Restore deleted item (directory object)
Namespace: microsoft.graph
Restore a recently deleted application, group, servicePrincipal, administrative unit, or user object from deleted items. If an item was accidentally deleted, you can fully restore the item. However, security groups cannot be restored. Also, restoring an application doesn't restore the associated service principal automatically. You must call this API to explicitly restore the deleted service principal.
A recently deleted item remains available for up to 30 days. After 30 days, the item is permanently deleted.
This API is available in the following national cloud deployments.
| Global service | US Government L4 | US Government L5 (DOD) | China operated by 21Vianet |
|---|---|---|---|
| ✅ | ✅ | ✅ | ✅ |
Permissions
The following table shows the least privileged permission or permissions required to call this API on each supported resource type. Follow best practices to request least privileged permissions. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.
| Supported resource | Delegated (work or school account) | Delegated (personal Microsoft account) | Application |
|---|---|---|---|
| administrativeUnit | AdministrativeUnit.ReadWrite.All | Not supported. | AdministrativeUnit.ReadWrite.All |
| application | Application.ReadWrite.All | Not supported. | Application.ReadWrite.OwnedBy |
| group | Group.ReadWrite.All | Not supported. | Group.ReadWrite.All |
| servicePrincipal | Application.ReadWrite.All | Not supported. | Application.ReadWrite.OwnedBy |
| user | User.ReadWrite.All | Not supported. | User.ReadWrite.All |
For delegated scenarios, the calling user needs to have at least one of the following Microsoft Entra roles.
- To restore deleted applications or service principals: Application Administrator, Cloud Application Administrator, or Hybrid Identity Administrator.
- To restore deleted users: User Administrator. However, to restore users with privileged administrator roles:
- In delegated scenarios, the app must be assigned the Directory.AccessAsUser.All delegated permission, and the calling user must also be assigned a higher privileged administrator role as indicated in Who can perform sensitive actions?.
- In app-only scenarios and in addition to being granted the User.ReadWrite.All application permission, the app must be assigned a higher privileged administrator role as indicated in Who can perform sensitive actions?.
- To restore deleted groups: Groups Administrator. However, to restore role-assignable groups, the calling user must be assigned the Privileged Role Administrator role.
HTTP request
POST /directory/deletedItems/{id}/restore
Request headers
| Name | Description |
|---|---|
| Authorization | Bearer {token}. Required. Learn more about authentication and authorization. |
| Content-type | application/json |
Request body
Don't supply a request body for this method.
Response
If successful, this method returns a 200 OK response code and a directoryObject object in the response body.
Example
Request
POST https://graph.microsoft.com/v1.0/directory/deletedItems/{object-id}/restore
Response
Note: The response object shown here might be shortened for readability.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#directoryObjects/$entity",
"@odata.type":"#microsoft.graph.group",
"id":"46cc6179-19d0-473e-97ad-6ff84347bbbb",
"displayName":"SampleGroup",
"groupTypes":["Unified"],
"mail":"example@contoso.com",
"mailEnabled":true,
"mailNickname":"Example",
"securityEnabled":false,
"visibility":"Public"
}
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for