When you delete a user account in Azure AD (Microsoft 365), the user is not removed immediately. The soft-deleted account is kept in AAD for 30 days. In this article, we'll look at how to restore a deleted user in Azure AD (AAD) using the Azure Portal or PowerShell.
In Azure AD, there are two modes for deleting objects (users):
- Soft delete – the user is removed from the list of active tenant users and the account is suspended (moved to the AAD recycle bin). All user attributes (including M365 group membership, assigned access permissions to Exchange Online mailboxes and folders, calendar permissions, Teams chats, etc.) remain unchanged. Azure AD automatically hard-deletes such an account after 30 days;
- Hard delete (permanent) – an object is deleted from the Azure Recycle Bin and cannot be restored using the built-in tools (you may force delete any object from Azure AD without waiting 30 days).
To delete or restore users, a Global administrator or User administrator role must be assigned to your account.
The easiest way to restore a deleted user in AAD is to use the Azure Portal:
- You can find a list of deleted users available to restore in the Azure AD admin center (https://aad.portal.azure.com/);
- Go to Users and select Deleted Users. There is a list of deleted users that includes the date when the user was deleted (Deletion date) and the date when the user will be permanently removed from AAD (Permanent deletion date);
- Find a user you want to restore (you can search a user by the User principal name or add other user attributes as filters), select it and click Restore user;
- Confirm the restore action. You will see the message: User successfully restored;
- When you restore a deleted user, the Azure/Microsoft 365 group membership and the set of assigned AAD licenses are fully restored as well.
You can display a list of all deleted users (with the full list of attributes) using this command from the MSOnline module:
Get-MsolUser -ReturnDeletedUsers | fl *
You can display specific user properties only (name, ID, user creation or deletion date):
Get-MsolUser -ReturnDeletedUsers | Select-Object DisplayName, ObjectId, SoftDeletionTimestamp, WhenCreated
You can restore a user by their ObjectID using the AzureAD module:
Restore-AzureADMSDeletedDirectoryObject -Id 98813128-ffb1-4c55-b11f-6c58d7d66
You can also restore a user by a UPN using the Restore-MsolUser cmdlet:
Restore-MsolUser -UserPrincipalName "[email protected]"
- In the previous command, you may use the optional -AutoReconcileProxyConflicts parameter, which assigns a new proxy address to the user if the old one is already in use by another object;
- or you can set a new UPN immediately using the -NewUserPrincipalName "[email protected]" option.
To permanently remove a user from the recycle bin (hard delete) without waiting 30 days, use the -RemoveFromRecycleBin option:
Remove-MsolUser -UserPrincipalName [email protected] -RemoveFromRecycleBin
You can also use the Azure AD audit logs to search for user deletion events. For example, the following script finds the user deletion event (you will see who deleted the user and when) and returns the UPN and ObjectID of the deleted user:
Import-Module AzureADPreview -UseWindowsPowerShell
Get-AzureADAuditDirectoryLogs -Filter "category eq 'UserManagement' and OperationType eq 'Delete'" |
    Where-Object TargetResources -like "*AlexTest*" |
    Select-Object -ExpandProperty TargetResources
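As an added example (not code from the original article), the script below combines the recycle-bin listing and the audit-log search above: it lists every soft-deleted user with the days left in the 30-day retention window, joins each to the "Delete user" audit event that removed it so you can see who did it, and optionally restores the users named in -RestoreUpn by ObjectId. It assumes the MSOnline and AzureADPreview modules are loaded and already connected (Connect-MsolService, Connect-AzureAD) with a User administrator account; the parameter names and the activityDisplayName/activityDateTime filter terms are my own assumptions.

```powershell
# Added example, not from the original article. Assumes Connect-MsolService and
# Connect-AzureAD have already been run with a User administrator account.
param(
    [int]$LookbackDays = 30,          # how far back to search the audit log
    [string[]]$RestoreUpn = @()       # UPNs to restore; empty = report only
)

# 1. Everything still in the recycle bin, with days left in the 30-day retention window.
$deleted = Get-MsolUser -ReturnDeletedUsers -All | ForEach-Object {
    $age = (New-TimeSpan -Start $_.SoftDeletionTimestamp -End (Get-Date)).TotalDays
    [pscustomobject]@{
        UserPrincipalName = $_.UserPrincipalName
        ObjectId          = $_.ObjectId.ToString()
        DeletedOn         = $_.SoftDeletionTimestamp
        DaysLeft          = [math]::Max(0, [int](30 - $age))
    }
}

# 2. Who deleted each one: 'Delete user' audit events in the lookback window
#    (filter field names assumed from the Graph directoryAudits schema).
$since  = (Get-Date).AddDays(-$LookbackDays).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = "category eq 'UserManagement' and activityDisplayName eq 'Delete user' and activityDateTime ge $since"
$actorById = @{}
foreach ($ev in Get-AzureADAuditDirectoryLogs -All $true -Filter $filter) {
    # Deletions made by an app or service principal carry no user, so fall back to the app name.
    $actor = if ($ev.InitiatedBy.User) { $ev.InitiatedBy.User.UserPrincipalName } else { $ev.InitiatedBy.App.DisplayName }
    foreach ($t in $ev.TargetResources | Where-Object Type -eq 'User') {
        if (-not $actorById.ContainsKey($t.Id)) {
            $actorById[$t.Id] = "$actor @ $($ev.ActivityDateTime.ToString('u'))"
        }
    }
}

# 3. Join and report; an empty DeletedBy means the event is older than the lookback window.
$report = $deleted | Select-Object *, @{ n = 'DeletedBy'; e = { $actorById[$_.ObjectId] } }
$report | Sort-Object DaysLeft | Format-Table UserPrincipalName, DaysLeft, DeletedBy -AutoSize

# 4. Restore by ObjectId (stable even if the UPN has since been reused), reconciling proxy-address conflicts.
foreach ($upn in $RestoreUpn) {
    $u = $report | Where-Object UserPrincipalName -eq $upn
    if (-not $u) { Write-Warning "$upn is not in the recycle bin"; continue }
    Restore-MsolUser -ObjectId $u.ObjectId -AutoReconcileProxyConflicts
    Write-Host "Restored $upn (deleted by: $($u.DeletedBy))"
}
```

Run it without parameters first to review the report; pass -RestoreUpn only for the accounts you have confirmed should come back.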
You can restore a user by their object ID using the