If you need to restore a Microsoft 365 hybrid user account which was synced from on-premises Active Directory to Azure AD and Microsoft 365, you need to perform the following steps:

A soft-deleted user mailbox is a mailbox that has been deleted using the Microsoft 365 admin center or the Remove-Mailbox cmdlet in Exchange Online PowerShell, and has still been in the Azure Active Directory (Azure AD) recycle bin for less than 30 days.
Source: https://docs.microsoft.com/en-us/exchange/recipients-in-exchange-online/delete-or-restore-mailboxes

Soft-deleted and hard-deleted mailboxes
Source: https://docs.microsoft.com/en-us/compliance/assurance/assurance-exchange-online-data-deletion#soft-deleted-and-hard-deleted-mailboxes

First we restore the user account in Microsoft 365; for this we can use the Microsoft 365 admin center.

Under Users -> Deleted users, select the account you want to restore and click on Restore user.

After clicking on Restore user, you need to select Auto-generate password or Let me create the password.

The second step is to restore the on-premises Active Directory user account. In my case, as I have enabled the Active Directory Recycle Bin, this is an easy process as follows.

First I will check if the user account is listed as deleted in on-premises AD. So I will execute the following command by using the Active Directory Module for Windows PowerShell on one of the on-premises DCs.

# To show all users with displayName = John Doe, whether deleted or not
Get-ADObject -Filter {displayName -eq "John Doe"} -IncludeDeletedObjects

# To show all deleted users whose displayName is like John*
Get-ADObject -Filter {isDeleted -eq $TRUE -and displayName -like "John*"} -IncludeDeletedObjects

# To show the user with sAMAccountName = jdoe, but only if it is deleted
Get-ADObject -Filter {isDeleted -eq $TRUE -and sAMAccountName -eq "jdoe"} -IncludeDeletedObjects

To finally restore the user, I run one of the following commands (the first matches the exact display name, the second every deleted object whose display name starts with John):

Get-ADObject -Filter {displayName -eq "John Doe"} -IncludeDeletedObjects | Restore-ADObject
Get-ADObject -Filter {isDeleted -eq $TRUE -and displayName -like "John*"} -IncludeDeletedObjects | Restore-ADObject

Now that both user accounts, on-premises and cloud, are restored, we finally need to hard match them by using the ImmutableId.

First we need to determine the objectGUID of the on-premises user account as follows.

Determine the objectGUID of the deleted on-premises user
ldifde -d "<distinguishedName user account>" -f C:\user.txt

Note the objectGUID from the output file to use it below as ImmutableId in Azure AD.

Creates, modifies, and deletes directory objects. You can also use ldifde to extend the schema, export Active Directory user and group information to other applications or services, and populate Active Directory Domain Services (AD DS) with data from other directory services.

Source: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)

Now we need to connect to Azure AD by using the Azure Active Directory PowerShell for Graph module and set the ImmutableId of the Azure AD user to the on-premises objectGUID determined above. ldifde writes this objectGUID into user.txt already Base64-encoded (on the line starting with objectGUID::), which is exactly the form Azure AD expects for the ImmutableId.

# if not already installed on your computer
Install-Module -Name AzureAD

# connect to Azure AD
$credential = Get-Credential
Connect-AzureAD -Credential $credential

Get-AzureADUser -SearchString jdoe@braintesting.de | fl objectID
Set-AzureADUser -ObjectId <objectID> -ImmutableId "<objectGUID from user.txt>"
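As an added example (not the post's own commands), the same hard match with the ImmutableId computed directly from the restored on-premises object, cross-checked against the ldifde export and against any anchor the cloud user already carries before anything is written. The account names and the path of user.txt are assumptions; the AD and AzureAD modules are assumed to be loaded and Connect-AzureAD already run.

```powershell
# Added example, not from the original post. Placeholders: adjust to your own accounts.
$samAccountName = 'jdoe'                  # restored on-premises account (assumption)
$cloudUpn       = 'jdoe@braintesting.de'  # restored cloud account (assumption)
$ldifExport     = 'C:\user.txt'           # file written by ldifde above (assumption)

# 1. Compute the ImmutableId from the restored AD object. Azure AD Connect
#    stores the objectGUID as a Base64 string of its 16 raw bytes.
$onPremUser  = Get-ADUser -Identity $samAccountName -Properties objectGUID
$immutableId = [Convert]::ToBase64String($onPremUser.ObjectGUID.ToByteArray())

# 2. Cross-check with the value ldifde exported (ldifde writes binary
#    attributes Base64-encoded after a double colon).
$ldifLine = Select-String -Path $ldifExport -Pattern '^objectGUID:: ' | Select-Object -First 1
if ($ldifLine -and (($ldifLine.Line -replace '^objectGUID:: ', '') -ne $immutableId)) {
    throw "objectGUID in $ldifExport does not match the restored AD object; wrong object restored?"
}

# 3. Look up the cloud user and refuse to overwrite a different, existing anchor:
#    a mismatched hard match would bind the cloud account to the wrong AD object.
$cloudUser = Get-AzureADUser -ObjectId $cloudUpn
if ($cloudUser.ImmutableId -and ($cloudUser.ImmutableId -ne $immutableId)) {
    throw "Cloud user already has ImmutableId $($cloudUser.ImmutableId); investigate before hard matching"
}

# 4. Write the anchor only when it is not already set, then show the result.
if ($cloudUser.ImmutableId -ne $immutableId) {
    Set-AzureADUser -ObjectId $cloudUser.ObjectId -ImmutableId $immutableId
}
Get-AzureADUser -ObjectId $cloudUser.ObjectId | Select-Object UserPrincipalName, ObjectId, ImmutableId
```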

The sourceAnchor attribute is defined as an attribute immutable during the lifetime of an object. It uniquely identifies an object as being the same object on-premises and in Azure AD. The attribute is also called immutableId and the two names are used interchangeably.

Source: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-design-concepts#sourceanchor

Finally run the sync from on-premises to Azure AD.

Start-ADSyncSyncCycle -PolicyType Delta

Ok, but my sync status is still In cloud and not Synced from on-premises as follows.

To finally change the sync status in Microsoft 365 from In cloud to Synced from on-premises, we just need to change the password of the on-premises account and trigger the sync in Azure AD Connect once more.

Start-ADSyncSyncCycle -PolicyType Delta

Now the sync status is listed correctly in the Microsoft 365 admin center as Synced from on-premises, as follows.


Recover a deleted mailbox in hybrid

Office 365 – Why You Need to Understand ImmutableID

Delete or restore user mailboxes in Exchange Online

Exchange Online data deletion in Microsoft 365

Scenario Overview for Restoring Deleted Active Directory Objects

Active Directory Recycle Bin Step-by-Step Guide

How to restore deleted user accounts and their group memberships in Active Directory

Azure AD Connect: Design concepts