How to resolve the following issue: you re-enable the account of a returning employee and assign a license, but the mailbox is not provisioned.
A lot of customers open cases with Office 365 support saying "the mailbox is not provisioning". In this article I will explain how this can happen and what we can do to solve the situation.
We have the following scenario:
- we have a Hybrid Exchange configuration: local AD, local Exchange Server, DirSync, Office 365 tenant;
- we have a new employee;
- in local AD we created a new user for him and synced it to the cloud;
- because the source of authority is on-premises, we must create the mailbox from the local Exchange Server (this is very important for free/busy, permissions and other features);
- we have 2 possibilities:
  - create the mailbox on-premises and migrate it to the cloud;
  - run Enable-RemoteMailbox from the local Exchange Server to create the mailbox directly in the cloud;
- now we have a user and a perfectly functional mailbox in a Hybrid environment;
- from the local Exchange Server we can verify the RemoteMailbox status with Get-RemoteMailbox.
The user leaves the company.
In this case, the typical steps are:
- disable the user;
- back up the mailbox content and follow all other customer-specific procedures;
- move the user in local AD to an OU reserved for "former employees".
What will happen next?
Because the user was moved out of DirSync scope, DirSync will no longer find the user in local AD and will assume that we deleted it. The deletion is synced to the cloud and the MsolUser is deleted. The user remains in the "deleted user" state for 30 days. Azure AD ("Cloud AD") and Exchange Online (EXO, "Cloud Exchange") sync with each other every 15 minutes. When EXO sees that the user is deleted, it updates the mailbox and puts it into a soft-deleted state. If the mailbox is on Litigation Hold, it becomes an Inactive mailbox instead.
After more than 30 days, the Azure AD user is deleted permanently, the mailbox is purged (unless placed on hold), and the assigned license returns to the pool of available licenses.
But, HEY, our departed employee is back in the business and wants his accounts back. What should we do?
We enable his account in local AD, move it back from "former employees" to the OU where it belongs, sync him to the cloud, assign him a license ... and ... SURPRISE: a new cloud mailbox is not provisioned.
Why does this happen?
When the user was moved in local AD from a synced OU to a non-synced OU, he retained all his Exchange properties, and his ExchangeGuid still shows that he has a mailbox.
Even though the mailbox in the cloud was soft-deleted and then purged, that change was never synced back to local AD. After the local user is re-enabled and moved into the proper OU, he is synced into the cloud again.
The CloudExchangeRecipientDisplayType then shows: -2147483642 = SyncedMailboxUser.
The mailbox will not provision. Why? Because the cloud sees that the on-prem user has an ExchangeGuid, which means a mailbox already exists. What should we do next? We must follow these steps:
- IMPORTANT: talk to the affected user before deleting the MsolUser. If he has already used Skype / SharePoint / OneDrive, deleting the MsolUser will affect his experience with these products. Make sure you have the affected user's permission before performing the next steps, so you can be sure no data will be lost.
- remove the user from DirSync scope;
- force a DirSync; the MsolUser in the cloud will be deleted;
- run: Get-MsolUser -UserPrincipalName firstname.lastname@example.org ### should return an error like:
Get-MsolUser : User Not Found. User: email@example.com.
At line:1 char:1
+ Get-MsolUser -UserPrincipalName firstname.lastname@example.org
+ CategoryInfo : OperationStopped: (:) [Get-MsolUser], MicrosoftOnlineException
- Get-MsolUser -ReturnDeletedUsers ### email@example.com should be listed;
- Remove-MsolUser -RemoveFromRecycleBin -UserPrincipalName firstname.lastname@example.org ### delete from the Recycle Bin;
- Get-MsolUser -ReturnDeletedUsers ### email@example.com should no longer be listed. Now we are sure that the MsolUser was completely deleted;
- wait 15 minutes;
- Get-MailUser -SoftDeletedMailUser ### firstname.lastname@example.org should appear here;
- Remove-MailUser -PermanentlyDelete email@example.com ### delete the mail user from the soft-deleted mail users;
- verify with Get-MailUser firstname.lastname@example.org and Get-MailUser -SoftDeletedMailUser email@example.com that the mail user was deleted;
- go to the on-prem Exchange Server;
- Get-RemoteMailbox firstname.lastname@example.org | FL Name, ExchangeGuid ### should show something like: b6e89b85-7279-450d-a84c-3c5ccc639c27
- Set-RemoteMailbox email@example.com -ExchangeGuid "00000000-0000-0000-0000-000000000000" ### clear the evidence that the user has a mailbox;
- Get-RemoteMailbox firstname.lastname@example.org | FL Name, ExchangeGuid ### should show: 00000000-0000-0000-0000-000000000000
- move the user back into DirSync scope and force a DirSync;
- wait until the user appears in the Office 365 Admin center, then assign a license to it.
The mailbox should be created.
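The procedure above, as an added PowerShell example that is not part of the original article: the first function checks the cloud-side leftovers for one UPN (it assumes Connect-MsolService and Connect-ExchangeOnline have already been run in the session), and the second performs the on-prem ExchangeGuid reset with -WhatIf/-Confirm support and a record of the old value. The function names and the log file path are my assumptions.

```powershell
# Added example, not from the original article. The cloud half assumes
# Connect-MsolService and Connect-ExchangeOnline have already been run in this
# session; the on-prem half is meant for the on-prem Exchange Management Shell.
# Function names, the log file path and the -WhatIf support are assumptions.

function Get-ProvisioningBlockerState {
    # Reports the cloud-side leftovers described in the article for one UPN.
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $s = [ordered]@{ UserPrincipalName = $UserPrincipalName }

    # Live MsolUser; "User Not Found" is turned into $null instead of an error
    $live = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction SilentlyContinue
    $s.MsolUserExists = [bool]$live
    if ($live) { $s.CloudExchangeRecipientDisplayType = $live.CloudExchangeRecipientDisplayType }

    # MsolUser still in the 30-day recycle bin (must be purged before re-sync)
    $s.MsolUserInRecycleBin = [bool](Get-MsolUser -ReturnDeletedUsers |
        Where-Object { $_.UserPrincipalName -eq $UserPrincipalName })

    # Soft-deleted MailUser that EXO kept after the user was deleted
    $s.SoftDeletedMailUserExists = [bool](Get-MailUser -SoftDeletedMailUser -ResultSize Unlimited |
        Where-Object { $_.UserPrincipalName -eq $UserPrincipalName })

    # A real cloud mailbox; if none exists, nothing in the cloud matches the on-prem ExchangeGuid
    $s.CloudMailboxExists = [bool](Get-Mailbox -Identity $UserPrincipalName -ErrorAction SilentlyContinue)

    # The article's signature: synced user present and licensed, but no mailbox behind it
    $s.LooksLikeStaleExchangeGuid = $s.MsolUserExists -and -not $s.CloudMailboxExists
    [pscustomobject]$s
}

function Clear-RemoteMailboxExchangeGuid {
    # On-prem step: clear ExchangeGuid, but record the old value first so the change
    # is auditable and can be reverted; -WhatIf / -Confirm protect against the wrong user.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string]$Identity,
          [string]$LogPath = '.\ExchangeGuid-cleared.log')   # assumed location
    $rm  = Get-RemoteMailbox -Identity $Identity -ErrorAction Stop
    $old = $rm.ExchangeGuid.ToString()
    if ($old -eq [guid]::Empty.ToString()) { Write-Verbose 'ExchangeGuid is already empty'; return $old }
    if ($PSCmdlet.ShouldProcess($Identity, "Clear ExchangeGuid $old")) {
        "$(Get-Date -Format o) $Identity $old" | Add-Content -Path $LogPath
        Set-RemoteMailbox -Identity $Identity -ExchangeGuid ([guid]::Empty).ToString()
    }
    return $old
}
```

Run Get-ProvisioningBlockerState from the cloud session before touching anything, and run Clear-RemoteMailboxExchangeGuid in the on-prem shell with -WhatIf first; the returned old GUID and the log line give you what you need to put the value back if the wrong object was targeted.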