Deleting a user is broken

Deleting a user and assigning their Exchange mailbox doesn't delete them any more.

The previous/expected process:

  1. Delete user in Office365 Admin Center
  2. Convert their mailbox to shared and assign to another user
  3. User is moved from "Active users" section to "Deleted Users"
  4. Deleted user has no access to Office365 or their Exchange mailbox.
  5. User is deleted after 30 days

The actual process/experience:

  1. Delete user in Office365 Admin Center
  2. Convert their mailbox to shared and assign to another user
  3. User remains in "Active users" with their licence/s unassigned
  4. User can still sign into Office365. There's no applications available, but if they navigate to outlook.office.com they have full access to their Exchange mailbox and can send/receive emails.
  5. User cannot be restored, as they are still in "Active Users". I suspect this also means they won't be deleted after 30 days.

This process works correctly if you do not reassign the mailbox, so it appears something in that process has broken. I would guess that confidentiality is a huge concern amongst those deleting former employees, and having access to company email is a major concern so I hope this is addressed ASAP.

I should add that this bug has been replicated by a member of the Office 365 Support Team, but no satisfactory solution has been found.

Converting the mailbox to shared always required you to keep the underlying user object, if it gets deleted the mailbox would be deleted as well. There is no way to "unlink" a user from the mailbox, at least not a supported way. The "assign" part from that wizard is simply granting Full Access permissions, the "original" user account will still have access.
You can easily test this yourself - create a user mailbox, then convert it to Shared from within the EAC or PowerShell. You will notice that the user object remains as is. If you then delete the user object, the shared mailbox will be gone too.

As for any changes in the wizard behavior, @Nino_Bilic might have some info.

This very thing. Deleting the user would always result in the mailbox being disconnected (therefore loss of access to the mailbox). Shared mailboxes in Exchange Online must have a user account associated with them; by default this user account will not be enabled for direct logon, but the user account has to exist whether the shared mailbox was created anew or the user mailbox has been converted to a shared mailbox. This is expected design. The mailbox cannot exist on its own without a user account. Note also that if the mailbox is converted from user to shared, the password for the user account should be reset too.
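The account-centred design both replies above describe, carried out step by step, as an added PowerShell example that is not from this thread or from Microsoft. It assumes the ExchangeOnlineManagement and Microsoft Graph PowerShell modules are installed, that the operator holds Exchange and user-management admin rights, and uses placeholder UPNs; the cmdlets are standard ones from those modules, while the audit function at the end is my own and checks for the state the original post reports (a shared mailbox whose anchor account can still sign in).

```powershell
# Added example, not from this thread or from Microsoft documentation.
# Performs explicitly the steps the thread says the admin-center wizard used to
# bundle together (convert to shared, delegate access, block sign-in, rotate the
# password) and then audits the tenant for shared mailboxes whose anchor account
# is still enabled for sign-in.
# Assumptions: ExchangeOnlineManagement and Microsoft.Graph modules are installed,
# the caller has Exchange Administrator and User Administrator rights, and the two
# UPNs below are placeholders for your own tenant.

Import-Module ExchangeOnlineManagement
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Users.Actions

Connect-ExchangeOnline
Connect-MgGraph -Scopes "User.ReadWrite.All", "User.RevokeSessions.All"

$Leaver   = "former.employee@example.com"   # placeholder: account being offboarded
$Delegate = "line.manager@example.com"      # placeholder: who inherits the mailbox

# 1. Convert the user mailbox to shared. The user object remains, because a shared
#    mailbox in Exchange Online must have an account attached to it.
Set-Mailbox -Identity $Leaver -Type Shared

# 2. Give the successor Full Access. This is all the wizard's "give another user
#    access" step does; by itself it removes nothing from the original account.
Add-MailboxPermission -Identity $Leaver -User $Delegate `
    -AccessRights FullAccess -InheritanceType All -AutoMapping $true

# 3. Stop the leaver from using the anchor account: disable sign-in and revoke
#    existing sessions so an already-open Outlook on the web session stops working.
Update-MgUser -UserId $Leaver -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $Leaver | Out-Null

# 4. Rotate the password to a random value that nobody records. From now on the
#    mailbox is reached through the delegate's own credentials, not this account's.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$randomPassword = [Convert]::ToBase64String($bytes)
Update-MgUser -UserId $Leaver -PasswordProfile @{
    Password                      = $randomPassword
    ForceChangePasswordNextSignIn = $true
}
$randomPassword = $null

# 5. Audit (own helper): list every shared mailbox whose anchor account is still
#    enabled for sign-in. The shared-mailbox list alone does not show this.
function Get-SharedMailboxWithEnabledAccount {
    Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited |
        ForEach-Object {
            $user = Get-MgUser -UserId $_.UserPrincipalName `
                -Property UserPrincipalName, AccountEnabled, AssignedLicenses
            if ($user.AccountEnabled) {
                [pscustomobject]@{
                    Mailbox        = $_.UserPrincipalName
                    AccountEnabled = $user.AccountEnabled
                    Licensed       = ($user.AssignedLicenses.Count -gt 0)
                }
            }
        }
}

Get-SharedMailboxWithEnabledAccount | Format-Table -AutoSize
```

Step 5 can be run on its own as a periodic check; any row it returns is a converted mailbox whose former owner can still sign in, which is the situation the original post describes.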

Hi guys, thanks for the responses, hopefully I can clear a few things up so we're on the same page:

@VasilMichev "Converting the mailbox to shared always required you to keep the underlying user object"

I agree; previously this user would be kept as a "Deleted User", which would allow you to "Restore" the user if you'd deleted them by mistake or something similar. That's not currently happening.

"There is no way to "unlink" a user from the mailbox, at least not a supported way."

I understand what you're saying, however this used to work. I'm not sure what else to tell you here.

"The "assign" part from that wizard is simply granting Full Access permissions, the "original" user account will still have access."

Yes, however there are clearly steps after this portion of the wizard that would then remove sign in access and shift the user to "Deleted Users" and whatever else.

"You can easily test this yourself - create a user mailbox, then convert it to Shared from within the EAC or PowerShell. You will notice that the user object remains as is. If you then delete the user object, the shared mailbox will be gone too."

I understand, however the previous behaviour of deleting the user from the Office 365 Admin Console was different to how it is now. I'm not suggesting that it straight away deleted all objects, but the process used to be as I described in my post.

@Nino_Bilic "Deleting the user would always result in mailbox being disconnected (therefore loss of access to the mailbox)."

I don't know what to tell you. Like I said, deleting the user in the Office 365 Admin Console would give you the option to convert the mailbox to shared and assign it to another user, then move the user to "Deleted Users" where they would no longer have access to their Office 365 sign in or Exchange mailbox. After 30 days, both would be deleted.

"Shared mailboxes in Exchange Online must have a user account associated with them; by default this user account will not be enabled for direct logon, but the user account has to exist whether the shared mailbox was created anew or the user mailbox has been converted to a shared mailbox. This is expected design. The mailbox cannot exist on its own without a user account."

Agreed, however the handling of it has changed. The user account used to be in "Deleted Users", where the end user had no access to it, and eventually it would be removed, however that has changed or is broken. Now the Office 365 user remains active, and they would still have access to their mailbox. Just as importantly, this user will not be deleted, ever. They remain an Active User, so clearly the "Delete User" function is broken.

"Note also that if the mailbox is converted from user to shared, the password for the user account should be reset too."

Why? The whole point of the user being deleted is that it removes access for the user. This is a point I tried to make; deleting a user used to encompass all the termination process and was very useful. If this is no longer the case, these functions and wizards are completely useless.

Ah, now I get it; I understand what you are referring to; thanks for added detail!
You are referring to a "wizard" that is available when you delete a user with a mailbox in the Microsoft 365 Admin Portal. Basically go to Active users for a licensed user with a mailbox, and then in the user flyout select Delete user. Then on the next page with options, you get an option to "Give another user access to (user you are deleting) mailbox". You get a guided experience which would allow you to essentially "move" the mailbox ownership to another account. I do not think it is right though that it would do it in a way that would result in no account; yes, the account is disabled for logon and the mailbox is 'delegated' to another person by giving them full rights. But the user account is still needed, and if deleted, that mailbox would "go away". I am sorry, I simply do not know of any way that a mailbox can exist (or ever did exist) with no account, because there is no "anchor account" for it.

BTW, what Vasil was referring to was a way to convert the user to a shared mailbox via Exchange Admin Center (EAC) or Exchange PowerShell. But all of those ways require a shared mailbox to have an account.

"Basically go to Active users for a licensed user with a mailbox, and then in the user flyout select Delete user. Then on the next page with options, you get an option to "Give another user access to (user you are deleting) mailbox". You get a guided experience which would allow you to essentially "move" the mailbox ownership to another account."

This part works: the user that you nominate gets access to the shared mailbox, however the would-be deleted user doesn't get moved to "Deleted Users", which is not the expected behaviour. What this also means is you can't use the "restore user" action to undo it all. It also means that you can go through the "Delete User" function infinite times, which can't be correct!

"I do not think it is right though that it would do it in a way that would result in no account; yes, the account is disabled for logon and the mailbox is 'delegated' to another person by giving them full rights. But the user account is still needed, and if deleted, that mailbox would "go away"."

Yes, I agree with this, and I believe that's why the "Deleted User" section exists; it keeps the user and "anchors" the mailbox (if I'm using that term correctly), then after it has been in that state for 30 days, they are fully deleted, including the shared mailbox.

I'm not sure if I got this across clearly before, but if I delete a user and do not convert their mailbox, they go directly to the "Deleted Users" section to be removed in 30 days. This is how it used to work for ALL users, converted mailbox or not. This is why it's so frustrating, because it used to work but is now broken for some reason.

I've never been a fan of this wizard, so I might be missing some detail on how things worked previously, but the bottom line here is that you need the user account. The only way you can end up with a mailbox without a user account is when the Inactive mailboxes functionality is involved, or generally speaking the mailbox is on hold.

No problem, I believe I can fill in the gaps. It appeared to keep the user and mailbox attached but just in a different state for 30 days before deleting both. What it's doing now is keeping the user as fully active (just unlicensed), which obviously causes issues, because I'm not even sure the user will be deleted at the end of the 30 days.