Office 365 Hybrid Duplicate Mailboxes

User has Exchange 2013 Hybrid Configuration, With Azure Active Directory Password Sync.

User has Successfully Synced the OU’s and Provisioned Licenses to the Mailboxes.  One Weird thing happened, It has provisioned empty Mailboxes on the Cloud and User has Mailboxes in the On-Prem as well,Causing Duplicate Mailboxes.

Ideally this shouldn’t happen.

By Design – Assigning License for an On-premises mailbox in the Cloud.

It should prompt in Mail Setting “This User’s On Premises Mailbox hasn’t been migrated to Exchange Online. The Exchange Online Mailbox will be available after migration is completed.

Weird – Assigning License for an On-premises mailbox in the Cloud. (Provisioning Empty Mailboxes in the Cloud Causing Duplicate mailboxes)

As the Mailboxes kept Provisioned for a day or so. The empty mailboxes received emails sent from Same domain Office 365 Users .

Took a Backup of emails using E-discovery search –

Easy Way – Before July1 2017 you have to use in-place eDiscovery & hold to search and download as PSTs

Choose the mailboxes to be exported.

Choose All Criteria

Note – Use Internet Explorer for the Export PST application to work.

As Specified After July you have to use the Security and compliance center to do the same process.

https://protection.office.com

In the left pane of the Security & Compliance Center, click Search & investigation > Content search.

1. On the Content search page, select a search.
2. In the details pane, under Export results to a computer, click Start export.
3. On the Export the search results page, under Include these items from the search, choose one of the following options:
4. Under Export Exchange content as, choose one of the following options:
   • One PST file for each mailbox   Exports one PST file for each user mailbox that contains search results. Any results from the user’s archive mailbox are included in the same PST file.

Lets see the Traditional Way to Copy Mails to Another Mailbox –

Added Office 365 Administrator to Discovery Management

Add-RoleGroupMember "Discovery Management" –Member admin@domain.onmicrosoft.com

New-Managementroleassignment –Role "Mailbox Import Export" –User admin@domain.onmicrosoft.com

Close Powershell and Re-Opened Powershell

You can use –EstimateResultsonly switch to check the stats before run.

Get-mailbox Test20 | Search-mailbox –searchquery {received:02/01/2013..01/17/2017} –TargetFolder Backup –TargetMailbox Backup@careexchange.in

For Example in my case.

Exported to the Backup Mailbox

To check precise items in the folders you can also use –

Get-mailboxfolderstatistics mailboxname | select Name,FolderSize,ItemsinFolder

Now mailboxes are Backed up using PST or Copied to different mailbox.

Re Ran the Hybrid Configuration wizard from Exchange 2013 Server to make sure things are fine.

Good to know – Now If you have customized the co-existence connectors .It puts back to default hybrid configurations. In my case I couldn’t use TLS in a specific site and manually specified public ips in mail flow connectors.

re running the hybrid configuration put me back to TLS.

Now Remove the License from the Mailboxes using GUI or Connect to MSOL for Bulk modifications.

Connect-MsolService

Set-MsolUserLicense –UserPrincipalName test@careexchange.in -RemoveLicenses "orgname:ENTERPRISEPACK"

To list licensed users

Get-Mailuser | Where-object{$_.Islicensed –like “True”} | FT UserPrincipalName,Licenses

To Check and Remove the right licenses .

Now All duplicate mailboxes should have been converted to mail users. Before migrating them back make sure you permanently delete them from the deleted mailbox list.

if they exist in SoftDeletedMaibox List . Permanently remove them before you try Migrating them back again.

Using Office 365 PowerShell –

To List Softdeleted mailboxes –

Get-Mailbox –SoftDeletedMailbox

To Permanently Delete All SoftDeletedMailboxes – (Be Careful on this)

Get-Mailbox –SoftDeletedMailbox | Remove-Mailbox –PermanentlyDelete

Using Msol service

Connect-MsolService

Make sure it doesn’t return any deleted users as well. which has been duplicated

Get-MsolUser –ReturnDeletedUsers

To Remove Deleted Users  –

Remove-MsolUser -UserPrincipalName test@careexchange.in –RemoveFromRecycleBin

To Remove All Deleted Users  – (Be Careful on this)

Get-MsolUser -ReturnDeletedUsers | Remove-MsolUser -RemoveFromRecycleBin –Force 

Now We are good to go to migrate them back again.

Still having issues ?

Remove MSOL user from Cloud. To sync back the Object again.

Get-MsolUser -UserPrincipalName user@careexchange.in

Removing MsolUser  (Be Careful on this)

Get-MsolUser -UserPrincipalName user@careexchange.in | Remove-MsolUser

Removing MsolUser from RecycleBin (Be Careful on this)

Get-MsolUser -UserPrincipalName user@careexchange.in -ReturnDeletedUsers |
Remove-MsolUser -RemoveFromRecycleBin

Once you remove. Force Sync or Wait for the Normal Sync  Interval to happen.

Import-Module ADSync

Start-ADSyncSyncCycle -PolicyType Delta

Workaround Which worked out in Some Environments – 

Use Exchange On-Premises in

Remove the license for the user, wait for few minutes , then log into the Exchange Control Panel (Office 365 TAB) on your on-premises exchange server and initiate remote move from there.

Choose Remote Move Migration

Good to know –

Compared Immutable IDs – Looks Same.

$immuOnPremID – is OnPrem Immutable ID.

$immuCloudID is Cloud Immutable ID

Import-Module ActiveDirectory
Import-Module ADSync
$cred = Get-Credential

Connect-MsolService -Credential $cred
$GUIDbyte = (Get-ADUser TestUser).objectGUID.ToByteArray()

$immuOnPremID = [System.Convert]::ToBase64String($GUIDbyte)
$immuCloudID = Get-MsolUser -UserPrincipalName Testuser@careexchange.in | Fl ImmutableId

To Change Immutable ID for Specific User –

Set-MsolUser -UserPrincipalName Testuser@careexchange.in -ImmutableId $immuID

See also –

Office 365 Hybrid Configuration Wizard Step by Step

Adding Domain in Existing Hybrid Configuration