Forum Discussion
Azure AD Password Hash Sync & Shared Mailboxes
- Oct 03, 2018
Hello Boon Leong Ong,

There are a few ways you can go about handling this.

1. Using a Hybrid Exchange server / manually changing the msExchRecipientTypeDetails value. This is one of the values that O365 looks at to determine what type of object you have. If you change this value and then re-sync the user object, it should convert over to a shared mailbox. At that point the password in O365 does not matter; you can then change the password in your local AD (or lock it) and it should work. You can't disable/delete the AD account, but you can effectively block it out and keep the object in O365. You MAY need to do a full sync to get the type to change, as O365 is notoriously stubborn at picking up a recipient type change. Once they have been converted to a shared mailbox, you can remove their license. http://techgenix.com/msexchangerecipienttypedetails-active-directory-values/

2. Disable/remove the account in local AD, then restore it through the recycle bin. You are correct: after 30 days the account is removed once it is deleted from local AD. This is just a function of how AADC works. However, since you have that 30-day window, you can choose to restore the user, and you can restore them as a cloud object. This will provision them as a cloud object not linked to your AD; you will also want to make sure you re-license them so that the Exchange mailbox comes back. Once that is back (and now a cloud user), you can go through the Exchange GUI and convert the user mailbox to a shared mailbox. Once that is done you can unlicense the user. Their Exchange data will be saved as a shared mailbox. *Note: any data in OneDrive or other applications for this user will, however, be lost.

3. Export and Import. This is the longest option, but probably the "safest" from a process standpoint (assuming you control the steps properly). When a user who is currently licensed is going to leave, you can use the Security and Compliance Center to export their data for you. You just create a search for that user (mail to and from) and then export it to a PST. Go in and create a shared mailbox; this can be a cloud object or a fresh AD account. Then import that data in. Once you are comfortable with your work, delete the user account, purge the data from deleted items in O365 (to free up the email address), and add their email address to the shared mailbox you created.

Personally I did mostly 1 or 2 with my clients, based on whether they wanted their shared mailboxes to have objects in AD or not. If they did, I would do 1; if they did not and were fine with them being cloud objects (and thus having no reference in AD), I would do 2.

Adam
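Option 1 from the post above, scripted end to end as an added example (this is not code from the thread). It assumes it runs on the AADC server as an account that can edit the user object, with the ActiveDirectory, ADSync and MSOnline modules installed, an Exchange Online remote PowerShell session already imported, and Connect-MsolService already run. The attribute values are the usual hybrid "remote shared mailbox" values (msExchRecipientTypeDetails = 2^35, msExchRemoteRecipientType = Migrated + SharedMailbox = 100); they are stated here from memory, so check them against the techgenix table the post links before using this. The safety point the post makes is enforced in code: the license is only removed after Exchange Online actually reports the mailbox as SharedMailbox, and the on-prem account is locked out with a random password rather than deleted, so AADC keeps the cloud object matched.

```powershell
# Added example, not from the original thread.
# Assumptions: AADC host, ActiveDirectory/ADSync/MSOnline modules present,
# EXO remote session imported, Connect-MsolService done. Attribute values below
# are assumed correct for a hybrid remote shared mailbox; verify before use.
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName
)
Import-Module ActiveDirectory
Import-Module ADSync
Import-Module MSOnline

$RemoteSharedMailbox   = 34359738368   # msExchRecipientTypeDetails: RemoteSharedMailbox (2^35)
$MigratedSharedMailbox = 100           # msExchRemoteRecipientType: Migrated (4) + SharedMailbox (96)

$user = Get-ADUser -Identity $SamAccountName `
    -Properties UserPrincipalName, msExchRecipientTypeDetails, msExchRemoteRecipientType
Write-Host ("Before: RecipientTypeDetails={0} RemoteRecipientType={1}" -f
    $user.msExchRecipientTypeDetails, $user.msExchRemoteRecipientType)

# 1. Flip the recipient type on the on-prem object (what the post calls
#    "manually changing the value").
Set-ADUser -Identity $user -Replace @{
    msExchRecipientTypeDetails = $RemoteSharedMailbox
    msExchRemoteRecipientType  = $MigratedSharedMailbox
}

# 2. Lock the account out: reset to a 256-bit random password nobody holds.
#    The object is kept (not disabled or deleted) so AADC keeps it linked.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPassword

# 3. Full sync rather than delta, since the type change is often missed otherwise.
Start-ADSyncSyncCycle -PolicyType Initial

# 4. Do not touch the license until Exchange Online reports SharedMailbox.
$upn  = $user.UserPrincipalName
$type = ''
for ($i = 0; $i -lt 20 -and $type -ne 'SharedMailbox'; $i++) {
    Start-Sleep -Seconds 30
    $type = [string](Get-Mailbox -Identity $upn -ErrorAction SilentlyContinue).RecipientTypeDetails
}
if ($type -ne 'SharedMailbox') {
    throw "Mailbox for $upn is still '$type'; leaving the license in place."
}

# 5. Now the license can go; removing it earlier would soft-delete the mailbox.
$skus = (Get-MsolUser -UserPrincipalName $upn).Licenses.AccountSkuId
if ($skus) {
    Set-MsolUserLicense -UserPrincipalName $upn -RemoveLicenses $skus
}
Write-Host "Converted $upn to a shared mailbox; removed licenses: $($skus -join ', ')"
```

The ordering is the part worth keeping even if you do the steps by hand: change the attribute, lock the account, full sync, confirm the cloud-side RecipientTypeDetails, and only then unlicense. Removing the license while the mailbox is still a user mailbox puts it into the 30-day soft-delete window the post warns about.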
For such scenarios, the recommended solution is to use Inactive mailboxes: https://docs.microsoft.com/en-us/office365/securitycompliance/create-and-manage-inactive-mailboxes
They are free, allow you to keep the data immutably and indefinitely, and don't rely on the AD user object. Now, if you need "online" access to the data of the departed user, they are not as convenient as shared mailboxes to use. There are a few other factors to consider as well, as detailed here: https://practical365.com/exchange-online/shared-mailboxes-vs-inactive-mailboxes-departed-users/
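The inactive-mailbox route from the reply above, as an added example that is not from the thread or the linked docs. It assumes an Exchange Online remote PowerShell session is imported and Connect-MsolService has been run, and that the mailbox is licensed for litigation hold (the follow-up in this thread notes that Exchange Online Plan 1 alone is not). The order matters: the hold has to be confirmed on the mailbox before the user is deleted, otherwise the deletion produces an ordinary soft-deleted mailbox that is purged after 30 days instead of an inactive one.

```powershell
# Added example, not from the original thread.
# Assumptions: EXO remote session imported, Connect-MsolService done,
# mailbox licensed for litigation hold.
param(
    [Parameter(Mandatory = $true)][string]$UserPrincipalName
)

# 1. Put the mailbox on an indefinite litigation hold. This is what turns a
#    later deletion into an inactive mailbox rather than a 30-day soft delete.
Set-Mailbox -Identity $UserPrincipalName -LitigationHoldEnabled $true -ErrorAction Stop

# 2. Confirm the hold is actually applied before deleting anything.
$mbx = Get-Mailbox -Identity $UserPrincipalName
if (-not $mbx.LitigationHoldEnabled) {
    throw "Litigation hold not active on $UserPrincipalName; not deleting the user."
}
Write-Host "Hold active on $($mbx.PrimarySmtpAddress) since $($mbx.LitigationHoldDate)"

# 3. Delete the user. The hold keeps the mailbox content; no AD object is needed.
Remove-MsolUser -UserPrincipalName $UserPrincipalName -Force

# 4. Verify the mailbox now shows up as inactive. Deletion is not instant, so poll.
$inactive = $null
for ($i = 0; $i -lt 20 -and -not $inactive; $i++) {
    Start-Sleep -Seconds 30
    $inactive = Get-Mailbox -InactiveMailboxOnly -Identity $UserPrincipalName -ErrorAction SilentlyContinue
}
if (-not $inactive) {
    throw "No inactive mailbox found for $UserPrincipalName; check the soft-deleted mailboxes."
}
Write-Host ("{0} is inactive (soft-deleted {1}), hold retained: {2}" -f
    $inactive.PrimarySmtpAddress, $inactive.WhenSoftDeleted, $inactive.LitigationHoldEnabled)
```

Step 2 is the check most worth keeping: a hold set moments earlier can take a while to show on the mailbox, and deleting the user before it does is the one mistake in this procedure that cannot be undone after the soft-delete window closes.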
- Boon Leong Ong, Oct 05, 2018
Thank you. But it looks like it requires Exchange Online Plan 2 for it to work. We are on Plan 1.