Secrets of Exchange Online Mailbox Provisioning

The most prominent example of this is Microsoft Teams. What exactly happens when Exchange Online provisions a mailbox depends on different factors. Especially when using hybrid identities synchronized with Azure AD Connect, there are essential points to consider.

Mailbox Overview

Exchange Online (EXO) uses multiple mailbox types for different purposes; these include:

• User mailbox - This is the classic mailbox with an inbox that a user accesses with an email client. A user mailbox always requires a license assignment.
• Shared mailbox - This is a mailbox assigned to a disabled user account. Instead, selected users have full access to the mailbox. This configuration makes the shared mailbox appear automatically in the Outlook client for use. A shared mailbox does not usually require a license assignment. A license assignment is necessary, e.g., if a direct login to the mailbox is needed or the mailbox size exceeds 50GB.
• Room and resource mailbox - A mailbox of this type uses a disabled user account with no direct login; a room or resource is invited and reserved as part of an appointment booking. The same license dependencies apply to these mailbox types as to shared mailboxes.

In addition to these "standard" mailbox types, there are other mailbox types in Exchange Online that do not appear directly as mailboxes.

• Group mailbox - This mailbox type belongs to Microsoft 365 Groups. A Microsoft 365 group is, simply speaking, a distribution list with a mailbox and a SharePoint Online Team site. The "flat" inbox is primarily used for group-based communication.
• Shard mailbox - This mailbox type does not appear visibly. Some documentation refers to this mailbox type as a shadow mailbox. Exchange Online provisions a shard mailbox for a user who has a primary mailbox in an on-premises Exchange organisation. This mailbox is only accessible for selected Microsoft backend services, such as Microsoft Teams, to store or read data.

Public folder mailboxes are not relevant in this blog post.

Mailbox Provisioning

The provisioning behavior of Exchange Online mailboxes is primarily determined by whether the associated user account is a cloud-only or hybrid identity synchronized from an on-premises Active Directory environment. Azure AD Connect offers a configuration for Exchange Hybrid. Depending on the setting, information from the on-premises Exchange organization may or may not be transferred to Exchange Online. This directly affects the provisioning of Exchange Online mailboxes.

Two different directory services in Microsoft 365 are involved in provisioning. One is the Microsoft Online Directory Service (MSODS) and the Exchange Online Directory Service (EXODS). Regular synchronization takes place between the two.

Before we look at the creation of mailboxes, we will first look at the deactivation and deletion of mailboxes in Exchange Online.

Deactivation

You deactivate Exchange Online mailboxes with an EXO license by removing the license in MSODS. This primarily affects user mailboxes. In rare cases, other mailbox types, insofar as the associated accounts use a license.

Cloud-only user objects without an EXO license are deactivated directly using the Exchange Online cmdlet Disable-Mailbox. By default, unlicensed entities include shared mailboxes or room and resource mailboxes.

The situation is different for Exchange Hybrid. In this case, you always deactivate the mailbox in the on-premises Exchange organization using the Disable-RemoteMailbox cmdlet. In addition, you must remove the EXO license from the synchronized MSODS object.

The user object remains in MSODS in Active status and is still visible in the active users list. In Exchange Online, on the other hand, the mailbox changes to Disconnected status for 30 days and is then deleted. As part of the status change, Exchange Online stores the last valid mailbox state in the user attributes msExchPreviousRecipientTypeDetails, msExchPreviousMailboxGuid, and msExchPreviousHomeMDBSL. After deleting the mailbox, a background process clears the attributes. Unfortunately, this does not always work. In such a case, you must clean up the user object manually.

Deletion

You delete an Exchange Online mailbox for a cloud-only user either by deleting the MSODS object or running the EXO cmdlet Remove-Mailbox.

With Exchange Hybrid, you delete the mailbox in the on-premises Exchange organization with a subsequent transfer to MSODS via Azure AD Connect. Remove any assigned EXO license from the MSODS object beforehand.

When you delete a mailbox, the user object remains visible in MSODS in Active status for 30 days. As with deactivation, Exchange Online saves the previous mailbox state and cleans the user object after the final mailbox deletion. The clean-up process can fail as well. In such cases, manual clean-up will help you.

Get-Mailbox User@varunagroup.de -SoftDeletedMailbox | Remove-Mailbox - PermanentlyDelete -Force

Set-User User@varunagroup.de -PermanentlyClearPreviousMailboxInfo

Mailboxes with active hold

Deactivating and deleting mailboxes in Exchange Online is straightforward. It only gets complicated when the affected mailboxes have an active hold, i.e., an active eDiscovery hold. In such a case, the behavior of MSODS and EXODS differs from that described above.

