Office 365 – User restore failed

     

Prelude

For whatever reason your users may end up in the recycle bin. Normally you can restore them easily by just clicking on Restore user on the Office portal. But sometimes you may get something like this:

User restore failed The user can’t be restored at this time. Correlation ID: …

I’ve gone through 3 levels of escalation till someone finally came up with an idea that actually worked. Now I’m gonna share my experiences with you so that you don’t have to go through all this.

Preparation

The thing is, at this point the Office portal is no longer useful; you can forget about it. Open Azure PowerShell instead, then connect to your tenant:

Connect-MsolService

Then get the Exchange cmdlets as well:

$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session

First verify that both the Office 365 account and its mailbox are indeed deleted:

Get-MsolUser -UserPrincipalName [email protected]
Get-Mailbox [email protected]

These should not return anything. Now check if they’re in the recycle bin:

Get-MsolUser -UserPrincipalName [email protected] -ReturnDeletedUsers
Get-Mailbox [email protected] -SoftDeletedMailbox

If they are, now you may try to restore the user.

The easy way

Actually, if it didn’t work from the Office portal, chances are it will fail via PowerShell, too. Obviously the Office portal also calls cmdlets in the background. Anyway, there are several parameter combinations you can try:

Restore-MsolUser -UserPrincipalName [email protected] -Verbose
Restore-MsolUser -UserPrincipalName [email protected] -Verbose -AutoReconcileProxyConflicts
Restore-MsolUser -UserPrincipalName [email protected] -Verbose -AutoReconcileProxyConflicts -NewUserPrincipalName [email protected]

For me all these failed badly:

Restore-MsolUser : Unable to complete this action. Try again later.
At line:1 char:1
+ Restore-MsolUser -UserPrincipalName [email protected] -Verbos ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [Restore-MsolUser], MicrosoftOnlineException
    + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.IdentityInternalServiceException,Microsoft.Online.Administration.Automation.RestoreUser

If this is what you have, too, things will get a bit more complicated.

The hard way

The procedure goes like this:

  • Create a new mailbox, which also creates a new Office 365 account without licenses:

# $oldUPN is the deleted user's UPN; $newUPN is a different, temporary UPN for the replacement account
$oldUPN = '[email protected]'
$newUPN = '[email protected]'
# 'P@ssw0rd' is a placeholder: set a unique, strong password, since -ResetPasswordOnNextLogon $False keeps it in effect
New-Mailbox -Name Jo -FirstName Jo -LastName Sm -DisplayName "Jo Sm" -MicrosoftOnlineServicesID $newUPN -Password (ConvertTo-SecureString -String 'P@ssw0rd' -AsPlainText -Force) -ResetPasswordOnNextLogon $False
# Keep both objects: their ObjectId values identify the two accounts in the steps below
$oldUser = Get-MsolUser -UserPrincipalName $oldUPN -ReturnDeletedUsers
$newUser = Get-MsolUser -UserPrincipalName $newUPN

  • Copy the deleted account’s mailbox to the new one’s mailbox:

New-MailboxRestoreRequest -SourceMailbox $oldUser.ObjectId -TargetMailbox $newUser.ObjectId -AllowLegacyDNMismatch

First it’ll get queued and depending on the server load, it should be done within a few hours. Check its status occasionally and don’t proceed until it’s done:

Get-MailboxRestoreRequest | Get-MailboxRestoreRequestStatistics

If the mailbox had an online archive, copy that, too:

New-MailboxRestoreRequest -SourceMailbox $oldUser.ObjectId -SourceIsArchive -TargetMailbox $newUser.ObjectId -TargetIsArchive -AllowLegacyDNMismatch

Again, don’t proceed until it’s done.

  • Verify that the mails are intact using OWA and the new account’s credentials.

  • Assign a license to the new account, which causes it to link to the new mailbox.

  • Again, verify that the account is working fine, your mailbox is accessible, you can open the Office portal, etc.

  • Delete the old account altogether:

Remove-MsolUser -ObjectId $oldUser.ObjectId -RemoveFromRecycleBin

  • Verify the deletion:

Get-MsolUser -UserPrincipalName $oldUPN
Get-MsolUser -UserPrincipalName $oldUPN -ReturnDeletedUsers
Get-Mailbox $oldUPN
Get-Mailbox $oldUPN -SoftDeletedMailbox

All of these should return nothing.

  • Rename the new account to the old name:

Set-MsolUserPrincipalName -NewUserPrincipalName $oldUPN -ObjectId $newUser.ObjectId

Then also change the remaining attributes, like display name, first name, etc., via the Office portal.

  • Re-apply all the previous security settings, group memberships, email aliases, everything.

  • Once you’re done with PowerShell, close your session:

Remove-PSSession $Session
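
The "don't proceed until it's done" checks in the procedure above can be made into an explicit gate in front of the irreversible Remove-MsolUser -RemoveFromRecycleBin step. The following is an added example, not part of the original post: Get-RestoreGate and Wait-RestoreGate are hypothetical helper names, and it assumes the Exchange session from Preparation is still imported and that the statistics objects expose Name, Status and PercentComplete with the status names Completed, CompletedWithWarning and Failed.

```powershell
# Added example (not from the original post). Get-RestoreGate and
# Wait-RestoreGate are hypothetical helper names.

function Get-RestoreGate {
    # Reduce a set of restore-request statistics to one decision.
    param([object[]]$Stats)
    # No request at all means nothing was copied: never report that as done.
    if (-not $Stats) { return 'NoRequests' }
    # Objects from an imported session are deserialized, so compare as strings.
    $states = @($Stats | ForEach-Object { "$($_.Status)" })
    if ($states -contains 'Failed')               { return 'Failed' }
    if ($states -contains 'CompletedWithWarning') { return 'Review' }
    if (@($states | Where-Object { $_ -ne 'Completed' }).Count -gt 0) { return 'Pending' }
    return 'Completed'
}

function Wait-RestoreGate {
    # Poll until every request is finished, one has failed, or time runs out.
    param([int]$PollSeconds = 300, [int]$MaxHours = 24)
    $deadline = (Get-Date).AddHours($MaxHours)
    do {
        # Same pipeline as in the post; it covers every restore request in the tenant.
        $stats = @(Get-MailboxRestoreRequest | Get-MailboxRestoreRequestStatistics)
        $stats | Format-Table Name, Status, PercentComplete -AutoSize | Out-Host
        $gate = Get-RestoreGate -Stats $stats
        if ($gate -ne 'Pending') { return $gate }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    return 'TimedOut'
}

# Constructed sample objects (not real cmdlet output) to try the gate offline:
# one finished primary-mailbox copy, one archive copy still running.
$sample = @(
    [pscustomobject]@{ Name = 'MailboxRestore';  Status = 'Completed';  PercentComplete = 100 }
    [pscustomobject]@{ Name = 'MailboxRestore1'; Status = 'InProgress'; PercentComplete = 42 }
)
Write-Output "Sample gate: $(Get-RestoreGate -Stats $sample)"

# Live use, before the Remove-MsolUser step:
#   if ((Wait-RestoreGate) -ne 'Completed') { throw 'Mailbox copy not complete; keep the old account.' }
```

Run the gate before closing the session with Remove-PSSession; any result other than Completed means the old account should stay in the recycle bin until the request has been looked at.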

Yay, it was that simple! A million thanks to Victor from Microsoft for his invaluable help on this case.