Phantom Account


I have this account in my tenant that goes to more than one person. If you try to find it in the admin center, it doesn't show as a user, contact, group, shared mailbox or a resource. If I go into PowerShell it shows, but I'm not sure how to find out what it is or where it goes. It is mail-enabled, allowing external users to email it, and it goes to me and at least one more person. I'm clueless as to where it is and can't find it. It doesn't seem to be an alias for a user, group, resource or shared mailbox either. When I see the name I see a string of numbers afterwards in PowerShell. I also can't find it in Azure AD. Any ideas????

10 Replies
Do you have mailbox retention / preservation on? Usually this is a mailbox that is still around and used to be tied to a user account; maybe you had forwarding on to you at some point? Do you recognize the name of the box, though?

We have mailbox retention on but not for this account. The account is a generic account that seems to come to me but was not set up by me. You can see it in the address book and you can send to it and I will receive it, but I can't seem to find out what type of object it is. It is not an alias for me. Totally confused.

Do you find this user in local AD? It seems to be a synced user, right?



Several types of mailboxes are not displayed in the EAC and/or Office 365 Admin center, for example Discovery mailboxes, Scheduling mailboxes, Site mailboxes, etc. PowerShell can give you all the information you need for the mailbox though, simply query the relevant properties: RecipientTypeDetails, UserPrincipalName, EmailAddresses, Forwarding settings, etc.

Thanks! I guess I don't know enough about PowerShell to even run some of these, as I've spent two hours trying to get some of these properties and keep getting errors. When will MS do away with PS and make everything GUI?

I think I've located the phantom account.  I believe it is a part of a Public Folder mailbox but that folder has a different name and doesn't list details in the Exchange Admin Console.  

I was wrong; it isn't a public folder. I did some more research, and what is a SchedulingMailbox? This might be that, and if so can it be converted to a regular mailbox?

We had a very similar case. I found a strange address in our global address book, which actually had a typo in it, so at first I thought emails went nowhere. But once I typed the correct address, say company@domain.com, it actually forwarded the email to another user, user@domain.com. Nobody knew what this address was, nor that user, nor me. Maybe at some point somebody was experimenting with forwarders. Anyway, this SMTP address existed, but no user was tied to it (not in local AD nor in Azure AD).

get-mailbox -identity company@domain.com was returning a result with user@domain.com in the ForwardingSmtpAddress line.

But trying to delete that mailbox with the PermanentlyDelete switch gave an error that the user still exists, although it couldn't find the user. With the help of MS support we were finally able to remove it.

Everything was done via PowerShell. It went like this:

$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session
Connect-msolservice
$a = get-msoluser -all  
$b = get-msoluser -all -returndeletedusers  
$c = get-msolgroup -all  
$d = get-msolcontact -all  
$e = get-recipient -resultsize unlimited  
$all = $a+$b+$c+$d+$e  
$search = "company@domain.com"  
$all | ?{$_.emailaddresses -match $search -or $_.emailaddress -match $search -or $_.userprincipalname -eq $search -or $_.proxyaddresses -match $search}
remove-mailbox -identity company@domain.com

 

Not sure why it didn't work with a simple remove-mailbox command. But it was removed and disappeared from the global list, so the ticket was resolved.

Since you've already confirmed that the object is returned by Get-Mailbox, simply rerun the cmdlets to get all the relevant properties:

Get-Mailbox address@domain.com | ft Name,UserPrincipalName,EmailAddresses,RecipientTypeDetails

or you can do a simple:

Get-Mailbox address@domain.com | fl *

to get all the properties. In general, the Get-Recipient cmdlet is the best way to find a matching object, as it covers all valid recipient types, but it might not return as many properties compared to Get-Mailbox.
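
A read-only way to gather the properties mentioned in the replies above for a single address, as an added example that is not part of the original thread. It assumes an Exchange Online PowerShell session is already connected; Get-AddressOwnerReport is a hypothetical helper name and company@domain.com is the thread's placeholder address.

```powershell
# Added example (not from the thread). Read-only: it changes nothing in the tenant.
# Assumes a connected Exchange Online PowerShell session.
# Get-AddressOwnerReport is a hypothetical helper name, not a built-in cmdlet.
function Get-AddressOwnerReport {
    param(
        [Parameter(Mandatory)]
        [string]$Address
    )

    # Get-Recipient covers every recipient type; EmailAddresses holds the
    # primary address and all aliases. Escape quotes for the filter string.
    $safe = $Address.Replace("'", "''")
    $recipients = @(Get-Recipient -ResultSize Unlimited -Filter "EmailAddresses -eq 'smtp:$safe'")
    if ($recipients.Count -eq 0) {
        Write-Warning "No recipient object carries $Address"
        return
    }

    foreach ($r in $recipients) {
        $report = [ordered]@{
            Name                 = $r.Name
            RecipientTypeDetails = $r.RecipientTypeDetails   # e.g. SchedulingMailbox, SharedMailbox
            PrimarySmtpAddress   = $r.PrimarySmtpAddress
            HiddenFromGAL        = $r.HiddenFromAddressListsEnabled
        }

        # Forwarding, delegates and inbox rules exist only on mailbox objects.
        $id  = $r.Guid.ToString()
        $mbx = Get-Mailbox -Identity $id -ErrorAction SilentlyContinue
        if ($mbx) {
            $report.ForwardingAddress          = $mbx.ForwardingAddress
            $report.ForwardingSmtpAddress      = $mbx.ForwardingSmtpAddress
            $report.DeliverToMailboxAndForward = $mbx.DeliverToMailboxAndForward

            # Explicit FullAccess delegates can read everything delivered here.
            $report.FullAccessDelegates = (Get-MailboxPermission -Identity $id |
                Where-Object { $_.AccessRights -match 'FullAccess' -and -not $_.IsInherited }).User -join '; '

            # Inbox rules are a second place where mail can be forwarded or redirected.
            $report.ForwardingRules = (Get-InboxRule -Mailbox $id -ErrorAction SilentlyContinue |
                Where-Object { $_.ForwardTo -or $_.RedirectTo -or $_.ForwardAsAttachmentTo }).Name -join '; '
        }
        [pscustomobject]$report
    }
}

Get-AddressOwnerReport -Address 'company@domain.com' | Format-List
```

Forwarding set on the mailbox, FullAccess delegation and inbox rules are three separate ways one address can reach several people, which is why the report lists them side by side.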

Since it was a scheduling mailbox, I deleted it and made a shared mailbox with that name as it was an email address listed as a general mailbox by my assistant before she checked to see if that address belonged to anything else.