Orphaned Accounts in Exchange Online

Technical Level: Intermediate

Summary

An orphan is any object in Exchange Online (EXO) that does not have a corresponding object in AzureAD based on ExternalDirectoryObjectId (with the exception of mail-enabled Public Folders, which are not synced between AzureAD and EXO). Under normal circumstances, when you create a user, mail user, user mailbox, mail-enabled group, or contact, one account is created in AzureAD and one account is created in Exchange Online. The two accounts are linked by ObjectId (AzureAD) / ExternalDirectoryObjectId (EXO).

To identify an orphan, collect the EXO account's ExternalDirectoryObjectId and search for it in AzureAD. If you cannot find a match, you have an orphan. If the EXO account does not have an ExternalDirectoryObjectId at all, then it too is an orphan.
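The check described above, written as a PowerShell function that runs it across the whole tenant. This is an added example, not part of the original article; it assumes the ExchangeOnlineManagement and MSOnline modules are already connected (Connect-ExchangeOnline and Connect-MsolService), and that mail-enabled public folders are identified by a RecipientTypeDetails value of 'PublicFolder'.

```powershell
# Added example (not from the original article): lists EXO recipients whose
# ExternalDirectoryObjectId is empty or has no matching object in AzureAD.
# Assumes Connect-ExchangeOnline and Connect-MsolService have already been run.
function Find-ExoOrphan {
    [CmdletBinding()]
    param()

    # Build the set of ObjectIds known to AzureAD: users (including users still in the
    # recycle bin, which are not orphans until purged), groups and contacts.
    $aadIds = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($u in Get-MsolUser -All)                     { [void]$aadIds.Add($u.ObjectId.ToString()) }
    foreach ($u in Get-MsolUser -All -ReturnDeletedUsers) { [void]$aadIds.Add($u.ObjectId.ToString()) }
    foreach ($g in Get-MsolGroup -All)                    { [void]$aadIds.Add($g.ObjectId.ToString()) }
    foreach ($c in Get-MsolContact -All)                  { [void]$aadIds.Add($c.ObjectId.ToString()) }

    # Active recipients plus the soft-deleted containers, which is where purged
    # accounts sit for 30 days with their ExternalDirectoryObjectId cleared.
    $recipients = @(Get-Recipient -ResultSize Unlimited) +
                  @(Get-Mailbox -SoftDeletedMailbox -ResultSize Unlimited) +
                  @(Get-MailUser -SoftDeletedMailUser -ResultSize Unlimited)

    foreach ($r in $recipients) {
        # Assumption: mail-enabled public folders report RecipientTypeDetails 'PublicFolder'.
        # They are never synced to AzureAD, so they are excluded from the check.
        if ($r.RecipientTypeDetails -eq 'PublicFolder') { continue }

        $edoid = [string]$r.ExternalDirectoryObjectId
        if ([string]::IsNullOrEmpty($edoid)) {
            $reason = 'ExternalDirectoryObjectId is empty'
        } elseif (-not $aadIds.Contains($edoid)) {
            $reason = 'No AzureAD object with this ObjectId'
        } else {
            continue   # linked to an AzureAD object: not an orphan
        }

        [pscustomobject]@{
            Name                      = $r.Name
            PrimarySmtpAddress        = $r.PrimarySmtpAddress
            RecipientTypeDetails      = $r.RecipientTypeDetails
            ExternalDirectoryObjectId = $edoid
            Reason                    = $reason
        }
    }
}

# Usage: Find-ExoOrphan | Format-Table -AutoSize
```

Objects reported with an empty ExternalDirectoryObjectId and a soft-deleted RecipientTypeDetails are the expected by-design orphans described under Details; anything else in the output deserves a closer look.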


Details

How Orphaned Objects Occur

There are two main ways this happens.

Hard-Deleted Mailbox

The current by-design behavior when you purge a mailbox user:

  1. User account in AzureAD is deleted with Remove-MsolUser
  2. User account in EXO is moved to the Soft-Deleted users container
    1. The mailbox is disconnected and will remain this way for 30 days.
  3. User account in AzureAD is purged with Remove-MsolUser -RemoveFromRecycleBin
  4. User account in EXO has its ExternalDirectoryObjectId cleared
    1. The mailbox remains disconnected, still for 30 days from the date that step #2 occurred.

The mailbox will be returned by the Get-Mailbox -SoftDeletedMailbox cmdlet until it is permanently deleted by the system after 30 days, or until it is permanently deleted by the administrator.

Inactive Mailboxes

When a mailbox that is on Litigation Hold or In-Place Hold is deleted, it is placed in a soft-deleted state and remains there until the hold is removed and the mailbox is manually purged by the administrator.

Hard Deleted MailUser

The current by-design behavior when you purge a mail user:

  1. User account in AzureAD is deleted with Remove-MsolUser
  2. User account in EXO is moved to the Soft-Deleted container
    1. It will remain this way for 30 days.
  3. User account in AzureAD is purged with Remove-MsolUser -RemoveFromRecycleBin
  4. User account in EXO has its ExternalDirectoryObjectId cleared
    1. It continues to remain this way for 30 days from the date that step #2 occurred.

This is the same design that applies to mailboxes. The only difference is that the mail user cannot be manually purged; there is no PowerShell command available to accomplish this. The customer must wait 30 days for the system to clear the account.

For more details on how to purge mailboxes in Exchange Online, please see: How to purge a soft deleted mailbox in Office 365

For details on how to restore a mailbox that is in a soft-deleted state or in an inactive state, please see the two articles below:

Recover soft-deleted mailboxes in an Exchange Hybrid scenario

How to restore an inactive mailbox for a federated user in an Exchange Hybrid deployment


Last updated: February 12, 2020