Migrated Shared Mailboxes and Active Directory

  • Question

  • Hi,

    This may be by design but we still have AD user objects for Shared Mailboxes after they've been migrated to Exchange Online. Obviously any new Shared Mailboxes in Exchange Online do not create or need any AD user objects to work, so this creates a false view.

    Is this just the way it is, or is it possible to disconnect and clean up these AD user objects?

    What I do know is if you delete the AD object it deletes the Shared Mailbox in Exchange Online.

    Another thing I noticed was the msExchDelegatedListLink attribute in AD does not get updated by Exchange Online, so it is not always an accurate representation of the members. I guess this is due to Office 365 not writing this back.

    Andrew


    Andrew France - http://andrewsprivatecloud.wordpress.com

    Tuesday, October 30, 2018 10:31 AM

All replies

  • There is no supported way to "unlink" them; the only thing that Microsoft folks will advise you to do is disable DirSync and clear the ImmutableId. If you are fine with a small downtime, you can achieve the same by deleting the user from Azure AD, then immediately recovering it from the Recycle bin. This provisions it as a "disconnector" and allows you to clear/change the ImmutableId and break the link.
    • Proposed as answer by Niko.Cheng Wednesday, October 31, 2018 3:11 AM
    • Marked as answer by Andrew France Monday, November 5, 2018 9:54 AM
    Tuesday, October 30, 2018 7:17 PM
  • Thanks for the response. I'm interested in the exact steps I would need to take to achieve this.

    Do I remove the immutable ID before or after the restore?

    Are you removing the Immutable ID from the Azure AD User account?

    What does it mean to be provisioned as a disconnector?


    Andrew France - http://andrewsprivatecloud.wordpress.com

    Wednesday, October 31, 2018 8:17 AM
  • You cannot remove the ImmutableID before the restore, as the object is still "linked" to the AD. The steps to follow are: delete the user in AD, wait for sync, once it gets deleted in O365 restore it, change/remove the ImmutableID, restore the AD user if needed.

    If you need more details, check a similar scenario in this blog post: https://www.michev.info/Blog/Post/1486/how-to-assign-mailbox-to-a-different-user-with-exchange-online

    • Proposed as answer by Niko.Cheng Friday, November 2, 2018 2:37 AM
    • Marked as answer by Andrew France Monday, November 5, 2018 9:54 AM
    Wednesday, October 31, 2018 6:29 PM
  • Hi,

    I followed through the suggested steps. However after restoring the user I'm left with a blocked account, as it has no licenses assigned, and no Shared Mailbox.

    I shouldn't need to add any licenses as Shared Mailboxes don't require this.

    Am I missing something?


    Andrew France - http://andrewsprivatecloud.wordpress.com

    Friday, November 2, 2018 4:56 PM
  • As I mentioned in the original reply, this method will result in a small downtime. In general, if you do it fast enough the corresponding mailbox will not be disconnected, but if it is, you have to wait for a while for it to reconnect. I also mentioned that this is not supported in any way.
    • Proposed as answer by Niko.Cheng Monday, November 5, 2018 9:19 AM
    Friday, November 2, 2018 5:57 PM
  • OK so to confirm, if you are not an idiot like me this will definitely work!

    I think I worked out what I did wrong, which was to delete the user from Exchange On-Prem, rather than deleting from AD Users and Computers.

    One thing I did notice is you will get an error in AD Connect if you do not remove the Immutable ID.

    Thanks for your help on this Vasil, and apologies for being a bit of a dope!


    Andrew France - http://andrewsprivatecloud.wordpress.com

    Monday, November 5, 2018 9:57 AM
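
The sequence worked out in this thread (delete in AD, sync, restore in Office 365, clear the ImmutableId), written out as an added PowerShell example that is not part of any post above. It assumes the ActiveDirectory, ADSync and MSOnline modules, an open Exchange Online session for Get-Mailbox, and that it runs on the Azure AD Connect server; the UPN is a constructed placeholder.

```powershell
# Added example, not from the thread. Unsupported procedure; expect a short mailbox downtime.
$upn = 'shared-finance@contoso.example'   # constructed placeholder

Import-Module ActiveDirectory, ADSync, MSOnline
Connect-MsolService

# Guard: only continue for a directory-synced object that backs a shared mailbox.
$cloud = Get-MsolUser -UserPrincipalName $upn
$mbx   = Get-Mailbox -Identity $upn
if ($mbx.RecipientTypeDetails -ne 'SharedMailbox') { throw "$upn is not a shared mailbox" }
if (-not $cloud.ImmutableId) { throw "$upn has no ImmutableId, so it is not linked to AD" }
"Before: ImmutableId=$($cloud.ImmutableId)"   # record it in case the link must be rebuilt

# 1. Delete the user object in AD itself, not through on-premises Exchange.
$adUser = Get-ADUser -Filter "UserPrincipalName -eq '$upn'"
if (-not $adUser) { throw "No AD user found for $upn" }
Remove-ADUser -Identity $adUser -Confirm:$false

# 2. Sync the deletion and wait (up to 10 minutes) for the cloud user to be soft-deleted.
Start-ADSyncSyncCycle -PolicyType Delta
$deleted = $null
for ($i = 0; $i -lt 20 -and -not $deleted; $i++) {
    Start-Sleep -Seconds 30
    $deleted = Get-MsolUser -ReturnDeletedUsers -SearchString $upn
}
if (-not $deleted) { throw "Deletion of $upn has not reached Office 365 yet" }

# 3. Restore the cloud user straight away to keep the downtime short.
Restore-MsolUser -UserPrincipalName $upn

# 4. Clear the ImmutableId to break the link to the deleted AD object.
Set-MsolUser -UserPrincipalName $upn -ImmutableId "$null"

# 5. Verify the link is gone and the shared mailbox is still attached.
$after = Get-MsolUser -UserPrincipalName $upn
"After: ImmutableId='$($after.ImmutableId)'"
Get-Mailbox -Identity $upn | Select-Object DisplayName, RecipientTypeDetails
```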