Graph and Deleted Users

If you want to restore deleted Azure AD objects via Graph, there’s a cmdlet for it. You might find references to Restore-MgUser and such, but those don’t work (and probably never did), which is presumably why those cmdlets were removed.

It has a Get- variant which you’d think could be used to search for deleted objects, find their Id, and use that with the cmdlet above to do a restore. I couldn’t get it working though:

Looks like it can just get an item by its Id. Pointless.

So I resorted to the API itself. You need to do a GET against the Graph endpoint /directory/deletedItems/microsoft.graph.user. The good thing is that you can also filter on specific properties.

At a basic level you do the following:

In the output, the Ids of the deleted users are in the value property. Further results, if any, can be retrieved by following the link in the @odata.nextLink property.

If you want to filter, that’s easy too.

Notice the doubled single quotes around the entry I am searching for. This is important. OData string literals need single quotes, but since the whole URL is already within single quotes I need to escape them by doubling them. And the whole URL needs to be in single quotes because of the $filter – if I use double quotes, PowerShell treats $filter as a variable and expands it.

If searching by UPN, use endsWith, because the UPN is modified when an account is deleted, so an exact match on the original UPN will not find it.

For both of these filtered searches the ConsistencyLevel header matters, and should be set to “eventual”.
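To tie the search, the paging and the restore together, here is an added PowerShell example (mine, not code from the original post). It assumes you have already run Connect-MgGraph with a scope that can read and restore deleted directory objects, uses Invoke-MgGraphRequest for the raw calls, and treats contoso.com as a placeholder domain.

```powershell
# Added example, not code from the original post. Assumes Connect-MgGraph has
# already been run with a scope that can read and restore deleted directory
# objects (e.g. Directory.ReadWrite.All); 'contoso.com' below is a placeholder.

function ConvertTo-ODataLiteral {
    param([Parameter(Mandatory)][string]$Value)
    # OData string literals are single-quoted and a literal quote inside them is
    # doubled (''), so a value containing quotes cannot alter the filter.
    return "'" + ($Value -replace "'", "''") + "'"
}

function Get-DeletedGraphUsers {
    param([string]$Filter)   # optional OData filter expression
    # Single quotes keep PowerShell from expanding $filter and $count as variables.
    $uri = 'https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.user'
    if ($Filter) {
        # Advanced queries such as endsWith need $count=true as well as the header.
        $uri += '?$filter=' + $Filter + '&$count=true'
    }
    $headers = @{ 'ConsistencyLevel' = 'eventual' }

    $results = @()
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri -Headers $headers
        $results += $page.value
        $uri = $page.'@odata.nextLink'   # $null once the last page is reached
    }
    return $results
}

function Restore-DeletedGraphUser {
    param([Parameter(Mandatory)][string]$Id)
    # The REST form of the restore the post does with a cmdlet.
    $uri = "https://graph.microsoft.com/v1.0/directory/deletedItems/$Id/restore"
    return Invoke-MgGraphRequest -Method POST -Uri $uri
}

# Constructed usage: users deleted from contoso.com, matched on the UPN suffix
# because the UPN itself is rewritten on deletion. List them, and only restore
# automatically when the filter is unambiguous (exactly one match).
$filter = 'endsWith(userPrincipalName,' + (ConvertTo-ODataLiteral 'contoso.com') + ')'
$deleted = Get-DeletedGraphUsers -Filter $filter
$deleted | ForEach-Object { '{0}  {1}  deleted {2}' -f $_.id, $_.userPrincipalName, $_.deletedDateTime }
if (@($deleted).Count -eq 1) {
    Restore-DeletedGraphUser -Id $deleted[0].id
}
```

Invoke-MgGraphRequest returns hashtables by default, which is why the nextLink is read as $page.'@odata.nextLink'; the header has to be sent again on every page request.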

On a side note, it is also possible to use the Graph API to change the immutable ID of an object. This is possible due to an Azure AD bug and will stop working at some point… Essentially, if you delete an object on-prem, the corresponding Azure AD object is moved to the Deleted Items container. You can then restore it as above, change the UPN to a cloud one, set a new immutable ID (say that of an account from a different forest with which you want to associate this Azure AD account), and then set the UPN to the new one.

Kind of like this:

That’s all!