
How to troubleshoot deleted user accounts in Office 365, Azure, and Intune

PROBLEM
A user account is accidentally deleted from Microsoft Office 365, Microsoft Azure, or Microsoft Intune and has to be restored.
CAUSE
Office 365 user accounts can be deleted in any of the following ways:
  • User accounts can be manually deleted by using the Office 365 portal.
  • User accounts can be manually deleted by using the Azure portal.
  • User accounts can be manually deleted or deleted through a script by using Microsoft Azure Active Directory Module for Windows PowerShell.
  • User accounts can be manually deleted by using the Exchange admin center in Exchange Online.
  • User accounts can be deleted through a synchronized deletion if directory synchronization filtering changes exclude the on-premises Active Directory user object from the synchronization set. (Directory synchronization filtering changes are also known as scoping.)
  • User accounts can be deleted through a synchronized deletion if the on-premises user object was deleted from the on-premises Active Directory schema.
  • User accounts can be deleted by using an API (for example, Graph API).
SOLUTION

Before you start

When a user object is deleted, it's not immediately and completely removed from Azure Active Directory (Azure AD). The user object is put in a deleted state and no longer appears in the user list. However, it can be recovered for an organization within 30 days. To determine whether a user object is eligible to be recovered from a deleted state, follow these steps:
  1. In the Office 365 portal, look up user accounts that were deleted through the portal. To do this, follow these steps:
    1. Sign in to the Office 365 portal (https://portal.office.com) by using administrative credentials.
    2. Click Users, and then click Deleted Users.
    3. Look for the user whom you want to recover.
  2. Using Azure Active Directory Module for Windows PowerShell, follow these steps:
    1. Click Start, click All Programs, click Windows Azure Active Directory, and then click Windows Azure Active Directory Module for Windows PowerShell.
    2. Type the following commands in the order in which they are presented. Make sure that you press Enter after you type each command.
      • $cred = get-credential
        Note When you're prompted, enter your Office 365 credentials.
      • Connect-MSOLService -credential:$cred
      • Get-MsolUser -ReturnDeletedUsers
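The eligibility check above, scripted as an added example (not part of the article): it connects with the same MSOnline cmdlets the article uses, lists the soft-deleted users, and reports how many of the 30 days remain for each so an administrator can see at a glance which accounts can still be restored. The SoftDeletionTimestamp property name and the usera@contoso.com value are assumptions, not taken from the article.

```powershell
# Added example (not from the article): enumerate soft-deleted Office 365 users and
# report how many days remain in the 30-day recovery window for each.
# Assumes the MSOnline module is installed; SoftDeletionTimestamp is assumed to be the
# deletion-time property on the objects that Get-MsolUser -ReturnDeletedUsers returns.

$RecoveryWindowDays = 30   # recovery window stated in the article

$cred = Get-Credential      # prompts for Office 365 administrative credentials
Connect-MsolService -Credential $cred

function Get-RecoverableUser {
    param(
        # Optional UPN to look for; omit it to list every soft-deleted user
        [string]$UserPrincipalName
    )

    # -All avoids the default page limit on large tenants
    $deleted = Get-MsolUser -ReturnDeletedUsers -All
    if ($UserPrincipalName) {
        $deleted = $deleted | Where-Object { $_.UserPrincipalName -eq $UserPrincipalName }
    }

    foreach ($u in $deleted) {
        # Deadline after which the object is purged and no longer restorable
        $deadline = $u.SoftDeletionTimestamp.AddDays($RecoveryWindowDays)
        $daysLeft = [math]::Floor(($deadline - [datetime]::UtcNow).TotalDays)
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            ObjectId          = $u.ObjectId
            DeletedOn         = $u.SoftDeletionTimestamp
            DaysRemaining     = $daysLeft
            Recoverable       = ($daysLeft -ge 0)
        }
    }
}

# Usage: list everything with the soonest deadlines first, or check a single account
# (placeholder UPN) before attempting Restore-MsolUser
Get-RecoverableUser | Sort-Object DaysRemaining | Format-Table -AutoSize
Get-RecoverableUser -UserPrincipalName 'usera@contoso.com'
```

ObjectId is included in the output because Restore-MsolUser accepts it directly, which avoids ambiguity when the UPN has since been reused by another account.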

Resolution 1: Use the Office 365 portal or the Azure Active Directory Module for Windows PowerShell to recover a deleted user account

To recover a user account that was deleted manually, use one of the following methods:
  • Use the Office 365 portal to recover the user account. For more information about how to do this, see Delete or restore users.
  • Use the Azure Active Directory Module for Windows PowerShell to recover the user account. To do this, type one of the following commands, and then press Enter:
    • Restore-MsolUser -ObjectId <Guid> -AutoReconcileProxyConflicts -NewUserPrincipalName <string>
    • Restore-MsolUser -UserPrincipalName <string> -AutoReconcileProxyConflicts -NewUserPrincipalName <string>


      In these commands, the following conventions are used:
      • The UserPrincipalName and ObjectID parameters uniquely identify the user object to be restored.
      • The AutoReconcileProxyConflicts parameter is optional and is used in scenarios in which another user object is granted the target user object's proxy address after that address was deleted.
      • The NewUserPrincipalName parameter is optionally used in scenarios in which another user object is granted the target user object’s user principal name (UPN) after that UPN was deleted.

Resolution 2: Recover a user account that was deleted because directory synchronization filtering (scoping) changes exclude the on-premises Active Directory user object

To recover deleted user accounts, make sure that directory synchronization filtering is set in such a way that the scope includes the objects that you want to recover. For more information, go to the following Microsoft website:

Resolution 3: Recover a user account that was deleted because the on-premises user object was deleted from the on-premises Active Directory schema

To recover an item that was deleted from the on-premises Active Directory schema, follow these steps:
  1. Try to restore the deleted item from the Active Directory recycle bin. For more information about how to do this, go to the following Microsoft website:
    Notes
    • The Active Directory recycle bin is available only with the functional level of Windows 2008 R2 or later versions.
    • For the Active Directory recycle bin to be useful in recovering an item, it must be enabled before the item is deleted.
  2. If the Active Directory recycle bin is unavailable, or if the object in question is no longer in the recycle bin, try to recover the deleted item by using the AdRestore tool. To do this, follow these steps:
    1. Install the AdRestore tool from the following Microsoft TechNet website:
    2. Use AdRestore together with a search filter to locate the deleted on-premises user object.

      The following is an example of how to use AdRestore to enumerate all user objects that have a "UserA" string in their name:
      C:\>adrestore.exe UserA

      AdRestore v1.1 by Mark Russinovich
      Sysinternals - www.sysinternals.com

      Enumerating domain deleted objects:
      cn: MailboxA
      DEL:3c45a0ae-ebc5-490d-a4b4-4b20d3e34a3f
      distinguishedName: CN=UserA\0ADEL:3c45a0ae-ebc5-490d-a4b4-4b20d3e34a3f,CN=Deleted Objects,DC=Domain,DC=com
      lastKnownParent: OU=OnPremises,DC=Domain,DC=com

      Found 1 item matching search criteria.
    3. Use AdRestore together with the -r switch to restore the user object.

      The following is an example of how to use AdRestore to restore the UserA object:
      C:\>adrestore.exe Usera -r

      AdRestore v1.1 by Mark Russinovich
      Sysinternals - www.sysinternals.com

      Enumerating domain deleted objects:
      cn: UserA
      DEL:3c45a0ae-ebc5-490d-a4b4-4b20d3e34a3f
      distinguishedName: CN=MailboxA\0ADEL:3c45a0ae-ebc5-490d-a4b4-4b20d3e34a3f,CN=Deleted Objects,DC=Domain,DC=com
      lastKnownParent: OU=OnPremises,DC=Domain,DC=com

      Do you want to restore this object (y/n)? y
      Restore succeeded.

      Found 1 item matching search criteria.
    4. Enable the user object in Active Directory. When the object is restored, it's disabled at first. Therefore, you have to enable it. If it's necessary, first reset the user object’s password, and then enable the user object in Active Directory Users and Computers.

      To enable the user object in Active Directory Users and Computers, follow these steps:
      1. In Active Directory Users and Computers, right-click the user, and then click Reset Password.
      2. Enter a new password in the New password and Confirm password boxes, and then click OK.
      3. Right-click the user, click Enable Account, and then click OK.

        Screen shot of Enable account in Active Directory
        You receive the following error message. (This error message is expected.)
        Windows cannot enable object <MailboxName> because:
        Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain.
        After you receive this error message, reset the user's password in Active Directory Users and Computers.
    5. Configure the user logon name. The user logon name (also known as the user principal name, or UPN) isn't set from the restored user object. You have to update the user logon name, especially if the user is a federated account.

      To configure the user logon name, follow these steps:
      1. In Active Directory Users and Computers, right-click the user, and then click Properties.
      2. Click Account, enter a name in the User logon name box, and then click OK.
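The on-premises procedure in resolution 3, scripted as an added example that is not part of the article: it recovers the user from the Active Directory recycle bin (the article's step 1) and then applies the follow-up steps the article gives for the AdRestore path (reset the password, enable the account, set the user logon name). Those follow-up steps are applied conditionally, because a tombstone reanimation with AdRestore brings the object back disabled with no UPN, whereas a recycle bin restore normally preserves both. The ActiveDirectory module cmdlets are real; the function names, the UserA sample and the contoso.com UPN are assumptions.

```powershell
# Added example (not from the article). Assumes the ActiveDirectory PowerShell module and
# a recycle bin that was enabled before the deletion. UserA / usera@contoso.com are placeholders.
Import-Module ActiveDirectory

function Repair-RestoredUser {
    # Steps 4 and 5 of the article: run after either Restore-ADObject or AdRestore -r.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][securestring]$NewPassword
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties userPrincipalName

    if (-not $user.Enabled) {
        # A reanimated tombstone is disabled and its password no longer satisfies domain
        # policy, so the reset must come before Enable-ADAccount (the article's expected error).
        Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $NewPassword
        Enable-ADAccount -Identity $SamAccountName
    }

    if ($user.UserPrincipalName -ne $UserPrincipalName) {
        # The user logon name is not restored from a tombstone; set it explicitly, which
        # matters for federated sign-in and for the next directory synchronization cycle.
        Set-ADUser -Identity $SamAccountName -UserPrincipalName $UserPrincipalName
    }

    Get-ADUser -Identity $SamAccountName -Properties userPrincipalName |
        Select-Object SamAccountName, Enabled, UserPrincipalName, DistinguishedName
}

function Restore-OnPremUser {
    # Step 1 of the article (recycle bin) followed by the fix-ups above.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][securestring]$NewPassword
    )

    # Deleted objects carry isDeleted=TRUE under CN=Deleted Objects and are only visible
    # with -IncludeDeletedObjects. sAMAccountName is one of the attributes preserved on deletion.
    $candidates = @(Get-ADObject -IncludeDeletedObjects -Properties sAMAccountName, lastKnownParent `
        -Filter { isDeleted -eq $true -and objectClass -eq 'user' -and sAMAccountName -eq $SamAccountName })

    if ($candidates.Count -ne 1) {
        throw "Expected exactly one deleted user '$SamAccountName', found $($candidates.Count); refine the search before restoring."
    }
    $obj = $candidates[0]
    Write-Verbose "Restoring $($obj.DistinguishedName) to $($obj.lastKnownParent)"

    # Restore-ADObject puts the object back under its last known parent; it fails if that
    # OU itself was deleted, in which case restore the OU first.
    Restore-ADObject -Identity $obj.ObjectGUID

    Repair-RestoredUser -SamAccountName $SamAccountName -UserPrincipalName $UserPrincipalName -NewPassword $NewPassword
}

# Usage (placeholders):
# $pw = Read-Host -AsSecureString 'New password for UserA'
# Restore-OnPremUser -SamAccountName 'UserA' -UserPrincipalName 'usera@contoso.com' -NewPassword $pw -Verbose
```

Restricting the filter to objectClass user and refusing to proceed unless exactly one object matches is deliberate: the AdRestore output in the article shows that a loose name search can return more than one tombstone, and restoring the wrong one creates a second object to clean up.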
Finally, if you can't recover the deleted user account through the Active Directory recycle bin or by using the AdRestore tool, perform an authoritative restore of the deleted user objects in Active Directory.

Warning Make sure that only the user objects that you want to restore are marked as authoritative. Active Directory objects that are marked as authoritative in the restore process may cause many Active Directory service issues.

For more information about how to perform an authoritative restore of Active Directory objects, go to the following Microsoft website:
Warning Objects that are restored by using resolution 3 may not have all service attributes (Exchange Online, Skype for Business Online (formerly Lync Online), and so on) automatically repopulated after the restore action. Use the appropriate service management tools to repopulate the on-premises object attributes before the next directory synchronization interval propagates the restore action to the cloud directory.

For example, for an object that was formerly mail-enabled in Exchange Online, you may want to use Windows PowerShell cmdlets to repopulate the Exchange Online attributes. In the following example, the User1 object is repopulated with Exchange Online attributes for the contoso.onmicrosoft.com tenant:
Enable-RemoteMailbox -Identity User1 -RemoteRoutingAddress user1@contoso.mail.onmicrosoft.com
If the following conditions are true, resolution 3 won't work:
  • Restoring the object by using the Active Directory recycle bin isn't an available option.
  • Restoring the object by using the AdRestore tool isn't an available option.
  • Active Directory authoritative restoring isn't an available option.
In this situation, contact Office 365 Support for help.
MORE INFORMATION
Changes that are made to a domain or to a user object in Office 365 after a user account is deleted and before the user account is recovered can affect the user experience after recovery. After user deletion and before user recovery, the following events may occur:
  • A new user is created who uses a unique user ID value that was formerly assigned to the deleted user.
  • A new user is created who uses a unique email address value that was formerly assigned to the deleted user.
When these conflicts occur, conflicting attributes must be updated to remove the conflict before user recovery can be completed. If a conflict occurs during user recovery, the user will experience one of the following symptoms when a user recovery is tried:
  • Windows PowerShell returns one of the following error messages:

    Error message 1
    Restore-MsolUser : The specified user account cannot be restored because of the following error: Error Type UserPrincipalName
    Error message 2
    Restore-MsolUser : The specified user account cannot be restored because of the following error: Error Type proxyAddress
    To restore users who are in this state, you can correct the conflict by using the following parameters when you run the Restore-MSOLUser cmdlet:
    • AutoReconcileProxyConflicts
    • NewUserPrincipalName
    Note When you use the AutoReconcileProxyConflicts parameter, any conflicting email addresses are removed from the deleted user before you continue with the recovery process.
  • The Office 365 portal shows the equivalent error messages for the same conflict states that the Windows PowerShell errors above report. For example, you see the following:

    Screen shot of user name conflict page

    To restore users who are in this state, complete the form, and make sure that you specify how you want to correct the conflict.
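An added example (not part of the article) that puts resolution 1 and the conflict handling described in this section together: it checks whether the deleted user's UPN or proxy addresses have been given to a live user since the deletion, then runs Restore-MsolUser with exactly the parameters from the article that those conflicts require, and maps the two error texts quoted above to the parameter that resolves them if a conflict still slips through. The cmdlets and parameters are the ones on this page; the function name, its -NewUpn and -ReconcileProxyConflicts switches, and the contoso.com names are assumptions. Assumes an existing MSOnline session (Connect-MsolService).

```powershell
# Added example (not from the article): restore a soft-deleted Office 365 user, resolving
# the UPN and proxy-address conflicts the article describes before they cause a failure.
function Restore-DeletedMsolUser {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        # Replacement UPN to assign if the original one is now held by a live user
        [string]$NewUpn,
        # Opt in to stripping conflicting email addresses from the deleted object
        # (the article notes AutoReconcileProxyConflicts removes them before the restore)
        [switch]$ReconcileProxyConflicts
    )

    $deleted = Get-MsolUser -ReturnDeletedUsers -All |
        Where-Object { $_.UserPrincipalName -eq $UserPrincipalName }
    if (-not $deleted) {
        throw "No soft-deleted user '$UserPrincipalName' found; it may be past the 30-day window."
    }

    # Conflict 1: has the UPN been reassigned to a live user since the deletion?
    $upnHolder = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction SilentlyContinue

    # Conflict 2: does any live user now hold one of the deleted user's proxy addresses?
    # (Get-MsolUser -All walks the whole tenant; acceptable for an occasional recovery.)
    $deletedProxies = @($deleted.ProxyAddresses)
    $proxyHolders = Get-MsolUser -All | Where-Object {
        $live = $_
        @($deletedProxies | Where-Object { $live.ProxyAddresses -contains $_ }).Count -gt 0
    }

    # Build the Restore-MsolUser call from what was actually found, so that the
    # destructive proxy reconciliation is only used when it is needed and was opted into.
    $params = @{ ObjectId = $deleted.ObjectId }
    if ($upnHolder) {
        if (-not $NewUpn) {
            throw "UPN '$UserPrincipalName' is held by live user $($upnHolder.ObjectId); re-run with -NewUpn."
        }
        $params.NewUserPrincipalName = $NewUpn
    }
    if ($proxyHolders) {
        if (-not $ReconcileProxyConflicts) {
            throw "Proxy address conflict with: $($proxyHolders.UserPrincipalName -join ', '); review, then re-run with -ReconcileProxyConflicts."
        }
        $params.AutoReconcileProxyConflicts = $true
    }

    Write-Verbose "Restore-MsolUser parameters: $($params.Keys -join ', ')"
    try {
        Restore-MsolUser @params -ErrorAction Stop
    }
    catch {
        # The two error texts quoted in the article, mapped to their remedy
        switch -Wildcard ($_.Exception.Message) {
            '*Error Type UserPrincipalName*' { throw "UPN conflict reported by the service; re-run with -NewUpn." }
            '*Error Type proxyAddress*'      { throw "Proxy address conflict reported by the service; re-run with -ReconcileProxyConflicts." }
            default                          { throw }
        }
    }
}

# Usage (placeholder names): first attempt without reconciliation so that conflicts are
# surfaced for review; only then re-run with the resolving parameters.
# Restore-DeletedMsolUser -UserPrincipalName 'usera@contoso.com' -Verbose
# Restore-DeletedMsolUser -UserPrincipalName 'usera@contoso.com' -NewUpn 'usera.restored@contoso.com' -ReconcileProxyConflicts
```

Requiring an explicit -ReconcileProxyConflicts rather than always passing AutoReconcileProxyConflicts keeps the address removal a reviewed decision: the addresses that get stripped are exactly the ones mail for the restored user would otherwise have arrived at.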

Still need help? Go to the Office 365 Community website or the Azure Active Directory Forums website.
Properties

Article ID: 2619308 - Last Review: 08/14/2015 22:57:00 - Revision: 22.0

Microsoft Office 365, Microsoft Intune, Microsoft Azure Cloud Services, Microsoft Azure Active Directory, Office 365 User and Domain Management
