Exchange Hybrid mode – The value [ArchiveGUID] of property “ArchiveGuid” is used by another recipient object. Please specify a unique value

exchange-hybrid

We are running Exchange Hybrid Mode with remote mailbox and archive in M365. One of our employees left many months ago and so their mailbox went to soft deletion/retention. Their AD object was only disabled (never deleted), so when it got restored and synced back through Entra Connect, a new M365 user with the same alias but an (empty) mailbox was created (which was fine).

Our issue is that the AD user still has the prior msExchArchiveGUID for the user, and this archive is still soft deleted in EOL, but again, the user in M365 is a different version of the user. I need to figure out how to tell AD to create a new (empty) archive for the M365 user now active.

Details:

In EAC:

If I run: Get-RemoteMailbox returningUser | fl displayname, ArchiveGuid it reports from the msExchArchiveGUID property in AD:

ArchiveGuid : some-legit-archive-guid-number

In EOL:

If I run: Get-Mailbox returningUser | fl archiveguid I get:

ArchiveGuid : 00000000-0000-0000-0000-000000000000

However, if I run: Get-EXOMailbox -SoftDeletedMailbox -Archive | where { $_.alias -eq 'returningUser' } | select Guid

I get:

Guid 
---
some-legit-archive-guid-number

What I've tried: Deleting the Hybrid-based archive, syncing, then re-adding:

In EAC: Disable-RemoteMailbox returningUser -Archive, run Entra Connect, everything looks good. msExchArchiveGUID in AD is empty. When I run Enable-RemoteMailbox returningUser -Archive the pesky prior msExchArchiveGUID returns.

I've read a lot of examples of mismatches where the solution is telling EAC to use the EOL version of the Archive GUID, but in this case it seems to be that EOL can't use the EAC version of the GUID because it's soft deleted and tied to a prior artifact user.

If anyone knows how to tell EAC to stop looking (wherever it is looking) for that prior ArchiveGUID and just issue a new archive, I'd be grateful!

Thanks!

Last note: If I run this:

Get-MsolUser -HasErrorsOnly | fl DisplayName,UserPrincipalName,@{Name="Error";Expression={($_.errors[0].ErrorDetail.objecterrors.errorrecord.ErrorDescription)}}

The error is:

{The value "some-legit-archive-guid-number" of 
property "ArchiveGuid" is used by another recipient object. 
Please specify a unique value.}

(aka same soft deleted GUID)

Best Answer

The resolution ended up requiring a direct change to AD object attributes:

While EAC had the mailbox archive enabled, I had to go directly into the AD object attributes and clear out:

  1. msExchArchiveGUID
  2. msExchArchiveName
  3. msExchArchiveStatus (set to 0)

Then when the sync ran, it created a new error:

Failed to enable the new cloud archive 00000000-0000-0000-0000-000000000000 of mailbox
some-mailbox-guid-id because a different archive [new-archive-guid-id] exists. 
To enable the new archive, first disable the archive on-premises. 
After the next Dirsync sync cycle, enable the archive on-premises again.

Once this error came up, I went to a Guid to hexadecimal converter and converted the [new-archive-guid-id] to hexadecimal.

Finally, I went back into AD and:

  1. msExchArchiveGUID <-- new hexadecimal value
  2. msExchArchiveName <-- original archive name
  3. msExchArchiveStatus (set to 1)

For whatever reason it was not enough to disable the archive in EAC - they had to be cleared while the archive was "on" / perform the sync.

I also had to keep running:

Get-MsolUser -HasErrorsOnly | fl DisplayName,UserPrincipalName,@{Name="Error";Expression={($_.errors[0].ErrorDetail.objecterrors.errorrecord.ErrorDescription)}}

during these steps in order to track the error status between forced Entra Connect syncs.

If anyone knows the MSGraph PowerShell equivalent of this Get-MsolUser command, it would be great to learn. Thanks!
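
The answer above converts the new archive GUID to hexadecimal before writing it to msExchArchiveGUID. As an added example (not code from the original post), the PowerShell below does that conversion locally and round-trips the result; the function names and the sample GUID are constructed for illustration. It relies on the byte order of .NET's Guid.ToByteArray(), where the first three GUID fields are little-endian, so the hex is not simply the GUID string with the dashes removed.

```powershell
# Added example: function names are hypothetical, the sample GUID is constructed.

function ConvertTo-AdGuidHex {
    # GUID string -> the 16 bytes (and spaced hex) as stored in an AD octet-string attribute
    param([Parameter(Mandatory)][string]$Guid)

    $parsed = [guid]::Empty
    if (-not [guid]::TryParse($Guid, [ref]$parsed)) {
        throw "Not a valid GUID: $Guid"
    }
    if ($parsed -eq [guid]::Empty) {
        # 00000000-... is the "no archive" placeholder seen in the sync error, never a real archive
        throw "Refusing to convert the all-zero GUID"
    }

    # ToByteArray() emits Data1/Data2/Data3 little-endian and the last 8 bytes as written
    $bytes = $parsed.ToByteArray()
    [pscustomobject]@{
        Guid  = $parsed
        Bytes = $bytes
        Hex   = ($bytes | ForEach-Object { $_.ToString('X2') }) -join ' '
    }
}

function ConvertFrom-AdGuidHex {
    # Spaced or unspaced hex copied from the attribute -> GUID, for checking what AD holds
    param([Parameter(Mandatory)][string]$Hex)

    $clean = $Hex -replace '[^0-9A-Fa-f]', ''
    if ($clean.Length -ne 32) {
        throw "Expected 16 bytes (32 hex digits), got $($clean.Length) digits"
    }
    $bytes = [byte[]]::new(16)
    for ($i = 0; $i -lt 16; $i++) {
        $bytes[$i] = [Convert]::ToByte($clean.Substring($i * 2, 2), 16)
    }
    [guid]::new([byte[]]$bytes)
}

# Constructed sample; substitute the [new-archive-guid-id] from the sync error
$sample = '00112233-4455-6677-8899-aabbccddeeff'
$converted = ConvertTo-AdGuidHex -Guid $sample
$converted.Hex

# Round-trip: the hex must decode back to the GUID you started with
if ((ConvertFrom-AdGuidHex -Hex $converted.Hex) -ne [guid]$sample) {
    throw 'Round-trip mismatch: do not write this value to AD'
}
```

ConvertFrom-AdGuidHex can also be pointed at the hex currently shown for msExchArchiveGUID to confirm which archive GUID the on-premises object references before and after each sync.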
