Restore deleted Microsoft 365 Hybrid User
If you need to restore a Microsoft 365 hybrid user account which was synced from on-premises Active Directory to Azure AD and Microsoft 365, you need to perform the following steps:
A soft-deleted user mailbox is a mailbox that has been deleted using the Microsoft 365 admin center or the Remove-Mailbox cmdlet in Exchange Online PowerShell, and has still been in the Azure Active Directory (Azure AD) recycle bin for less than 30 days.
Source: https://docs.microsoft.com/en-us/exchange/recipients-in-exchange-online/delete-or-restore-mailboxes
Soft-deleted and hard-deleted mailboxes
Source: https://docs.microsoft.com/en-us/compliance/assurance/assurance-exchange-online-data-deletion#soft-deleted-and-hard-deleted-mailboxes
First we restore the user account in Microsoft 365; the Microsoft 365 admin center is sufficient for this.
Under Users -> Deleted users, select the account you want to restore and click on Restore user.
After clicking on Restore user, you need to select Auto-generate password or Let me create the password. Note that the restored account is at this point a cloud-only object (sync status In cloud); the hard match below is what ties it back to the on-premises account.
The second step is to restore the on-premises Active Directory user account. In my case, as I have enabled the Active Directory Recycle Bin, this is an easy process as follows. (Without the Recycle Bin you would have to reanimate the tombstone or perform an authoritative restore, see the links at the end; a tombstone reanimation does not bring back most attributes and group memberships, the Recycle Bin does.)
First I will check if the user account is listed as deleted in on-premises AD. So I will execute the following command by using the Active Directory Module for Windows PowerShell on one of the on-premises DCs.
# To show all users with displayName = John Doe, either deleted or not deleted
Get-ADObject -Filter {displayName -eq "John Doe"} -IncludeDeletedObjects
# To show all users where displayName is like John* and that are deleted
Get-ADObject -Filter {isDeleted -eq $TRUE -and displayName -like "John*"} -IncludeDeletedObjects
# To show the user with sAMAccountName = jdoe, but only if it is deleted
Get-ADObject -Filter {isDeleted -eq $TRUE -and sAMAccountName -eq "jdoe"} -IncludeDeletedObjects
To finally restore the user I have to run the following command (check the output of the Get-ADObject query first: everything the filter matches is piped into Restore-ADObject, so a -like filter such as John* can restore more than one object)
Get-ADObject -Filter {displayName -eq "John Doe"} -IncludeDeletedObjects | Restore-ADObject
or
Get-ADObject -Filter {isDeleted -eq $TRUE -and displayName -like "John*"} -IncludeDeletedObjects | Restore-ADObject
Now as both user accounts, on-premises and cloud are restored, we finally need to hard match both user accounts by using the ImmutableId.
First we need to determine the objectGUID of the restored on-premises user account as follows.
Determine the objectGUID of the restored on-premises user
Ldifde -d "<distinguishedName user account>" -f C:\user.txt
Note the objectGUID from the output file to use it below as ImmutableId in Azure AD. Ldifde writes binary attributes Base64-encoded (the line reads objectGUID:: <Base64 value>), and this Base64 form of the objectGUID is exactly the value Azure AD expects as ImmutableId.
Ldifde
Creates, modifies, and deletes directory objects. You can also use ldifde to extend the schema, export Active Directory user and group information to other applications or services, and populate Active Directory Domain Services (AD DS) with data from other directory services.
Source: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)
Now we need to connect to Azure AD by using the Azure Active Directory PowerShell for Graph module and set the ImmutableId of the user in Azure AD to the previously determined on-premises objectGUID (the Base64 value from the output file user.txt above).
# if not yet installed on your computer
Install-Module -Name AzureAD
# connect to Azure AD
$credential = Get-Credential
Connect-AzureAD -Credential $credential
# determine the Azure AD objectID of the restored cloud user
Get-AzureADUser -SearchString jdoe@braintesting.de | fl objectID
# set the ImmutableId to the Base64-encoded on-premises objectGUID from user.txt (not the Azure AD objectID)
Set-AzureADUser -ObjectId <objectID> -ImmutableId "<Base64 objectGUID from user.txt>"
sourceAnchor
The sourceAnchor attribute is defined as an attribute immutable during the lifetime of an object. It uniquely identifies an object as being the same object on-premises and in Azure AD. The attribute is also called immutableId and the two names are used interchangeably.
Source: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-design-concepts#sourceanchor
Finally run the sync from on-premises to Azure AD.
Start-ADSyncSyncCycle -PolicyType Delta
Ok, but my sync status is still listed as In cloud and not as Synced from on-premises.
To finally change the sync status in Microsoft 365 from In cloud into Synced from on-premises, we just need to change the password in on-premises and trigger the sync in AD Connect another time. Any attribute change on the on-premises object works here, the password reset is simply a convenient one; alternatively a full sync (Start-ADSyncSyncCycle -PolicyType Initial) re-evaluates all objects.
Start-ADSyncSyncCycle -PolicyType Delta
Now the sync status will be listed correctly in the Microsoft 365 admin center as Synced from on-premises.
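The whole procedure from the on-premises restore to the verified hard match in one script, as an added example that is not part of the original post. It assumes the AD Recycle Bin is enabled, the ActiveDirectory and AzureAD modules are installed, the cloud account has already been restored in the admin center, and it is run from a machine that can reach both a DC and the AD Connect server; the account name jdoe, the UPN jdoe@braintesting.de (taken from the post) and the server name aadc01 are placeholders. Instead of ldifde it derives the ImmutableId directly from the objectGUID bytes, and it decodes the value back afterwards to prove the match.

```powershell
# Added example, not code from the original post. Placeholder values are marked as assumed.
Import-Module ActiveDirectory
Import-Module AzureAD

$SamAccountName  = 'jdoe'                  # assumed on-premises account
$Upn             = 'jdoe@braintesting.de'  # assumed cloud UPN (as used in the post)
$AdConnectServer = 'aadc01'                # assumed name of the Azure AD Connect server

# 1. Find the deleted on-premises object and restore it from the Recycle Bin.
#    Restore-ADObject puts it back into lastKnownParent with attributes and group memberships intact.
$deleted = Get-ADObject -Filter { isDeleted -eq $true -and sAMAccountName -eq $SamAccountName } `
                        -IncludeDeletedObjects -Properties lastKnownParent
if ($deleted) {
    if (@($deleted).Count -ne 1) { throw "Filter matched more than one deleted object, refusing to restore blindly." }
    $deleted | Restore-ADObject
    Write-Host "Restored $SamAccountName into $($deleted.lastKnownParent)"
} else {
    Write-Host "No deleted object for $SamAccountName found, assuming it is already restored."
}

# 2. Derive the ImmutableId: the 16 objectGUID bytes, Base64-encoded.
#    This is the same value ldifde writes as 'objectGUID:: ...' in its export file.
$adUser      = Get-ADUser -Identity $SamAccountName
$immutableId = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())

# 3. Hard-match the restored cloud account to the on-premises object.
#    Azure AD refuses to change ImmutableId on an object it still considers synced,
#    so check DirSyncEnabled first instead of failing half-way.
Connect-AzureAD | Out-Null
$cloudUser = Get-AzureADUser -ObjectId $Upn   # -ObjectId also accepts the UPN
if ($cloudUser.DirSyncEnabled) {
    throw "Cloud user is already marked as synced from on-premises; ImmutableId cannot be changed now."
}
Set-AzureADUser -ObjectId $cloudUser.ObjectId -ImmutableId $immutableId

# 4. Verify: decode the stored ImmutableId back into a GUID and compare with the on-premises objectGUID.
$stored  = (Get-AzureADUser -ObjectId $cloudUser.ObjectId).ImmutableId
$decoded = [Guid]::new([Convert]::FromBase64String($stored))
if ($decoded -ne $adUser.ObjectGUID) {
    throw "ImmutableId $stored does not decode to objectGUID $($adUser.ObjectGUID)"
}
Write-Host "Hard match verified: ImmutableId $stored == objectGUID $($adUser.ObjectGUID)"

# 5. Touch the on-premises object (the post resets the password) so the next delta sync exports it,
#    then trigger the delta sync on the AD Connect server.
Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword (Read-Host -AsSecureString 'New password')
Invoke-Command -ComputerName $AdConnectServer -ScriptBlock {
    Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Delta
}

# 6. Final check: after the sync the cloud object must be marked as directory-synced.
$cloudUser = Get-AzureADUser -ObjectId $cloudUser.ObjectId
Write-Host "DirSyncEnabled is now: $($cloudUser.DirSyncEnabled) (expect True once the sync cycle has completed)"
```

The AzureAD module used by the post has since been deprecated by Microsoft; with Microsoft Graph PowerShell the equivalent of step 3 is Update-MgUser -UserId <objectID> -OnPremisesImmutableId <Base64 value>, and the DirSyncEnabled check corresponds to the OnPremisesSyncEnabled property of the user. The Base64 conversion in step 2 and the decode check in step 4 are unchanged.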
Links
Recover a deleted mailbox in hybrid
https://msoffice365exo.blogspot.com/p/blog-page_36.html
RESTORE DELETED AD/OFFICE 365 USER IN AD CONNECT ENVIRONMENT
https://www.virtubytes.com/2019/02/14/restore-deleted-user-ad-connect/
Office 365 – Why You Need to Understand ImmutableID
https://blogs.perficient.com/2015/04/01/office-365-why-you-need-to-understand-immutableid/
Delete or restore user mailboxes in Exchange Online
https://docs.microsoft.com/en-us/exchange/recipients-in-exchange-online/delete-or-restore-mailboxes
Exchange Online data deletion in Microsoft 365
https://docs.microsoft.com/en-us/compliance/assurance/assurance-exchange-online-data-deletion
Scenario Overview for Restoring Deleted Active Directory Objects
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd379542(v=ws.10)
Active Directory Recycle Bin Step-by-Step Guide
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd392261(v=ws.10)
How to restore deleted user accounts and their group memberships in Active Directory
https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/retore-deleted-accounts-and-groups-in-ad
Azure AD Connect: Design concepts
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-design-concepts
sourceAnchor
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-design-concepts#sourceanchor