for the same account. If found, remove it permanently from MSOL/AAD and EXO.
Step4: i. Disable the mailbox archive using the PowerShell command below (Disable-RemoteMailbox runs in the on-premises Exchange Management Shell), and wait for Directory Sync before going for Step3 because, as per Microsoft, attempting to disable both the online archive and the cloud mailbox without a sync in between may result in an ArchiveGuid mismatch and validation error.
Command: Disable-RemoteMailbox "emailaddress" -Archive
Step4: ii. Check that the "RemoteRecipientType" in Exchange Online has changed to "Migrated, DeprovisionArchive" and that the ArchiveGUID value is now the empty GUID "00000000-0000-0000-0000-000000000000". Then proceed to disable the primary mailbox and wait for directory sync. In case the archive is not deprovisioned yet, please wait for one more directory sync before disabling the primary mailbox.
Step5: Disable the primary mailbox using the PowerShell command below; the mail user will then be converted to a user on-premises. After Directory Sync the user's remote mailbox should no longer be found.
Command: Disable-RemoteMailbox "emailaddress"
Step6: Mail-enable the user object (Enable-MailUser requires -ExternalEmailAddress, which is the remote routing address), add the primarysmtpaddress and wait for Directory Sync.
Command: Enable-MailUser -Identity "samaccountname" -PrimarySmtpAddress "emailaddress" -ExternalEmailAddress "firstname.lastname@example.org"
Step7: Assign the O365 license only after validating that the mail user is synced to the cloud along with the ExchangeGUID and proxyaddresses, and that PreviousRecipientTypeDetails for the user is set to None in EXO. The ExchangeGUID should not be blank; if it is, an already existing object is conflicting, so please follow Step3 again.
Step8: Enable the remote mailbox (primary) using the PowerShell command below to create the primary mailbox, and wait for Directory Sync.
Command: Enable-RemoteMailbox "emailaddress" -RemoteRoutingAddress "firstname.lastname@example.org"
Step9: Enable the remote mailbox (Archive) using the PowerShell command below.
Command: Enable-RemoteMailbox "emailaddress" -Archive
Step10: Restore data from the Inactive primary mailbox to the newly created primary mailbox using the ExchangeGUID (add -AllowLegacyDNMismatch if the request fails on the LegacyExchangeDN, as in the second form).
Command: New-MailboxRestoreRequest -SourceMailbox "InactiveMBXExchangeGUID" -TargetMailbox "NewMBXExchangeGUID" -Name "User-Primary"
New-MailboxRestoreRequest -SourceMailbox "InactiveMBXExchangeGUID" -TargetMailbox "NewMailboxExchangeGUID" -AllowLegacyDNMismatch
Step11: i. Restore data from the Inactive archive mailbox to the newly created archive mailbox using the ArchiveGUID. -SourceIsArchive and -TargetIsArchive are both required, otherwise the data lands in the primary mailbox.
Command: New-MailboxRestoreRequest -SourceMailbox "InactiveMBXArchiveGUID" -SourceIsArchive -TargetMailbox "NewMBXArchiveGUID" -TargetIsArchive -AllowLegacyDNMismatch -Name "User-Archive"
Step11: ii. Monitor the restore requests using the "Get-MailboxRestoreRequest" PowerShell command.
Step12: Remove the Litigation Hold from the Inactive mailbox using the PowerShell command below.
Command: Set-Mailbox "emailaddress" -InactiveMailbox -LitigationHoldEnabled:$False
Step13: Add the proxyaddress values to the new mailbox.
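As an added example (not from the original post), the following PowerShell helpers cover the checks the steps depend on: the Step1 export, the Step3 conflict check, the Step7 pre-license validation and the Step11 monitoring. They assume an existing Exchange Online PowerShell session; the address, CSV path and request names are placeholders to replace.

```powershell
# Added helper functions (not part of the original post). They assume an
# existing Exchange Online session (Connect-ExchangeOnline); the values
# below are placeholders, as in the steps above.
$Address   = "emailaddress"
$ExportCsv = "C:\Temp\InactiveMailbox.csv"   # assumed export location

# Step1 ii: capture the identifiers needed to validate and restore later.
function Export-InactiveMailboxInfo {
    param([string]$Identity, [string]$Path)
    $inactive = Get-Mailbox -Identity $Identity -InactiveMailboxOnly
    if (-not $inactive) { throw "No inactive mailbox found for $Identity" }
    $inactive | Select-Object DisplayName, ExchangeGuid, ArchiveGuid,
        LitigationHoldEnabled, ExternalDirectoryObjectId,
        @{ Name = 'EmailAddresses'; Expression = { $_.EmailAddresses -join ';' } } |
        Export-Csv -Path $Path -NoTypeInformation
    return $inactive
}

# Step3: a lingering mail user or cloud-only mailbox, including a soft-deleted
# mail user, must be removed before the remote mailbox is disabled.
function Test-ConflictingRecipient {
    param([string]$Identity)
    $live = Get-Recipient -Identity $Identity -ErrorAction SilentlyContinue
    $soft = Get-MailUser -Identity $Identity -SoftDeletedMailUser -ErrorAction SilentlyContinue
    foreach ($r in @($live, $soft) | Where-Object { $_ }) {
        Write-Warning ("Conflict: {0} ({1})" -f $r.Identity, $r.RecipientTypeDetails)
    }
    return [bool]($live -or $soft)
}

# Step7: license only when the synced mail user has a non-empty ExchangeGuid
# and PreviousRecipientTypeDetails of None; anything else is an object conflict.
function Test-ReadyForLicense {
    param([string]$Identity)
    $mu   = Get-MailUser -Identity $Identity -ErrorAction Stop
    $guid = [guid]::Empty
    [void][guid]::TryParse([string]$mu.ExchangeGuid, [ref]$guid)   # null/blank stays Empty
    $ok = ($guid -ne [guid]::Empty) -and ($mu.PreviousRecipientTypeDetails -eq 'None')
    if (-not $ok) { Write-Warning "Not ready (ExchangeGuid=$guid, Previous=$($mu.PreviousRecipientTypeDetails)); repeat Step3" }
    return $ok
}

# Step11 ii: monitor both restore requests by the names used in the steps.
function Get-RestoreProgress {
    param([string[]]$Names = @('User-Primary', 'User-Archive'))
    foreach ($n in $Names) {
        Get-MailboxRestoreRequest -Name $n | Get-MailboxRestoreRequestStatistics |
            Select-Object Name, Status, PercentComplete, StatusDetail
    }
}
```

Run Export-InactiveMailboxInfo before Step2, Test-ConflictingRecipient before Step4 (it must return False), and Test-ReadyForLicense before assigning the license in Step7.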