How to disconnect a mailbox & re-assign it to new user in a Hybrid Scenario
Scenario objectives: We have an Exchange Hybrid setup between on-premises and Exchange Online (Office 365). All users are synced and the mailbox is located at Exchange Online.
We need to separate an existing mailbox from its user account and re-connect that mailbox to a new user account. If the mailbox were located on the on-premises Exchange this would be easy to do from the Exchange Management Console. In a Hybrid scenario the process takes many more steps, because the mailbox is not directly connected to the Active Directory user account; it is connected to the Azure AD synced user account, which is matched to the on-premises account by its ImmutableId (the base64-encoded objectGUID).
For the ease of the guide we will name the Existing User Account: OLDUSER and the New User Account: NEWUSER.
We will disconnect the Exchange Online Mailbox from the OLDUSER and connect it to the NEWUSER.
Step 1.
In the on-premises Active Directory, in an OU that is not synced with Azure AD, create the new user account, “NEWUSER”. Make sure the email field is left empty: just a user account with no mail attributes.
Step 2.
Move “OLDUSER” to an OU that is not synced with Azure AD, so that after the next sync its Azure AD object is soft-deleted.
Step 3.
Run a delta sync. On the server where Azure AD Connect is installed, open PowerShell and run:
Start-ADSyncSyncCycle -PolicyType Delta
Step 4.
We need the ImmutableId that Azure AD will use for NEWUSER: the base64 encoding of the account's objectGUID (not the GUID's string form). Log in to a Domain Controller, open PowerShell and run:
[System.Convert]::ToBase64String((Get-ADUser NEWUSER).ObjectGUID.ToByteArray())
Copy the resulting string to Notepad; it is the value used in Step 6.
Step 5.
After the delta sync in Step 3, OLDUSER is listed among the deleted users. Open the Office 365 Admin Center and restore the deleted user “OLDUSER”:
Go to Users –> Deleted Users –> Select the user “OLDUSER” –>Click Restore
Step 6.
Connect to Azure AD and set the ImmutableId of NEWUSER (the value from Step 4) on the Office 365 “OLDUSER” object. Details for connecting to Azure AD: https://technet.microsoft.com/en-us/library/dn975125.aspx
Connect-MsolService
Set-MsolUser -UserPrincipalName [email protected] -ImmutableId vMZGJpW6CUGY09bduJ5dlw==
Use OLDUSER's Office 365 user principal name and your own ImmutableId value. If the command fails with “Uniqueness violation. Property: SourceAnchor”, another object in the tenant already carries that ImmutableId (typically a synced copy of NEWUSER, or OLDUSER itself if Steps 2 and 3 have not completed); take that account out of the sync scope, sync, and retry, as discussed in the comments below.
Step 7.
Open the Office 365 Admin Center and delete the old user “OLDUSER”:
Go to Users –> Active users –> Select “OLDUSER” –> click Delete user
The object is soft-deleted while carrying NEWUSER's ImmutableId, so the sync in Step 10 restores it and matches it to NEWUSER.
Step 8.
Clean the on-premises Active Directory account of the old user “OLDUSER” of all Exchange attributes that will be set on the new user: proxyAddresses, targetAddress, mail, mailNickname (alias) and so on. Otherwise the two accounts would compete for the same addresses.
Step 9.
Make the “NEWUSER” user account a Remote Mailbox object.
On the on-premises Exchange, open the Exchange Management Shell and run:
Enable-RemoteMailbox -Identity NEWUSER -DisplayName "NEW USER" -RemoteRoutingAddress [email protected] -Alias newuser -PrimarySmtpAddress [email protected]
The -RemoteRoutingAddress is NEWUSER's address in the tenant's hybrid routing domain (the .mail.onmicrosoft.com domain); the -PrimarySmtpAddress is the address the mailbox should answer to. If the command reports that NEWUSER couldn't be found on a domain controller, the new account has not yet replicated to the DC the shell is using: wait for replication, or pass -DomainController with the DC where the account was created. As for any remote mailbox in a hybrid, the on-premises object should also carry the ExchangeGuid of the Exchange Online mailbox (see the comments below), so that later mailbox moves work.
Step 10.
Move “NEWUSER” to an OU that is synced with Azure AD and run a delta sync as in Step 3.
After that sync the “NEWUSER” Active Directory account is connected to the “OLDUSER” Exchange Online mailbox, and the mailbox's attributes are replaced with NEWUSER's values.
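The whole procedure as one PowerShell script, added here as a worked example; it is not code from the original article. It runs the same ten steps with the checks a practitioner would want before the irreversible ones: a test for the “Uniqueness violation” on the sourceAnchor before the ImmutableId is set, an explicit domain controller for Enable-RemoteMailbox, the ExchangeGuid caveat raised in the comments, and a final verification that exactly one Azure AD object carries NEWUSER's ImmutableId. The OU paths, the contoso domains and the UPNs are placeholders; the script assumes the ActiveDirectory and MSOnline modules, an Exchange Management Shell for the Enable-RemoteMailbox step, and that Start-ADSyncSyncCycle is run on the Azure AD Connect server. Run it step by step rather than as one batch.

```powershell
# Added worked example (not the article's own code). Placeholders: OU paths,
# contoso domains, UPNs. Assumes ActiveDirectory + MSOnline modules, an Exchange
# Management Shell for Step 9, and the AD Connect server for the sync steps.

Import-Module ActiveDirectory
Import-Module MSOnline

$OldUser        = 'OLDUSER'                          # sAMAccountName on-premises
$NewUser        = 'NEWUSER'
$OldUserUpn     = 'olduser@contoso.com'              # Office 365 UPN of the mailbox owner (placeholder)
$NewPrimarySmtp = 'newuser@contoso.com'              # placeholder
$RoutingDomain  = 'contoso.mail.onmicrosoft.com'     # hybrid routing domain (placeholder)
$UnsyncedOu     = 'OU=NotSynced,DC=contoso,DC=local' # placeholder
$SyncedOu       = 'OU=Users,DC=contoso,DC=local'     # placeholder

function Get-ImmutableIdFromAd {
    # Azure AD's ImmutableId (sourceAnchor) is the base64 of the objectGUID bytes,
    # not the GUID's string form.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $guid = (Get-ADUser -Identity $SamAccountName).ObjectGUID
    return [System.Convert]::ToBase64String($guid.ToByteArray())
}

function Invoke-DeltaSync {
    # Steps 3 and 10. Run on the AD Connect server; a delta cycle takes a few minutes.
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
}

# Step 1: NEWUSER in an unsynced OU, with no mail attributes at all.
New-ADUser -Name $NewUser -SamAccountName $NewUser -Path $UnsyncedOu `
    -AccountPassword (Read-Host -AsSecureString "Password for $NewUser") -Enabled $true

# Steps 2 and 3: take OLDUSER out of sync scope so its Azure AD object is soft-deleted.
Move-ADObject -Identity (Get-ADUser $OldUser).DistinguishedName -TargetPath $UnsyncedOu
Invoke-DeltaSync

# Step 4: the sourceAnchor NEWUSER will present when it syncs.
$newImmutableId = Get-ImmutableIdFromAd -SamAccountName $NewUser

# Step 5: restore the soft-deleted OLDUSER object.
Connect-MsolService
$deleted = Get-MsolUser -ReturnDeletedUsers -All | Where-Object UserPrincipalName -eq $OldUserUpn
if ($deleted) { Restore-MsolUser -UserPrincipalName $OldUserUpn }

# Check before Step 6: "Uniqueness violation. Property: SourceAnchor" (see the comments)
# means another object already carries this ImmutableId, usually a synced copy of NEWUSER.
$clash = Get-MsolUser -All | Where-Object {
    $_.ImmutableId -eq $newImmutableId -and $_.UserPrincipalName -ne $OldUserUpn
}
if ($clash) { throw "ImmutableId already used by $($clash.UserPrincipalName); remove it from sync scope first" }

# Step 6: hard-match the cloud object (and its mailbox) to NEWUSER.
Set-MsolUser -UserPrincipalName $OldUserUpn -ImmutableId $newImmutableId
# Microsoft Graph equivalent if MSOnline is no longer available in your tenant (assumption to verify):
#   Update-MgUser -UserId $OldUserUpn -OnPremisesImmutableId $newImmutableId

# Caveat from the comment thread: record the online mailbox's ExchangeGuid now, while the
# cloud object still exists, and stamp it on the remote mailbox in Step 9. Needs an
# Exchange Online session (ExchangeOnlineManagement module):
#   $exoGuid = (Get-EXOMailbox -Identity $OldUserUpn).ExchangeGuid

# Step 7: delete the cloud object. It is soft-deleted carrying NEWUSER's ImmutableId,
# so the sync in Step 10 restores it and matches it to NEWUSER.
Remove-MsolUser -UserPrincipalName $OldUserUpn -Force

# Step 8: clear the mail attributes from the on-premises OLDUSER.
Set-ADUser -Identity $OldUser -Clear proxyAddresses, targetAddress, mail, mailNickname

# Step 9: make NEWUSER a remote mailbox object (Exchange Management Shell).
# -DomainController pins the DC this session already resolved NEWUSER on, which avoids
# "object couldn't be found" when the new account has not replicated yet (see the last comment).
$dc = (Get-ADDomainController).HostName
Enable-RemoteMailbox -Identity $NewUser -DisplayName 'NEW USER' -Alias 'newuser' `
    -RemoteRoutingAddress "newuser@$RoutingDomain" -PrimarySmtpAddress $NewPrimarySmtp `
    -DomainController $dc
# Set-RemoteMailbox -Identity $NewUser -ExchangeGuid $exoGuid -DomainController $dc

# Step 10: bring NEWUSER into sync scope and sync.
Move-ADObject -Identity (Get-ADUser $NewUser).DistinguishedName -TargetPath $SyncedOu
Invoke-DeltaSync

# Verify: exactly one Azure AD user now has NEWUSER's sourceAnchor, and it is dirsynced.
Get-MsolUser -All | Where-Object { $_.ImmutableId -eq $newImmutableId } |
    Select-Object UserPrincipalName, ImmutableId, LastDirSyncTime
```

The clash check is the part worth keeping even if you do the rest by hand: it turns the opaque “Uniqueness violation” into a message naming the object that already owns the sourceAnchor. The final query deliberately searches by ImmutableId rather than by UPN, because after the hard match the cloud object's UPN may be rewritten from NEWUSER's on-premises value.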
I suppose there are other ways, maybe easier, to accomplish this task, but following this process you will have the desired result without problems.
Pantelis Apostolidis is a Sr. Specialist, Azure at Microsoft and a former Microsoft Azure MVP. For the last 20 years, Pantelis has been involved in major cloud projects in Greece and abroad, helping companies adopt and deploy cloud technologies and drive business value. He holds many Microsoft Expert certifications, demonstrating his proven experience in delivering high-quality solutions. He is an author and blogger and a speaker at conferences, workshops and webinars. He is also an active member of several communities and a moderator at azureheads.gr and autoexec.gr. Follow him on Twitter @papostolidis.
Hi Pantelis,
thanks for the info… I was wondering, if I want to REPLACE my AD completely, i.e. have OLD AD syncing with O365, create NEW AD servers, do I just shutdown the old AD, create the new users and then Connect to Azure AD and set the GUID of the “NEWUSER” to the Office 365 “OLD USER” using:
Set-MsolUser -UserPrincipalName [email protected] -ImmutableId vMZGJpW6CUGY09bduJ5dlw==
and then in O365 delete the OLD USERS, then SYNC my NEW AD to O365?
Thanks,
Stefan
You don’t need to delete the old O365 users.
1. create the new AD
2. add the immutableid from local AD to Office 365 (Azure AD)
3. add the ExchangeGUID from Exchange Online mailbox to the local AD user
4. sync and the new local AD Users will connect with the old O365 users.
Hi,
My situation is this.
A users account was deleted in AD so I restored the mailbox to “cloud only”
I recovered the old AD account and now they are showing as 2 separate accounts within the O365 console.
We are on a federated domain so had to change the UPN to @domain.onmicrosoft.com before trying to set the immutable.
Still, when trying to set it I am getting this:
set-msoluser : Uniqueness violation. Property: SourceAnchor.
Any ideas?
Thanks
Hello, I tried to reproduce the problem. To change the immutableid, remove the user from the ad connect sync OUs (or make an exception). Run a sync and the user will be deleted from O365. Then you can change the immutableid.
Pantelis Apostolidis, this is a really good one. It helped in a critical situation.
old – Enable-RemoteMailbox -Identity NEWUSER -DisplayName “NEW USER” -RemoteRoutingAddress [email protected] -Alias newuser [email protected]
New – Enable-RemoteMailbox -Identity NEWUSER -DisplayName “NEW USER” -RemoteRoutingAddress [email protected] -Alias newuser -PrimarySmtp [email protected]
Needed a space after Alias newuser -PrimarySmtp
Hi David, you are right, I corrected it!
This is a pretty old article, more than 3 years old! If anyone runs the process and e.g. the commands have changed, please let me know to update the article!
Hi, Can i use this method to Move an existing mailbox over to a new user, and then still keep the new user and start fresh with a new mailbox?
Hi Pantelis,
Thanks a lot for this article!
At the “Step 7.” you say:
Make the “NEWUSER” user account a Remote Mailbox object
At the on-premises Exchange, open the Exchange Management Shell and run:
Thanks a lot!
Since I only have Exchange Online, is there any opportunity to do this if I don’t have an on-premises Exchange ?
Hi Bled,
the “Remote Mailbox” is only for the hybrid scenario, to have an on-premises user connected to a remote mailbox that resides in Exchange Online. There is no need for this in an Exchange Online-only scenario.
Hi, this information is really useful… though I have a slightly different scenario.
My old user is in O365 and I think was created incorrectly in O365 rather than by creating it in Exchange and migrating to the cloud. Because of this, external emails to the primary SMTP address of this user are not working. This is a shared mailbox. Mails to the Microsoft tenant domain work, but not to our migrated domain. So I am thinking to detach the mailbox, delete the O365 account, create the account on-premises again, migrate it, attach the mailbox and apply the Teams Exploratory license again.
Is this a good plan ?
Hi Michael, you are right, you need to disconnect the o365 mailbox, create the user on-premises, sync with ad-connect and use Enable-RemoteMailbox to connect the on-prem user to the online mailbox.
Hi, Pantelis
In my case, I need to disconnect user’s mailbox “user1”, and connect to a new shared mailbox “shared1” and create a new mailbox for “user1”.
Is it possible?
Hi Cassio,
Is it a cloud-only scenario or a hybrid?
Hybrid!
Then you need to create a new user to take over the shared mailbox.
In high level:
1. Create a new user “shared1”
2. disconnect the mailbox from “user1” and connect it to “shared1” (follow the process of the article)
3. convert the “shared1” to shared mailbox
4. re-enable the sync for “user1” and enable remote mailbox for “user1” to have a new mailbox.
I used this process (minus the on-prem Exchange part) and the NEWUSER got control of the mailbox but the Teams data from the OLDUSER did not sync to the NEWUSER. The NEWUSER essentially started as a brand new Teams account.
In my scenario the NEWUSER was already created when I started the process though. If you have thoughts on that I would love to hear them but more just putting this here for anyone using this guide in the future.
Hi Matthew,
Did you ever figure out how to fix the issue with losing Teams data when a new account is being used? I am also going to perform this process with the mailbox and want to be prepared if this happens with Teams. Thank you
Hi Matthew,
I appreciate your interest in my blog! Microsoft Teams is a combination of many products, like Exchange Online, OneDrive & SharePoint. I am not familiar with any way of migrating a Teams account to another user as is. You can copy the OneDrive data, change access to SharePoint, migrate the mailbox (as described here), but I don’t know if you can migrate more Teams-related data.
Something like this: https://answers.microsoft.com/en-us/msteams/forum/all/teams-migration-from-one-account-to-another/4d5f7542-14f7-452a-b618-758dcd8cf629
Thank you for this. I have a little twist in this scenario.
Parent company: Office 365 tenant
Parent company : AD connect setup
Child Company: separate AD
Child Company: AD objects synced to parent company AD Connect
Child Company: mailboxes migrated from Exchange On-premises to Parent company’s Office 365 Tenant.
What we would like to do is re-create users for the child company on the parent company’s AD, detach mailboxes that are on Exchange Online from the child company user accounts and re-attach them to newly created accounts on the parent domain AD. I tested it and it works, but I don’t have Exchange in my test environment to see how the attributes are affected.
Any guidance will be appreciated
Hi,
[Hybrid environment]
Is there a way to enable remote mailbox without EMS?
We don’t have it here and need to separate a mailbox from a user.
thanks in advance.
I know this is an older article but it so far the only one I’ve found that may work for what we are trying to do. I am going through the steps and on Step 7 I am having an issue. I am running it on our On Premise Exchange Powershell and I am getting:
The operation couldn’t be performed because object ‘NEWUSER’ couldn’t be found on ‘ONPREMDOMAINCONTROLLER’.
I changed the names in the error to something generic. I’ve tried several things for -Identity in the PowerShell command but I get this error for everything I try. I can run Get-ADUser NEWUSER and get results but not when running the Enable-RemoteMailbox command.
Do you have any ideas?