Things can sometimes get tricky when it comes to managing archives for migrated mailboxes in Exchange hybrid environments. In this blog post, we cover the details of what happens when you enable and disable the archive mailbox for a mailbox that has been migrated to Exchange Online, and some troubleshooting scenarios.
Provisioning an archive for a mailbox in Exchange Online
For synced users, all provisioning actions are initiated from on-premises and then synchronized to Exchange Online via Azure AD Connect.
Run Disable-RemoteMailbox <mailbox> -Archive from on-premises and wait for the changes to synchronize to Azure AD which involves passing the DeprovisionArchive status to the Exchange object and disabling the cloud archive.
RemoteRecipientType and archive properties (ArchiveGuid and ArchiveName) are the property values that trigger the change in the provisioning status of archive mailbox in a hybrid environment.
Archive deprovisioning/disablement flow
When an admin disables an archive using the on-premises Exchange admin center or Exchange Management Shell, this clears the ArchiveGUID and ArchiveName and writes the current ArchiveGUID value to DisabledArchiveGUID:
Directory synchronization deletes ArchiveGUID and ArchiveName from the account in Azure AD.
Exchange Online consumes these changes from Azure AD and disables the cloud archive by clearing the values for ArchiveGuid and ArchiveName:
Common Issues when enabling/disabling an archive for migrated user
Issue 1: When you try to enable or disable an archive for mailboxes hosted in Exchange Online using Exchange Online management tools, you encounter the following error:
"The operation on Identity "<mailbox>" failed because out of the current user's write scope. The action Disable-Mailbox/Enable-Mailbox, 'Archive', can't be performed on the "<mailbox>" because the object is being synchronized from your on-premises organization. This action should be performed on the object in your on-premises organization".
Cause: This occurs when you are synchronizing user objects from on-premises Active Directory using Azure AD Connect, and you are trying to change properties in Exchange Online which is not possible since the Source of Authority is on-premises Active Directory. You must manage the user’s properties in Active Directory and changes will be synchronized to Exchange Online.
Resolution: The correct way to do this is initiating the changes from on-premises Exchange environment and then letting them synchronize to Exchange Online.
If enabling archive:
Run Enable-RemoteMailbox <mailbox> -Archive from on-premises.
Run Delta sync.
Verify that RemoteRecipientType has a value of ProvisionArchive. ArchiveGuid and ArchiveName will also appear with an ArchiveStatus of Active. If that is not the case, wait for the changes to sync to Exchange Online and check for any sync issues.
If disabling archive:
Disable-RemoteMailbox <mailbox> -Archive from on-premises.
Run Delta sync.
Once the sync is complete, run the following command in Exchange Online PowerShell:
Get-Mailbox <mailbox>|fl *recipient*,*archive*
Look for RemoteRecipientType –DeprovisionArchive. Also, ArchiveGuid and ArchiveName will be removed.
Admins may encounter validation errors that prevent them from provisioning an archive for a migrated mailbox after following the steps above. Probable reasons are:
A soft-deleted mailbox or mailuser with same archive GUID already exists in Microsoft 365 because they were not properly removed (for example, removing license from a user without clearing holds on their mailbox).
An inactive mailbox exists with the same archive GUID.
In this case, get rid of any conflicting objects and then the archive can be provisioned.
Issue 2: You are unable to disable an online archive, even when it shows as disabled on the corresponding on-premises object.
Cause: This occurs when the mailbox is on hold. Disabling the archive fails, and the admin will see this error.
Resolution: To resolve this, remove all holds from the mailbox. See this article for more details.
Note: Removing holds from the mailbox may result in data being permanently deleted. Make sure you understand this to avoid possible unwanted data loss.
Issue 3: You get an ArchiveGUID mismatch error on affected user accounts in the Microsoft 365 admin center, which prevents changes like title/manager/HiddenFromGAL/proxyaddress on synced users object. You might see an error like the following:
Failed to Sync the Archive Guid <00000000-0000-0000-0000-000000000000> of mailbox because one cloud archive <guid> exists.
Cause: This is due to the on-premises object being inconsistent with the cloud object. In this case, the on-premises object does not reflect a provisioned remote archive.
Resolution: To resolve this, configure the on-premises object to reflect a provisioned cloud archive and ensure the on-premises ArchiveGuid matched the cloud ArchiveGuid.
Use the following command to set ArchvieGuid and ArchiveName: Get-RemoteMailbox email@example.com | Set-RemoteMailbox -ArchiveGuid “ <Archiveguid value from Exchange Online mailbox>” -ArchiveName "<same from Exchange Online mailbox>"
Run Delta sync.
Issue 4: When you try to deprovision an archive, you receive this error:
ExchangeValidationError “Failed to disable the archive of mailbox <guid> due to a conflict in directory settings. To disable this archive, first run Enable-RemoteMailbox -Archive on-premises. After the next Dirsync sync cycle, run Disable-RemoteMailbox -Archive on-premises to disable this archive “
Cause: This can occur when RemoteRecipientType in Exchange Online is out of sync with the on-premises object and has a DeprovisionArchive value from a recent archive deprovisioning.
Resolution: Enable the archive from on-premises and run Delta sync. This will reset RemoteRecipientType to "provisionArchive" in Exchange Online.
IMPORTANT: Make sure to confirm RemoteRecipientType as ProvisionArchive in Exchange Online.
After that, disable the archive from on-premises and run Delta sync. Exchange Online will pick up those changes and disable the cloud archive.