Restore-EntraDeletedDirectoryObject
Restore a previously deleted object.
Restore-EntraDeletedDirectoryObject
-Id <String>
[<CommonParameters>]
The Restore-EntraDeletedDirectoryObject
cmdlet is used to restore previously deleted objects, such as application, group, service principal, administrative unit, or user objects.
When a group or application is deleted, it is initially soft deleted and can be recovered within the first 30 days. After 30 days, the deleted object is permanently deleted and cannot be recovered.
Notes:
- Only Unified Groups (also known as Office 365 Groups) can be restored; Security groups cannot be restored.
- Restoring an application does not automatically restore its associated service principal. You must explicitly use this cmdlet to restore the deleted service principal.
For delegated scenarios, the calling user needs to have at least one of the following Microsoft Entra roles:
- To restore deleted applications or service principals: Application Administrator, Cloud Application Administrator, or Hybrid Identity Administrator.
- To restore deleted users: User Administrator.
- However, to restore users with privileged administrator roles:
- In delegated scenarios, the app must be assigned the
Directory.AccessAsUser.All
delegated permission, and the calling user must also be assigned a higher privileged administrator role. - In app-only scenarios, in addition to being granted the
User.ReadWrite.All
application permission, the app must be assigned a higher privileged administrator role.
- In delegated scenarios, the app must be assigned the
- However, to restore users with privileged administrator roles:
- To restore deleted groups: Groups Administrator.
- However, to restore role-assignable groups, the calling user must be assigned the Privileged Role Administrator role.
Connect-Entra -Scopes 'AdministrativeUnit.ReadWrite.All' #administrativeUnit resource
Connect-Entra -Scopes 'Application.ReadWrite.All' #application resource
Connect-Entra -Scopes 'Group.ReadWrite.All' #group resource
Connect-Entra -Scopes 'Application.ReadWrite.All' #servicePrincipal resource
Connect-Entra -Scopes 'User.ReadWrite.All' #user resource
Restore-EntraDeletedDirectoryObject -Id 'dddddddd-3333-4444-5555-eeeeeeeeeeee'
Id DeletedDateTime
-- ---------------
dddddddd-3333-4444-5555-eeeeeeeeeeee
This example shows how to restore a deleted object in Microsoft Entra ID.
-Id
parameter specifies the Id of the directory object to restore.
Connect-Entra -Scopes 'User.ReadWrite.All'
Restore-EntraDeletedDirectoryObject -Id 'dddddddd-3333-4444-5555-eeeeeeeeeeee' -AutoReconcileProxyConflict
Id DeletedDateTime
-- ---------------
dddddddd-3333-4444-5555-eeeeeeeeeeee
This example shows how to restore a deleted object in Microsoft Entra ID.
-Id
parameter specifies the Id of the directory object to restore.-AutoReconcileProxyConflict
parameter removes any conflicting proxy addresses while restoring a soft-deleted user whose one or more proxy addresses are currently used for an active user.
Specifies whether Microsoft Entra ID should remove conflicting proxy addresses when restoring a soft-deleted user, if any of the user's proxy addresses are currently in use by an active user. This parameter applies only when restoring a soft-deleted user. The default value is false
.
Type: | System.Management.Automation.SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
The Id of the directory object to restore.
Type: | System.String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
System.String
System.Object