Working with Inactive Mailboxes
On Demand Recovery supports the backup and restore of inactive mailboxes of hard-deleted users.
NOTE: This feature requires the following consent permissions and roles:
NOTE: If you need to restore the inactive mailbox of a hybrid user, see Restoring Mailboxes for Hybrid Users.
To back up and restore inactive mailboxes, you need to back up the mailbox properties associated with the user account.
To back up the linkage between users and inactive mailboxes:
- On the Dashboard, select Manage Backups.
- In the Manage backups dialog, select the tenant from the list and select Edit.
- In the Configure backup dialog, under Backup options, select the checkbox Back up linkage between users and inactive mailboxes.
- Select Save.
Restoring Mailboxes for Hybrid Users
To preserve the original cloud mailbox of hybrid users, you need to remove the newly created cloud user from Microsoft Entra ID before the restore.
To do so, in the Restore objects dialog, select the checkbox If a hybrid user account already exists in Microsoft Entra ID, delete it before the restore operation.
Hybrid user scenario
- A hybrid user is deactivated by the administrator. The user account goes to the Recycle Bin. After 30 days, Microsoft Entra ID cleans this account from the Recycle Bin.
- The user returns to the organization and the user account is enabled by the administrator. After the activation, the user is recreated in the cloud with the new mailbox.
- To use the original cloud mailbox for the user, the user needs to be restored from the backup. Before restoring the user, the newly created cloud user is removed from Microsoft Entra ID.
If you restore a hybrid user and their mailbox with On Demand Recovery:
- For Non-Federated Domains, On Demand Recovery restores a cloud user and its mailbox without an on-premises user.
- For Federated Domains, restoring hybrid users requires Recovery Manager for Active Directory. In this scenario, On Demand Recovery restores the hybrid user and its mailbox in the cloud. Recovery Manager for Active Directory restores the same hybrid user on-premises and then calls Microsoft Entra Connect to synchronize the user back to the cloud, so that the cloud user previously restored by On Demand Recovery becomes part of the Federated Domain. Without Recovery Manager for Active Directory, the cloud user remains non-federated after the restore and you will not be able to sign in with this user.
Hybrid Connection Port and Protocol Requirements
Hybrid configuration with Recovery Manager for Active Directory requires only outbound TCP/UDP port 443 to be open on the Recovery Manager Portal server so that it can reach the internet. If the Recovery Manager Portal server already has internet access, you do not need to change the firewall configuration.
Note: If you do not want to open all outbound IP prefixes and your firewall or proxy supports DNS allow lists, you can add connections to <your name space>.servicebus.windows.net to your allow list.
Table 2: Hybrid connection port and protocol requirements
Protocol | Port | Direction
HTTPS | 443 (TCP/UDP) | Outbound
Figure 2: Hybrid Restore Components Diagram
Hybrid Connection Security
A FIPS 140-2 compliant TLS protocol is used for traffic encryption. The HTTPS certificate is validated on the client side (Recovery Manager Portal).
The server side is an Azure WCF Relay that is created and configured in the Quest Azure subscription.
Shared Access Signature (SAS) is used for authentication. A SAS token is based on an access key generated by the On Demand Recovery cloud. This key is downloaded to the on-premises server that hosts Recovery Manager Portal and is used in the portal configuration to establish the Hybrid connection (from on-premises to the cloud). The SAS token is sent to the cloud and verified on each connection request. For details about the Shared Access Signature algorithm, see https://docs.microsoft.com/en-us/azure/service-bus-relay/relay-authentication-and-authorization.
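As an added illustration of the SAS mechanism described above (example code, not On Demand Recovery's or Quest's own implementation), the following Python builds a Service Bus/Relay-style SAS token in the format documented at the Microsoft link above and performs the per-request verification that the relay side carries out: key name lookup, expiry, resource match and an HMAC-SHA256 comparison. The namespace, key name and key below are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote


def _sign(key: str, string_to_sign: str) -> str:
    """Base64(HMAC-SHA256(key, string-to-sign)) as used by Service Bus / Relay."""
    digest = hmac.new(key.encode("utf-8"), string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def make_sas_token(resource_uri: str, key_name: str, key: str, expiry: int) -> str:
    """Client side: string-to-sign is urlencode(resource_uri) + "\\n" + expiry (Unix seconds)."""
    encoded_uri = quote(resource_uri, safe="")
    sig = quote(_sign(key, f"{encoded_uri}\n{expiry}"), safe="")
    return f"SharedAccessSignature sr={encoded_uri}&sig={sig}&se={expiry}&skn={key_name}"


def parse_sas_token(token: str) -> dict:
    """Split the token into its sr / sig / se / skn fields (values left URL-encoded)."""
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        raise ValueError("not a SAS token")
    fields = {}
    for part in token[len(prefix):].split("&"):
        name, _, value = part.partition("=")
        fields[name] = value
    return fields


def verify_sas_token(token: str, keys: dict, expected_uri: str, now: int) -> bool:
    """Relay side, run on every connection request.

    `keys` maps key name -> key secret. The signature is recomputed over the
    sr and se fields exactly as received, so any change to them invalidates it;
    comparison is constant-time to avoid leaking timing information.
    """
    try:
        f = parse_sas_token(token)
        expiry = int(f["se"])
        key = keys[f["skn"]]           # unknown key name -> reject
    except (KeyError, ValueError):
        return False
    if now >= expiry:                  # expired tokens are rejected
        return False
    if unquote(f["sr"]) != expected_uri:  # token must be scoped to this relay
        return False
    expected_sig = _sign(key, f"{f['sr']}\n{f['se']}")
    return hmac.compare_digest(expected_sig, unquote(f["sig"]))
```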