Wash the "unclean". Fixing mailbox-enabled cloud-only user accounts in Office 365 for hybrid migrations.

Thursday, January 18, 2018
I've come across the following scenario in a number of migration projects. The customer creates a new tenant with or without AAD Connect with the intention of "kicking the tires" in Office 365. They create several cloud-only accounts and assign them licenses. Since these cloud-only accounts don't have an ExchangeGUID tying them back to on-prem Exchange, they are given a new mailbox in Exchange Online.

Later, the customer decides to perform a hybrid migration of all or some mailboxes to EXO. AAD Connect is configured with the Exchange Hybrid setting and Azure AD is able to "soft-match" the cloud users to the on-prem user accounts. Now we have the same user object with two mailboxes, one on-premises and the other in the cloud. This is bad. Mail flow will be affected and we will be unable to migrate the user mailbox to EXO because a mailbox already exists. To fix it, we need to delete the cloud mailbox so that Exchange hybrid can create a new (empty) mailbox to migrate to when we're ready.

If we unlicense the user in Office 365 it will soft-delete the cloud mailbox, but when we license it again Office 365 will automatically reconnect the soft-deleted mailbox to the user account. It does this because the PreviousRecipientTypeDetails property on the user account is set to "UserMailbox". When this property is set, the user account is "unclean" and Exchange Online will always want to reconnect the soft-deleted mailbox. Even if we manage to permanently delete the cloud mailbox, EXO will create another new cloud mailbox when the user is re-licensed.

Previously, the only way to correct this was to permanently delete the cloud user account using Remove-MsolUser and Remove-MsolUser -RemoveFromRecycleBin remote PowerShell cmdlets, and then sync the object back from on-prem AD. The problem with this is that it's cumbersome to do and, more importantly, also deletes any prior SharePoint and OneDrive data that the cloud user may have accumulated.

Figure: A normal synced user in a hybrid scenario before migration to EXO

In the coming days, Microsoft is rolling out a new switch for the Set-User remote PS cmdlet which addresses this issue. Running Set-User -PermanentlyClearPreviousMailboxInfo in remote PowerShell will clear the PreviousRecipientTypeDetails property and return the user account to a "clean" condition. This will prevent EXO from creating a cloud mailbox, as shown above. The new command disconnects the cloud mailbox without affecting other data stored in Office 365, such as SharePoint or OneDrive data.

Note that this will permanently delete the cloud mailbox, so you should have the user save any important emails first or export the mailbox to a PST.
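Because the switch is destructive, it helps to check PreviousRecipientTypeDetails per account and dry-run the change before committing to it. The wrapper below is an added example, not code from the original post or from Microsoft; the function name and the sample UPNs are hypothetical, and it assumes an Exchange Online remote PowerShell session is already connected.

```powershell
# Added example. Assumes Get-User and Set-User are available from an
# existing Exchange Online remote PowerShell session.
function Clear-UncleanMailboxInfo {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$UserPrincipalName
    )
    process {
        foreach ($upn in $UserPrincipalName) {
            $before   = Get-User -Identity $upn -ErrorAction Stop
            $previous = "$($before.PreviousRecipientTypeDetails)"
            $status   = 'Skipped (already clean)'

            # Only "unclean" accounts (previous type UserMailbox) need the switch.
            if ($previous -eq 'UserMailbox') {
                $status = 'Not cleared (WhatIf or declined)'
                $action = 'Permanently clear previous mailbox info (cloud mailbox is lost)'
                if ($PSCmdlet.ShouldProcess($upn, $action)) {
                    Set-User -Identity $upn -PermanentlyClearPreviousMailboxInfo -Confirm:$false
                    $status = 'Cleared'
                }
            }

            # Re-read the account so the report shows the state after the change.
            $after = Get-User -Identity $upn -ErrorAction Stop
            [pscustomobject]@{
                UserPrincipalName    = $upn
                RecipientTypeDetails = "$($after.RecipientTypeDetails)"
                PreviousBefore       = $previous
                PreviousAfter        = "$($after.PreviousRecipientTypeDetails)"
                Status               = $status
            }
        }
    }
}

# Constructed sample UPNs. -WhatIf reports which accounts would be cleared
# without changing anything; drop it only after mailboxes have been exported.
'alice@contoso.example', 'bob@contoso.example' | Clear-UncleanMailboxInfo -WhatIf
```

Keeping the output of the dry run and of the real run gives a before/after record of which accounts had their mailbox info cleared.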
