Edit

Share via

Restore deleted item (directory object)

Namespace: microsoft.graph

Restore a recently deleted application, group, servicePrincipal, administrative unit, or user object from deleted items.

Restore a recently deleted directory object from deleted items. The following types are supported:

If an item was accidentally deleted, you can fully restore the item. However, security groups can't be restored. Also, restoring an application doesn't restore the associated service principal automatically. You must call this API to explicitly restore the deleted service principal.

A recently deleted item remains available for up to 30 days. After 30 days, the item is permanently deleted.

This API is available in the following national cloud deployments.

Global service US Government L4 US Government L5 (DOD) China operated by 21Vianet

Permissions

The following table shows the least privileged permission or permissions required to call this API on each supported resource type. Follow best practices to request least privileged permissions. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.

Supported resource Delegated (work or school account) Delegated (personal Microsoft account) Application
administrativeUnit AdministrativeUnit.ReadWrite.All Not supported. AdministrativeUnit.ReadWrite.All
application Application.ReadWrite.All Not supported. Application.ReadWrite.OwnedBy
certificateBasedAuthPki PublicKeyInfrastructure.Read.All Not supported. PublicKeyInfrastructure.Read.All
certificateAuthorityDetail PublicKeyInfrastructure.Read.All Not supported. PublicKeyInfrastructure.Read.All
group Group.ReadWrite.All Not supported. Group.ReadWrite.All
servicePrincipal Application.ReadWrite.All Not supported. Application.ReadWrite.OwnedBy
user User.DeleteRestore.All Not supported. User.DeleteRestore.All

Important

In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported Microsoft Entra role or a custom role with a supported role permission. The following least privileged roles are supported for this operation.

  • Administrative units: Directory Readers (read-only), Global Readers (read-only), Privileged Role Administrator
  • Applications: Hybrid Identity Administrator, Cloud Application Administrator, Application Administrator
  • External user profiles: Global Reader (read-only), Skype for Business Administrator, Teams Administrator
  • Groups: Groups Administrator (except for role-assignable groups), User Administrator (except for role-assignable groups), Privileged Role Administrator (least privileged role for role-assignable groups)
  • Pending external user profiles: Global Reader (read-only), Skype for Business Administrator, Teams Administrator
  • Service principals: Hybrid Identity Administrator, Cloud Application Administrator, Application Administrator
  • Users: Authentication Administrator, Privileged Authentication Administrator, User Administrator. However, to restore users with privileged administrator roles:
    • In delegated scenarios, the app must be assigned the Directory.AccessAsUser.All delegated permission, and the calling user must also be assigned a higher privileged administrator role as indicated in Who can perform sensitive actions?.
    • In app-only scenarios and in addition to being granted the User.ReadWrite.All application permission, the app must be assigned a higher privileged administrator role as indicated in Who can perform sensitive actions?.

HTTP request

POST /directory/deletedItems/{id}/restore

Request headers

Name Description
Authorization Bearer {token}. Required. Learn more about authentication and authorization.
Content-type application/json

Request body

In the request body, supply a JSON representation of the parameters.

The following table lists the parameters that are required when you call this action.

Parameter Type Description
autoReconcileProxyConflict Boolean Optional parameter. Indicates whether Microsoft Entra ID should remove any conflicting proxy addresses while restoring a soft-deleted user whose one or more proxy addresses are currently used for an active user. Used only for restoring soft-deleted user objects. The default value for this parameter is false.
newUserPrincipalName String The new userPrincipalName to add to the restored user. Optional.

Response

If successful, this method returns a 200 OK response code and a directoryObject object in the response body.

Examples

Example 1: Restore a deleted item

Request

POST https://graph.microsoft.com/v1.0/directory/deletedItems/78bf875b-9343-4edc-9130-0d3958113563/restore

Response

Note: The response object shown here might be shortened for readability.

HTTP/1.1 200 OK
Content-type: application/json

{
  "@odata.context":"https://graph.microsoft.com/v1.0/$metadata#directoryObjects/$entity",
  "@odata.type":"#microsoft.graph.group",
  "id":"46cc6179-19d0-473e-97ad-6ff84347bbbb",
  "displayName":"SampleGroup",
  "groupTypes":["Unified"],
  "mail":"example@contoso.com",
  "mailEnabled":true,
  "mailNickname":"Example",
  "securityEnabled":false,
  "visibility":"Public"
}

Example 2: Restore a deleted item and remove any conflicting proxy addresses

Request

POST https://graph.microsoft.com/v1.0/directory/deleteditems/78bf875b-9343-4edc-9130-0d3958113563/restore
Content-Type: application/json

{
  "autoReconcileProxyConflict": true
}

Response

Note: The response object shown here might be shortened for readability.

HTTP/1.1 200 OK
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users/$entity",
    "@odata.type": "#microsoft.graph.user",
    "id": "78bf875b-9343-4edc-9130-0d3958113563",
    "businessPhones": [],
    "displayName": "SampleUser",
    "givenName": "Sample",
    "jobTitle": "Product Marketing Manager",
    "mail": "sampleuser@contoso.com",
    "mobilePhone": "+1 425 555 0109",
    "officeLocation": "18/2111",
    "preferredLanguage": "en-US",
    "surname": "Vance",
    "userPrincipalName": "sampleuser@contoso.com"
}

Example 3: Restore a deleted user and assign them a new userPrincipalName

Request

POST https://graph.microsoft.com/v1.0/directory/deleteditems/78bf875b-9343-4edc-9130-0d3958113563/restore
Content-Type: application/json

{
  "newUserPrincipalName": "johndoe@contoso.com"
}

Response

Note: The response object shown here might be shortened for readability.

HTTP/1.1 200 OK
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects/$entity",
    "@odata.type": "#microsoft.graph.user",
    "id": "78bf875b-9343-4edc-9130-0d3958113563",
    "businessPhones": [],
    "displayName": "SampleUser",
    "givenName": "Sample",
    "mobilePhone": "+1 425 555 0109",
    "officeLocation": "18/2111",
    "preferredLanguage": "en-US",
    "surname": "Vance",
    "userPrincipalName": "johndoe@contoso.com"
}