Office 365: Mail to deleted mail enabled user accounts results in NDR
Customers may have users who hold a security principal in their domain but have no mailbox hosted in their messaging solution. In that case customers choose to mail-enable the user accounts. In an Exchange environment, mail-enabled user accounts appear in the address list as if a local mailbox existed, but mail destined for these objects is routed to the external email address stamped on the object (ExternalEmailAddress, which is stored in the AD targetAddress attribute).
When using directory synchronization with Office 365, these objects are replicated into the MSOL directory as user accounts. Exchange Online then detects the presence of these mail-enabled user accounts and creates a corresponding mail user object in the Exchange Online directory. This is what allows the user to appear in the Exchange Online address list.
Let’s take a look at an example.
In the on-premises Active Directory a user account is provisioned. This account is what grants logon rights to the domain.
[PS] C:\>Get-User BlogTest
Name RecipientType
---- -------------
Blog Test User
The account is then mail-enabled using the Enable-MailUser cmdlet.
[PS] C:\>Enable-MailUser BlogTest -ExternalEmailAddress user@microsoft.com
Name RecipientType
---- -------------
Blog Test MailUser
Using the Get-MailUser cmdlet we can validate the settings of this user, including the external email address set on the object.
[PS] C:\>Get-MailUser BlogTest | fl externalemailaddress,userprincipalname,displayname,emailaddresses,primarysmtpaddress,recipienttype
ExternalEmailAddress : SMTP:user@microsoft.com
UserPrincipalName : BlogTest@domain.com
DisplayName : Blog Test
EmailAddresses : {smtp:BlogTest@domain1.domain2.com, smtp:BlogTest@serviceDomain.mail.onmicrosoft.com,
smtp:BlogTest@domain.com, SMTP:user@microsoft.com}
PrimarySmtpAddress : user@microsoft.com
RecipientType : MailUser
Once directory synchronization has run, the object can be validated in the MSOL directory using Get-MsolUser.
PS C:\> Get-MsolUser -UserPrincipalName BlogTest@Domain2 | fl DisplayName,ProxyAddresses
DisplayName : Blog Test
ProxyAddresses : {smtp:BlogTest@ServiceDomain.onmicrosoft.com, smtp:BlogTest@Domain2,
smtp:BlogTest@DOMAIN1.Domain2, smtp:BlogTest@ServiceDomain.mail.onmicrosoft.com...}
When the provisioning process has had time to detect and act on the object, a mail user object is created in Exchange Online. This can be validated with the Get-MailUser cmdlet when connected to Exchange Online.
PS C:\> Get-MailUser BlogTest | fl externalemailaddress,userprincipalname,displayname,emailaddresses,primarysmtpaddress,recipientType
ExternalEmailAddress : SMTP:user@microsoft.com
UserPrincipalName : BlogTest@domain.com
DisplayName : Blog Test
EmailAddresses : {SMTP:user@microsoft.com, smtp:BlogTest@servicedomain.mail.onmicrosoft.com,
smtp:BlogTest@domain1.domain2.com, smtp:BlogTest@domain.com...}
PrimarySmtpAddress : user@microsoft.com
RecipientType : MailUser
At this time the object is fully provisioned and will appear in the Exchange Online global address list. Users who select this object from the global address list will successfully send email to the remote mailbox.
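The outputs above are meant to be read side by side: the on-premises mail user and the Exchange Online mail user must agree on ExternalEmailAddress (the address transport actually routes to) and on the proxy address set, or the GAL entry will route mail somewhere other than where the on-premises object says. The following function, an added example rather than code from the original post, performs that comparison. It assumes an on-premises Exchange Management Shell session (Get-MailUser) plus an Exchange Online remote session imported with Import-PSSession -Prefix Cloud, which exposes the cloud cmdlet as Get-CloudMailUser; the function name, the Cloud prefix and the identity BlogTest are illustrative.

```powershell
# Added example (not from the original post). Compares the on-premises mail user
# with the Exchange Online mail user that directory synchronization produced.
# Assumes: on-premises EMS session (Get-MailUser) and an Exchange Online session
# imported with -Prefix Cloud (Get-CloudMailUser). Names here are illustrative.
function Test-MailUserSyncParity {
    param(
        [Parameter(Mandatory = $true)] [string] $Identity
    )

    # On-premises recipient is the source of truth; the cloud copy is derived from it.
    $onPrem = Get-MailUser -Identity $Identity -ErrorAction Stop
    $cloud  = Get-CloudMailUser -Identity $Identity -ErrorAction SilentlyContinue

    if ($null -eq $cloud) {
        return [pscustomobject]@{
            Identity = $Identity
            InSync   = $false
            Reason   = 'No mail user in Exchange Online yet (directory sync or provisioning still pending)'
        }
    }

    # ExternalEmailAddress (AD targetAddress) is what transport routes to; it must match exactly.
    $externalMatch = ($onPrem.ExternalEmailAddress.ToString() -eq $cloud.ExternalEmailAddress.ToString())

    # Proxy address sets, compared case-insensitively (the SMTP:/smtp: case only marks the primary).
    $onPremAddrs = @($onPrem.EmailAddresses | ForEach-Object { $_.ToString().ToLowerInvariant() })
    $cloudAddrs  = @($cloud.EmailAddresses  | ForEach-Object { $_.ToString().ToLowerInvariant() })
    $missingInCloud = @($onPremAddrs | Where-Object { $cloudAddrs -notcontains $_ })
    $extraInCloud   = @($cloudAddrs  | Where-Object { $onPremAddrs -notcontains $_ })

    [pscustomobject]@{
        Identity       = $Identity
        InSync         = ($externalMatch -and $missingInCloud.Count -eq 0)
        ExternalMatch  = $externalMatch
        PrimaryOnPrem  = $onPrem.PrimarySmtpAddress.ToString()
        PrimaryInCloud = $cloud.PrimarySmtpAddress.ToString()
        MissingInCloud = $missingInCloud   # on-premises addresses that never reached the cloud object
        ExtraInCloud   = $extraInCloud     # addresses only the service knows about (usually harmless)
    }
}

Test-MailUserSyncParity -Identity 'BlogTest' | Format-List
```

A non-empty MissingInCloud or ExternalMatch = $false right after provisioning usually means synchronization has not completed yet; if it persists after the next sync cycle, the on-premises proxy addresses or targetAddress were changed after the object was first exported and the change has not flowed through.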
At some point there may be a reason to remove the on-premises Active Directory user account. When this object is removed and directory synchronization runs, the MSOL user account and the mail user object within Exchange Online should be removed as well. Let's look at an example.
Using Active Directory Users and Computers the on-premises AD object is deleted. This can be validated with Get-User.
[PS] C:\>Get-User BlogTest
The operation couldn't be performed because object 'BlogTest' couldn't be found on 'Server1.domain.domain.com'.
+ CategoryInfo : NotSpecified: (:) [Get-User], ManagementObjectNotFoundException
+ FullyQualifiedErrorId : [Server=MAIL,RequestId=95b95c5e-03c2-406a-9400-c490c0d7cddb,TimeStamp=5/13/2014 1:34:34PM] [FailureCategory=Cmdlet-ManagementObjectNotFoundException] 4549B0D2,Microsoft.Exchange.Management.RecipientTasks.GetUser
+ PSComputerName : mail.domain.domain.com
This also removes the on-premises mail user object, since the mail user is simply the Exchange recipient view of the same AD object. This can be validated with Get-MailUser.
[PS] C:\>Get-MailUser BlogTest
The operation couldn't be performed because object 'BlogTest' couldn't be found on 'Server1.domain1.domain2.com'.
+ CategoryInfo : NotSpecified: (:) [Get-MailUser], ManagementObjectNotFoundException
+ FullyQualifiedErrorId : [Server=MAIL,RequestId=0106f632-ad95-4f07-b054-4e749e437cfc,TimeStamp=5/13/2014 1:35:55PM] [FailureCategory=Cmdlet-ManagementObjectNotFoundException] 84EC86F5,Microsoft.Exchange.Management.RecipientTasks.GetMailUser
+ PSComputerName : mail.domain1.domain2.com
When directory synchronization has completed we can validate that the object no longer exists in the MSOL directory using Get-MsolUser.
PS C:\> Get-MsolUser -UserPrincipalName BlogTest@domain2.com | fl DisplayName,ProxyAddresses
Get-MsolUser : User Not Found. User: BlogTest@domain2.com.
At line:1 char:1
+ Get-MsolUser -UserPrincipalName BlogTest@domain2.com | fl DisplayName,Pro ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [Get-MsolUser], MicrosoftOnlineException
+ FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.UserNotFoundException,Microsoft.Online.Administration.Automation.GetUser
When the provisioning process has detected the deletion, the mail user object is removed from Exchange Online. This can be validated with Get-MailUser.
PS C:\> Get-MailUser BlogTest
The operation couldn't be performed because object 'BlogTest' couldn't be found on 'CO1PR06A002DC02.NAMPR06A002.prod.outlook.com'.
+ CategoryInfo : NotSpecified: (:) [Get-MailUser], ManagementObjectNotFoundException
+ FullyQualifiedErrorId : [Server=BN1PR06MB101,RequestId=c3cde9d7-e638-4808-8891-65d539689698,TimeStamp=5/13/2014 1:40:19 PM] [FailureCategory=Cmdlet-ManagementObjectNotFoundException] 782EAA9B,Microsoft.Exchange.Management.RecipientTasks.GetMailUser
+ PSComputerName : pod51043psh.outlook.com
After deletion from the Exchange Online directory the object no longer appears in the address list.
End users who want to email this recipient must now address the message manually to the external email address, for example by typing user@microsoft.com into the To: line.
This is where the issue arises. In this instance the user has addressed the email directly to the external email address, yet the mail is returned with a non-delivery report.
Delivery has failed to these recipients or groups:
Blog Test
The email address you entered couldn't be found. Check the recipient's email address then try to resend the message. For more tips to resolve this issue see DSN code 5.1.1 in Exchange Online. If the problem continues contact your help desk.
The diagnostic information states the following:
Diagnostic information for administrators:
Generating server: DM2PR0601MB0953.namprd06.prod.outlook.com
IMCEAEX-_o=ExchangeLabs_ou=Exchange+20Administrative+20Group+20+28FYDIBOHF23SPDLT+29_cn=Recipients_cn=0729272369574e7d945aeeecf1afd94c-Blog+20Test@namprd06.prod.outlook.com
Remote Server returned '550 5.1.1 RESOLVER.ADR.ExRecipNotFound; not found'
Original message headers:
Received: from DM2PR0601MB0953.namprd06.prod.outlook.com (25.160.25.145) by
DM2PR0601MB0953.namprd06.prod.outlook.com (25.160.25.145) with Microsoft SMTP
Server (TLS) id 15.0.944.11; Tue, 13 May 2014 13:43:53 +0000
Received: from DM2PR0601MB0953.namprd06.prod.outlook.com ([25.160.25.145]) by
DM2PR0601MB0953.namprd06.prod.outlook.com ([25.160.25.145]) with mapi id
15.00.0944.000; Tue, 13 May 2014 13:43:53 +0000
Content-Type: application/ms-tnef; name="winmail.dat"
Content-Transfer-Encoding: binary
From: Dev User <DevUser@servicedomain.onmicrosoft.com>
To: Blog Test <user@microsoft.com>
Subject: Test Message
Thread-Topic: Test Message
Thread-Index: AQHPbrFT/8JoaY496EePsUIz8dp/Tw==
Date: Tue, 13 May 2014 13:43:52 +0000
Message-ID: <1399988632393.9363@FortMillRescueSquad.onmicrosoft.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator: <1399988632393.9363@servicedomain.onmicrosoft.com>
MIME-Version: 1.0
X-Originating-IP: [167.220.151.116]
Return-Path: DevUser@serviceDomain.onmicrosoft.com
For many administrators this NDR is recognizable. The same NDR is generated when an object is deleted from the environment but the email is addressed from the nickname (autocomplete) or recipient cache, which still holds the old X.500 legacyExchangeDN (the IMCEAEX address shown above). In this instance, though, the email was not addressed from the nickname or recipient cache; the SMTP address was typed in full on the To: line. (Note: the email address was manually removed from the nickname cache prior to addressing the email to ensure that automatic resolution did not occur.)
Why is the mail NDRing? When a user account is removed from the MSOL directory the account is placed into a soft-deleted state. This can be validated with Get-MsolUser -ReturnDeletedUsers.
PS C:\> Get-MsolUser -UserPrincipalName BlogTest@domain.com -ReturnDeletedUsers
UserPrincipalName DisplayName isLicensed
----------------- ----------- ----------
BlogTest@domain.com Blog Test False
While the user remains in a soft-deleted state within the MSOL directory, the corresponding mail user object remains in a soft-deleted state within Exchange Online. It is believed that the recipient resolver in transport detects the presence of the soft-deleted mail user object in the Exchange Online directory and generates the non-delivery report (5.1.1 RESOLVER.ADR.ExRecipNotFound) based on the state of this object.
This mail is legitimate though – how can the issue be resolved?
In order to remove the soft-deleted mail user object from the Exchange Online directory, the soft-deleted user object must be removed from the MSOL directory. This can be accomplished with Remove-MsolUser.
PS C:\> Remove-MsolUser -UserPrincipalName BlogTest@domain.com -RemoveFromRecycleBin
Confirm
Continue with this operation?
[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): y
The result can be validated with Get-MsolUser.
PS C:\> Get-MsolUser -UserPrincipalName BlogTest@domain.com -ReturnDeletedUsers
Get-MsolUser : User Not Found. User: BlogTest@fortmillrescue.com.
At line:1 char:1
+ Get-MsolUser -UserPrincipalName BlogTest@fortmillrescue.com -ReturnDeletedUsers
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [Get-MsolUser], MicrosoftOnlineException
+ FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.UserNotFoundException,Microsoft.Online.Administration.Automation.GetUser
The provisioning process will eventually detect the deletion of the object from the MSOL directory. This will cause the soft deleted mail user object to be purged from the Exchange Online directory. After this object is purged mail should deliver successfully to the external account when the full external email address is utilized.
At this time, whenever a mail user object is removed from the on-premises directory, the corresponding soft-deleted MSOL object must also be removed to ensure that mail addressed to the external address works immediately. In many cases the soft-deleted MSOL object expires on its own (soft-deleted users are retained for 30 days), which removes the soft-deleted mail user object from the Exchange Online directory before the end-user population notices the issue. Note that purging with -RemoveFromRecycleBin is irreversible: the account can no longer be restored with Restore-MsolUser, so confirm that the on-premises deletion was intentional before purging rather than restoring.
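The diagnosis and fix above are a short procedure: find the soft-deleted MSOL user that still carries the external address, check that Exchange Online is likewise holding a soft-deleted mail user for it, and only then purge the MSOL object from the recycle bin. The following function, an added example and not code from the original post, runs that procedure end to end from the external SMTP address that came back with the 5.1.1. It assumes an MSOnline session (Connect-MsolService) and an Exchange Online remote PowerShell session are both open in the same shell; the function and parameter names are illustrative.

```powershell
# Added example (not from the original post). Triage and, on request, fix the
# 5.1.1 RESOLVER.ADR.ExRecipNotFound NDR caused by a soft-deleted mail user.
# Assumes: Connect-MsolService and an Exchange Online session are already open.
function Resolve-SoftDeletedMailUserNdr {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # External SMTP address the sender typed that was rejected with 5.1.1
        [Parameter(Mandatory = $true)] [string] $ExternalAddress,
        # Purge matching soft-deleted MSOL users from the recycle bin (irreversible)
        [switch] $Purge
    )

    $needle = 'smtp:' + $ExternalAddress.Trim().ToLowerInvariant()

    # 1. A soft-deleted MSOL user keeps its proxyAddresses, so the external address still resolves to it.
    $deletedUsers = @(Get-MsolUser -ReturnDeletedUsers -All | Where-Object {
        @($_.ProxyAddresses | ForEach-Object { $_.ToLowerInvariant() }) -contains $needle
    })

    # 2. Exchange Online holds the matching soft-deleted mail user; this is what transport trips over.
    #    -SoftDeletedMailUser exists only in the Exchange Online version of Get-MailUser.
    $deletedMailUsers = @(Get-MailUser -SoftDeletedMailUser -ResultSize Unlimited | Where-Object {
        $_.ExternalEmailAddress.ToString().ToLowerInvariant() -eq $needle
    })

    $report = [pscustomobject]@{
        ExternalAddress         = $ExternalAddress
        SoftDeletedMsolUsers    = @($deletedUsers | Select-Object -ExpandProperty UserPrincipalName)
        SoftDeletedEXOMailUsers = @($deletedMailUsers | Select-Object -ExpandProperty Identity)
        Purged                  = @()
        Verdict                 = 'No soft-deleted objects match; look elsewhere for the 5.1.1'
    }

    if ($deletedUsers.Count -eq 0 -and $deletedMailUsers.Count -eq 0) { return $report }

    if ($deletedUsers.Count -eq 0) {
        $report.Verdict = 'MSOL user already gone; provisioning should purge the Exchange Online mail user shortly, re-run to verify'
        return $report
    }

    if (-not $Purge) {
        $report.Verdict = 'Soft-deleted MSOL user still present; re-run with -Purge, or Restore-MsolUser if the deletion was a mistake'
        return $report
    }

    # 3. Purge. ShouldProcess prompts per user because ConfirmImpact is High; -Confirm:$false suppresses it.
    $purged = @()
    foreach ($u in $deletedUsers) {
        if ($PSCmdlet.ShouldProcess($u.UserPrincipalName, 'Remove-MsolUser -RemoveFromRecycleBin')) {
            Remove-MsolUser -ObjectId $u.ObjectId -RemoveFromRecycleBin -Force
            $purged += $u.UserPrincipalName
        }
    }
    $report.Purged  = $purged
    $report.Verdict = 'Purged from the MSOL recycle bin; Exchange Online removes its soft-deleted mail user once provisioning catches up, re-run to verify'
    return $report
}

# Usage: first without -Purge to see what would be touched, then with it.
# Resolve-SoftDeletedMailUserNdr -ExternalAddress 'user@microsoft.com'
# Resolve-SoftDeletedMailUserNdr -ExternalAddress 'user@microsoft.com' -Purge
```

The function matches on the address rather than on a UPN because that is all the sender and the NDR give you, and a single external address can be stamped on more than one soft-deleted object. The MSOnline module used on this page has since been deprecated in favour of Microsoft Graph PowerShell; the same recycle-bin lookup and purge are available there (Get-MgDirectoryDeletedItemAsUser and Remove-MgDirectoryDeletedItem), while the Exchange Online side of the check is unchanged.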
Our development teams are aware of this behavior and are considering potential future service modifications.
Comments
- Anonymous
May 19, 2014
This comment isn't directly relevant to the issue you're presenting here but along the same lines. We migrated from Exchange 2003 to O365 over a year ago. Is the Enable-MailUser cmdlet even available for WAAD? I would like to be able to use it to turn dirsync'ed users into Mail Users rather than migrate a bunch of contacts into O365 objects, but it doesn't seem to be available and the only documentation I find on it is related to using EMC 2010 or 2013.
- Anonymous
May 26, 2014
Pingback from Weekly IT Newsletter – May 19-23, 2014 | Just a Lync Guy
- Anonymous
May 26, 2014
Pingback from NeWay Technologies – Weekly Newsletter #96 – May 22, 2014 | NeWay
- Anonymous
May 26, 2014
Pingback from NeWay Technologies – Weekly Newsletter #96 – May 23, 2014 | NeWay
- Anonymous
December 07, 2015
It appears that the command for Enable-MailUser is gone. Any help on the reason?