This is a somewhat niche issue, which is why I'm documenting it here.
Scenario
- Exchange migration to Exchange Online, which I came into approximately 75% of the way through, so I have no history on why some things were done (and there is no useful documentation)
- Tenant-wide retention policies are in place for all data (a legislative requirement for this client, I'm led to believe)
- Identity sync via Azure AD Connect (AADConnect)
- Some mailboxes cannot be moved. The PowerShell error from New-MoveRequest indicates that the identity is not unique
Investigation
- Start by looking at the sync errors on the Azure AD object:
- Connect-MsolService
- (Get-MsolUser -UserPrincipalName identity@goes.here.com).Errors.ErrorDetail.ObjectErrors.ErrorRecord | fl ErrorCode
- The output will likely look something like this:
- The value "<guid-value>" of property "ArchiveGuid" is used by another recipient object. Please specify a unique value.
- Next, look at the potential duplicate objects in Exchange Online, including soft-deleted recipients:
- Connect-ExchangeOnline
- Get-Recipient -Identity <identity> -IncludeSoftDeletedRecipients
- This will likely show two (or more) mail user objects
- To confirm the soft-deleted mail user object and read its GUIDs, use
- Get-MailUser -ResultSize Unlimited -SoftDeletedMailUser -Identity <identity> | fl *guid*
- Notice that the ArchiveGuid returned is the same as the ArchiveGuid in the Get-MsolUser error retrieved earlier in the investigation
- If you then try the obvious next step, removing the soft-deleted mail user
- Get-MailUser -Identity <identity> -SoftDeletedMailUser | Remove-MailUser
- you will get an error similar to
- Remove-MailUser: The operation couldn't be performed because object 'Soft Deleted Objects\<identity>' couldn't be found on 'SYBPR01A004DC01.AUSPR01A004.PROD.OUTLOOK.COM'
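The investigation steps above, gathered into one script so the evidence for the support case can be collected in a single run. This is an added example, not code from the original post. It assumes the MSOnline and ExchangeOnlineManagement modules are installed and that Connect-MsolService and Connect-ExchangeOnline have already been run in the session; $Upn is the stuck identity. The GUID regex is a general pattern and will pick up any GUID in the error text, not only an ArchiveGuid, so the script reports which property the error names alongside each match.

```powershell
# Added example: correlate the Azure AD sync error with soft-deleted mail users.
# Assumes an existing Connect-MsolService and Connect-ExchangeOnline session.
param(
    [Parameter(Mandatory)] [string] $Upn   # the identity New-MoveRequest rejects
)

# 1. Pull the directory-sync error records for the object.
$records = @((Get-MsolUser -UserPrincipalName $Upn).Errors.ErrorDetail.ObjectErrors.ErrorRecord)
if ($records.Count -eq 0) {
    Write-Warning "No sync errors recorded on $Upn"
    return
}
"=== Azure AD sync errors for $Upn ==="
$records | Format-List ErrorCode, ErrorDescription

# 2. Extract every GUID mentioned in the error text (code and description),
#    lower-cased so they compare cleanly against Exchange's ArchiveGuid values.
$guidPattern   = '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'
$errorText     = $records | ForEach-Object { "$($_.ErrorCode) $($_.ErrorDescription)" }
$conflictGuids = @($errorText |
    ForEach-Object { [regex]::Matches($_, $guidPattern) } |
    ForEach-Object { $_.Value.ToLower() } |
    Sort-Object -Unique)
"=== GUIDs named in the sync error ==="
$conflictGuids

# 3. Every recipient, live or soft-deleted, that resolves to this identity.
#    Two or more rows here is the symptom described in the post.
"=== Recipients (including soft-deleted) matching $Upn ==="
Get-Recipient -Identity $Upn -IncludeSoftDeletedRecipients |
    Format-Table Name, RecipientTypeDetails, *Guid* -AutoSize

# 4. Check each soft-deleted mail user for an ArchiveGuid that the error names.
$softDeleted = @(Get-MailUser -ResultSize Unlimited -SoftDeletedMailUser -Identity $Upn)
$matches     = @()
foreach ($mu in $softDeleted) {
    $archiveGuid = "$($mu.ArchiveGuid)".ToLower()
    if ($conflictGuids -contains $archiveGuid) {
        $matches += $mu
        "MATCH: soft-deleted mail user '$($mu.Name)' holds ArchiveGuid $archiveGuid, the value the sync error complains about"
        $mu | Format-List Name, Identity, *Guid*, *Deleted*, ArchiveStatus
    }
}
if ($matches.Count -eq 0) {
    Write-Warning "No soft-deleted mail user for $Upn carries a GUID named in the sync error; the conflict is elsewhere"
}
```

Run it as `.\Find-ArchiveGuidConflict.ps1 -Upn identity@goes.here.com` (the file name is arbitrary) and attach the output to the support request; it shows the sync error, the duplicate recipients and the matching ArchiveGuid in one place. The script deliberately stops short of Remove-MailUser, since, as the post goes on to explain, that step fails for these objects and only support can clear them.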
Now, I know what you're thinking: "just exclude the mailbox from the retention policy". Therein lies the issue: there is no mailbox, only a mail user object, but with an archive mailbox that the retention policy has kept after the primary mailbox was removed. It is then, to my knowledge, impossible to exclude that archive mailbox from retention, as it is associated with a mail user, not a mailbox.
As to how these identities got into this state, I have absolutely no idea. I wasn't around for the earlier parts of the project, but given some other things I've seen at the client, standardisation and documentation appear to be frowned upon (which is why I'm getting out ASAP).
Solution
The unfortunate solution is to log a call with Microsoft 365 support.
I included all of the above information in my original support request and was still asked to run a "Get-Mailbox". I included all the information again (and again, and again, and over a Teams call showed them the exact same errors and data I had sent them), and eventually they got the point (it took approximately 15 business days) and escalated it to an internal team, who deleted the objects.
Unfortunately I can't post the case number for reference (as it would potentially identify the client), but pointing Microsoft support at this article might speed up the process for others. Ideally there would be a way around this without engaging support, but as far as I'm aware there is not, as of June 2023.