I have been working with a customer on a case involving the migration of mailboxes from one Office 365 user to another.
You might have done this on an on-premises Exchange server, where you disabled a mailbox and later needed to reconnect it to another user.
So how is this possible in Exchange Online?
Some background information on this customer scenario:
- One Office 365 tenant.
- Exchange 2013 Hybrid Edition.
- AD Connect, which connects to two Active Directory domains: one for their primary domain in Denmark and one for a domain in South America.
- The users that needed to move had an account in the Danish domain and one in the South American domain. The old account, with the primary mailbox, was in South America and the new account was in Denmark.
- Both the Danish and the South American Office 365 accounts had an Office 365 license, so both accounts had a mailbox and OneDrive.
- Before the move, the South American users were instructed to back up their OneDrive data, as this can’t be moved with this method.
So in this scenario we had a mailbox connected to a South American Office 365 account, which needed to be moved over to a Danish Office 365 account.
For this scenario the process is the following:
1. Move the user in the old Active Directory domain to another Organisational Unit which is not synchronized by AD Connect.
2. Start an AD Connect synchronization. This is executed from the on-premises AD Connect server. (This will trigger a soft deletion in Office 365.)
   Start-ADSyncSyncCycle -PolicyType Delta
3. Restore the user in the Office 365 Admin Portal once it gets into the Users -> Deleted Users section.
4. Remove the ImmutableID from the old South American account.
   Set-MsolUser -UserPrincipalName xx@SouthernAmerica.com.mx -ImmutableId "$NULL"
5. Find the ImmutableID for the Danish account in the Danish Active Directory which is going to take over the South American mailbox, and note this down for later. The command should be executed in PowerShell in administrative mode on an Active Directory server.
   [System.Convert]::ToBase64String((Get-ADUser SamAccountNameOfDanishAccount).ObjectGUID.ToByteArray())
   Example value returned: O+vYwOVZIEWgW2a8kH+aaw==
6. Move the Danish Active Directory account to an Organisational Unit which isn’t synchronized by AD Connect.
7. Start an AD Connect synchronization. This is executed from the on-premises AD Connect server.
   Start-ADSyncSyncCycle -PolicyType Delta
8. Remove the Danish Office 365 account with a hard deletion of the account.
   Get-MsolUser -UserPrincipalName xx@DanishAccount.dk -ReturnDeletedUsers | Remove-MsolUser -RemoveFromRecycleBin
9. The next step is to connect the South American mailbox with the Danish Office 365/Active Directory account. This is done by taking the ImmutableID that was extracted in Step 5 and injecting it into the South American Office 365 account that was restored in Step 3.
   To run this command you need to connect to Office 365 from PowerShell with Connect-MsolService, using a Global Admin account. (You need to have the cmdlets for this installed on your computer.)
   Set-MsolUser -UserPrincipalName xx@SouthernAmerica.com.mx -ImmutableId "O+vYwOVZIEWgW2a8kH+aaw=="
10. Wait 10-15 minutes before proceeding to the next step.
11. Move the user in the Danish Active Directory domain back to an Organisational Unit that is synchronized with AD Connect, then start an AD Connect synchronization. This is executed from the on-premises AD Connect server. Note that it’s done with the Initial policy type to trigger the switch and connect the Danish Office 365 account/Active Directory account with the South American mailbox.
   Start-ADSyncSyncCycle -PolicyType Initial
12. Add the old email address from the South American account to the Danish account. This is done on the Exchange Hybrid Edition server.
13. Start an AD Connect synchronization. This is executed from the on-premises AD Connect server.
   Start-ADSyncSyncCycle -PolicyType Delta
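The ImmutableID written onto the restored mailbox account decides which on-premises account AD Connect will join it to, so each value is worth validating offline before Set-MsolUser is run. The PowerShell below is an added example, not part of the original post: the function names and sample rows are hypothetical, and it goes beyond the single-user case by checking a multi-user plan for malformed, altered and duplicate values.

```powershell
# Added example, not the author's code. Function names and sample rows are
# hypothetical; nothing here connects to Active Directory or Office 365.

function ConvertFrom-ImmutableId {
    param([string]$ImmutableId)
    try   { [byte[]]$bytes = [System.Convert]::FromBase64String($ImmutableId) }
    catch { throw "Not valid Base64: '$ImmutableId'" }
    if ($bytes.Length -ne 16) {
        throw "Decodes to $($bytes.Length) bytes, expected 16: '$ImmutableId'"
    }
    # Same byte layout that objectGUID.ToByteArray() produced on the AD server.
    return [System.Guid]::new($bytes)
}

function ConvertTo-ImmutableId {
    param([System.Guid]$ObjectGuid)
    return [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function Test-RemapPlan {
    param([object[]]$Rows)
    $seen = @{}   # keyed by GUID, because Base64 text is case-sensitive
    foreach ($row in $Rows) {
        $guid = $null
        try {
            $guid = ConvertFrom-ImmutableId $row.ImmutableId
            if ((ConvertTo-ImmutableId $guid) -cne $row.ImmutableId) {
                $status = 'Re-encoding differs (stray whitespace or padding?)'
            } elseif ($seen.ContainsKey($guid)) {
                $status = "Duplicate anchor, already planned for $($seen[$guid])"
            } else {
                $seen[$guid] = $row.MailboxUpn
                $status = 'OK'
            }
        } catch { $status = $_.Exception.Message }
        [pscustomobject]@{ MailboxUpn = $row.MailboxUpn; ObjectGuid = $guid; Status = $status }
    }
}

# Constructed sample rows; the first value is the example value shown on this page.
$plan = @(
    [pscustomobject]@{ MailboxUpn = 'user1@SouthernAmerica.com.mx'; ImmutableId = 'O+vYwOVZIEWgW2a8kH+aaw==' }
    [pscustomobject]@{ MailboxUpn = 'user2@SouthernAmerica.com.mx'; ImmutableId = 'O+vYwOVZIEWgW2a8kH+aaw==' }
    [pscustomobject]@{ MailboxUpn = 'user3@SouthernAmerica.com.mx'; ImmutableId = 'O+vYwOVZIEWgW2a8kH+aaw== ' }
    [pscustomobject]@{ MailboxUpn = 'user4@SouthernAmerica.com.mx'; ImmutableId = 'AAAAAAAAAAAAAAAAAAAAAAA=' }
)
Test-RemapPlan -Rows $plan | Format-Table -AutoSize
```

Only rows reported as OK should go forward; the decoded ObjectGuid column can be compared against the objectGUID of the intended Active Directory account.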
I have also created an Excel sheet with all the different commands. The Excel sheet is built up using one line per user that needs to be remapped. It was created to give a better overview of the process when you want to move more than one user at a time.
The Excel sheet is divided into sections but has the same step numbers as outlined in the blog post.
About the author:
Cloud Architect with over 15+ years of hands-on experience with Microsoft enterprise solutions. Deep technical skills in servers, desktops, security, productivity applications.
Dear Mr. Andersen,
Thank you very much for your instructions. It is really helpful.
But I have an issue:
I try to follow your instructions (by using the new AzureAD module), but I do not seem to be able to change the ImmutableID as instructed in 4.:
PS C:\> (Get-AzureADUser | where {$_.UserPrincipalName -eq $UPN}) | Set-AzureADUser -ImmutableId $NULL
PS C:\> (Get-AzureADUser | where {$_.UserPrincipalName -eq $UPN}) | Select DisplayName,ImmutableID
DisplayName ImmutableId
----------- -----------
John Doe    ezfpv51wod+koULlHQpXoQy=
It seems that being able to change the ImmutableID is ‘fixed’ by Microsoft and so, it seems no longer possible. Or is there still a way to do this?
Thanks!
With kind regards,
Jac Backus