Recovering a mailbox in an Exchange Hybrid Environment

In a hybrid environment a user account can be of two types:

a) User account which is managed in Cloud

b) User account which is synced from on-premise Active Directory

In the first case, if the user account and its corresponding mailbox are deleted (soft delete), they can be restored from O365 itself, from the Deleted Users section. By default, the retention period configured for an Exchange Online mailbox is 14 days. You can extend this up to a maximum of 30 days.

To check the configured retention period through Exchange Online PowerShell, use the cmdlet: Get-Mailbox | FL RetainDeletedItemsFor

To change the retention period value to a maximum of 30 days, use: Set-Mailbox -Identity "Name" -RetainDeletedItemsFor 30

However, in the latter case, if the user account and its corresponding mailbox are deleted, the user account should be restored in the on-premises AD first. The mailbox will automatically re-attach later, after directory synchronization.

In the scenario we are about to discuss, we will be merging the contents of a disconnected mailbox into a new mailbox in Exchange Online. So let's start:

We have a disconnected source mailbox in Exchange Online now. A new AD user account and remote mailbox were provisioned. This will be the target mailbox.

Note: You may think that instead of provisioning a new mailbox, we could have attached the disconnected mailbox to the new AD account. But it does not work that way, because the GUID of the old account will be different from the one created now and will result in issues.

  • The next step is to identify the GUID of the soft-deleted mailbox and the target mailbox. For this you will have to connect to Exchange Online through PowerShell first. You can refer here to connect to Exchange Online.

Once connected, use the following cmdlets:

For the soft-deleted mailbox: Get-Mailbox -SoftDeletedMailbox -Identity "Name" | fl

For the target mailbox: Get-MailboxStatistics -Identity "Name" | fl

  • Now, run the cmdlet to restore the mailbox: New-MailboxRestoreRequest -SourceMailbox "GUID" -TargetMailbox "GUID"

You can also restore the archive mailboxes: New-MailboxRestoreRequest -SourceMailbox "GUID" -SourceIsArchive -TargetMailbox "GUID" -TargetIsArchive

If you need to restore both the regular mailbox and the archive, run both commands one after the other.

Reference : http://blogs.technet.com/b/exchange/archive/2015/01/13/a-better-way-to-recover-a-mailbox.aspx

Configuring Impersonation rights in Exchange 2010

Recently, the IT team decided to try out a third-party add-on that supports Exchange Online with the Outlook client. In order to configure this add-on on the server, one of the requirements was to configure a service account to impersonate the users in a Distribution Group. This post provides the steps to achieve the same.

Starting from Exchange 2010, the permission model being used is called Role Based Access Control (RBAC) which allows fine-grained as well as easy control over the level of permissions to be assigned for users or administrators. Impersonation leverages RBAC and in this post, we discuss the ApplicationImpersonation management role associated with impersonation.

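First, we will have to define a management scope (say, "TestImpersonationScope") to filter out the users of the distribution group (say, "Admin Group"). The MemberOfGroup filter matches on the group's distinguished name, so give the full DN rather than the display name (the OU and DC components below are placeholders for your own directory):

New-ManagementScope -Name:TestImpersonationScope -RecipientRestrictionFilter {MemberOfGroup -eq "CN=Admin Group,OU=<OU>,DC=<domain>,DC=<tld>"}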

You can use the below command to get more info on the created management scope:

Get-ManagementScope "TestImpersonationScope" | fl

Now, run the below command to allow the service account (say, "testuser") to impersonate all the members of the created scope:

New-ManagementRoleAssignment -Name:"Admin Group Impersonation Role" -Role:ApplicationImpersonation -User:testuser -CustomRecipientWriteScope:TestImpersonationScope

You can also configure impersonation for all users in an organization.
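
One way to confirm that the scope and the assignment do what was intended, as an added example that is not part of the original post: it previews which recipients TestImpersonationScope resolves to, then lists every ApplicationImpersonation assignment and marks those whose write scope is the whole organization. It assumes the scope name used above and an open Exchange Management Shell session with rights to read role assignments.

```powershell
# Added example: review an ApplicationImpersonation setup.
# Assumption: the scope is named as in this post.
$scopeName = 'TestImpersonationScope'

# 1. Resolve the scope's filter to the recipients it actually covers.
#    An empty result usually means the filter does not match the group
#    (for example, a display name where a distinguished name is needed).
$scope   = Get-ManagementScope -Identity $scopeName
$covered = @(Get-Recipient -RecipientPreviewFilter $scope.RecipientFilter -ResultSize Unlimited)

Write-Host "Scope '$scopeName' filter: $($scope.RecipientFilter)"
Write-Host "Recipients covered: $($covered.Count)"
$covered | Sort-Object Name |
    Format-Table Name, RecipientType, PrimarySmtpAddress -AutoSize

# 2. List every assignment of the ApplicationImpersonation role, expanded
#    to the effective users, with the scope each one is limited to.
$assignments = Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers

$report = $assignments | Select-Object `
    Name,
    RoleAssigneeName,
    EffectiveUserName,
    RecipientWriteScope,
    CustomRecipientWriteScope,
    @{ Name = 'OrgWide'; Expression = { "$($_.RecipientWriteScope)" -eq 'Organization' } }

# Organization-wide assignments first: these accounts can impersonate any mailbox.
$report | Sort-Object OrgWide -Descending | Format-Table -AutoSize

# 3. Highlight assignments that are not restricted to a custom scope.
$orgWide = @($report | Where-Object { $_.OrgWide })
if ($orgWide.Count -gt 0) {
    Write-Warning "$($orgWide.Count) effective user(s) can impersonate organization-wide."
}
```

The service account from this post should appear with CustomRecipientWriteScope set to TestImpersonationScope and OrgWide set to False.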

Reference : https://msdn.microsoft.com/en-us/library/office/dn722376(v=exchg.150).aspx
http://blogs.msdn.com/b/dhruvkh/archive/2011/10/19/impersonation-in-the-times-of-rbac.aspx