2

The Microsoft documentation for the Disable-RemoteMailbox powershell cmdlet states:

Note: If you are deprovisioning a cloud mailbox and its associated online archive, you must first disable the online archive with the command Disable-RemoteMailbox -Archive and then perform a directory synchronization prior to disabling the remote mailbox. Attempting to disable both the online archive and cloud mailbox without a sync between them may result in an ArchiveGuid mismatch and validation error.

So 3 steps are required to deprovision a mailbox correctly:

  1. Call Disable-RemoteMailbox "David Strome" -Archive
  2. Wait for the AD Connect directory synchronization
  3. Disable-RemoteMailbox "David Strome"

Is step #2 necessary if you also disable the on-premise AD user and you exclude disabled users from the directory synchronization, effectively deleting the AAD user and eventually the user and archive mailboxes?

If the person comes back for a new work period, the on-premise AD user is enabled. That may happen within the 30 days retention period for the mailboxes.

Tore Olav Kristiansen
  • 33
  • 6

1 Answers1

1

It is still recommended that you perform step 2 and it only takes 1-2 minutes to force synchronization.

To force a synchronization from AD to Azure AD PowerShell is used. To perform a delta synchronization run:

Start-ADSyncSyncCycle -PolicyType Delta

To perform a full synchronization use:

Start-ADSyncSyncCycle -PolicyType Initial

Jayce
  • 769
  • 4
  • 5
  • We reached the same conclusion after reading this: https://docs.microsoft.com/en-US/office365/troubleshoot/archive-mailboxes/cannot-provision-deprovision We are going to poll the on-premise AD user property msExchRemoteRecipientType to see if the archive has been deprovisioned before performing step 3. Our application does not have access to start a synchronization and poll for its completion. – Tore Olav Kristiansen Feb 18 '21 at 21:09