Restore deleted item (directory object)
Namespace: microsoft.graph
Important
APIs under the /beta
version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
Restore a recently deleted directory object from deleted items. The following types are supported:
- administrativeUnit
- application
- certificateBasedAuthPki
- [certificateAuthorityDetail](../resources/certificateauthoritydetail.md
- externalUserProfile
- group
- pendingExternalUserProfile
- servicePrincipal
- user
If an item was accidentally deleted, you can fully restore the item. This isn't applicable to security groups, which are deleted permanently. Also, restoring an application doesn't restore the associated service principal automatically. You must call this API to explicitly restore the deleted service principal.
A recently deleted item remains available for up to 30 days. After 30 days, the item is permanently deleted.
This API is available in the following national cloud deployments.
Global service | US Government L4 | US Government L5 (DOD) | China operated by 21Vianet |
---|---|---|---|
✅ | ✅ | ✅ | ✅ |
Permissions
The following table shows the least privileged permission or permissions required to call this API on each supported resource type. Follow best practices to request least privileged permissions. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.
Supported resource | Delegated (work or school account) | Delegated (personal Microsoft account) | Application |
---|---|---|---|
administrativeUnit | AdministrativeUnit.ReadWrite.All | Not supported. | AdministrativeUnit.ReadWrite.All |
application | Application.ReadWrite.All | Not supported. | Application.ReadWrite.OwnedBy |
externalUserProfile | ExternalUserProfile.ReadWrite.All | Not supported | ExternalUserProfile.ReadWrite.All |
group | Group.ReadWrite.All | Not supported. | Group.ReadWrite.All |
pendingExternalUserProfile | PendingExternalUserProfile.ReadWrite.All | Not supported | PendingExternalUserProfile.ReadWrite.All |
servicePrincipal | Application.ReadWrite.All | Not supported. | Application.ReadWrite.OwnedBy |
user | User.ReadWrite.All | Not supported. | User.ReadWrite.All |
certificateBasedAuthPki | PublicKeyInfrastructure.Read.All | Not supported. | PublicKeyInfrastructure.Read.All |
certificateAuthorityDetail | PublicKeyInfrastructure.Read.All | Not supported. | PublicKeyInfrastructure.Read.All |
Important
In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported Microsoft Entra role or a custom role with a supported role permission. The following least privileged roles are supported for this operation.
- To restore deleted applications or service principals: Application Administrator, Cloud Application Administrator, or Hybrid Identity Administrator.
- To restore deleted users: User Administrator. However, to restore users with privileged administrator roles:
- In delegated scenarios, the app must be assigned the Directory.AccessAsUser.All delegated permission, and the calling user must also be assigned a higher privileged administrator role as indicated in Who can perform sensitive actions?.
- In app-only scenarios and in addition to being granted the User.ReadWrite.All application permission, the app must be assigned a higher privileged administrator role as indicated in Who can perform sensitive actions?.
- To restore deleted groups: Groups Administrator. However, to restore role-assignable groups, the calling user must be assigned the Privileged Role Administrator role.
HTTP request
POST /directory/deleteditems/{id}/restore
Request headers
Name | Description |
---|---|
Authorization | Bearer {token}. Required. Learn more about authentication and authorization. |
Content-type | application/json |
Request body
In the request body, supply a JSON representation of the parameters.
The following table lists the parameters that are required when you call this action.
Parameter | Type | Description |
---|---|---|
autoReconcileProxyConflict | Boolean | Optional parameter. Indicates whether Microsoft Entra ID should remove any conflicting proxy addresses while restoring a soft-deleted user whose one or more proxy addresses are currently used for an active user. Used only for restoring soft-deleted user. The default value for this paramater is false . |
Response
If successful, this method returns a 200 OK
response code and a directoryObject object in the response body.
Example
Request
POST https://graph.microsoft.com/beta/directory/deleteditems/46cc6179-19d0-473e-97ad-6ff84347bbbb/restore
Response
Note: The response object shown here might be shortened for readability.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context":"https://graph.microsoft.com/beta/$metadata#directoryObjects/$entity",
"@odata.type":"#microsoft.graph.group",
"id":"46cc6179-19d0-473e-97ad-6ff84347bbbb",
"displayName":"SampleGroup",
"groupTypes":["Unified"],
"mail":"example@contoso.com",
"mailEnabled":true,
"mailNickname":"Example",
"securityEnabled":false,
"visibility":"Public"
}
Request
POST https://graph.microsoft.com/beta/directory/deleteditems/78bf875b-9343-4edc-9130-0d3958113563/restore
Content-Type: application/json
{
"autoReconcileProxyConflict": true
}
Response
Note: The response object shown here might be shortened for readability.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#users/$entity",
"id": "78bf875b-9343-4edc-9130-0d3958113563",
"businessPhones": [],
"displayName": "SampleUser",
"givenName": "Sample",
"jobTitle": "Product Marketing Manager",
"mail": "sampleuser@contoso.com",
"mobilePhone": "+1 425 555 0109",
"officeLocation": "18/2111",
"preferredLanguage": "en-US",
"surname": "Vance",
"userPrincipalName": "sampleuser@contoso.com"
}