What can be deleted and restored
If you have ever used the Entra admin center, you may have noticed that when you delete a user, you can list the deleted users and restore them. The same goes for groups.
Users, groups and (on the App registrations blade) applications are the only resources the Entra admin center lets you restore from the UI.
Does that mean nothing else can be soft-deleted and restored? Not at all.
The resources that can be soft-deleted and restored via the Microsoft Graph API and any Graph SDK are:
- User
- Group
- Device
- Application
- Service principal
- Administrative unit
- Certificate authority detail
- Certificate based auth PKI
Soft-deleted objects are retained for 30 days by default. After that they are permanently (hard) deleted and cannot be restored by any means. The deletedDateTime property on each item tells you when that clock started, so it is the value to check when deciding how urgent a restore is.
List deleted objects
To list the deleted objects, use the following Graph API endpoint:
GET https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.{resourceType}
Possible values for {resourceType} are user, group, device, application, servicePrincipal, administrativeUnit, certificateBasedAuthPki and certificateAuthorityDetail.
When you work in PowerShell, use the type-specific Microsoft Graph PowerShell SDK cmdlets for each resource type:
- Get-MgDirectoryDeletedItemAsUser
- Get-MgDirectoryDeletedItemAsGroup
- Get-MgDirectoryDeletedItemAsDevice
- Get-MgDirectoryDeletedItemAsApplication
- Get-MgDirectoryDeletedItemAsServicePrincipal
- Get-MgDirectoryDeletedItemAsAdministrativeUnit
Unfortunately, there is no cmdlet to list deleted certificateBasedAuthPki and certificateAuthorityDetail resources. For those two types you have to call the endpoint above directly, for example with Invoke-MgGraphRequest from the Microsoft.Graph.Authentication module.
Restore deleted objects
To restore a deleted object, you need the object id of the deleted item:
POST https://graph.microsoft.com/v1.0/directory/deletedItems/{item_object_id}/restore
In PowerShell, restoring is more straightforward than listing: whatever the resource type, you can use the Restore-MgDirectoryDeletedItem cmdlet.
Restore-MgDirectoryDeletedItem -DirectoryObjectId $objectId
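The restore call above takes any object id and silently restores whatever is behind it, so a wrong id can resurrect the wrong object. The following function is an added example (not code from the original post or from the author's repository) that wraps the same POST .../restore endpoint with two checks first: it confirms that the id really exists in the deleted-items container (GET /directory/deletedItems/{id}) and, optionally, that its @odata.type matches what the operator expects. The function name, the -ExpectedType parameter and the placeholder GUID are assumptions for illustration; it assumes an existing Connect-MgGraph session with a write scope for the object type (for example User.ReadWrite.All or Application.ReadWrite.All).

```powershell
# Added example, not code from the original post: restore a soft-deleted object by id,
# after verifying that it is really soft-deleted and of the expected type.
# Assumes Microsoft.Graph.Authentication is installed and Connect-MgGraph has been run.

function Restore-EntraDeletedObject {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Object id of the soft-deleted item (directory object ids are GUIDs).
        [Parameter(Mandatory)]
        [guid]$ObjectId,

        # Optional expected @odata.type, e.g. '#microsoft.graph.user'. When given, anything
        # else is refused so that a mistyped id cannot quietly resurrect a different object.
        [string]$ExpectedType
    )

    $base = "https://graph.microsoft.com/v1.0/directory/deletedItems/$ObjectId"

    # Check 1: the id must be in the deleted-items container. A failure here means the
    # object is not soft-deleted: never existed, already restored, or purged after 30 days.
    try {
        $item = Invoke-MgGraphRequest -Method GET -Uri $base -OutputType PSObject
    } catch {
        throw "Object $ObjectId is not a soft-deleted item (already restored, purged, or never existed): $($_.Exception.Message)"
    }

    $actualType = $item.'@odata.type'
    if ($ExpectedType -and $actualType -ne $ExpectedType) {
        throw "Refusing to restore ${ObjectId}: it is a $actualType, expected $ExpectedType"
    }

    # Check 2: a null deletedDateTime means a live object, not a soft-deleted one.
    if (-not $item.deletedDateTime) {
        throw "Refusing to restore ${ObjectId}: deletedDateTime is null, so it is not soft-deleted"
    }

    # POST .../restore; the response body is the restored directory object.
    $label = "$actualType '$($item.displayName)' ($ObjectId), deleted $($item.deletedDateTime)"
    if ($PSCmdlet.ShouldProcess($label, 'Restore')) {
        $restored = Invoke-MgGraphRequest -Method POST -Uri "$base/restore" -OutputType PSObject
        [pscustomobject]@{
            Id          = $restored.id
            Type        = $restored.'@odata.type'
            DisplayName = $restored.displayName
            Restored    = -not $restored.deletedDateTime   # true once deletedDateTime is cleared
        }
    }
}

# Usage (the GUID is a placeholder): preview with -WhatIf first, then restore for real.
# Restore-EntraDeletedObject -ObjectId '00000000-0000-0000-0000-000000000000' -ExpectedType '#microsoft.graph.user' -WhatIf
# Restore-EntraDeletedObject -ObjectId '00000000-0000-0000-0000-000000000000' -ExpectedType '#microsoft.graph.user'
```

Because the function declares SupportsShouldProcess, -WhatIf and -Confirm work as on built-in cmdlets, which is worth having for an operation that re-enables a sign-in identity or a service principal with whatever permissions it had before deletion.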
Note
If you call the GET /v1.0/directory/deletedItems/microsoft.graph.{resourceType} endpoint for the following resource types:
- directoryRole
- directoryRoleTemplate
- organization
for example
GET https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.directoryRole
GET https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.directoryRoleTemplate
GET https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.organization
you may be surprised that the Graph API does not return an error and even returns some items. All of these items have the deletedDateTime property set to null, which means they are not soft-deleted objects but live ones. The practical consequence: never treat presence in a deletedItems response as proof that an object is deleted or restorable; always check that deletedDateTime is non-null first.
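The following is an added example (not code from the original post or from the author's repository) that covers both the listing procedure above and the caveat in this note. It calls the deletedItems endpoint directly through Invoke-MgGraphRequest, so it works for all eight restorable types, including certificateBasedAuthPki and certificateAuthorityDetail, which have no Get-MgDirectoryDeletedItemAs* cmdlet; it follows @odata.nextLink paging, skips any entry whose deletedDateTime is null (the live objects described in the note), and derives the purge date from the 30-day default retention. The function name, the $RetentionDays constant and the output columns are assumptions for illustration; it assumes an existing Connect-MgGraph session with a read scope such as Directory.Read.All.

```powershell
# Added example, not code from the original post: list soft-deleted directory objects of
# every restorable type by calling the deletedItems endpoint directly. Assumes
# Microsoft.Graph.Authentication is installed and Connect-MgGraph has already been run
# with a suitable read scope (e.g. Directory.Read.All).

$RetentionDays = 30   # default soft-delete retention; objects are purged after this

$DeletedTypes = @(
    'user', 'group', 'device', 'application', 'servicePrincipal',
    'administrativeUnit', 'certificateBasedAuthPki', 'certificateAuthorityDetail'
)

function Get-EntraDeletedObject {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('user', 'group', 'device', 'application', 'servicePrincipal',
                     'administrativeUnit', 'certificateBasedAuthPki', 'certificateAuthorityDetail')]
        [string]$ResourceType
    )

    # Single-quoted second half keeps PowerShell from expanding $select.
    $uri = "https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.$ResourceType" +
           '?$select=id,displayName,deletedDateTime'

    # Follow @odata.nextLink until the collection is exhausted.
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
        foreach ($item in $page.value) {
            # Guard: an entry with a null deletedDateTime is a live object, not a
            # soft-deleted one, so it is not restorable and is skipped here.
            if (-not $item.deletedDateTime) { continue }

            # DateTimeOffset keeps the comparison in UTC regardless of the local time zone.
            $deleted    = [datetimeoffset]$item.deletedDateTime
            $purgeAfter = $deleted.AddDays($RetentionDays)
            $remaining  = ($purgeAfter - [datetimeoffset]::UtcNow).TotalDays

            [pscustomobject]@{
                ResourceType    = $ResourceType
                Id              = $item.id
                DisplayName     = $item.displayName
                DeletedDateTime = $deleted
                PurgeAfter      = $purgeAfter
                DaysUntilPurge  = [math]::Max(0, [int][math]::Ceiling($remaining))
            }
        }
        $uri = $page.'@odata.nextLink'
    }
}

# Usage: everything still restorable in the tenant, soonest-to-be-purged first.
$DeletedTypes |
    ForEach-Object { Get-EntraDeletedObject -ResourceType $_ } |
    Sort-Object PurgeAfter |
    Format-Table ResourceType, DisplayName, Id, DeletedDateTime, DaysUntilPurge -AutoSize
```

The DaysUntilPurge column is the operationally interesting one: an object at 0 or 1 day is about to become unrecoverable, and a recently deleted service principal or application with a short remaining window is also a sign worth correlating with the audit log, since deleting an app registration is a quick way to remove evidence of a consent grant.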
PowerShell scripts
For a complete PowerShell implementation, see my GitHub repository with scripts:
- Get-DeletedEntraObjects.ps1 - Lists deleted objects
- Restore-DeletedEntraObject.ps1 - Restores deleted objects