Restore-EntraDeletedDirectoryObject

Restore a previously deleted object.

Syntax

Restore-EntraDeletedDirectoryObject
       -Id <String>
       [-AutoReconcileProxyConflict]
       [<CommonParameters>]

Description

The Restore-EntraDeletedDirectoryObject cmdlet is used to restore previously deleted objects, such as application, group, service principal, administrative unit, or user objects.

When a group or application is deleted, it is initially soft deleted and can be recovered within the first 30 days. After 30 days, the deleted object is permanently deleted and cannot be recovered.

Notes:

  • Only Unified Groups (also known as Office 365 Groups) can be restored; Security groups cannot be restored.
  • Restoring an application does not automatically restore its associated service principal. You must explicitly use this cmdlet to restore the deleted service principal.

For delegated scenarios, the calling user needs to have at least one of the following Microsoft Entra roles:

  • To restore deleted applications or service principals: Application Administrator, Cloud Application Administrator, or Hybrid Identity Administrator.
  • To restore deleted users: User Administrator.
    • However, to restore users with privileged administrator roles:
      • In delegated scenarios, the app must be assigned the Directory.AccessAsUser.All delegated permission, and the calling user must also be assigned a higher privileged administrator role.
      • In app-only scenarios, in addition to being granted the User.ReadWrite.All application permission, the app must be assigned a higher privileged administrator role.
  • To restore deleted groups: Groups Administrator.
    • However, to restore role-assignable groups, the calling user must be assigned the Privileged Role Administrator role.

Examples

Example 1: Restore a deleted object with ID

Connect-Entra -Scopes 'AdministrativeUnit.ReadWrite.All' #administrativeUnit resource
Connect-Entra -Scopes 'Application.ReadWrite.All' #application resource
Connect-Entra -Scopes 'Group.ReadWrite.All' #group resource
Connect-Entra -Scopes 'Application.ReadWrite.All' #servicePrincipal resource
Connect-Entra -Scopes 'User.ReadWrite.All' #user resource
Restore-EntraDeletedDirectoryObject -Id 'dddddddd-3333-4444-5555-eeeeeeeeeeee'

Id                                   DeletedDateTime
--                                   ---------------
dddddddd-3333-4444-5555-eeeeeeeeeeee

This example shows how to restore a deleted object in Microsoft Entra ID.

  • -Id parameter specifies the Id of the directory object to restore.

Example 2: Restoring a Soft-Deleted User and Removing Conflicting Proxy Addresses

Connect-Entra -Scopes 'User.ReadWrite.All'
Restore-EntraDeletedDirectoryObject -Id 'dddddddd-3333-4444-5555-eeeeeeeeeeee' -AutoReconcileProxyConflict

Id                                   DeletedDateTime
--                                   ---------------
dddddddd-3333-4444-5555-eeeeeeeeeeee

This example shows how to restore a soft-deleted user in Microsoft Entra ID while removing any proxy addresses that conflict with an active user.

  • -Id parameter specifies the Id of the directory object to restore.
  • -AutoReconcileProxyConflict parameter removes any conflicting proxy addresses while restoring a soft-deleted user when one or more of that user's proxy addresses are currently in use by an active user.
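As an added example (not code from this page or from the Microsoft.Entra module), the following wrapper checks the soft-delete record and the 30-day recovery window before calling the cmdlet, supports -WhatIf, and surfaces the two caveats stated above (the switch applies only to users; restoring an application does not restore its service principal). It assumes a Get-EntraDeletedDirectoryObject cmdlet with a -DirectoryObjectId parameter and an AdditionalProperties['@odata.type'] value on the object it returns.

```powershell
function Restore-EntraDeletedObjectChecked {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Id,
        [int] $RetentionDays = 30,             # soft-delete window stated in the docs
        [switch] $AutoReconcileProxyConflict
    )

    # Look up the soft-deleted record first. No record means the object either was
    # never deleted or has already been purged after the retention window.
    # Get-EntraDeletedDirectoryObject and -DirectoryObjectId are assumed (not on this page).
    $deleted = Get-EntraDeletedDirectoryObject -DirectoryObjectId $Id -ErrorAction SilentlyContinue
    if (-not $deleted) {
        throw "No soft-deleted directory object with Id '$Id' was found; it may already be permanently deleted."
    }

    $age = (Get-Date).ToUniversalTime() - ([datetime] $deleted.DeletedDateTime).ToUniversalTime()
    if ($age.TotalDays -ge $RetentionDays) {
        throw "Object '$Id' was deleted $([int] $age.TotalDays) days ago, outside the $RetentionDays-day recovery window."
    }

    # Assumed property shape: Graph's AdditionalProperties hashtable carrying '@odata.type'.
    # If it is absent, $odataType is $null and the type-specific warnings are skipped.
    $odataType = $deleted.AdditionalProperties['@odata.type']

    $restoreParams = @{ Id = $Id }
    if ($AutoReconcileProxyConflict) {
        if ($odataType -and $odataType -ne '#microsoft.graph.user') {
            Write-Warning '-AutoReconcileProxyConflict only applies to soft-deleted users; ignoring it.'
        } else {
            $restoreParams['AutoReconcileProxyConflict'] = $true
        }
    }

    if (-not $PSCmdlet.ShouldProcess("$Id ($odataType, deleted $($deleted.DeletedDateTime))", 'Restore')) { return }

    $restored = Restore-EntraDeletedDirectoryObject @restoreParams

    # A restore is a directory write; record who restored what and when for the change log.
    Write-Information ("{0:u} restored {1} {2} by {3}" -f (Get-Date), $odataType, $restored.Id, $env:USERNAME) -InformationAction Continue

    if ($odataType -eq '#microsoft.graph.application') {
        Write-Warning 'Restoring an application does not restore its service principal; restore that object separately with Restore-EntraDeletedDirectoryObject.'
    }
    return $restored
}

# Usage (after Connect-Entra with the scope for the object type being restored):
# Restore-EntraDeletedObjectChecked -Id 'dddddddd-3333-4444-5555-eeeeeeeeeeee' -WhatIf
```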

Parameters

-AutoReconcileProxyConflict

Specifies whether Microsoft Entra ID should remove conflicting proxy addresses when restoring a soft-deleted user, if any of the user's proxy addresses are currently in use by an active user. This parameter applies only when restoring a soft-deleted user. The default value is false.

Type: System.Management.Automation.SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False

-Id

The Id of the directory object to restore.

Type: System.String
Position: Named
Default value: None
Required: True
Accept pipeline input: True
Accept wildcard characters: False

Inputs

System.String

Outputs

System.Object