Restore user objects in Entra ID
Like Active Directory, Entra ID keeps deleted objects in a recycle bin (soft delete) for 30 days before they are purged, so a deleted user can be recovered quickly from the portal. In some scenarios, however, PowerShell is the more effective route, for example
- if a user account is to be restored with a different user principal name
- if the custom domain of the account to be restored no longer exists in the tenant and the account also uses email aliases from that domain
Simple restore with Graph PowerShell
A simple restore with the default settings can be done either in the Entra admin center (Users > Deleted users) or with PowerShell. Note that option 1 below restores every user currently in the recycle bin, including accounts that were deleted on purpose:
# Check needed modules and install, if required
if (!(Get-InstalledModule Microsoft.Graph.Identity.DirectoryManagement -ErrorAction SilentlyContinue)){Install-Module Microsoft.Graph.Identity.DirectoryManagement -Scope CurrentUser}
# Connect to Microsoft Graph with the appropriate permissions
Connect-MgGraph -Scopes User.ReadWrite.All,User.DeleteRestore.All
# Request restore scope
$RestoreChoice = Read-Host 'Restore all or single user object? (1:All 2:Single)'
# Restore all user objects currently in the recycle bin
if ($RestoreChoice -eq '1')
{
    $DeletedObjects = Get-MgDirectoryDeletedItemAsUser -All
    ForEach ($DeletedObject in $DeletedObjects)
    {
        Write-Host "Restoring $($DeletedObject.DisplayName)..." -ForeGroundColor Yellow
        Restore-MgDirectoryDeletedItem -DirectoryObjectId $DeletedObject.Id
    }
}
# Restore single user object (Out-GridView is only available on Windows)
if ($RestoreChoice -eq '2')
{
    $Selection = Get-MgDirectoryDeletedItemAsUser -All | Out-GridView -Title 'Please choose object to be restored' -OutputMode:Single
    Write-Host "Restoring $($Selection.DisplayName)..." -ForeGroundColor Yellow
    Restore-MgDirectoryDeletedItem -DirectoryObjectId $Selection.Id
}
Restore without aliases and/or with a new user principal name
If the restore needs additional parameters, the variant above is not sufficient, because it passes no restore options to the service. Such requirements can be covered in two ways:
- Graph API
- Entra PowerShell
This is useful, for example, in tenant migrations where a custom domain has to be moved to another tenant. The domain can only be removed from the source tenant once every reference to it (user principal names and email aliases) is gone. Instead of cleaning those up by hand, which is tedious, the affected objects can be soft-deleted, the domain transferred, and the objects restored afterwards with the scripts below, letting the service reconcile the aliases on the old domain and assigning a new user principal name in the same call. This can speed up the migration considerably. Keep in mind that the objects are unusable while they sit in the recycle bin and that the 30-day retention applies, so the domain transfer has to finish within that window.
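Before running either restore script in such a migration, a pre-flight report pays off: the loops below derive the new UPN from the mail prefix and stop at the first object whose target UPN is already taken, or whose aliases still point at a domain the tenant no longer owns. The following script is an added example and not code from the original article; it assumes the Graph modules used on this page plus Microsoft.Graph.Users, a Connect-MgGraph session, and uses the placeholder domain name in $NewDomain.

```powershell
# Added example (not from the original article): pre-flight report before a bulk restore.
# Assumptions: Microsoft.Graph.Identity.DirectoryManagement and Microsoft.Graph.Users are installed,
# and $NewDomain is a placeholder for the domain the restored UPNs should end up on.
if (!(Get-InstalledModule Microsoft.Graph.Users -ErrorAction SilentlyContinue)){Install-Module Microsoft.Graph.Users -Scope CurrentUser}
Connect-MgGraph -Scopes User.Read.All,Domain.Read.All

$NewDomain = 'contoso.com'   # placeholder

# Domains the tenant currently owns; a UPN or smtp alias on any other domain will make the restore fail
$TenantDomains = @((Get-MgDomain -All | Where-Object { $_.IsVerified }).Id)

# UPNs of active users, to spot collisions with the UPNs the restore would create
# (PowerShell hashtable keys and -contains are case-insensitive, so no normalisation is needed)
$ActiveUpns = @{}
Get-MgUser -All -Property UserPrincipalName | ForEach-Object { $ActiveUpns[$_.UserPrincipalName] = $true }

$Report = foreach ($Deleted in (Get-MgDirectoryDeletedItemAsUser -All -Property Id,DisplayName,UserPrincipalName,Mail,ProxyAddresses,DeletedDateTime))
{
    # Same rule as the restore scripts: mail prefix (UPN prefix if there is no mail attribute) + new domain
    $Source = if ($Deleted.Mail) { $Deleted.Mail } else { $Deleted.UserPrincipalName }
    $NewUpn = ($Source -split '@')[0] + '@' + $NewDomain

    # smtp aliases whose domain the tenant no longer owns; these are what autoReconcileProxyConflict has to clean up
    $Orphaned = @($Deleted.ProxyAddresses | Where-Object { $_ -match '^smtp:' } | Where-Object {
        $Domain = (($_ -replace '^smtp:', '') -split '@')[-1]
        $TenantDomains -notcontains $Domain
    })

    # Soft-deleted objects are purged 30 days after deletion; whatever is close to that date goes first
    $DaysLeft = if ($Deleted.DeletedDateTime) { [math]::Floor(($Deleted.DeletedDateTime.AddDays(30) - (Get-Date)).TotalDays) } else { $null }

    [pscustomobject]@{
        DisplayName       = $Deleted.DisplayName
        Id                = $Deleted.Id
        NewUpn            = $NewUpn
        UpnTaken          = $ActiveUpns.ContainsKey($NewUpn)
        NewDomainVerified = ($TenantDomains -contains $NewDomain)
        OrphanedAliases   = ($Orphaned -join ';')
        DaysUntilPurge    = $DaysLeft
    }
}

$Report | Sort-Object DaysUntilPurge | Format-Table DisplayName,NewUpn,UpnTaken,NewDomainVerified,OrphanedAliases,DaysUntilPurge -AutoSize

# Anything listed here would make the restore loop stop half way through; fix it before running the scripts
$Blocked = @($Report | Where-Object { $_.UpnTaken -or -not $_.NewDomainVerified })
if ($Blocked.Count -gt 0) { Write-Warning "$($Blocked.Count) object(s) cannot be restored with the planned UPN" }
```

The OrphanedAliases column shows which objects actually need autoReconcileProxyConflict; objects with an empty column would restore with the plain script as well, as long as their UPN is not on the removed domain.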
Graph API
# Check needed modules and install, if required
if (!(Get-InstalledModule Microsoft.Graph.Authentication -ErrorAction SilentlyContinue)){Install-Module Microsoft.Graph.Authentication -Scope CurrentUser}
if (!(Get-InstalledModule Microsoft.Graph.Identity.DirectoryManagement -ErrorAction SilentlyContinue)){Install-Module Microsoft.Graph.Identity.DirectoryManagement -Scope CurrentUser}
# Connect to Microsoft Graph with the appropriate permissions (Domain.Read.All is needed for Get-MgDomain)
Connect-MgGraph -Scopes User.ReadWrite.All,User.DeleteRestore.All,Domain.Read.All
# Set restore parameters (request body for POST /directory/deletedItems/{id}/restore)
$params = @{
    # Lets Entra ID drop conflicting proxy addresses during the restore instead of failing;
    # used here so aliases on a domain that no longer exists in the tenant do not block the restore
    autoReconcileProxyConflict = $true
}
# Request restore scope
$RestoreChoice = Read-Host 'Restore all or single user object? (1:All 2:Single)'
# Request restore options
$RestoreOptions = Read-Host 'Set new userprincipalname? (1:Yes 2:No)'
if ($RestoreOptions -eq '1'){$UserDomain = (Get-MgDomain | Out-GridView -Title 'Please choose new domain' -OutputMode:Single).Id}
# Restore all user objects
if ($RestoreChoice -eq '1')
{
    $DeletedObjects = Get-MgDirectoryDeletedItemAsUser -All
    ForEach ($DeletedObject in $DeletedObjects)
    {
        if ($RestoreOptions -eq '1')
        {
            # Build new userprincipalname: prefix of the mail address (UPN prefix if there is no mail attribute) + chosen domain
            $UPN = if ($DeletedObject.Mail) { $DeletedObject.Mail } else { $DeletedObject.UserPrincipalName }
            $Prefix = ($UPN -Split '@')[0]
            $NewUPN = $Prefix + '@' + $UserDomain
            # Add parameter to the request body
            $params['newUserPrincipalName'] = $NewUPN
        }
        $URL = 'https://graph.microsoft.com/v1.0/directory/deletedItems/' + $DeletedObject.Id + '/restore'
        Write-Host "Restoring $($DeletedObject.DisplayName)..." -ForeGroundColor Yellow
        Invoke-MgGraphRequest -Method POST -Uri $URL -Body $params
    }
}
# Restore single user object
if ($RestoreChoice -eq '2')
{
    $Selection = Get-MgDirectoryDeletedItemAsUser -All | Out-GridView -Title 'Please choose object to be restored' -OutputMode:Single
    if ($RestoreOptions -eq '1')
    {
        # Build new userprincipalname: prefix of the mail address (UPN prefix if there is no mail attribute) + chosen domain
        $UPN = if ($Selection.Mail) { $Selection.Mail } else { $Selection.UserPrincipalName }
        $Prefix = ($UPN -Split '@')[0]
        $NewUPN = $Prefix + '@' + $UserDomain
        # Add parameter to the request body
        $params['newUserPrincipalName'] = $NewUPN
    }
    $URL = 'https://graph.microsoft.com/v1.0/directory/deletedItems/' + $Selection.Id + '/restore'
    Write-Host "Restoring $($Selection.DisplayName)..." -ForeGroundColor Yellow
    Invoke-MgGraphRequest -Method POST -Uri $URL -Body $params
}
Entra PowerShell
# Check needed modules and install, if required
if (!(Get-InstalledModule Microsoft.Entra.DirectoryManagement -ErrorAction SilentlyContinue)){Install-Module Microsoft.Entra.DirectoryManagement -Scope CurrentUser}
# Get-MgDirectoryDeletedItemAsUser is used below to list the deleted users, so make sure the Graph module is present as well
if (!(Get-InstalledModule Microsoft.Graph.Identity.DirectoryManagement -ErrorAction SilentlyContinue)){Install-Module Microsoft.Graph.Identity.DirectoryManagement -Scope CurrentUser}
# Connect to Entra ID with appropriate permissions (Domain.Read.All is needed for Get-EntraDomain)
Connect-Entra -Scopes User.ReadWrite.All,User.DeleteRestore.All,Domain.Read.All
# Request restore scope
$RestoreChoice = Read-Host 'Restore all or single user object? (1:All 2:Single)'
# Request restore options
$RestoreOptions = Read-Host 'Set new userprincipalname? (1:Yes 2:No)'
if ($RestoreOptions -eq '1'){$UserDomain = (Get-EntraDomain | Out-GridView -Title 'Please choose new domain' -OutputMode:Single).Id}
# Restore all user objects
if ($RestoreChoice -eq '1')
{
    $DeletedObjects = Get-MgDirectoryDeletedItemAsUser -All
    ForEach ($DeletedObject in $DeletedObjects)
    {
        Write-Host "Restoring $($DeletedObject.DisplayName)..." -ForeGroundColor Blue
        if ($RestoreOptions -eq '1')
        {
            # Build new userprincipalname: prefix of the mail address (UPN prefix if there is no mail attribute) + chosen domain
            $UPN = if ($DeletedObject.Mail) { $DeletedObject.Mail } else { $DeletedObject.UserPrincipalName }
            $NewUPN = ($UPN -Split '@')[0] + '@' + $UserDomain
            Restore-EntraDeletedDirectoryObject -Id $DeletedObject.Id -AutoReconcileProxyConflict -NewUserPrincipalName $NewUPN
        }
        else
        {
            Restore-EntraDeletedDirectoryObject -Id $DeletedObject.Id -AutoReconcileProxyConflict
        }
    }
}
# Restore single user object
if ($RestoreChoice -eq '2')
{
    # Let user choose which object to restore
    $Selection = Get-MgDirectoryDeletedItemAsUser -All | Out-GridView -Title 'Please choose object to restore' -OutputMode:Single
    Write-Host "Restoring $($Selection.DisplayName)..." -ForeGroundColor Blue
    if ($RestoreOptions -eq '1')
    {
        # Build new userprincipalname: prefix of the mail address (UPN prefix if there is no mail attribute) + chosen domain
        $UPN = if ($Selection.Mail) { $Selection.Mail } else { $Selection.UserPrincipalName }
        $NewUPN = ($UPN -Split '@')[0] + '@' + $UserDomain
        Restore-EntraDeletedDirectoryObject -Id $Selection.Id -AutoReconcileProxyConflict -NewUserPrincipalName $NewUPN
    }
    else
    {
        Restore-EntraDeletedDirectoryObject -Id $Selection.Id -AutoReconcileProxyConflict
    }
}
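After a bulk restore it is worth checking each object rather than trusting the "Restoring ..." line: a failed restore call leaves the object in directory/deletedItems, and a successful one may still carry aliases on the retired domain if reconciliation did not cover them. The following function is an added example and not code from the original article or from the Graph or Entra modules; it assumes the modules used on this page plus Microsoft.Graph.Users, an existing session with User.Read.All, and the domain names passed in are placeholders.

```powershell
# Added example (not from the original article): check one restored user after the restore call.
# Assumptions: Microsoft.Graph.Identity.DirectoryManagement and Microsoft.Graph.Users are loaded and a
# Connect-MgGraph / Connect-Entra session with User.Read.All exists; domain names are placeholders.
function Test-RestoredUser {
    param(
        [Parameter(Mandatory)][string]$UserId,          # object id that was passed to the restore call
        [Parameter(Mandatory)][string]$ExpectedDomain,  # domain the new UPN should be on
        [string]$RetiredDomain                          # domain that was removed from the tenant (optional)
    )
    $Problems = @()

    # A failed restore call leaves the object in the recycle bin; check that first
    $StillDeleted = Get-MgDirectoryDeletedItem -DirectoryObjectId $UserId -ErrorAction SilentlyContinue
    if ($StillDeleted) {
        return [pscustomobject]@{ Id = $UserId; UserPrincipalName = $null; AccountEnabled = $null; Ok = $false; Problems = 'object is still listed under directory/deletedItems' }
    }

    $User = Get-MgUser -UserId $UserId -Property Id,UserPrincipalName,Mail,ProxyAddresses,AccountEnabled -ErrorAction Stop

    # The UPN must have landed on the chosen domain (-ne is case-insensitive in PowerShell)
    if (($User.UserPrincipalName -split '@')[-1] -ne $ExpectedDomain) {
        $Problems += "UPN $($User.UserPrincipalName) is not on $ExpectedDomain"
    }
    if ($RetiredDomain) {
        # Aliases that autoReconcileProxyConflict should have dropped
        $Stale = @($User.ProxyAddresses | Where-Object { $_ -match "@$([regex]::Escape($RetiredDomain))$" })
        if ($Stale.Count -gt 0) { $Problems += "aliases still reference $($RetiredDomain): $($Stale -join ', ')" }
    }

    [pscustomobject]@{
        Id                = $User.Id
        UserPrincipalName = $User.UserPrincipalName
        AccountEnabled    = $User.AccountEnabled   # reported, not judged: the account comes back in the state it was deleted in
        Ok                = ($Problems.Count -eq 0)
        Problems          = ($Problems -join '; ')
    }
}

# Usage after one of the restore loops above, with the ids collected in $DeletedObjects (placeholder domains):
# $DeletedObjects | ForEach-Object { Test-RestoredUser -UserId $_.Id -ExpectedDomain 'contoso.com' -RetiredDomain 'contoso-old.com' } | Format-Table
```

Running this over the same list that fed the restore loop gives a per-object Ok column; anything with Ok set to false is what you would otherwise only discover when the user tries to sign in or when mail to an old alias bounces.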