Mar 27 2018 09:07 AM
Hello, I have a question reqarding deleted Office 365 Groups.
I have the two scenarios:
1st: I run "Get-AzureADMSDeletedGroup | ?{$_.DeletedDateTime -gt $DeletedGroupsStartDate }" and get 5 deleted groups.
2nd: I run "Get-UnifiedGroup -IncludeSoftDeletedGroups | ?{$_.WhenSoftDeleted -gt $DeletedGroupsStartDate}" and get 7 groups.
Is there a difference between the two commands? I expect the two commands should show the same results. I don't understand why the result of the 2 commands is different.
Best regards
Tobias
Mar 27 2018 10:50 AM
Well, the first one returns *only* deleted Groups. The second one *includes* deleted Groups, but will also return any *active* Groups that match the query. It's not an -InactiveGroupsOnly parameter 🙂
Apart from that, one returns the objects from Azure AD, the other from the ExODS, so they are representing different object classes, with different properties, etc. Technically, the two should be linked, but there can be a slight disconnect, especially if you have recently made changes. But in general the two "representations" should be kept in sync.
Mar 27 2018 01:43 PM
@VasilMichev wrote:
Well, the first one returns *only* deleted Groups. The second one *includes* deleted Groups, but will also return any *active* Groups that match the query. It's not an -InactiveGroupsOnly parameter 🙂
Hm, how can be a group active if the group was deleted? 🙂 I checked the 2 groups from the 2nd case, both groups are really deleted. Not available in OWA and the SPO sites are also changed to NoAccess.
First I thought maybe the groups were restored by the owner and the property WhenSoftDeleted not replaced. But it's not the case. After a restore of a deleted test group the property is empty.
Mar 27 2018 10:12 PM
Tobias these two cmdlets should return the same results (assuming the data between Azure AD and Exchange has been synched), can you consistently reproduce the issue?
Mar 27 2018 11:09 PM
I tested the commands again. Here is a screenshot of the commands and results. It's easy to compare. The Id of Get-AzureADMSDeletedGroup is connected to ExternalDirectoryObjectId of Get-UnifiedGroup. Two Ids are still missing in the deleted groups.
Mar 27 2018 11:26 PM
@Tobias, what I meant was that the Get-UnifiedGroup cmdlet run with this parameter will return both active and deleted groups, which you can easily confirm if you remove the filter. We have the same situation with the Get-Mailbox cmdlets, however for it we also have the -InactiveMailboxOnly which will filter out any active mailboxes.
Now, having seen the full code in your screenshot, the Groups returned definitely match the soft-deleted criteria. So you should be seeing the same between Get-UnifiedGroup and Get-AzureADMSDeletedGroup output. Which brings us to the other possible scenario, issue with the sync between ExODS and Azure AD, for which you should open a support case.
Mar 28 2018 02:42 AM
Apr 13 2018 01:21 AM
I just want to post an update. My case is still in progress. It`s now confirmed the situation is an unknown behavior. In general the 2 commands do the same. What we know is some deleted Office 365 Groups in Exchange Online are synced to the Azure AD recycle bin with a very, very long delay. I can reproduce a delay of min. 5 days. For the last 30 days I have currently 57 deleted groups that have not yet been synchronized from EXO to AAD. The EXO and AAD support teams try to get an official time range, or maybe they have an issue with the sync.
In general all customers should be able to reproduce the situation, at least if you are in the region Europe West.
Apr 14 2018 02:37 AM
Definitely sounds like a replication issue, and one that should be taken care of in a timely manner. The SLAs for that sync process should be in the range of hours, definitely not days. Anyway, @Christophe Fiessinger might be able to get right people involved.
May 09 2018 07:33 AM - edited May 09 2018 07:48 AM
SolutionYesterday I found the cause. There are 2 issues preventing the EXO and AAD cmdlets returning the same results for deleted groups.
Get-AzureADMSDeletedGroup -all:$true
-All
If true, return all group members. If false, return the number of objects specified by the Top parameter
Without the parameter Get-AzureADMSDeletedGroup returns just 100 results and the date filter was not applied to all deleted groups in AAD.
I did the same tests, one for the last 5 days and one for 30 days. Both commands include now the same results.
May 09 2018 07:33 AM - edited May 09 2018 07:48 AM
SolutionYesterday I found the cause. There are 2 issues preventing the EXO and AAD cmdlets returning the same results for deleted groups.
Get-AzureADMSDeletedGroup -all:$true
-All
If true, return all group members. If false, return the number of objects specified by the Top parameter
Without the parameter Get-AzureADMSDeletedGroup returns just 100 results and the date filter was not applied to all deleted groups in AAD.
I did the same tests, one for the last 5 days and one for 30 days. Both commands include now the same results.