What resources can be soft-deleted and restored in Microsoft Entra ID

What can be deleted and restored

If you have ever used the Entra Admin Center, you may have noticed that when you delete a user, you can list the deleted users and restore them. The same applies to groups.

Users and groups are the only resources that can be restored in the Entra Admin Center.

Does it mean that only users and groups can be soft-deleted and restored? Not at all.

The resources that can be soft-deleted and restored via the Microsoft Graph API and any Graph SDK are:

  • User
  • Group
  • Device
  • Application
  • Service principal
  • Administrative unit
  • Certificate authority detail
  • Certificate based auth PKI

The soft-deleted objects are retained for 30 days by default. After that, they are permanently deleted and cannot be restored.

List deleted objects

To list the deleted objects, you can use the following Graph API endpoint:

GET https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.{resourceType}

Possible values for the {resourceType} are user, group, device, application, servicePrincipal, administrativeUnit, certificateBasedAuthPki, and certificateAuthorityDetail.

When you work with PowerShell, use the specific Microsoft Graph SDK cmdlet for each resource type:

  • Get-MgDirectoryDeletedItemAsUser
  • Get-MgDirectoryDeletedItemAsGroup
  • Get-MgDirectoryDeletedItemAsDevice
  • Get-MgDirectoryDeletedItemAsApplication
  • Get-MgDirectoryDeletedItemAsServicePrincipal
  • Get-MgDirectoryDeletedItemAsAdministrativeUnit

Unfortunately, there is no cmdlet to list deleted certificateBasedAuthPki and certificateAuthorityDetail resources.

Restore deleted objects

To restore a deleted object, you need to know the object id of the deleted item:

POST https://graph.microsoft.com/v1.0/directory/deletedItems/{item_object_id}/restore

In PowerShell, restoring is more straightforward than retrieving: no matter what type the resource is, you can use the Restore-MgDirectoryDeletedItem cmdlet.

Restore-MgDirectoryDeletedItem -DirectoryObjectId $objectId

Note

If you try to call the GET /v1.0/directory/deletedItems/microsoft.graph.{resourceType} endpoint for the following resource types:

  • directoryRole
  • directoryRoleTemplate
  • organization

like

GET https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.directoryRole
GET https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.directoryRoleTemplate
GET https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.organization

you will be surprised that the Graph API doesn't return an error and even returns some items. All of these items have the deletedDateTime property set to null, which means they are not soft-deleted objects but live ones. Check deletedDateTime before treating anything returned by this endpoint as restorable.
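The listing, restore and deletedDateTime caveat described above, combined into one added example (not the post's own script or the scripts from the linked repository). It uses Invoke-MgGraphRequest from the Microsoft.Graph.Authentication module against the REST endpoint, so it also covers the two types without a dedicated Get-MgDirectoryDeletedItemAs* cmdlet; the Directory.Read.All scope and the 5-day warning threshold are assumptions.

```powershell
# Added example: inventory soft-deleted Entra objects of every restorable type,
# skip entries that are not actually deleted, and flag those close to the 30-day purge.
# Assumes Microsoft.Graph.Authentication is installed and Directory.Read.All is sufficient (assumption).
Connect-MgGraph -Scopes 'Directory.Read.All' -NoWelcome

$resourceTypes = @('user', 'group', 'device', 'application', 'servicePrincipal',
                   'administrativeUnit', 'certificateBasedAuthPki', 'certificateAuthorityDetail')
$retentionDays  = 30   # default soft-delete retention
$warnWithinDays = 5    # assumed threshold for "about to be permanently deleted"

$report = foreach ($type in $resourceTypes) {
    $uri = "https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.$type"
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
        foreach ($item in $page.value) {
            # deletedDateTime = null means a live object (the directoryRole/organization
            # behaviour noted above); never report or restore those.
            if (-not $item.deletedDateTime) { continue }
            $deletedAt = [datetime]$item.deletedDateTime
            $purgeAt   = $deletedAt.AddDays($retentionDays)
            [pscustomobject]@{
                ResourceType  = $type
                Id            = $item.id
                DisplayName   = $item.displayName
                DeletedAt     = $deletedAt
                DaysRemaining = [math]::Ceiling(($purgeAt - (Get-Date)).TotalDays)
            }
        }
        $uri = $page.'@odata.nextLink'   # follow paging until the collection is exhausted
    } while ($uri)
}

$report | Sort-Object DaysRemaining | Format-Table -AutoSize

# Objects nearing permanent deletion; restore is type-independent and needs only the id:
#   Restore-MgDirectoryDeletedItem -DirectoryObjectId $_.Id
$report | Where-Object { $_.DaysRemaining -le $warnWithinDays } | ForEach-Object {
    Write-Warning "$($_.ResourceType) '$($_.DisplayName)' ($($_.Id)) is purged in $($_.DaysRemaining) day(s)"
}
```

Run it on a schedule and the warnings give you a last chance to restore an accidentally deleted app, service principal or administrative unit before the retention window closes.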

PowerShell scripts

For a complete PowerShell implementation, see my GitHub repository with scripts:

  • Get-DeletedEntraObjects.ps1 - Lists deleted objects
  • Restore-DeletedEntraObject.ps1 - Restores deleted objects