Restore Deleted Objects Using Microsoft Entra PowerShell
Accidentally deleting a critical user account, application registration, or group in Microsoft Entra ID tenant can trigger a moment of panic. But fear not! Microsoft 365 deleted objects are not immediately gone forever. Microsoft Entra ID has a soft-delete mechanism, giving admins a 30-day window to restore them. Only after this period, the object is permanently deleted and cannot be restored.
You can manage object deletions in Microsoft 365 through the Entra admin center, but for faster, and bulk recovery, PowerShell is the superior choice. Let’s learn how to restore deleted objects using Microsoft Entra PowerShell now!
Let’s make sure you have everything needed to successfully run the recovery commands. Your Microsoft Entra ID account must have one of these administrator roles:
- To restore users: User Administrator
- To restore groups: Groups Administrator
- To restore applications: Application Administrator, Cloud Application Administrator, or Hybrid Identity Administrator
- To restore administrative units: Privileged Role Administrator
If you’re unsure about your permissions, a Global Administrator has the rights to perform all these actions. However, Global Administrator is a high-privileged account, and it is recommended to follow least privileged access practices and use role-specific administrators whenever possible.
Firstly, connect to the Microsoft Entra PowerShell module and assign scopes based on action:
- Restore Users: User.ReadWrite.All
- Restore Groups: Group.ReadWrite.All
- Restore Applications: Application.ReadWrite.All
- Restore Administrative Units: AdministrativeUnit.ReadWrite.All
Once the appropriate scopes are assigned, you can proceed to restore the deleted objects safely. Now, let’s see how to
- Restore a recently deleted user
- Bulk restore deleted users
- Restore a deleted Microsoft 365 group
- Bulk recover deleted Microsoft 365 groups
- Restore a recently deleted application
- Bulk restore application registration
- Recover a deleted service principal
- Bulk Restore Entra ID service principals
- Recover soft-deleted administrative units
- Bulk restore administrative units
Deleting a user account in Entra doesn’t immediately erase it. Instead, the user account remains suspended for a month, giving admins time to reverse the action.
Find the deleted users in the organization by running the following cmdlet.
|
1 |
Get-EntraDeletedUser |
The result shows the user ID along with the deleted date and time. You will need the Object ID to restore a user.
Then restore the deleted user by executing the below cmdlet:
|
1 |
Restore-EntraDeletedDirectoryObject -Id '<UserID>' |
Replace <UserId> with the actual Object ID of the user to be restored.
When restoring a user, their previous licenses are reapplied. If your tenant doesn’t have available licenses, this may temporarily place you out of compliance.
In large organizations, accidental deletions can affect multiple users at once during system migrations, HR data corrections, or automated account cleanup processes. In such cases, restoring them one by one is time-consuming. Instead, you can import a CSV file with Users ID and restore them in bulk using PowerShell.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 |
$users = Import-Csv -Path "<FilePath>.csv" foreach ($user in $users) { try { Restore-EntraDeletedDirectoryObject -Id $user.UserId Write-Host "Restored User with ID: $($user.UserId)" -ForegroundColor Green } catch { Write-Host "Failed to restore User with ID: $($user.UserId). Error: $_" -ForegroundColor Red } } Update <FilePath>.csv to point to your CSV file’s location. |
Input CSV file format:
Groups play a central role in collaboration by providing shared access to resources such as Teams, SharePoint, and Outlook. Accidentally deleting a group in Microsoft 365 can disrupt access for many users. To restore a group in Microsoft 365, follow the steps below.
Use the following cmdlet to view groups currently in the soft-deleted state:
|
1 |
Get-EntraDeletedGroup |
This retrieves all deleted group IDs that are eligible for recovery. The output will show details such as display name, object ID, and group type.
Once you’ve identified the group, use its Id to restore it using:
|
1 |
Restore-EntraDeletedDirectoryObject -Id "<GroupID>" |
Replace the ID with the deleted group’s ID you want to restore.
Important: Only Unified Groups (Microsoft 365 Groups) can be restored. It is not possible to restore deleted distribution lists and security groups in Microsoft 365.
This method is perfect for bulk recovery scenarios where several Microsoft 365 groups are lost simultaneously due to accidental deletion or administrative mistakes. Bulk restoration helps maintain business continuity and minimizes downtime for affected teams.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
#Import the CSV file containing Group IDs to restore $groups = Import-Csv -Path "<FilePath>.csv" foreach ($group in $groups) { try { Restore-EntraDeletedDirectoryObject -Id $group.GroupId Write-Host "Restored Group with ID: $($group.GroupId)" -ForegroundColor Green } catch { Write-Host "Failed to restore Group with ID: $($group.GroupId). Error: $_" -ForegroundColor Red } } |
Replace <FilePath>.csv with the complete file path to your CSV.
