Restore deleted item (directory object)
Namespace: microsoft.graph
Restore a recently deleted application, group, servicePrincipal, administrative unit, or user object from deleted items. If an item was accidentally deleted, you can fully restore the item. This is not applicable to security groups, which are deleted permanently.
A recently deleted item will remain available for up to 30 days. After 30 days, the item is permanently deleted.
This API is supported in the following national cloud deployments.
| Global service | US Government L4 | US Government L5 (DOD) | China operated by 21Vianet |
|---|---|---|---|
| ✅ | ✅ | ✅ | ✅ |
Permissions
The following table shows the least privileged permission or permissions required to call this API on each supported resource type. Follow best practices to request least privileged permissions. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.
| Supported resource | Delegated (work or school account) | Delegated (personal Microsoft account) | Application |
|---|---|---|---|
| administrativeUnit | AdministrativeUnit.ReadWrite.All | Not supported. | AdministrativeUnit.ReadWrite.All |
| application | Application.ReadWrite.All | Not supported. | Application.ReadWrite.OwnedBy |
| group | Group.ReadWrite.All | Not supported. | Not supported. |
| servicePrincipal | Application.ReadWrite.All | Not supported. | Application.ReadWrite.OwnedBy |
| user | User.ReadWrite.All | Not supported. | Not supported. |
For delegated scenarios, the calling user needs to have at least one of the following Azure AD roles.
- To restore deleted applications or service principals: Application Administrator, Cloud Application Administrator, or Hybrid Identity Administrator.
- To restore deleted users: User Administrator. However, to restore users with privileged administrator roles:
- In delegated scenarios, the app must be assigned the Directory.AccessAsUser.All delegated permission, and the calling user must also be assigned a higher privileged administrator role as indicated in Who can perform sensitive actions?.
- In app-only scenarios and in addition to being granted the User.ReadWrite.All application permission, the app must be assigned a higher privileged administrator role as indicated in Who can perform sensitive actions?.
- To restore deleted groups: Groups Administrator. However, to restore role-assignable groups, the calling user must be assigned the Privileged Role Administrator role.
HTTP request
POST /directory/deletedItems/{id}/restore
Request headers
| Name | Description |
|---|---|
| Authorization | Bearer <token> Required |
| Content-type | application/json |
Request body
Do not supply a request body for this method.
Response
If successful, this method returns a 200 OK response code and a directoryObject object in the response body.
Example
Request
POST https://graph.microsoft.com/v1.0/directory/deletedItems/{object-id}/restore
Response
Note: The response object shown here might be shortened for readability.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#directoryObjects/$entity",
"@odata.type":"#microsoft.graph.group",
"id":"46cc6179-19d0-473e-97ad-6ff84347bbbb",
"displayName":"SampleGroup",
"groupTypes":["Unified"],
"mail":"example@contoso.com",
"mailEnabled":true,
"mailNickname":"Example",
"securityEnabled":false,
"visibility":"Public"
}
Feedback
Submit and view feedback for