You can use the following methods to make the Active Directory logon account inaccessible and to remove the mailbox from the address book. To make sure that the mailbox continues to receive email and is discoverable in Exchange Admin Center (EAC), do one of the following:
- Hide the account from the address book.
- Logon-disable the account.
- Filter the source object (for example, extensionAttribute10=NoSync).
- Move the source object into an organizational unit that is not in MMSSPP scope (for example, OU=DisabledUsers).
- Use the explicit deprovisioning attribute (for example, extensionAttribute3=RemoveMSOMailbox).
- Clear all mail attribute values from the source object (mail, mailNickname, proxies, targetAddress).
If the account has been deleted, you can use Automatic Service Reconnection (ASR) to reconnect the mailbox. Here are some considerations and limitations to be aware of:
- ASR can be used for reconnection only while the mailbox is in a Pending Deletions state. (For current users, this is three days or less. For new customers, it's 30 days.)
- If the DeleteNow feature is used in ASR, or if the pending deletion time has passed, the mailbox will be in a disconnected state and cannot be recovered unless the original logon account is restored in the customer’s directory (by using an authoritative Active Directory restore).
- For ASR reconnection, users must know the source Active Directory object GUID of the original account. This value is visible on the managed PendingDeletion object as ms-msCustomerObjectGUIDString.
- There is a secondary gate for ASR (typically the mail attribute) that must match the mailbox.
- Create temporary or surrogate accounts that are out of scope or that are filtered by MMSSPP.
- Change the extension attribute for ASR on the temp account that has the object GUID of the original Active Directory account.
- Change the secondary gate attribute (mail) to match the mailbox.
- Add an appropriate target address.
- Remove the filter, or move the account into scope.
- The ASR process will complete during the next sync.
- Complete a discovery search of the mailbox, and download it to a .pst file.
- Remove the object from scope, and clean up the attributes.
For more information, see the O365D-ITAR provisioning handbook.
Article ID: 2919831 - Last Review: 9 Jan 2014 - Revision: 1