So I took a few days off for Easter. I know, I know, how silly of me. While I was out, someone from our service desk accidentally terminated (read: deleted) a Director level user’s account. This mess got escalated to the C-Level over IT & Development very quickly, and turned into a very large issue. Here’s how I performed the Office 365 Account Recovery for their account. I will put a summary together at the bottom.

My Padawan Office 365 admin quickly attempted to resolve the situation by running the following:

Undo-SoftDeletedMailbox DumptyH@LookingGlass.com -WindowsLiveID DumptyH@LookingGlass.com -Password (ConvertTo-SecureString -String 'Pa$$word1' -AsPlainText -Force)

Great command if you need just the mailbox. If you need anything else, keep reading…

He also brought back the Active Directory account. This brought back the user’s mailbox to a usable state. This of course happened at 5pm the day before I came back, so with her email working, they called it a win and hung up their hats. Unfortunately, what he didn’t realize was that while her mailbox was back, there were still other pieces missing. I found that her OneDrive was still soft-deleted, her Teams chat history was missing, and her account was no longer synchronized with our on-premise Active Directory.

The easy part…

The next day, the team told me about the situation and I quickly dove in to try to breathe life back into this account. I went to the Microsoft Admin portal (https://admin.microsoft.com) and saw that the user’s account dumptyh@lookingglass.com was still listed under Users > Deleted Users. Since my Padawan had already restored the mailbox to dumptyh@lookingglass.com, I had to restore this account to another username – restore-dumptyh@lookingglass.com.

I quickly logged into the restore-dumptyh@lookingglass.com account and saw that all of the OneDrive files were there, so I knew this would be a piece of the puzzle. However, both of these accounts were showing up as cloud-only accounts.

Switching Gears…

I opened PowerShell, connected using the MSOnline module (Connect-MsolService) and ran a query for all users with the first name “Humpty” (Get-MsolUser -EnabledFilter All -SearchString "Humpty" | FL). By piping the results to Format-List, or FL, at the end, I was able to view all of the user accounts’ properties in the command line. I checked the ImmutableId and saw that it was missing from both accounts. Switching over to on-premises, I pulled the account information by running the Ldifde tool with the following:

Ldifde -d "CN=Humpty Dumpty,OU=Users,DC=LookingGlass,DC=com" -f Results.txt

Ldifde is very powerful, read more at https://support.microsoft.com/en-us/help/555636

I logged into the server running Azure AD Connect sync and verified which attribute we were using for the ImmutableId in the Synchronization Rule Editor. Normally, this would be the Active Directory objectGUID or mS-DS-ConsistencyGuid. However, the previous engineer who set up our Azure AD Connect sync had created a custom anchor attribute as part of an earlier effort to bring four domains under a single Office 365 tenant.

Since the restore-dumptyh@lookingglass.com account was the original Office 365 account, it was a good basis on which I could rebuild. I started by setting the ImmutableId of this MSOnline account to match the on-premises account, running the following:

Set-Msoluser -UserPrincipalName Restore-DumptyH@LookingGlass.com -ImmutableId A12ABC3A456BCA789BCAbC==

Note: This is not the real Immutable ID.
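Before writing an ImmutableId with Set-MsolUser, it is worth confirming that the value you are about to set really matches the on-premises anchor. The following is an added example, not code from the original post: it handles the two common anchors mentioned above (objectGUID and mS-DS-ConsistencyGuid), so a tenant with a custom anchor like the one in this story would need to swap in its own attribute. It assumes the ActiveDirectory and MSOnline modules are loaded and Connect-MsolService has already been run.

```powershell
# Added example (not from the original post). ImmutableId is simply the Base64
# encoding of the 16 anchor bytes, so the conversion can be checked offline.

function ConvertTo-ImmutableId {
    # Base64 of the GUID's 16 bytes is exactly what Azure AD stores as ImmutableId.
    param([Parameter(Mandatory)][guid]$Guid)
    [Convert]::ToBase64String($Guid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    # Reverse direction: decode the 24-character string back to a GUID.
    param([Parameter(Mandatory)][string]$ImmutableId)
    $bytes = [Convert]::FromBase64String($ImmutableId)
    if ($bytes.Length -ne 16) {
        throw "ImmutableId '$ImmutableId' does not decode to 16 bytes; probably a custom anchor."
    }
    [guid]::new($bytes)
}

function Test-ImmutableIdMatch {
    # Compare the on-premises anchor of one AD user with the ImmutableId of one cloud user.
    # Hypothetical function name; the two module cmdlets it calls are real.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$CloudUpn
    )
    $ad = Get-ADUser -Identity $SamAccountName -Properties objectGUID, 'mS-DS-ConsistencyGuid'
    # Prefer mS-DS-ConsistencyGuid when it is populated (AADC default since 1.1.524), else objectGUID.
    $anchorBytes = if ($ad.'mS-DS-ConsistencyGuid') { [byte[]]$ad.'mS-DS-ConsistencyGuid' }
                   else { $ad.ObjectGUID.ToByteArray() }
    $expected = [Convert]::ToBase64String($anchorBytes)
    $cloud = Get-MsolUser -UserPrincipalName $CloudUpn
    [pscustomobject]@{
        OnPremAnchor     = $expected
        CloudImmutableId = $cloud.ImmutableId
        Match            = ($cloud.ImmutableId -eq $expected)
    }
}

# Constructed sample GUID (not the real user's) to show the round trip without touching AD.
$sample = [guid]'12345678-abcd-4ef0-9876-543210fedcba'
$id     = ConvertTo-ImmutableId $sample
(ConvertFrom-ImmutableId $id) -eq $sample

# Live check; only run Set-MsolUser if Match is $false and OnPremAnchor is the value you expect.
# Test-ImmutableIdMatch -SamAccountName 'dumptyh' -CloudUpn 'restore-dumptyh@lookingglass.com'
```

Running the live check after the sync as well confirms the account shows up as synced for the reason you intended, rather than because a soft-match on UPN happened to line things up.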

After forcing a sync from the Azure AD Connect sync server, restore-dumptyh@lookingglass.com was once again a synced account. After that sync, the UserPrincipalNames were still mismatched. I then deleted the extra dumptyh@LookingGlass.com account. Then I used PowerShell to set the UserPrincipalName for the cloud account back to match the on-premises UserPrincipalName.

Set-MsolUserPrincipalName -UserPrincipalName restore-dumptyh@LookingGlass.com -NewUserPrincipalName dumptyh@LookingGlass.com

At this point, almost everything was back. All that was left was to restore the mail back into the mailbox that is now attached to dumptyh@LookingGlass.com. The simplest way to do this was to get the GUIDs and use the New-MailboxRestoreRequest cmdlet.

# -like needs a wildcard to match the full display name ("Humpty Dumpty")
$TargetMB = Get-EXOMailbox -Filter "Name -like 'Humpty*'"
$SourceMB = Get-EXOMailbox -SoftDeletedMailbox -Filter "Name -like 'Humpty*'"

New-MailboxRestoreRequest -SourceMailbox $SourceMB.Guid -TargetMailbox $TargetMB.Guid

And that was that. A few small pieces remained to button back up, like re-creating the user’s Outlook profile, and then everything was back to normal. Hopefully you never have to encounter a problem like this, but if you do, hopefully this helps.

The shortened version – the steps I took for this Office 365 Account Recovery:

  • Restore-MsolUser -UserPrincipalName dumptyh@LookingGlass.com -NewUserPrincipalName Restore-dumptyh@LookingGlass.com
  • Determine ImmutableId Attribute in Use (typically objectGUID or mS-DS-ConsistencyGuid). You can use your own account to double check if you aren’t sure.
  • Ldifde -d "CN=Humpty Dumpty,OU=Users,DC=LookingGlass,DC=com" -f Results.txt
    Notepad.exe Results.txt
  • Set-Msoluser -UserPrincipalName Restore-DumptyH@LookingGlass.com -ImmutableId A12ABC3A456BCA789BCAbC==
  • Have the user log out
  • Remove-MsolUser DumptyH@LookingGlass.com
  • Optionally run an AADC sync for good measure.
  • Set-MsolUserPrincipalName -UserPrincipalName restore-dumptyh@LookingGlass.com -NewUserPrincipalName dumptyh@LookingGlass.com
  • $TargetMB = Get-EXOMailbox -Filter "Name -like 'Humpty*'"
    $SourceMB = Get-EXOMailbox -SoftDeletedMailbox -Filter "Name -like 'Humpty*'"
  • New-MailboxRestoreRequest -SourceMailbox $SourceMB.Guid -TargetMailbox $TargetMB.Guid

If you have questions, feel free to contact me via the methods listed on my About Me page.