Enabling Exchange Online Organization Customization
Customizing and configuring an Exchange organization has been a daily task for Exchange...
Exchange Online has different ways to provision mailboxes. Exchange Online is a standard service within Microsoft 365, which in the simplest case provides a mailbox. However, an Exchange Online mailbox also serves as a storage location for user-related data from other Microsoft 365 services.
The most prominent example of this is Microsoft Teams. What exactly happens when Exchange Online provisions a mailbox depends on different factors. Especially when using hybrid identities synchronized with Azure AD Connect, there are essential points to consider.
Exchange Online (EXO) uses multiple mailbox types for different purposes; these include:
In addition to these "standard" mailbox types, there are other mailbox types in Exchange Online that do not appear directly as mailboxes.
Public folder mailboxes are not relevant in this blog post.
The provisioning behavior of Exchange Online mailboxes is primarily determined by whether the associated user account is a cloud-only or hybrid identity synchronized from an on-premises Active Directory environment. Azure AD Connect offers a configuration for Exchange Hybrid. Depending on the setting, information from the on-premises Exchange organization may or may not be transferred to Exchange Online. This directly affects the provisioning of Exchange Online mailboxes.
Two different directory services in Microsoft 365 are involved in provisioning. One is the Microsoft Online Directory Service (MSODS) and the Exchange Online Directory Service (EXODS). Regular synchronization takes place between the two.
Before we look at the creation of mailboxes, we will first look at the deactivation and deletion of mailboxes in Exchange Online.
You deactivate Exchange Online mailboxes with an EXO license by removing the license in MSODS. This primarily affects user mailboxes. In rare cases, other mailbox types, insofar as the associated accounts use a license.
Cloud-only user objects without an EXO license are deactivated directly using the Exchange Online cmdlet Disable-Mailbox. By default, unlicensed entities include shared mailboxes or room and resource mailboxes.
The situation is different for Exchange Hybrid. In this case, you always deactivate the mailbox in the on-premises Exchange organization using the Disable-RemoteMailbox cmdlet. In addition, you must remove the EXO license from the synchronized MSODS object.
The user object remains in MSODS in Active status and is still visible in the active users list. In Exchange Online, on the other hand, the mailbox changes to Disconnected status for 30 days and is then deleted. As part of the status change, Exchange Online stores the last valid mailbox state in the user attributes msExchPreviousRecipientTypeDetails, msExchPreviousMailboxGuid, and msExchPreviousHomeMDBSL. After deleting the mailbox, a background process clears the attributes. Unfortunately, this does not always work. In such a case, you must clean up the user object manually.
Set-User User@varunagroup.de -PermanentlyClearPreviousMailboxInfo
You delete an Exchange Online mailbox for a cloud-only user either by deleting the MSODS object or running the EXO cmdlet Remove-Mailbox.
With Exchange Hybrid, you delete the mailbox in the on-premises Exchange organization with a subsequent transfer to MSODS via Azure AD Connect. Remove any assigned EXO license from the MSODS object beforehand.
When you delete a mailbox, the user object remains visible in MSODS in Active status for 30 days. As with deactivation, Exchange Online saves the previous mailbox state and cleans the user object after the final mailbox deletion. The clean-up process can fail as well. In such cases, manual clean-up will help you.
Get-Mailbox User@varunagroup.de -SoftDeletedMailbox | Remove-Mailbox - PermanentlyDelete -Force
Set-User User@varunagroup.de -PermanentlyClearPreviousMailboxInfo
Deactivating and deleting mailboxes in Exchange Online is straightforward. It only gets complicated when the affected mailboxes have an active hold, i.e., an active eDiscovery hold. In such a case, the behavior of MSODS and EXODS differs from that described above.
A mailbox can be subject to the following hold configurations:
If one of these holds applies to a mailbox, the ComplianceTagHoldApplied attribute is TRUE. Deletion of the corresponding user object results in an inactive mailbox. A mailbox deactivation is then not possible. The longest applicable retention always wins before deletion of content. This applies identically to the primary and an existing archive mailbox.
After deletion, the user object appears in the list of soft-deleted accounts in MSODS for 30 days. Exchange Online set the mailbox to Inactive for the duration of the longest hold configuration. You can check the list of soft-deleted mailboxes:
Get-Mailbox -InactiveMailboxOnly User | ft -AutoSize Name, IsInactiveMailbox, IsSoftDeletedByRemove
Name IsInactiveMailbox IsSoftDeletedByRemove
---- ----------------- ---------------------
User True True
You receive a validation error when you attempt to deactivate a mailbox with an active hold.
"Exchange can't disable the mailbox "EURPR01A007.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/contoso.onmicrosoft.com/UserWithHold" because it is on litigation hold."
The user object remains in the Active status in MSODS. Exchange Online keeps the user object as UserMailbox until you resolve the "error." You can check the error details is possible via PowerShell.
(Get-MSOLUser -UserPrincipalName
User@varunagroup.de).Errors.ErrorDetail.ObjectErrors.ErrorRecord
MSODS and EXODS do not synchronize an MSOLUSer object with such an error. Changes in one service are not visible in the other.
You can reconnect a non-licensed cloud-only mailbox by using the EXO cmdlet Enable-Mailbox. The size of the original mailbox must be less than 50 GB. Otherwise, you must assign an EXO license.
What happens when a mailbox requiring a license is connected?
The assignment of an EXO license automatically triggers the connection of a mailbox in soft-deleted status. The reconnection process performs two checks:
1. In EXODS, the process checks whether the attribute msExchPreviousRecipientTypeDetails is set to UserMailbox for the object.
If this is the case, Exchange Online tries to find and connect the mailbox based on the attribute information msExchPreviousMailboxGuid and msExchPreviousMailboxGuid.
If this does not succeed, the second check takes place:
2. Is the attribute ExchangeGuid synchronized from on-premises?
This user's on-premises mailbox hasn't been migrated to Exchange Online. The Exchange Online mailbox will be available after migration is completed.
The second check when connecting a mailbox applies identically to creating an entirely new mailbox. The synchronized or unsynchronised ExchangeGuid decides whether to create a new Exchange Online mailbox or wait for the migration of an existing mailbox.
The interesting point is that the Microsoft 365 Admin Center message is technically an Exchange Online provisioning error.
The standard SLA for provisioning or de-provisioning a mailbox in Exchange Online is 24h. We have become accustomed to a mailbox being provisioned or de-provisioned relatively quickly. This behavior is more by chance than by design. As Exchange administrators, we must always remind ourselves when it takes longer than expected. With the following cmdlet, you can repeat the provisioning attempt:
Redo-MsolProvisionUser -ObjectId (Get-MSOLUser -UserPrincipalName User@varunagroup.de).ObjectID
Enjoy Exchange Online.
On-premises components, such as AD FS, PTA, and Exchange Hybrid are critical for Office 365 end user experience. In addition, something as trivial as expiring Exchange or AD FS certificates can certainly lead to unexpected outages. By proactively monitoring hybrid components, ENow gives you early warnings where hybrid components are reaching a critical state, or even for an upcoming expiring certificate. Knowing immediately when a problem happens, where the fault lies, and why the issue has occurred, ensures that any outages are detected and solved as quickly as possible.
Access your free 14-day trial of ENow’s Exchange Hybrid and Office 365 Monitoring and Reporting today!
Customizing and configuring an Exchange organization has been a daily task for Exchange...
"Exchange Hybrid options? There are none. Just go Full Monty." - undisclosed Exchange consultant
...