Within the support organization at Microsoft we definitely see cases where customers are trying to recover deleted mailboxes. Typically, by the time a customer has contacted us they have tried everything they know as well as suggestions found online to recover the mailbox. It is often a completely avoidable and honest mistake that led to the deletion of the user’s Active Directory account in the first place.
If you ever find yourself having a similarly bad day, then this article is meant to be your guide to not only getting through it, but to also come out of it as a superhero who is able to recover user accounts and mailboxes to a fully functional state without data loss.
The main objective of this article is to help you recover a cloud mailbox after the corresponding on-premises user account has been deleted. If you do not have Directory Synchronization in place, then this article is not for you. With no Directory Synchronization in place you should view this article instead.
There are many different mailbox recovery scenarios you may find yourself in. We will cover the most common scenarios throughout the course of this article to assist you in identifying the best recovery option for your own situation.
Every one of these scenarios has the same result: the associated user account in Office 365 is deleted, which puts the mailbox into a soft-deleted state. A soft-deleted mailbox is recoverable for 30 days; after that it is permanently removed from Office 365 and cannot be recovered.
It is extremely important to attempt a proper user account recovery before blindly creating a new user account and merging the mailbox data. If you can restore the original user account, you will most likely not lose any of the user's data in other services such as OneDrive and SharePoint, because the restored account keeps its original identity and therefore its existing permissions and group memberships. The impact on the user is also minimal: there is no need to create new profiles or reset passwords; the user simply signs in and resumes working where they left off.
One of the challenges in restoring a mailbox is knowing which recovery option to use. If you already know the recovery option you need, you can jump to it using the hyperlinks below. Otherwise we invite you to follow along, and the article will guide you to the proper place.
In some of the more complex customer environments it is sometimes beneficial to synchronize only certain Active Directory groups or Organizational Units (OUs) into Office 365. While this is not a common practice for most of our customers the process to configure filtering (if you are not familiar) is documented here. When configured, if a user is moved from an OU that is being synchronized to an OU that is not being synchronized, then Office 365 will see this action as a user account deletion. This causes the user account to be deleted within Office 365 and as a result the user’s mailbox also ends up in the previously mentioned soft-deleted state.
The good news is the recovery for this scenario is quite simple. All you need to do is move the user back into the OU they were originally in. Assuming that OU is still being synchronized, the next time Directory Synchronization completes the user and all associated data will be restored. Directory synchronization runs on a fixed schedule (every three hours with the legacy DirSync tool, every 30 minutes by default with Azure AD Connect), so after moving the user back you would normally wait for the next cycle. However, if you are like me and cannot wait, you can force a synchronization. This article contains the necessary information to force a synchronization to take place immediately.
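The following is an added example (not part of the original article) of the OU-filtering recovery from start to finish: confirm the cloud account really is in the deleted state, move the on-premises object back into a synchronized OU, force a delta sync rather than waiting for the scheduler, and verify that the restored cloud account kept its ImmutableId. It assumes the ActiveDirectory module on the admin workstation, the ADSync module and PowerShell remoting on the Azure AD Connect server, and an existing Connect-MsolService session; the account name, UPN, OU and server name are placeholders.

```powershell
# Added example, not from the article. All names below are placeholders.
$SamAccountName = 'jdoe'
$Upn            = 'firstname.lastname@example.org'
$SyncedOu       = 'OU=Staff,DC=example,DC=org'   # an OU inside the Directory Synchronization scope
$SyncServer     = 'AADCONNECT01'                 # the Azure AD Connect server

# 1. Confirm the cloud object is really in the deleted container before touching anything.
#    A soft-deleted user is only returned when -ReturnDeletedUsers is specified.
$deleted = Get-MsolUser -ReturnDeletedUsers -UserPrincipalName $Upn -ErrorAction SilentlyContinue
if (-not $deleted) {
    throw "$Upn is not in the Office 365 deleted users container; this is not the OU-filtering scenario."
}

# 2. Move the on-premises object back into an OU that Directory Synchronization covers.
$user = Get-ADUser -Identity $SamAccountName
Move-ADObject -Identity $user.DistinguishedName -TargetPath $SyncedOu

# 3. Kick off a delta sync instead of waiting for the scheduler.
#    Start-ADSyncSyncCycle refuses to start while another cycle is running, hence the wait.
Invoke-Command -ComputerName $SyncServer -ScriptBlock {
    Import-Module ADSync
    while ((Get-ADSyncScheduler).SyncCycleInProgress) { Start-Sleep -Seconds 15 }
    Start-ADSyncSyncCycle -PolicyType Delta
}

# 4. Wait for that cycle to finish, then verify. The on-premises object kept its objectGUID,
#    so the ImmutableId on the restored cloud account must equal the one it had before deletion.
do {
    Start-Sleep -Seconds 30
    $busy = Invoke-Command -ComputerName $SyncServer -ScriptBlock {
        Import-Module ADSync
        (Get-ADSyncScheduler).SyncCycleInProgress
    }
} while ($busy)

$restored = Get-MsolUser -UserPrincipalName $Upn -ErrorAction SilentlyContinue
if ($restored -and $restored.ImmutableId -eq $deleted.ImmutableId) {
    "Restored $Upn with ObjectId $($restored.ObjectId); ImmutableId unchanged, so mailbox, OneDrive and permissions are intact."
} else {
    Write-Warning "$Upn is not back yet or its ImmutableId changed; inspect the connector space on $SyncServer before retrying."
}
```

The ImmutableId comparison at the end is the check worth keeping: an unchanged ImmutableId is what ties the restored cloud object to its mailbox and permissions, whereas a different value means a new object was created and you are in the merge scenario later in this article.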
This scenario is a bit more common than the previous one. Many of our customers have realized the benefits that come with having the Active Directory Recycle Bin enabled. If you are not familiar with this feature and are interested in learning more, you can check it out here. The Active Directory Recycle Bin works as it sounds: when an object is deleted, you can essentially undo the deletion without the kind of complex authoritative AD restore process we all used and loved in the past.
The good news is that if you have the Active Directory Recycle Bin enabled, it is a valid option to recover the deleted user. However, if the user was deleted before this feature was enabled in your environment, it will be of no help.
Note: While less common, if you are using Directory Synchronization filtering (explained here), you need to be sure you restore the user to an OU that is within the Directory Synchronization scope.
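Here is an added example (not part of the original article) of the Recycle Bin recovery, including the filtering caveat from the note above: it finds the recycled copy of the user, restores it with the original objectGUID intact, and places it directly in an OU inside the synchronization scope. It assumes the ActiveDirectory module and that the Recycle Bin was enabled before the deletion; the account name and OU are placeholders.

```powershell
# Added example, not from the article. Names are placeholders.
$SamAccountName = 'jdoe'
$SyncedOu       = 'OU=Staff,DC=example,DC=org'   # must be inside the sync scope when OU filtering is used

# Recycled objects are invisible to normal queries. -IncludeDeletedObjects plus the isDeleted
# flag selects the deleted copy rather than a live object that happens to share the name.
$recycled = Get-ADObject -Filter { samAccountName -eq $SamAccountName -and isDeleted -eq $true } `
    -IncludeDeletedObjects -Properties lastKnownParent, userPrincipalName, whenChanged

if (-not $recycled) {
    throw "No recycled object for $SamAccountName. If it was deleted before the Recycle Bin was enabled, the Recycle Bin cannot help."
}
if (@($recycled).Count -gt 1) {
    # Several deleted copies can exist after repeated create/delete cycles; take the most recent one.
    $recycled = $recycled | Sort-Object whenChanged -Descending | Select-Object -First 1
}
"Found $($recycled.userPrincipalName); last known parent: $($recycled.lastKnownParent)"

# Restore-ADObject keeps the original objectGUID, so the ImmutableId Office 365 already knows is
# unchanged and the next sync cycle resurrects the cloud user instead of creating a new one.
# -TargetPath overrides the original parent; it is what keeps the user inside the sync scope.
# (If the original parent OU was deleted as well, restore that OU first.)
if ($recycled.lastKnownParent -eq $SyncedOu) {
    Restore-ADObject -Identity $recycled.ObjectGUID
} else {
    Restore-ADObject -Identity $recycled.ObjectGUID -TargetPath $SyncedOu
}

# The account comes back exactly as it was, including group membership; confirm before syncing.
Get-ADUser -Identity $SamAccountName -Properties Enabled, MemberOf |
    Select-Object SamAccountName, Enabled, DistinguishedName, @{ n = 'Groups'; e = { @($_.MemberOf).Count } }
```

After the restore, force a synchronization as described for the OU-filtering scenario (or wait for the next scheduled cycle), then confirm with Get-MsolUser that the cloud account is no longer in the deleted users container.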
If you made it this far in the document, you likely are thinking “darn it I should have enabled the recycle bin for Active Directory”. While I agree with that sentiment, all is not lost. You can still recover your user account and mailbox data. In addition, you can still recover the data associated with other services, you just have a more difficult process to follow.
The reason we try so hard to restore the original user account is so that all of the data associated with the user is also restored. If you were to create a new user account on-premises (even with the same name as the deleted user), it would have a new objectGUID, and when it synchronizes to Office 365 it would arrive with a new ImmutableId and be treated as a completely different identity. This means that any SharePoint, OneDrive, Exchange, and other data or permissions associated with the original user would be lost.
The last good way to restore a user and all of their associated data may seem a bit backward, but it works, and the user will be back up and running with their data in no time.
Set-MsolUser -UserPrincipalName firstname.lastname@example.org -ImmutableID " "
For details on how to install and connect to the Azure AD PowerShell, go here.
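To make the objectGUID/ImmutableId relationship from the previous paragraphs concrete, here is an added example (not the article's own procedure) that computes the ImmutableId Directory Synchronization derives from an on-premises objectGUID, compares it with what the cloud account carries, and can hard-match the two so the next sync cycle joins the recreated on-premises user to the existing cloud user instead of creating a second one. It assumes the ActiveDirectory and MSOnline modules (MSOnline is the module the article uses; Microsoft has since retired it in favor of Microsoft Graph PowerShell) and an existing Connect-MsolService session. The account name and UPN are placeholders, and the -Apply switch is this script's own convention.

```powershell
# Added example, not from the article. Names and the -Apply switch are this script's own.
param(
    [string]$SamAccountName = 'jdoe',
    [string]$Upn            = 'firstname.lastname@example.org',
    [switch]$Apply          # without -Apply the script only reports; it changes nothing
)

# By default the sourceAnchor that becomes the cloud ImmutableId is the base64 encoding of the
# objectGUID's 16 raw bytes, so the value can be computed and decoded offline.
function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}
function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    [guid]::new([System.Convert]::FromBase64String($ImmutableId))
}

$onPrem   = Get-ADUser -Identity $SamAccountName
$expected = ConvertTo-ImmutableId -ObjectGuid $onPrem.ObjectGUID

# The cloud object may still be soft-deleted; bring it back before comparing.
$cloud = Get-MsolUser -UserPrincipalName $Upn -ErrorAction SilentlyContinue
if (-not $cloud) {
    $null = Get-MsolUser -ReturnDeletedUsers -UserPrincipalName $Upn -ErrorAction Stop
    "$Upn is soft-deleted in Office 365; restoring it first."
    # Fails if another object already owns the UPN; Restore-MsolUser -NewUserPrincipalName covers that case.
    Restore-MsolUser -UserPrincipalName $Upn -ErrorAction Stop
    $cloud = Get-MsolUser -UserPrincipalName $Upn
}

"On-prem objectGUID  : $($onPrem.ObjectGUID)"
"Expected ImmutableId: $expected"
"Cloud ImmutableId   : $($cloud.ImmutableId)"
if ($cloud.ImmutableId) {
    "Cloud ImmutableId decodes to objectGUID $(ConvertFrom-ImmutableId -ImmutableId $cloud.ImmutableId)"
}

if ($cloud.ImmutableId -eq $expected) {
    "Already matched: the next sync cycle joins these objects and no data is lost."
} elseif ($Apply) {
    # Hard match: stamp the on-premises objectGUID on the existing cloud object so Directory
    # Synchronization joins them rather than creating a new account with an empty mailbox.
    # This only succeeds once the cloud object is no longer flagged as synchronized, which is
    # what the article's step of clearing the ImmutableId (Set-MsolUser -ImmutableID) achieves.
    Set-MsolUser -UserPrincipalName $Upn -ImmutableId $expected
    "Hard-matched $Upn to objectGUID $($onPrem.ObjectGUID); run a delta sync to confirm the join."
} else {
    Write-Warning "Mismatch: without a hard match the recreated user will sync as a brand-new object. Re-run with -Apply."
}
```

Run it once without -Apply to see the two values side by side; the decoded GUID from the cloud side tells you immediately whether the cloud account still points at an objectGUID that no longer exists on-premises.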
If none of the above recovery options work for your situation, you can still recover the mailbox data. While this process works and is a great way to recover mailbox data that would otherwise be lost, you still lose the data associated with other services such as OneDrive and SharePoint. I would treat this option as a last resort after all other options have failed.
The steps outlined in this article will take you through a recovery process that involves creating a new user on-premises, synchronizing that user to Office 365, and merging the data from the soft deleted mailbox.
The last scenario we are covering is the inactive mailbox scenario. For those that may not know, an Inactive Mailbox is a mailbox associated with a user that was placed on Litigation Hold and then deleted. In order to preserve the data and keep it searchable, we retain the mailbox contents and allow you to reuse the license that was previously assigned to the deleted user. More information on Inactive Mailboxes can be found here.
If you accidentally deleted a user that was on Litigation Hold and you needed to restore the user, you can follow the steps below.
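As an added example (not the article's own steps) covering both the last-resort merge for a soft-deleted mailbox and the inactive mailbox case just described, the script below recreates the user on-premises, syncs and licenses it so that a new empty mailbox is provisioned, locates the old mailbox (soft-deleted or inactive), and copies its content into the new one with a mailbox restore request. It assumes the ActiveDirectory module, the ADSync module and PowerShell remoting on the Azure AD Connect server, an MSOnline session and an Exchange Online PowerShell session. The account details, OU, server name, license SKU and usage location are placeholders.

```powershell
# Added example, not from the article. All names, the SKU and the usage location are placeholders.
$SamAccountName = 'jdoe'
$Upn            = 'firstname.lastname@example.org'
$SyncedOu       = 'OU=Staff,DC=example,DC=org'
$SyncServer     = 'AADCONNECT01'
$LicenseSku     = 'example:ENTERPRISEPACK'

# 1. Recreate the account. It gets a new objectGUID, so Office 365 sees an unrelated new user;
#    OneDrive and SharePoint data tied to the old identity is not recovered by this path.
New-ADUser -Name 'Jane Doe' -SamAccountName $SamAccountName -UserPrincipalName $Upn -Path $SyncedOu `
    -AccountPassword (Read-Host -AsSecureString 'Initial password') -Enabled $true

# 2. Sync it to Office 365, then license it so an empty mailbox is created.
Invoke-Command -ComputerName $SyncServer -ScriptBlock { Import-Module ADSync; Start-ADSyncSyncCycle -PolicyType Delta }
do { Start-Sleep -Seconds 30; $new = Get-MsolUser -UserPrincipalName $Upn -ErrorAction SilentlyContinue } until ($new)
Set-MsolUser -UserPrincipalName $Upn -UsageLocation 'US'
Set-MsolUserLicense -UserPrincipalName $Upn -AddLicenses $LicenseSku
do { Start-Sleep -Seconds 60; $target = Get-Mailbox -Identity $Upn -ErrorAction SilentlyContinue } until ($target)

# 3. Locate the old mailbox. Soft-deleted and inactive mailboxes are hidden from plain Get-Mailbox.
#    If several deleted mailboxes share the name, pick the right one by ExchangeGuid instead.
$old  = Get-Mailbox -SoftDeletedMailbox -Identity $Upn -ErrorAction SilentlyContinue
$kind = 'soft-deleted'
if (-not $old) {
    $old  = Get-Mailbox -InactiveMailboxOnly -Identity $Upn -ErrorAction SilentlyContinue
    $kind = 'inactive'
}
if (-not $old) { throw "No soft-deleted or inactive mailbox for $Upn; the 30-day window may have passed." }
"Merging $kind mailbox $($old.ExchangeGuid) (soft-deleted $($old.WhenSoftDeleted)) into $($target.ExchangeGuid)"

# 4. Merge. The new mailbox has a different LegacyExchangeDN, so -AllowLegacyDNMismatch is required.
#    The source is left untouched; an inactive mailbox therefore stays on hold and searchable.
$req = New-MailboxRestoreRequest -SourceMailbox $old.ExchangeGuid -TargetMailbox $target.ExchangeGuid `
    -AllowLegacyDNMismatch -Name "Merge-$SamAccountName"

# 5. Track progress; a Status of Completed means every item was copied.
Get-MailboxRestoreRequestStatistics -Identity $req.Identity |
    Select-Object Name, Status, PercentComplete, ItemsTransferred, BadItemsEncountered
```

Selecting the source by ExchangeGuid rather than by display name is deliberate: after a user has been deleted and recreated more than once, several soft-deleted mailboxes can carry the same name, and merging the wrong one is not something a restore request will warn you about.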
It is best to set yourself and your organization up for the easiest possible mailbox and user recovery scenarios. When possible, enable the Active Directory Recycle Bin and educate all of your IT staff on the ramifications of deleting users. Also know that, in the end, there are many ways to recover a user and the associated data; make sure you use the option that fits your needs.
I wanted to thank Timothy Heeney for a lot of help and discussion during the creation of this article.