What Happens During Archive Provisioning in Exchange Hybrid Environment

Things can sometimes get tricky when it comes to managing archives for migrated mailboxes in Exchange hybrid environments. In this blog post, we cover the details of what happens when you enable and disable the archive mailbox for a mailbox that has been migrated to Exchange Online, and some troubleshooting scenarios.

For synced users, all provisioning actions are initiated from on-premises and then synchronized to Exchange Online via Azure AD Connect.

  1. Enable-RemoteMailbox user@contoso.com -Archive
  2. Synchronize the changes to Exchange Online
  3. Run the following cmdlet in Exchange Online: Get-Mailbox user@contoso.com | fl *archive*

Archive provisioning flow

Here is a list of archive-related attributes for remote mailboxes in Exchange on-prem and the corresponding mailbox in Exchange Online, before enabling the archive mailbox:

Note: throughout this blog post, screenshots from the on-premises Exchange Management Shell have a black background and those from Exchange Online PowerShell have a blue background.

archiveprov01.jpg

archiveprov02.jpg

When you enable the archive mailbox using Enable-RemoteMailbox, this creates the ArchiveGuid, changes the ArchiveState to HostedPending, while ArchiveStatus remains set to None:

archiveprov03.jpg

After you run Delta sync to synchronize these changes to Exchange Online, an archive mailbox is provisioned using the ArchiveGUID and ArchiveName it receives from on-premises:

archiveprov04.jpg

archiveprov05.jpg

archiveprov06.jpg

Once the archive is provisioned, Exchange Online notifies the Azure AD by setting the msExchArchiveStatus attribute to 1 (Active), and the process has now successfully completed.

archiveprov07.jpg

Directory synchronization then takes this information from Azure AD and updates the corresponding on-premises object. The sync sets ArchiveState in on-premises to HostedProvisioned as shown below:

archiveprov08.jpg

To remove an archive mailbox, first check if there are any holds applied using the steps in How to Identify holds placed in Exchange Online mailbox. If any are found, they need to be removed before the archive can be deprovisioned.

Run Disable-RemoteMailbox <mailbox> -Archive from on-premises and wait for the changes to synchronize to Azure AD which involves passing the DeprovisionArchive status to the Exchange object and disabling the cloud archive.

RemoteRecipientType and archive properties (ArchiveGuid and ArchiveName) are the property values that trigger the change in the provisioning status of archive mailbox in a hybrid environment.

Archive deprovisioning/disablement flow

When an admin disables an archive using the on-premises Exchange admin center or Exchange Management Shell, this clears the ArchiveGUID and ArchiveName and writes the current ArchiveGUID value to DisabledArchiveGUID:

archiveprov09.jpg

Directory synchronization deletes ArchiveGUID and ArchiveName from the account in Azure AD.

archiveprov10.jpg

Exchange Online consumes these changes from Azure AD and disables the cloud archive by clearing the values for ArchiveGuid and ArchiveName:

archiveprov11.jpg

Issue 1: When you try to enable or disable an archive for mailboxes hosted in Exchange Online using Exchange Online management tools, you encounter the following error:

“The operation on Identity “<mailbox>” failed because out of the current user’s write scope. The action Disable-Mailbox/Enable-Mailbox, ‘Archive’, can’t be performed on the “<mailbox>” because the object is being synchronized from your on-premises organization. This action should be performed on the object in your on-premises organization”.

Cause: This occurs when you are synchronizing user objects from on-premises Active Directory using Azure AD Connect, and you are trying to change properties in Exchange Online which is not possible since the Source of Authority is on-premises Active Directory. You must manage the user’s properties in Active Directory and changes will be synchronized to Exchange Online.

Resolution: The correct way to do this is initiating the changes from on-premises Exchange environment and then letting them synchronize to Exchange Online.

If enabling archive:

  1. Run Enable-RemoteMailbox <mailbox> -Archive from on-premises.
  2. Run Delta sync.
  3. Verify that RemoteRecipientType has a value of ProvisionArchive. ArchiveGuid and ArchiveName will also appear with an ArchiveStatus of Active. If that is not the case, wait for the changes to sync to Exchange Online and check for any sync issues.

If disabling archive:

  1. Disable-RemoteMailbox <mailbox> -Archive from on-premises.
  2. Run Delta sync.
  3. Once the sync is complete, run the following command in Exchange Online PowerShell:
    • Get-Mailbox <mailbox>|fl *recipient*,*archive*
  4. Look for RemoteRecipientType –DeprovisionArchive. Also, ArchiveGuid and ArchiveName will be removed.

Admins may encounter validation errors that prevent them from provisioning an archive for a migrated mailbox after following the steps above. Probable reasons are:

  • A soft-deleted mailbox or mailuser with same archive GUID already exists in Microsoft 365 because they were not properly removed (for example, removing license from a user without clearing holds on their mailbox).
  • An inactive mailbox exists with the same archive GUID.

In this case, get rid of any conflicting objects and then the archive can be provisioned.

Issue 2: You are unable to disable an online archive, even when it shows as disabled on the corresponding on-premises object.

Cause: This occurs when the mailbox is on hold. Disabling the archive fails, and the admin will see this error.

archiveprov12.jpg

Resolution: To resolve this, remove all holds from the mailbox. See this article for more details.

Note: Removing holds from the mailbox may result in data being permanently deleted. Make sure you understand this to avoid possible unwanted data loss.

Issue 3: You get an ArchiveGUID mismatch error on affected user accounts in the Microsoft 365 admin center, which prevents changes like title/manager/HiddenFromGAL/proxyaddress on synced users object. You might see an error like the following:

Failed to Sync the Archive Guid <00000000-0000-0000-0000-000000000000> of mailbox because one cloud archive <guid> exists. 

Cause: This is due to the on-premises object being inconsistent with the cloud object. In this case, the on-premises object does not reflect a provisioned remote archive.

Resolution: To resolve this, configure the on-premises object to reflect a provisioned cloud archive and ensure the on-premises ArchiveGuid matched the cloud ArchiveGuid.

  1. Use the following command to set ArchvieGuid and ArchiveName:
    Get-RemoteMailbox user1@domain.com | Set-RemoteMailbox -ArchiveGuid “ <Archiveguid value from Exchange Online mailbox>” -ArchiveName “<same from Exchange Online mailbox>”
  2. Run Delta sync.

Issue 4: When you try to deprovision an archive, you receive this error:

ExchangeValidationError  “Failed to disable the archive of mailbox <guid> due to a conflict in directory settings. To disable this archive, first run Enable-RemoteMailbox -Archive on-premises. After the next Dirsync sync cycle, run Disable-RemoteMailbox -Archive on-premises to disable this archive “

Cause: This can occur when RemoteRecipientType in Exchange Online is out of sync with the on-premises object and has a DeprovisionArchive value from a recent archive deprovisioning.

Resolution: Enable the archive from on-premises and run Delta sync. This will reset RemoteRecipientType to “provisionArchive” in Exchange Online.

IMPORTANT: Make sure to confirm RemoteRecipientType as ProvisionArchive in Exchange Online.

After that, disable the archive from on-premises and run Delta sync. Exchange Online will pick up those changes and disable the cloud archive.

We hope you find this information helpful!

Thanks, Darshana Rana for reviewing this post.

Hitesh Sharma and Neha Kapoor


Source link

Share this post via

Leave a Reply