Not sure when this change happened (it looks like the last week of December, judging by the changes to the documentation page at least), but previously I could run the Restore-MgDirectoryDeletedItem cmdlet to restore a deleted user and all it needed was the User.ReadWrite.All permission (see the version of the documentation from 17th December). Now it needs a newly introduced permission called User.DeleteRestore.All (link to current documentation).
I have a few automations that broke thanks to this. Good thing no one used them during the holiday period, else it would have been way more irritating. As it is, I had to do some panicked troubleshooting yesterday to see what went wrong when someone used it and the restore kept failing. 🤬
Didn’t find anything when Googling this, but I came across a Tony Redmond post with a similar observation.
From Tony’s post I came across the Graph change log, and while it mentions this change, it gives the impression that this is just an optional, good-to-have granular permission; nowhere does it say it is now required for user restores. The User.ReadWrite.All permission simply doesn’t cut it any more.
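To have a restore automation fail early with a clear message instead of part-way through, here is an added example (my own, not from the post or from Microsoft) that connects with the new scope, checks the session actually received it, and only then performs the restore. The display name is a constructed placeholder; the cmdlet and permission names are the ones discussed above.

```powershell
# Added example: request the scope the restore now requires, verify the
# session token actually carries it, then restore the soft-deleted user.
$RequiredScope = 'User.DeleteRestore.All'
$DeletedUserDisplayName = 'Example Restore Test User'   # constructed placeholder

# Delegated sign-in with both scopes; User.ReadWrite.All alone no longer
# suffices for the restore. Note: -Scopes only affects delegated consent.
# An app-only automation instead needs User.DeleteRestore.All added to its
# app registration and admin-consented there.
Connect-MgGraph -Scopes 'User.ReadWrite.All', $RequiredScope -NoWelcome

# Check the granted scopes up front rather than discovering the gap as an
# opaque error from the restore call.
$grantedScopes = (Get-MgContext).Scopes
if ($grantedScopes -notcontains $RequiredScope) {
    throw "Token lacks $RequiredScope; granted scopes: $($grantedScopes -join ', ')"
}

# Find the soft-deleted user. Deleted items keep their original object id,
# which is what the restore cmdlet takes.
$deleted = @(Get-MgDirectoryDeletedItemAsUser -All |
    Where-Object { $_.DisplayName -eq $DeletedUserDisplayName })

if ($deleted.Count -eq 0) {
    throw "No deleted user named '$DeletedUserDisplayName' found."
}
if ($deleted.Count -gt 1) {
    throw "More than one deleted user matches '$DeletedUserDisplayName'; match on Id instead."
}

Restore-MgDirectoryDeletedItem -DirectoryObjectId $deleted[0].Id
Write-Host "Restored user $($deleted[0].Id) ($($deleted[0].DisplayName))"
```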