Fetch Recently Deleted Guest Users Using Graph PowerShell

Guest accounts are widely used in Microsoft 365 tenants to collaborate with external vendors, consultants, partners, and clients. Over time, some of these guest accounts may be removed from the directory when access is no longer required.

When a guest user is deleted, the account is not immediately removed permanently. Instead, it is moved into the Deleted Users container, where it remains recoverable for a limited retention period (typically 30 days). 

For administrators, it becomes important to track recently deleted guest users for:

  • Security audits 
  • Compliance reporting
  • Guest access governance
  • Restoration of accidentally deleted accounts

In this article, we will explore a Graph PowerShell script that fetches guest users deleted within the last 30 days and exports the report into a CSV file.

The Script 

The following script retrieves recently deleted guest user accounts and exports the results to CSV.

<# 
.SYNOPSIS
    Fetches guest user accounts deleted in the last 30 days
    and exports the report to CSV.

.DESCRIPTION
    This script queries Microsoft Entra ID deleted users using Microsoft Graph.
    It filters only Guest users deleted recently.

.REQUIREMENTS
    Microsoft.Graph module
    Directory.Read.All permission
#>

# -------------------------------
# Step 1: Connect to Microsoft Graph
# -------------------------------
Connect-MgGraph -Scopes "Directory.Read.All"

Write-Host "`nFetching recently deleted guest users..." -ForegroundColor Cyan

# -------------------------------
# Step 2: Define Date Range (Last 30 Days)
# -------------------------------
$DaysBack   = 30
$CutoffDate = (Get-Date).AddDays(-$DaysBack)

# -------------------------------
# Step 3: Fetch Deleted Users
# -------------------------------
$DeletedUsers = Get-MgDirectoryDeletedItemAsUser -All `
    -Property Id,DisplayName,UserPrincipalName,DeletedDateTime,UserType

# -------------------------------
# Step 4: Filter Only Guest Users Deleted Recently
# -------------------------------
$DeletedGuestReport = $DeletedUsers |
    Where-Object {
        (
            $_.UserType -eq "Guest" -or
            $_.UserPrincipalName -like "*#EXT#*"
        ) -and
        $_.DeletedDateTime -ge $CutoffDate
    } |
    Select-Object DisplayName, UserPrincipalName, UserType, DeletedDateTime

# -------------------------------
# Step 5: Display Results in Console
# -------------------------------
Write-Host "`nDeleted Guest Accounts Found (Last $DaysBack Days): $($DeletedGuestReport.Count)" -ForegroundColor Yellow
$DeletedGuestReport | Format-Table -AutoSize

# -------------------------------
# Step 6: Export Report to CSV
# -------------------------------
# Save beside the script; fall back to the current directory when run interactively,
# because $PSScriptRoot is empty in that case and the path would otherwise resolve to the drive root.
$BasePath   = if ($PSScriptRoot) { $PSScriptRoot } else { (Get-Location).Path }
$ExportPath = Join-Path $BasePath "RecentlyDeletedGuestUsersReport.csv"
$DeletedGuestReport | Export-Csv -Path $ExportPath -NoTypeInformation -Encoding UTF8

Write-Host "`nReport exported successfully to:" -ForegroundColor Green
Write-Host $ExportPath -ForegroundColor White

How the Script Works 

Let’s walk through the script step-by-step to understand how it retrieves deleted guest accounts. 

Step 1: Connect to Microsoft Graph 

Connect-MgGraph -Scopes "Directory.Read.All" 

The script begins by connecting to Microsoft Graph with the required permission: 

  • Directory.Read.All – Needed to read deleted directory objects 

This permission is mandatory because deleted accounts are stored separately from active users.

Step 2: Define the Last 30 Days Window

$DaysBack   = 30
$CutoffDate = (Get-Date).AddDays(-$DaysBack)

Since deleted users are retained only temporarily, the script focuses on guest
accounts deleted within the last 30 days.

The $CutoffDate ensures we only retrieve recent deletions.

Step 3: Fetch Deleted Users Only

$DeletedUsers = Get-MgDirectoryDeletedItemAsUser -All 

Instead of using the generic deleted items cmdlet, the script uses:

  • Get-MgDirectoryDeletedItemAsUser 

This cmdlet returns only deleted user objects, making it more efficient and easier to work with.

Step 4: Filter Only Guest Users 

Where-Object { 
    $_.UserType -eq "Guest" -or 
    $_.UserPrincipalName -like "*#EXT#*" 
}

Guest accounts can be identified reliably using:

  • UserType = Guest
  • Or the presence of #EXT# in the UserPrincipalName

Using both makes the script more accurate across different tenant scenarios.

Step 5: Display the Output in Console

$DeletedGuestReport | Format-Table -AutoSize

The script prints the report in a readable table format, showing key fields:

  • DisplayName
  • UserPrincipalName
  • UserType
  • DeletedDateTime

The Mail field is deliberately left out of the selection so that the DeletedDateTime column remains clearly visible in the console.

Step 6: Export the Report to CSV

Export-Csv -Path RecentlyDeletedGuestUsersReport.csv

Finally, the report is exported for audit and compliance use.
The CSV file can be used for:

  • External access review
  • Guest lifecycle governance
  • Restoration decisions
  • Quarterly security reporting

Further Enhancing the Script

This script is an excellent starting point, but you can extend it further based on organizational needs.
Here are some useful enhancements.

Fetch Deleted Guests from the Last 7 Days

For tighter monitoring, reduce the range:
$DaysBack = 7

This helps in weekly audits.

Include Who Deleted the Guest User

Deleted user objects do not directly store the “deleted by” information.
To identify who deleted the guest, you can correlate with:

  • Audit Logs (Get-MgAuditLogDirectoryAudit)

This is a powerful compliance enhancement.
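The correlation described above, as an added example (not code from the original article). It assumes the Microsoft.Graph.Reports module, the AuditLog.Read.All scope, the `$CutoffDate` and `$DeletedGuestReport` variables from the script, and that `Id` has been added to the Step 4 `Select-Object` list so the two data sets can be joined on it.

```powershell
# Added example: join the deleted guest report with "Delete user" events from the
# Entra ID directory audit log to record who performed each deletion.
# Assumes Microsoft.Graph.Reports, AuditLog.Read.All, and that $DeletedGuestReport
# carries Id (add it to the Select-Object list in Step 4 of the article's script).
Connect-MgGraph -Scopes "Directory.Read.All", "AuditLog.Read.All"

# Graph OData filters take datetimes as unquoted UTC ISO 8601 literals.
$Since = $CutoffDate.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# Request only deletion events inside the reporting window rather than the whole audit log.
$DeleteEvents = Get-MgAuditLogDirectoryAudit -All `
    -Filter "activityDisplayName eq 'Delete user' and activityDateTime ge $Since"

# Index events by target object Id; a deleted user keeps its Id in the Deleted Users container.
$EventsByTargetId = @{}
foreach ($Event in $DeleteEvents) {
    foreach ($Target in $Event.TargetResources) {
        if ($Target.Id) { $EventsByTargetId[$Target.Id] = $Event }
    }
}

$DeletedGuestWithActor = foreach ($Guest in $DeletedGuestReport) {
    $Event = $EventsByTargetId[$Guest.Id]
    # A deletion is initiated either by a signed-in user or by an application/service principal.
    $Actor = if ($null -eq $Event) { "Unknown (no audit event in retention window)" }
             elseif ($Event.InitiatedBy.User.UserPrincipalName) { $Event.InitiatedBy.User.UserPrincipalName }
             else { "App: $($Event.InitiatedBy.App.DisplayName)" }

    [PSCustomObject]@{
        DisplayName       = $Guest.DisplayName
        UserPrincipalName = $Guest.UserPrincipalName
        DeletedDateTime   = $Guest.DeletedDateTime
        DeletedBy         = $Actor
        AuditResult       = if ($Event) { $Event.Result } else { $null }
    }
}

$DeletedGuestWithActor | Format-Table -AutoSize
$DeletedGuestWithActor | Export-Csv -Path ".\DeletedGuestsWithActor.csv" -NoTypeInformation -Encoding UTF8
```

The directory audit log is retained for 7 days on Entra ID Free and 30 days with P1/P2, so a deletion older than that resolves to Unknown even though the deleted object itself is still recoverable.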

Restore Deleted Guest Accounts Automatically

Since deleted accounts remain recoverable, admins may want an option to restore guests directly.
Graph provides restore actions that can be automated carefully.
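One way to automate restores carefully, as an added example (not the article's own code): restore only guests on a reviewer-approved list, preview first with a dry run, and refuse to restore non-guest accounts. It assumes a constructed `ApprovedRestores.csv` with a `UserPrincipalName` column and the `User.ReadWrite.All` scope, a write permission the reporting script itself does not need.

```powershell
# Added example: restore deleted guests from a reviewer-approved list rather than the whole report.
# Assumes a constructed .\ApprovedRestores.csv (UserPrincipalName column) and User.ReadWrite.All.
# Keep $DryRun = $true until the preview output has been checked.
$DryRun = $true
Connect-MgGraph -Scopes "User.ReadWrite.All"

$Approved     = Import-Csv -Path ".\ApprovedRestores.csv"
$DeletedUsers = Get-MgDirectoryDeletedItemAsUser -All -Property Id,UserPrincipalName,UserType,DeletedDateTime

# Lookup of still-recoverable deleted users, keyed by lower-cased UPN.
$DeletedByUpn = @{}
foreach ($User in $DeletedUsers) { $DeletedByUpn[$User.UserPrincipalName.ToLower()] = $User }

$Results = foreach ($Row in $Approved) {
    $Target = $DeletedByUpn[$Row.UserPrincipalName.Trim().ToLower()]
    $Status = if ($null -eq $Target) {
        "NotFound (already purged or never deleted)"
    } elseif ($Target.UserType -ne "Guest" -and $Target.UserPrincipalName -notlike "*#EXT#*") {
        "Skipped (not a guest account)"   # an approved-guest list must never restore members
    } else {
        try {
            # -WhatIf:$DryRun previews the call; -ErrorAction Stop makes Graph errors catchable.
            $null = Restore-MgDirectoryDeletedItem -DirectoryObjectId $Target.Id -WhatIf:$DryRun -ErrorAction Stop
            if ($DryRun) { "WouldRestore" } else { "Restored" }
        } catch {
            "Failed: $($_.Exception.Message)"
        }
    }
    [PSCustomObject]@{
        UserPrincipalName = $Row.UserPrincipalName
        DeletedDateTime   = $Target.DeletedDateTime
        Status            = $Status
    }
}

$Results | Format-Table -AutoSize
$Results | Export-Csv -Path ".\RestoreResults.csv" -NoTypeInformation -Encoding UTF8
```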

Export Additional Guest Metadata

You may also include:

  • External domain
  • Creation date
  • Invitation status

These fields are helpful when reviewing guest lifecycle.

Possible Errors and Solutions

Below are common issues administrators may encounter when running this script.

Error: Insufficient privileges to complete the operation
  Cause: The account lacks directory read permissions.
  Solution: Connect using the correct scope:
    Connect-MgGraph -Scopes "Directory.Read.All"
  Also ensure admin consent is granted.

Error: Cmdlet not found (Get-MgDirectoryDeletedItemAsUser)
  Cause: The required Graph module component is missing.
  Solution: Install or update the module:
    Install-Module Microsoft.Graph -Force
  or specifically install:
    Install-Module Microsoft.Graph.Identity.DirectoryManagement

Error: No deleted guests returned
  Cause: No guest accounts have been deleted recently, or the tenant has passed the retention period.
  Solution:
  • Confirm a guest was deleted in the last 30 days
  • Remember: deleted users are permanently removed after the retention window

Error: DeletedDateTime appears empty
  Cause: Some properties require explicit selection.
  Solution:
  • Ensure DeletedDateTime is included in -Property.

Conclusion

Tracking deleted guest accounts is an important part of Microsoft 365 tenant governance. Guest users often represent external access, and deletions should be monitored carefully for security and compliance purposes.

This Graph PowerShell script allows administrators to:

  • Retrieve guest accounts deleted in the last 30 days
  • Display the results cleanly in the console
  • Export the report to CSV for auditing

Recently deleted guest reporting is especially useful in environments with frequent external collaboration.

© Created and Maintained by LEARNIT WELL SOLUTIONS. All Rights Reserved.