Restore deleted item (directory object)

Namespace: microsoft.graph

Restore a recently deleted application, group, servicePrincipal, administrative unit, or user object from deleted items. If an item was accidentally deleted, you can fully restore the item. This is not applicable to security groups, which are deleted permanently.

A recently deleted item will remain available for up to 30 days. After 30 days, the item is permanently deleted.

This API is supported in the following national cloud deployments.

Global service US Government L4 US Government L5 (DOD) China operated by 21Vianet


The following table shows the least privileged permission or permissions required to call this API on each supported resource type. Follow best practices to request least privileged permissions. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.

Supported resource Delegated (work or school account) Delegated (personal Microsoft account) Application
administrativeUnit AdministrativeUnit.ReadWrite.All Not supported. AdministrativeUnit.ReadWrite.All
application Application.ReadWrite.All Not supported. Application.ReadWrite.OwnedBy
group Group.ReadWrite.All Not supported. Not supported.
servicePrincipal Application.ReadWrite.All Not supported. Application.ReadWrite.OwnedBy
user User.ReadWrite.All Not supported. Not supported.

For delegated scenarios, the calling user needs to have at least one of the following Azure AD roles.

  • To restore deleted applications or service principals: Application Administrator, Cloud Application Administrator, or Hybrid Identity Administrator.
  • To restore deleted users: User Administrator. However, to restore users with privileged administrator roles:
    • In delegated scenarios, the app must be assigned the Directory.AccessAsUser.All delegated permission, and the calling user must also be assigned a higher privileged administrator role as indicated in Who can perform sensitive actions?.
    • In app-only scenarios and in addition to being granted the User.ReadWrite.All application permission, the app must be assigned a higher privileged administrator role as indicated in Who can perform sensitive actions?.
  • To restore deleted groups: Groups Administrator. However, to restore role-assignable groups, the calling user must be assigned the Privileged Role Administrator role.

HTTP request

POST /directory/deletedItems/{id}/restore

Request headers

Name Description
Authorization Bearer <token> Required
Content-type application/json

Request body

Do not supply a request body for this method.


If successful, this method returns a 200 OK response code and a directoryObject object in the response body.





Note: The response object shown here might be shortened for readability.

HTTP/1.1 200 OK
Content-type: application/json