We recommend that you enable the Active Directory Recycle Bin feature for your on-premises instances of Active Directory (AD) that are synchronized to Microsoft Entra ID.
If you accidentally delete an on-premises AD user object and restore it using this feature, Microsoft Entra ID restores the corresponding Microsoft Entra user object. For information about restoring Active Directory objects, see Scenario overview for restoring deleted Active Directory objects.
To learn how to enable the Active Directory Recycle Bin feature, see Active Directory Administrative Center enhancements.
This feature helps with restoring Microsoft Entra user objects by doing the following:
If you accidentally delete an on-premises AD user object, the corresponding Microsoft Entra user object is deleted in the next sync cycle. By default, Microsoft Entra ID keeps the deleted Microsoft Entra user object in a soft-deleted state for 30 days.
If you have the on-premises AD Recycle Bin feature enabled, you can restore the deleted on-premises AD user object without changing its Source Anchor value. When the recovered on-premises AD user object is synchronized to Microsoft Entra ID, Microsoft Entra ID restores the corresponding soft-deleted Microsoft Entra user object. For information about the Source Anchor attribute, refer to the article Microsoft Entra Connect: Design concepts.
If you do not have the on-premises AD Recycle Bin feature enabled, you may be required to create an AD user object to replace the deleted object. If the Microsoft Entra Connect Synchronization Service is configured to use a system-generated AD attribute (such as ObjectGuid) for the Source Anchor attribute, the newly created AD user object won't have the same Source Anchor value as the deleted AD user object. When the newly created AD user object is synchronized to Microsoft Entra ID, Microsoft Entra ID creates a new Microsoft Entra user object instead of restoring the soft-deleted Microsoft Entra user object.
Note
By default, Microsoft Entra ID keeps deleted Microsoft Entra user objects in a soft-deleted state for 30 days before they are permanently deleted. However, administrators can accelerate the deletion of such objects. Once the objects are permanently deleted, they can no longer be recovered, even if the on-premises AD Recycle Bin feature is enabled.
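The following PowerShell sketch is an added example, not part of the original article. It walks through the restore path described above: confirm the Recycle Bin is enabled, restore the deleted user, and verify that its ObjectGuid (the Source Anchor in the configuration the article mentions) is unchanged. It assumes the ActiveDirectory RSAT module is available; `contoso.com` and `jdoe` are placeholder values.

```powershell
# Added example. 'contoso.com' and 'jdoe' are placeholders, not values from the article.
Import-Module ActiveDirectory

$forest = 'contoso.com'   # placeholder forest root domain
$sam    = 'jdoe'          # placeholder sAMAccountName of the deleted user

# 1. Confirm the Recycle Bin is enabled. EnabledScopes is empty when it is not.
$feature = Get-ADOptionalFeature -Filter "Name -eq 'Recycle Bin Feature'"
if (-not $feature.EnabledScopes) {
    # Enabling is a one-way change and only protects objects deleted afterwards:
    #   Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    #       -Scope ForestOrConfigurationSet -Target $forest
    throw "AD Recycle Bin is not enabled in $forest; this object cannot be restored from it."
}

# 2. Locate the deleted object and record its ObjectGuid before restoring.
$deleted = Get-ADObject -IncludeDeletedObjects `
    -Filter "isDeleted -eq `$true -and sAMAccountName -eq '$sam'" `
    -Properties objectGUID, lastKnownParent, whenChanged

if (@($deleted).Count -ne 1) {
    throw "Expected exactly one deleted object for '$sam', found $(@($deleted).Count)."
}
$guidBefore = $deleted.ObjectGUID
"Deleted {0}; last parent: {1}" -f $deleted.whenChanged, $deleted.lastKnownParent

# 3. Restore in place. The object keeps its original ObjectGuid.
Restore-ADObject -Identity $guidBefore

# 4. Verify the restored user carries the same ObjectGuid, so the next sync
#    matches the soft-deleted Microsoft Entra user instead of creating a new one.
$restored = Get-ADUser -Identity $sam
if ($restored.ObjectGUID -ne $guidBefore) {
    throw "ObjectGuid changed after restore: $guidBefore -> $($restored.ObjectGUID)"
}
"Restored $($restored.DistinguishedName) with ObjectGuid $($restored.ObjectGUID)"

# 5. On the Microsoft Entra Connect server, the next scheduled sync picks up the
#    restored object; a delta cycle can be started with:
#      Start-ADSyncSyncCycle -PolicyType Delta
```

Run the restore within the 30-day soft-delete window described in the note above; after permanent deletion in Microsoft Entra ID, the on-premises restore results in a new cloud object.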