Managing user accounts in Microsoft 365 involves handling both active and deleted users. When a user is deleted, they are first moved to a "soft delete" state, allowing for potential recovery within a specified period. In this article, we will explore how to restore and permanently delete users using Graph PowerShell. We will cover the key concepts of soft deletion and permanent deletion, use cases for these operations, and possible errors and their solutions.
Soft deletion is the state a user account enters when it is removed from the directory (Microsoft Entra ID, formerly Azure AD) but kept in the deleted-items container for a 30-day retention period. During those 30 days an administrator can restore the account; a soft-deleted user does not appear in Get-MgUser output, only in the deleted-items listing.
Permanent deletion, also known as hard deletion, removes the user account completely from the directory. Once a user is permanently deleted, it cannot be recovered.
To manage deleted users, you first need to list them. The Get-MgDirectoryDeletedItemAsUser cmdlet retrieves the soft-deleted users (the Get-MgDirectoryDeletedItem cmdlet without the AsUser suffix returns deleted items of every type).
# List all deleted users
Get-MgDirectoryDeletedItemAsUser
This command returns the deleted users with their object IDs (Id), display names, user principal names and DeletedDateTime. The Id is the DirectoryObjectId you pass to the restore and permanent-delete cmdlets, and DeletedDateTime tells you how much of the 30-day window is left.
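The following is an added example, not code from the original article: it lists soft-deleted users, works out when each one will be purged from the 30-day window, and locates a single account by user principal name. It assumes the Microsoft.Graph modules are installed, that the account you sign in with has a scope that can read deleted items (User.Read.All is assumed here; Directory.Read.All also covers it), and that jane.doe@contoso.com is a placeholder UPN.

```powershell
# Added example (not from the original article).
# Assumes the Microsoft.Graph SDK is installed and the signed-in account can read deleted items.
Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome

$retentionDays = 30   # soft-deleted users are purged 30 days after deletion
$now = [DateTime]::UtcNow

# Pull every soft-deleted user with only the properties we need.
$deleted = Get-MgDirectoryDeletedItemAsUser -All -Property Id,DisplayName,UserPrincipalName,DeletedDateTime

# Show how much of the retention window remains for each account.
$deleted |
    Select-Object Id, DisplayName, UserPrincipalName, DeletedDateTime,
        @{ Name = 'PurgeOn';  Expression = { $_.DeletedDateTime.AddDays($retentionDays) } },
        @{ Name = 'DaysLeft'; Expression = {
            [math]::Max(0, [int][math]::Floor(($_.DeletedDateTime.AddDays($retentionDays) - $now).TotalDays)) } } |
    Sort-Object DaysLeft |
    Format-Table -AutoSize

# Locate one account by UPN. Entra ID rewrites the UPN of a soft-deleted user
# (the object ID without dashes is prefixed to it) so the original UPN is free
# for reuse; match on the suffix rather than on equality.
$upn = 'jane.doe@contoso.com'   # assumed placeholder value
$match = $deleted | Where-Object { $_.UserPrincipalName -like "*$upn" }

if (-not $match) {
    Write-Warning "No soft-deleted user matches $upn (already restored, already purged, or never deleted)"
}
else {
    # $match.Id is the DirectoryObjectId used by Restore-MgDirectoryDeletedItem and Remove-MgDirectoryDeletedItem.
    $match | Select-Object Id, UserPrincipalName, DeletedDateTime
}
```

Run the listing first whenever you are about to restore or purge: an account with DaysLeft of 0 is about to disappear on its own, and a UPN that does not match with the wildcard is simply not in the recycle bin.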
To restore a deleted user, use the Restore-MgDirectoryDeletedItem cmdlet with the user's DirectoryObjectId.
# Restore a deleted user
Restore-MgDirectoryDeletedItem -DirectoryObjectId c71e4a5f-e379-4389-8f6e-af9057860fa1
Replace c71e4a5f-e379-4389-8f6e-af9057860fa1 with the actual DirectoryObjectId of the user you wish to restore. The cmdlet returns the restored directory object, and the user appears in Get-MgUser again once the restore completes.
To permanently delete a user, use the Remove-MgDirectoryDeletedItem cmdlet with the user's DirectoryObjectId.
# Permanently delete a user
Remove-MgDirectoryDeletedItem -DirectoryObjectId $directoryObjectId
Replace $directoryObjectId with the actual DirectoryObjectId of the user you wish to permanently delete. This operation cannot be undone, so confirm the ID against the deleted-items listing before running it.
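The following is an added example, not code from the original article, that wraps the two operations above in one function with the checks an administrator wants before touching the recycle bin: it confirms the object is actually soft-deleted, restores it and verifies the account is active again, or purges it only after an explicit -WhatIf / -Confirm step. It assumes Connect-MgGraph has already been run with a scope that covers both operations (User.ReadWrite.All or Directory.ReadWrite.All); the function name Invoke-DeletedUserAction and the example object ID are assumptions.

```powershell
# Added example (not from the original article).
# Assumes Connect-MgGraph has been run with User.ReadWrite.All or Directory.ReadWrite.All.
function Invoke-DeletedUserAction {
    param(
        [Parameter(Mandatory)] [string] $DirectoryObjectId,
        [Parameter(Mandatory)] [ValidateSet('Restore', 'Purge')] [string] $Action
    )

    # 1. The object must still be in the deleted-items container. Get-MgUser will
    #    never find a soft-deleted user, so the check has to go through deletedItems.
    try {
        $item = Get-MgDirectoryDeletedItem -DirectoryObjectId $DirectoryObjectId -ErrorAction Stop
    }
    catch {
        throw "No soft-deleted object with Id $DirectoryObjectId (already restored or already purged): $($_.Exception.Message)"
    }

    # 2. Only act on users; the same container also holds groups, applications and service principals.
    if ($item.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') {
        throw "Object $DirectoryObjectId is a $($item.AdditionalProperties['@odata.type']), not a user"
    }

    switch ($Action) {
        'Restore' {
            $restored = Restore-MgDirectoryDeletedItem -DirectoryObjectId $DirectoryObjectId -ErrorAction Stop
            # Prove the account is active again by reading it through the normal users endpoint.
            $user = Get-MgUser -UserId $restored.Id -Property Id,UserPrincipalName,AccountEnabled -ErrorAction Stop
            Write-Host "Restored $($user.UserPrincipalName) (AccountEnabled = $($user.AccountEnabled))"
            return $user
        }
        'Purge' {
            # There is no undo after this call: dry-run first, then require confirmation.
            Remove-MgDirectoryDeletedItem -DirectoryObjectId $DirectoryObjectId -WhatIf
            Remove-MgDirectoryDeletedItem -DirectoryObjectId $DirectoryObjectId -Confirm -ErrorAction Stop
            # A second lookup should now fail with "not found".
            $gone = $null -eq (Get-MgDirectoryDeletedItem -DirectoryObjectId $DirectoryObjectId -ErrorAction SilentlyContinue)
            Write-Host "Permanent delete of $DirectoryObjectId completed: $gone"
            return $gone
        }
    }
}

# Usage (the ID below is the article's sample value; replace it with your own):
Invoke-DeletedUserAction -DirectoryObjectId 'c71e4a5f-e379-4389-8f6e-af9057860fa1' -Action Restore
# Invoke-DeletedUserAction -DirectoryObjectId 'c71e4a5f-e379-4389-8f6e-af9057860fa1' -Action Purge
```

The type check matters because Remove-MgDirectoryDeletedItem accepts any deleted directory object: passing a group or application ID by mistake purges that object just as irreversibly.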
| Error | Cause | Solution |
|---|---|---|
| ResourceNotFound | The specified DirectoryObjectId does not exist. | Verify that the DirectoryObjectId (the user's object ID) is present in the deleted-items container by running Get-MgDirectoryDeletedItemAsUser. Get-MgUser only returns active users, so it cannot confirm a soft-deleted account. |
| Remove-MgDirectoryDeletedItem: Resource not found | The ID provided is not in the deleted-users container; the user may have been restored, or already permanently removed (manually or by the 30-day purge). | Run Get-MgDirectoryDeletedItemAsUser to confirm the object is still soft-deleted before calling Remove-MgDirectoryDeletedItem. |
| Restore-MgDirectoryDeletedItem: Insufficient privileges to complete the operation | The signed-in account or application lacks the delegated or application permission needed for the restore, or consent was never granted. | Connect with a scope that covers the operation, such as User.ReadWrite.All or Directory.ReadWrite.All, and make sure admin consent has been granted. With delegated access the signed-in user must also hold a directory role that can manage users, such as User Administrator. |
How long are deleted users retained before they are permanently removed? Deleted users are retained in Microsoft Entra ID (formerly Azure AD) for 30 days. The period is not configurable; after it elapses they are automatically and permanently deleted.
Can I restore several deleted users at once? Yes. Pipe the results of Get-MgDirectoryDeletedItemAsUser into a foreach loop and call Restore-MgDirectoryDeletedItem for each object's Id.
Are licenses and group memberships back after a restore? Do not assume so. A restore within the 30-day window brings the account back with its previous properties, but verify licenses and memberships afterwards: a license that was reassigned to someone else while the account was deleted is not returned automatically, and anything missing has to be reapplied manually or through automation.
Can a permanently deleted user be recovered? No. Once a user is permanently deleted with Remove-MgDirectoryDeletedItem, or purged by the 30-day retention limit, recovery is not possible through Microsoft Graph or the admin portal.
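The following is an added example, not code from the original article, covering the two FAQ points above: it restores every user deleted after a cutoff date in a loop, then reads each restored account's licenses and group memberships so that nothing is assumed about what came back. It assumes Connect-MgGraph has been run with User.ReadWrite.All (restore and license read) and Directory.Read.All (membership read); the seven-day cutoff is an assumed value standing in for the time of a mass deletion.

```powershell
# Added example (not from the original article).
# Assumes Connect-MgGraph with User.ReadWrite.All and Directory.Read.All.
$since = [DateTime]::UtcNow.AddDays(-7)   # assumed cutoff: accounts deleted in the last week

$candidates = Get-MgDirectoryDeletedItemAsUser -All -Property Id,UserPrincipalName,DeletedDateTime |
    Where-Object { $_.DeletedDateTime -ge $since }

$report = foreach ($u in $candidates) {
    try {
        $null = Restore-MgDirectoryDeletedItem -DirectoryObjectId $u.Id -ErrorAction Stop

        # Read the restored account through the normal users endpoint; the UPN
        # loses the soft-delete prefix once the object is active again.
        $user = Get-MgUser -UserId $u.Id -Property Id,UserPrincipalName,AccountEnabled -ErrorAction Stop

        # What actually came back, rather than what we hope came back.
        $licenses = @(Get-MgUserLicenseDetail -UserId $u.Id -ErrorAction Stop | ForEach-Object SkuPartNumber)
        $groups   = @(Get-MgUserMemberOf -UserId $u.Id -All -ErrorAction Stop |
                      ForEach-Object { $_.AdditionalProperties['displayName'] })

        [pscustomobject]@{
            Id             = $u.Id
            Upn            = $user.UserPrincipalName
            Restored       = $true
            AccountEnabled = $user.AccountEnabled
            Licenses       = ($licenses -join ';')
            Groups         = ($groups -join ';')
            Error          = $null
        }
    }
    catch {
        # One failure (ResourceNotFound, insufficient privileges) must not stop the rest of the batch.
        [pscustomobject]@{
            Id = $u.Id; Upn = $u.UserPrincipalName; Restored = $false
            AccountEnabled = $null; Licenses = $null; Groups = $null
            Error = $_.Exception.Message
        }
    }
}

$report | Format-Table -AutoSize

# Accounts that came back without any license need follow-up (reassignment by hand or by script).
$report | Where-Object { $_.Restored -and -not $_.Licenses } |
    ForEach-Object { Write-Warning "$($_.Upn) restored but holds no license" }
```

Keep the report: it is the evidence that the restore happened, and the list of accounts that need a license or group reassigned is exactly what a ticket or a follow-up script needs.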
Managing user deletions in Microsoft 365 involves understanding the concepts of soft deletion and permanent deletion. Using Graph PowerShell, administrators can efficiently restore or permanently delete user accounts as required. By following the steps and examples provided, you can handle these operations smoothly and address any errors that may arise. Understanding these processes ensures better management of user lifecycle and data security within your organization.
By leveraging these PowerShell cmdlets, you can maintain control over your directory and ensure that user accounts are managed according to your organization's policies and needs.
© m365corner.com. All Rights Reserved. Design by HTML Codex