Account with an on-premise and online mailbox in hybrid configuration

O365 and on-premise Exchange servers in a hybrid configuration can cause many issues, especially when something goes wrong with the synchronisation. We encountered a problem where an account had both an on-premise Exchange mailbox and an online Exchange mailbox. The account should only have an on-premise mailbox and not an online mailbox. It should not be possible to have both mailboxes, but there you go, this impossibility did occur.

We first tried to just delicense the account, and indeed the online mailbox disappeared while the on-premise mailbox remained. Unfortunately, when an account is delicensed the online mailbox is neither soft-deleted nor hard-deleted, but disabled. This means that when you license the account again, the online mailbox is simply restored. Of course you could wait 30 days and the mailbox would be permanently deleted, but your account/user would be unlicensed for 30 days. This was not an option for us.

The difference between soft/hard-deleted and disabled is that you cannot use the command Get-Mailbox -SoftDeletedMailbox to find the mailbox. Well, you can use it, but the result is of course 0. The same goes for the command for hard-deleted mailboxes. I haven’t been able to find a command that would reveal the disabled mailboxes, nor a command to permanently delete the disabled mailboxes. Through trial and error I managed to delete the online mailbox without losing the on-premise mailbox, and was able to license the account again.

Move the account to an un-synced OU

The first step is moving the account/user to an OU that is not synced to Azure. Effectively, after a sync the user is deleted from Azure. I created an OU called “LostAndFound” and made sure that OU was not synced in Azure AD Connect. I then forced an update with the PowerShell command:

Start-ADSyncSyncCycle -PolicyType Delta

Make sure you have imported the module into PowerShell (it doesn’t have to be the latest PowerShell). Also make sure you run the commands on the server where Azure AD Connect is installed. You won’t need to authenticate to anything; just run the command in PowerShell on the server where Azure AD Connect is installed and running. To import the module:

Import-Module ADSync

Log in to Azure (https://portal.azure.com) and wait until you see that the user/account has disappeared from the list of all users.

Delete the account from “Deleted Users”

In Azure you can now see the account under “Deleted users”. When you log in to your on-premise ECP you will notice that the on-premise mailbox has also disappeared. When you log in to your online Exchange Admin Center (https://admin.exchange.microsoft.com/) you will also see under your mailboxes that the online mailbox has been deleted. So the account seems to be deleted with all its mailboxes, both on-premise and online. Because you moved the account into an OU that is not synced, the account is of course delicensed too.

Deleted users remain in the “recycle bin” for 30 days, and in both Azure and the Microsoft 365 admin center there is no way to empty this recycle bin. You have to do this via PowerShell. This can only be done in PowerShell version 6 or lower, so not in the latest PowerShell 7. Install these two modules in your PowerShell:

Install-Module PowershellGet -Force
Install-Module MSOnline

Now you can first check whether the deleted accounts are in the bin:

Get-MsolUser -ReturnDeletedUsers

Your deleted account should be listed there, along with other accounts that have been deleted in the past 30 days. To permanently delete the user account (or remove it from the recycle bin):

Remove-MsolUser -UserPrincipalName "user@example.com" -RemoveFromRecycleBin

With this command you permanently delete both the account and the attached online mailbox.

Restore the account to the OU that is synced

Now you can restore the account to the OU that is synced with Azure AD Connect. Then force an update in PowerShell on the server where Azure AD Connect is running:

Start-ADSyncSyncCycle -PolicyType Delta

Log in to Azure (https://portal.azure.com) and wait until the user/account is restored. As soon as you see the account in Azure, you can check in your on-premise ECP that the user has returned too, with the on-premise mailbox! Next you can restore the proper license to the account. When you log in to your online Exchange Admin Center (https://admin.exchange.microsoft.com) you will notice that the online mailbox has not returned. Your account/user now has only an on-premise mailbox and no online mailbox.
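The three steps above, tied together in one script with the checks I would want before an irreversible purge (added example, not the post's original commands). It assumes it runs in Windows PowerShell on the Azure AD Connect server with the ActiveDirectory, ADSync and MSOnline modules installed, that the operator can move AD objects, and the OU distinguished name and UPN are placeholders you supply; it waits for the cloud object to disappear, refuses to purge unless exactly one deleted user matches the UPN, and then moves the account back and re-syncs.

```powershell
#Requires -PSEdition Desktop
# Assumed: run on the Azure AD Connect server as an operator who can move AD objects.
param(
    [Parameter(Mandatory)][string]$Upn,                          # placeholder, e.g. user@example.com
    [string]$UnsyncedOu = 'OU=LostAndFound,DC=example,DC=com',   # placeholder DN of the OU excluded from sync
    [int]$TimeoutMinutes = 30
)
Import-Module ActiveDirectory, ADSync, MSOnline -ErrorAction Stop
Connect-MsolService

function Wait-ForCloudDeletion {
    # Polls the tenant until the UPN is no longer an active cloud user, or the timeout expires.
    param([string]$Upn, [int]$Minutes)
    $deadline = (Get-Date).AddMinutes($Minutes)
    while ((Get-Date) -lt $deadline) {
        if (-not (Get-MsolUser -UserPrincipalName $Upn -ErrorAction SilentlyContinue)) { return $true }
        Start-Sleep -Seconds 60
    }
    return $false
}

# Step 1: move the account to the un-synced OU and run a delta sync.
$user = Get-ADUser -Filter "UserPrincipalName -eq '$Upn'" -ErrorAction Stop
$originalOu = ($user.DistinguishedName -split ',', 2)[1]   # parent OU; assumes no escaped comma in the CN
Write-Host "Moving $Upn from $originalOu to $UnsyncedOu"
Move-ADObject -Identity $user.ObjectGUID -TargetPath $UnsyncedOu
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
if (-not (Wait-ForCloudDeletion -Upn $Upn -Minutes $TimeoutMinutes)) {
    throw "$Upn is still an active cloud user after $TimeoutMinutes minutes; check that $UnsyncedOu is excluded in Azure AD Connect."
}

# Step 2: purge from the recycle bin, but only when exactly the intended user is there (this is irreversible).
$deleted = @(Get-MsolUser -ReturnDeletedUsers -UserPrincipalName $Upn -ErrorAction SilentlyContinue)
if ($deleted.Count -ne 1) { throw "Expected one deleted user for $Upn, found $($deleted.Count); aborting." }
if ((Read-Host "Permanently remove $Upn and its online mailbox? (yes/no)") -ne 'yes') { throw 'Aborted by operator.' }
Remove-MsolUser -UserPrincipalName $Upn -RemoveFromRecycleBin -Force

# Step 3: move the account back to its synced OU; the next delta cycle recreates the cloud object without the online mailbox.
Move-ADObject -Identity $user.ObjectGUID -TargetPath $originalOu
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
Write-Host "Re-sync started; assign the license only after $Upn reappears in Azure AD and the on-premise mailbox is visible in ECP."
```

Take a backup of the on-premise mailbox before running it; the script checks the cloud side but cannot protect on-premise data.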

In summary

The difficulty with Exchange Online is that it is intrinsically connected with Azure AD. Online mailboxes are linked to the licenses that accounts get. Once an account is assigned an Exchange-enabled license, the account can have a mailbox. Removing the license does not delete (hard or soft) the mailbox, but disables it until the license has been restored. Deleting users from Azure will actually delete the mailbox associated with them too. On-premise nothing seems to be affected, even though the mailbox temporarily disappears, only to return when your account has been restored in Azure.

This took me a long time to figure out, with of course the constant fear that we would lose the content of the on-premise mailbox. Making a backup of the on-premise mailbox is always a good idea, to make sure you don’t lose any emails.