Input CSV file format:
The restoration of applications requires a clear understanding of the application object model in Microsoft Entra ID. An application is represented by two distinct objects:
- Entra ID application registration – Defines the application’s identity and configuration.
- Service Principal – Represents the instance of the application in a specific tenant.
When an application is deleted, both objects are soft-deleted and must be restored individually.
Firstly, to find the list of deleted application registrations, run the following.
|
1 |
Get-EntraDeletedApplication |
This will list details such as application name, ID, and publisher domain.
With application ID from the command above, restore the deleted applications you wish to in Entra ID.
|
1 |
Restore-EntraDeletedDirectoryObject -Id '<ApplicationID>' |
After restoring the application, you might also need to restore deleted application’s service principal which is detailed below.
For development or testing environments where many app registrations might be deleted, restoring them one-by-one is impractical. This bulk approach lets you restore Entra app registrations in one go.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 |
#Import the CSV file containing Application IDs to restore $applications = Import-Csv -Path "<FilePath>.csv" foreach ($app in $applications) { try { Restore-EntraDeletedDirectoryObject -Id $app.ApplicationId Write-Host "Restored Application with ID: $($app.ApplicationId)" -ForegroundColor Green } catch { Write-Host "Failed to restore Application with ID: $($app.ApplicationId). Error: $_" -ForegroundColor Red } } |
Specify your CSV file path instead of <FilePath>.csv.
Input CSV file format:
Find the deleted service principals in the organization by running the below:
|
1 |
Get-EntraDeletedServicePrincipal |
Once you identify the required object, you can restore it with the Restore-EntraDeletedDirectoryObject cmdlet, specifying the unique Object ID of the service principal.
|
1 |
Restore-EntraDeletedDirectoryObject –Id ‘<ServicePrincipalIdObject>’ |
Replace <ServicePrincipalIdObjectId> with the actual ID of the service principal you wish to restore.
Note: If you restore only the service principal without restoring the associated app registration, the service principal becomes unusable. It loses its link to the application metadata like client secrets, permissions, and redirect URIs, making authentication and access to resources fail. For complete Entra app functionality, you need to restore both the deleted app registration and service principal together.
You can restore multiple service principals in bulk using a CSV file. Ensure your CSV file has a column named ServicePrincipalId.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
#Import the CSV file containing service principal IDs to restore $servicePrincipals = Import-Csv -Path "<FilePath>.csv" foreach ($sp in $servicePrincipals) { try { Restore-EntraDeletedDirectoryObject -Id $sp.ServicePrincipalId Write-Host "Restored Service Principal with ID: $($sp.ServicePrincipalId)" -ForegroundColor Green } catch { Write-Host "Failed to restore Service Principal with ID: $($sp.ServicePrincipalId). Error: $_" -ForegroundColor Red } } |
Use this approach to quickly restore multiple deleted service principals without manually restoring each one.
Input CSV file format:
Administrative units in Entra ID are containers used to delegate administrative permissions and apply policies to a subset of users or groups. Their accidental deletion can disrupt governance models. The Get-EntraDeletedAdministrativeUnit cmdlet provides a view into all soft-deleted administrative units.
|
1 |
Restore-EntraDeletedDirectoryObject -Id '<AdministrativeUnitId>' |
Replace <AdministrativeUnitId> with the actual ID of the administrative unit you wish to restore in the organization.
In large organizations, losing multiple administrative units can halt delegated administration for entire departments. This bulk restoration script quickly recovers all your administrative units, their memberships, and scoped role assignments in one go.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
#Import the CSV file containing Administrative Unit IDs to restore $adminUnits = Import-Csv -Path "<FilePath>.csv" foreach ($unit in $adminUnits) { try { Restore-EntraDeletedDirectoryObject -Id $unit.AdminUnitId Write-Host "Restored Administrative Unit with ID: $($unit.AdminUnitId)" -ForegroundColor Green } catch { Write-Host "Failed to restore Administrative Unit with ID: $($unit.AdminUnitId). Error: $_" -ForegroundColor Red } } |
Modify <FilePath>.csv with the correct path where your CSV is stored.
Input CSV file format:
Pro tip: To prevent permanent deletions of Microsoft 365 objects, consider enabling protected actions in Entra ID.
Now you know how to quickly restore deleted users, groups, apps, and more in Microsoft 365. Feel free to reach us through the comment section, if you have any queries.
