Restoring inactive users

Finding and restoring deleted users in MS365

In the rush to get us migrated to Microsoft 365 I hadn’t put much thought into the retention of deleted/disabled users and their data. With an on-premises server I could just disable a user and leave them in the Active Directory or in another OU in the Active Directory for as long as I wanted. Even if I deleted a user then their mailbox was usually retained in Exchange anyway and was retrievable at a later date.

But with Microsoft 365 you cannot organise your users into separate organisational units or folders; they are all listed together under ‘Active users’. This ends up looking messy if you have lots of users who have left but whose accounts you want to retain for a while. You can of course remove a user’s licences and click ‘Block sign-in’ to disable their access, but it is unreasonable to expect to keep all these users in the ‘Active users’ section indefinitely.

So the natural inclination when a user leaves is to delete their account by clicking ‘Delete user’. This also gives you the option to give another user access to their emails by converting the mailbox to a shared mailbox, but the user’s account then still remains in your directory under ‘Active users’, with the shared mailbox listed under ‘Groups’ and ‘Shared mailboxes’ as well, which doesn’t help with the clutter. It does work well if you just want another user to access the mailbox temporarily to get what they need. Be aware, though, that as soon as you do delete the user from ‘Active users’, even though the shared mailbox remains under ‘Groups’, you only have 30 days before both the account AND its shared mailbox are permanently deleted.

When you delete a user you can still see their account under ‘Deleted users’ in the admin console. The deleted user stays there for 30 days (giving you a chance to restore the user easily) and is then removed permanently. There is no way to restore a user account that has been permanently deleted in this way. The mailbox contents can survive, but only if a hold or a retention policy that retains content was already applied to the mailbox before the user was deleted: in that case the mailbox becomes an inactive mailbox instead of being purged. So if you don’t already have a retention policy configured and running, set one up in the Security & Compliance Center (now the Microsoft Purview compliance portal) before you start deleting leavers.

To do this, log in to your Microsoft 365 admin console and go to
Security > Information Governance > Retention
(the menu names have moved around between portal versions; in the Purview portal look under Data lifecycle management for the retention policies page)

You can create a new policy here stating how long you want to retain data for and which locations (Exchange, SharePoint, OneDrive, Teams etc.). Two caveats: only a policy whose action is to retain items (or retain and then delete) makes a deleted mailbox inactive, a delete-only policy does not; and the policy has to be in place and applied to the mailbox before the user is deleted, applying one afterwards does not bring anything back.
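As an added example (not part of the original post), the same check done in PowerShell before you click ‘Delete user’: it reports whether the mailbox would become an inactive mailbox if the account were deleted now, by reading the hold and retention markers Exchange Online exposes on the mailbox and on the organisation. It assumes the ExchangeOnlineManagement module is installed; admin@DomainName.com and leaver@DomainName.com are hypothetical addresses, and the InPlaceHolds encodings it matches are the ones Microsoft documents for that property (‘mbx<guid>:1’ retain, ‘:2’ delete-only, ‘:3’ retain then delete, ‘UniH<guid>’ eDiscovery hold, a leading ‘-’ meaning the mailbox is excluded from an org-wide policy).

```powershell
# Added example, not from the original post. Hypothetical addresses throughout.
# Answers: "if I delete this user today, does the mailbox become inactive or get purged?"

function Test-MailboxRetainCoverage {
    param([Parameter(Mandatory)][string]$Identity)

    $mbx = Get-Mailbox -Identity $Identity
    $org = Get-OrganizationConfig
    $reasons = @()

    # Holds that live on the mailbox object itself
    if ($mbx.LitigationHoldEnabled)     { $reasons += 'Litigation Hold' }
    if ($mbx.ComplianceTagHoldApplied)  { $reasons += 'Retention label with a retain action on items' }

    # Retention policies (retain or retain-then-delete) and eDiscovery holds applied to this mailbox.
    # A delete-only policy (':2') does not keep the mailbox, so it is deliberately not matched.
    $mbx.InPlaceHolds | Where-Object { $_ -match '^mbx[0-9a-f]{32}:(1|3)$' } |
        ForEach-Object { $reasons += "Mailbox-scoped retention policy $_" }
    $mbx.InPlaceHolds | Where-Object { $_ -match '^UniH' } |
        ForEach-Object { $reasons += "eDiscovery hold $_" }

    # Org-wide retention policies cover every mailbox unless this one is explicitly excluded;
    # an exclusion shows up on the mailbox as the same entry with a leading '-'.
    $excluded = @($mbx.InPlaceHolds | Where-Object { $_ -match '^-mbx' } | ForEach-Object { $_.Substring(1) })
    $org.InPlaceHolds |
        Where-Object { $_ -match '^mbx[0-9a-f]{32}:(1|3)$' -and $_ -notin $excluded } |
        ForEach-Object { $reasons += "Org-wide retention policy $_" }

    [pscustomobject]@{
        Mailbox            = $mbx.PrimarySmtpAddress
        WillBecomeInactive = ($reasons.Count -gt 0)
        Reasons            = $reasons
    }
}

Connect-ExchangeOnline -UserPrincipalName admin@DomainName.com   # modern auth, works with MFA

$result = Test-MailboxRetainCoverage -Identity 'leaver@DomainName.com'
$result | Format-List

if (-not $result.WillBecomeInactive) {
    Write-Warning "Nothing would keep this mailbox: put it on hold or include it in a retain policy BEFORE deleting the user."
}

Disconnect-ExchangeOnline -Confirm:$false
```

Treat the verdict as a sanity check rather than gospel: newly created policies can take a while to stamp mailboxes, so if the function says no coverage, check the policy’s status in the Retention page and run it again before deleting anything.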

CHECK WHETHER YOU HAVE ANY INACTIVE MAILBOXES

To see whether you have any inactive mailboxes, log in to your Microsoft 365 admin console and go to the security admin center, which lists every inactive mailbox in your organisation.

Security > Information Governance > Retention
Click on the three dots … (more) and select Inactive mailboxes

NOTE: Restoring an inactive mailbox (the New-MailboxRestoreRequest commands below) copies its content into an existing mailbox; the archive is only included if you also run the separate archive restore. The inactive mailbox itself is left exactly as it was, still inactive and still under its hold, so you can restore it again later or to someone else. That is different from recovering an inactive mailbox (New-Mailbox -InactiveMailbox), which turns it into a new active mailbox for a new user and removes it from the inactive list.

CONNECT POWERSHELL TO MICROSOFT 365

NOTE: I’ve had issues in the past connecting PowerShell to Microsoft 365. If you have problems then my post on converting Exchange 2010 hybrid to cloud might help.

1. Run Windows PowerShell as an administrator (right-click on PowerShell and choose run as administrator).

2. Set the execution policy by typing the following (add -Scope CurrentUser if you would rather not change it for the whole machine):

Set-ExecutionPolicy RemoteSigned

3. Enter your Microsoft 365 admin credentials into a variable:

$UserCredential = Get-Credential

4. Connect PowerShell to your Microsoft 365 tenant using the credentials stored in the variable in the previous step. Note that this is the old Basic authentication remote PowerShell session: Microsoft has since turned Basic authentication off for Exchange Online, and it never worked for accounts with MFA enabled. If the commands below fail to connect, install the ExchangeOnlineManagement module and use Connect-ExchangeOnline instead; the Get-Mailbox and New-MailboxRestoreRequest commands in the rest of this post are the same either way.

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking

RESTORE AN INACTIVE MAILBOX

Now that you are connected to the Microsoft 365 tenant, follow these commands to restore an inactive mailbox.

1. Find the identities of the inactive mailbox

Get-Mailbox -InactiveMailboxOnly | FT Name,ExchangeGuid,PrimarySmtpAddress

2. Create a variable with the details of the inactive mailbox

$InactiveMailbox = Get-Mailbox -InactiveMailboxOnly -Identity <identity of inactive mailbox>

Replace the above with the appropriate identity returned in the previous step. For example $InactiveMailbox = Get-Mailbox -InactiveMailboxOnly -Identity No.Face@DomainName.com. If the address has since been reused for someone else, or the user was deleted more than once, there can be more than one mailbox with that address; use the ExchangeGuid from step 1 as the identity instead so that you are certain which one you are restoring.

Now you have the choice of either restoring just the inactive mailbox or restoring both the inactive mailbox and its associated archive mailbox. You can also restore these to a new folder in the target mailbox (which is the neater option)…

RESTORE JUST THE MAILBOX

Enter the following command to restore just the primary mailbox (not the archive mailbox). The -AllowLegacyDNMismatch switch is needed because the source and target mailboxes belong to different users.

New-MailboxRestoreRequest -SourceMailbox $InactiveMailbox.DistinguishedName -TargetMailbox <mailbox address> -AllowLegacyDNMismatch

Replace the above with the target mailbox you want the inactive one to be merged into. For example New-MailboxRestoreRequest -SourceMailbox $InactiveMailbox.DistinguishedName -TargetMailbox My.Mailbox@DomainName.com -AllowLegacyDNMismatch

RESTORE THE ARCHIVE MAILBOX AS WELL

Enter the following command to restore the inactive mailbox’s archive into the target user’s archive. This request only copies the archive, so to restore both you run the primary mailbox command above first and then this one. The target mailbox must already have an archive enabled or the request will fail.

New-MailboxRestoreRequest -SourceMailbox $InactiveMailbox.DistinguishedName -SourceIsArchive -TargetMailbox <mailbox address> -TargetIsArchive -TargetRootFolder "Inactive Mailbox Archive" -AllowLegacyDNMismatch

Replace the above with the target mailbox you want the inactive archive merged into. For example New-MailboxRestoreRequest -SourceMailbox $InactiveMailbox.DistinguishedName -SourceIsArchive -TargetMailbox My.Mailbox@DomainName.com -TargetIsArchive -TargetRootFolder "Inactive Mailbox Archive" -AllowLegacyDNMismatch

RESTORE THE MAILBOX AND ARCHIVE MAILBOX TO A SEPARATE FOLDER (THE NEATER OPTION)

To restore the inactive mailbox content to a folder in the top-level of the target mailbox enter this

New-MailboxRestoreRequest -SourceMailbox $InactiveMailbox.DistinguishedName -TargetMailbox <mailbox address> -TargetRootFolder "Restored Inactive Mailbox" -AllowLegacyDNMismatch

Replace the above with the target mailbox; the result is that the user will have a new folder in their mailbox called ‘Restored Inactive Mailbox’ with the inactive mailbox contents inside it. For example New-MailboxRestoreRequest -SourceMailbox $InactiveMailbox.DistinguishedName -TargetMailbox My.Mailbox@DomainName.com -TargetRootFolder "Restored Inactive Mailbox" -AllowLegacyDNMismatch
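The whole procedure end to end, as an added example rather than the original post’s own commands: it connects with the ExchangeOnlineManagement module (Connect-ExchangeOnline, which replaces the Basic-auth session above), pins the inactive mailbox by ExchangeGuid rather than by address, restores the primary mailbox into its own folder, restores the archive only when both sides actually have one, polls the requests until they finish, and then confirms the inactive mailbox is still there on hold. admin@DomainName.com, No.Face@DomainName.com and My.Mailbox@DomainName.com are placeholder addresses.

```powershell
# Added example, not from the original post. Placeholder addresses throughout.
if (-not (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {
    Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser   # first time only
}
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@DomainName.com           # modern auth, MFA-capable

$SourceAddress = 'No.Face@DomainName.com'     # the leaver's inactive mailbox
$TargetAddress = 'My.Mailbox@DomainName.com'  # who gets the content

# 1. See what retention has actually kept
Get-Mailbox -InactiveMailboxOnly |
    Format-Table DisplayName, PrimarySmtpAddress, ExchangeGuid, WhenSoftDeleted -AutoSize

# 2. Pick the source by ExchangeGuid. An address can belong to several inactive mailboxes
#    (user deleted, recreated, deleted again) or to a current user, so refuse to guess.
$Candidates = @(Get-Mailbox -InactiveMailboxOnly | Where-Object { $_.PrimarySmtpAddress -eq $SourceAddress })
if ($Candidates.Count -ne 1) {
    throw "Expected exactly one inactive mailbox for $SourceAddress, found $($Candidates.Count); pick one by ExchangeGuid."
}
$Source = Get-Mailbox -InactiveMailboxOnly -Identity $Candidates[0].ExchangeGuid.ToString()
$Target = Get-Mailbox -Identity $TargetAddress
$Short  = $Source.ExchangeGuid.ToString('N').Substring(0, 8)   # keeps request names short and unique

# 3. Primary mailbox into its own top-level folder of the target (the "neater option")
New-MailboxRestoreRequest -Name "Restore-$Short-primary" `
    -SourceMailbox $Source.DistinguishedName `
    -TargetMailbox $Target.PrimarySmtpAddress `
    -TargetRootFolder "Restored Inactive Mailbox ($SourceAddress)" `
    -AllowLegacyDNMismatch | Out-Null

# 4. Archive as well, but only if the source has one and the target can receive it
if ($Source.ArchiveStatus -eq 'Active' -and $Target.ArchiveStatus -eq 'Active') {
    New-MailboxRestoreRequest -Name "Restore-$Short-archive" `
        -SourceMailbox $Source.DistinguishedName -SourceIsArchive `
        -TargetMailbox $Target.PrimarySmtpAddress -TargetIsArchive `
        -TargetRootFolder "Restored Inactive Archive ($SourceAddress)" `
        -AllowLegacyDNMismatch | Out-Null
} elseif ($Source.ArchiveStatus -eq 'Active') {
    Write-Warning "$SourceAddress has an archive but $TargetAddress does not; enable one (Enable-Mailbox -Archive) and rerun step 4."
}

# 5. Wait for the requests to finish; a Failed request carries the reason in Message
do {
    Start-Sleep -Seconds 30
    $Stats = Get-MailboxRestoreRequest -TargetMailbox $Target.PrimarySmtpAddress |
        Where-Object { $_.Name -like "Restore-$Short-*" } |
        Get-MailboxRestoreRequestStatistics
    $Stats | Format-Table Name, Status, PercentComplete, Message -AutoSize
} while ($Stats | Where-Object { "$($_.Status)" -notin 'Completed', 'CompletedWithWarning', 'Failed' })

# 6. A restore is a copy: the inactive mailbox is still inactive and still on hold
Get-Mailbox -InactiveMailboxOnly -Identity $Source.ExchangeGuid.ToString() |
    Format-List DisplayName, IsInactiveMailbox, LitigationHoldEnabled, InPlaceHolds

Disconnect-ExchangeOnline -Confirm:$false
```

Naming the requests explicitly matters when you restore several leavers into one shared mailbox: without -Name, Exchange auto-generates MailboxRestore, MailboxRestore1 and so on, and the status output in step 5 becomes impossible to match back to a source.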