SOLVED

Get-AzureADMSDeletedGroup vs. 'Get-UnifiedGroup -IncludeSoftDeletedGroups'

Steel Contributor

Hello, I have a question reqarding deleted Office 365 Groups.

I have the two scenarios:
1st: I run "Get-AzureADMSDeletedGroup | ?{$_.DeletedDateTime -gt $DeletedGroupsStartDate }" and get 5 deleted groups.
2nd: I run "Get-UnifiedGroup -IncludeSoftDeletedGroups | ?{$_.WhenSoftDeleted -gt $DeletedGroupsStartDate}" and get 7 groups.

Is there a difference between the two commands? I expect the two commands should show the same results. I don't understand why the result of the 2 commands is different.

Best regards
Tobias

9 Replies

Well, the first one returns *only* deleted Groups. The second one *includes* deleted Groups, but will also return any *active* Groups that match the query. It's not an -InactiveGroupsOnly parameter 🙂

 

Apart from that, one returns the objects from Azure AD, the other from the ExODS, so they are representing different object classes, with different properties, etc. Technically, the two should be linked, but there can be a slight disconnect, especially if you have recently made changes. But in general the two "representations" should be kept in sync.


@VasilMichev wrote:

Well, the first one returns *only* deleted Groups. The second one *includes* deleted Groups, but will also return any *active* Groups that match the query. It's not an -InactiveGroupsOnly parameter 🙂


Hm, how can be a group active if the group was deleted? 🙂 I checked the 2 groups from the 2nd case, both groups are really deleted. Not available in OWA and the SPO sites are also changed to NoAccess. 

 

First I thought maybe the groups were restored by the owner and the property WhenSoftDeleted not replaced. But it's not the case. After a restore of a deleted test group the property is empty. 

 

Tobias these two cmdlets should return the same results (assuming the data between Azure AD and Exchange has been synched), can you consistently reproduce the issue?

I tested the commands again. Here is a screenshot of the commands and results. It's easy to compare. The Id of Get-AzureADMSDeletedGroup is connected to ExternalDirectoryObjectId of Get-UnifiedGroup. Two Ids are still missing in the deleted groups.

SNAG-28-03-2018-0001.png

 

 

 

 

@Tobias, what I meant was that the Get-UnifiedGroup cmdlet run with this parameter will return both active and deleted groups, which you can easily confirm if you remove the filter. We have the same situation with the Get-Mailbox cmdlets, however for it we also have the -InactiveMailboxOnly which will filter out any active mailboxes.

 

Now, having seen the full code in your screenshot, the Groups returned definitely match the soft-deleted criteria. So you should be seeing the same between Get-UnifiedGroup and Get-AzureADMSDeletedGroup output. Which brings us to the other possible scenario, issue with the sync between ExODS and Azure AD, for which you should open a support case.

Ok, thanks for the clarification. Yes, will open a support case.

I just want to post an update. My case is still in progress. It`s now confirmed the situation is an unknown behavior. In general the 2 commands do the same. What we know is some deleted Office 365 Groups in Exchange Online are synced to the Azure AD recycle bin with a very, very long delay. I can reproduce a delay of min. 5 days. For the last 30 days I have currently 57 deleted groups that have not yet been synchronized from EXO to AAD. The EXO and AAD support teams try to get an official time range, or maybe they have an issue with the sync. 

 

In general all customers should be able to reproduce the situation, at least if you are in the region Europe West.

Definitely sounds like a replication issue, and one that should be taken care of in a timely manner. The SLAs for that sync process should be in the range of hours, definitely not days. Anyway, @Christophe Fiessinger might be able to get right people involved.

best response confirmed by VI_Migration (Silver Contributor)
Solution

Yesterday I found the cause. There are 2 issues preventing the EXO and AAD cmdlets returning the same results for deleted groups.

 

  1. The time zone in AAD is UTC, EXO returns the results in the local time. So I changed the date filter for deleted groups in AAD to UTC.
  2.  The main issue is Get-AzureADMSDeletedGroup does not return all deleted groups by default (and shows not information the results are limited). The cmdlet provides an additional parameter All.

Get-AzureADMSDeletedGroup -all:$true

 

-All
If true, return all group members. If false, return the number of objects specified by the Top parameter

 

Without the parameter Get-AzureADMSDeletedGroup returns just 100 results and the date filter was not applied to all deleted groups in AAD.

I did the same tests, one for the last 5 days and one for 30 days. Both commands include now the same results.

SNAG-08-05-2018-0002.png

 

1 best response

Accepted Solutions
best response confirmed by VI_Migration (Silver Contributor)
Solution

Yesterday I found the cause. There are 2 issues preventing the EXO and AAD cmdlets returning the same results for deleted groups.

 

  1. The time zone in AAD is UTC, EXO returns the results in the local time. So I changed the date filter for deleted groups in AAD to UTC.
  2.  The main issue is Get-AzureADMSDeletedGroup does not return all deleted groups by default (and shows not information the results are limited). The cmdlet provides an additional parameter All.

Get-AzureADMSDeletedGroup -all:$true

 

-All
If true, return all group members. If false, return the number of objects specified by the Top parameter

 

Without the parameter Get-AzureADMSDeletedGroup returns just 100 results and the date filter was not applied to all deleted groups in AAD.

I did the same tests, one for the last 5 days and one for 30 days. Both commands include now the same results.

SNAG-08-05-2018-0002.png

 

View solution in original post