A mailbox can be subject to the following hold configurations:

• Litigation Hold – Hold enabled for the entire mailbox in EXO
• In-Place Hold – Rule-based Exchange Online In-Place Discovery & Hold This variant can no longer be applied since H2 2020 Dies Variante kann seit H2 2020 nicht mehr neu aktiviert werden
• eDiscovery Hold – Rule-based Purview eDiscovery hold
• Microsoft 365 Retention Policy – either as an organization-wide retention policy or as a selected storage location hold
• Microsoft 365 Retention Label – Retention for labeled mailbox content as part of a unified labeling configuration

If one of these holds applies to a mailbox, the ComplianceTagHoldApplied attribute is TRUE. Deletion of the corresponding user object results in an inactive mailbox. A mailbox deactivation is then not possible. The longest applicable retention always wins before deletion of content. This applies identically to the primary and an existing archive mailbox.

After deletion, the user object appears in the list of soft-deleted accounts in MSODS for 30 days. Exchange Online set the mailbox to Inactive for the duration of the longest hold configuration. You can check the list of soft-deleted mailboxes:

Get-Mailbox -InactiveMailboxOnly User | ft -AutoSize Name, IsInactiveMailbox, IsSoftDeletedByRemove

Name    IsInactiveMailbox    IsSoftDeletedByRemove
----    -----------------    ---------------------
User    True                 True

You receive a validation error when you attempt to deactivate a mailbox with an active hold.

"Exchange can't disable the mailbox "EURPR01A007.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/contoso.onmicrosoft.com/UserWithHold" because it is on litigation hold."

The user object remains in the Active status in MSODS. Exchange Online keeps the user object as UserMailbox until you resolve the "error." You can check the error details is possible via PowerShell.

(Get-MSOLUser -UserPrincipalName
User@varunagroup.de).Errors.ErrorDetail.ObjectErrors.ErrorRecord

MSODS and EXODS do not synchronize an MSOLUSer object with such an error. Changes in one service are not visible in the other.

Reconnect / New Mailbox

You can reconnect a non-licensed cloud-only mailbox by using the EXO cmdlet Enable-Mailbox. The size of the original mailbox must be less than 50 GB. Otherwise, you must assign an EXO license.

What happens when a mailbox requiring a license is connected?

The assignment of an EXO license automatically triggers the connection of a mailbox in soft-deleted status. The reconnection process performs two checks:

1. In EXODS, the process checks whether the attribute msExchPreviousRecipientTypeDetails is set to UserMailbox for the object.

If this is the case, Exchange Online tries to find and connect the mailbox based on the attribute information msExchPreviousMailboxGuid and msExchPreviousMailboxGuid.

If this does not succeed, the second check takes place:

2. Is the attribute ExchangeGuid synchronized from on-premises?

1. If the attribute is not synchronized, Exchange Online creates a new mailbox.
2. If the on-premises GUID is synchronized, you see the following provisioning error message in the Microsoft 365 Admin Center

This user's on-premises mailbox hasn't been migrated to Exchange Online. The Exchange Online mailbox will be available after migration is completed.

The second check when connecting a mailbox applies identically to creating an entirely new mailbox. The synchronized or unsynchronised ExchangeGuid decides whether to create a new Exchange Online mailbox or wait for the migration of an existing mailbox.

The interesting point is that the Microsoft 365 Admin Center message is technically an Exchange Online provisioning error.

Note

The standard SLA for provisioning or de-provisioning a mailbox in Exchange Online is 24h. We have become accustomed to a mailbox being provisioned or de-provisioned relatively quickly. This behavior is more by chance than by design. As Exchange administrators, we must always remind ourselves when it takes longer than expected. With the following cmdlet, you can repeat the provisioning attempt:

Redo-MsolProvisionUser -ObjectId (Get-MSOLUser -UserPrincipalName User@varunagroup.de).ObjectID

Links

• Cmdlet Redo-MsolProvisionUser
• Cmdlet Disable-Mailbox
• Cmdlet Disable-RemoteMailbox
• Cmdlet Remove-Mailbox
• How to identify the type of hold placed on an Exchange Online mailbox
• How to work with Inactive Mailboxes
• Permanently Clear Previous Mailbox Info
• "Setting up..." messages in the Microsoft 365 admin center

Enjoy Exchange Online.

Exchange Hybrid and Office 365 Monitoring and Reporting

On-premises components, such as AD FS, PTA, and Exchange Hybrid are critical for Office 365 end user experience. In addition, something as trivial as expiring Exchange or AD FS certificates can certainly lead to unexpected outages. By proactively monitoring hybrid components, ENow gives you early warnings where hybrid components are reaching a critical state, or even for an upcoming expiring certificate. Knowing immediately when a problem happens, where the fault lies, and why the issue has occurred, ensures that any outages are detected and solved as quickly as possible.

Access your free 14-day trial of ENow’s Exchange Hybrid and Office 365 Monitoring and Reporting today!