A Brief History of Soft-Deleted Entra ID Groups

Posted on by Tony Redmond

Soft-Deleted Security Groups Can Now be Restored

Message center notification MC1183299 (6 November 2025) brought some good news in that Entra ID now has the ability to restore soft-deleted “cloud” security groups. Or rather, that Entra ID now retains deleted security groups for 30 days in a soft-deleted state to allow recovery via the Entra admin center or PowerShell during that period. The feature went into public preview in late October 2025 and is due to reach general availability in late February 2026.

Interestingly, despite the preview status and the PowerShell examples in Microsoft’s documentation, the functionality is available through V1.0 Graph APIs and V1.0 cmdlets in the Microsoft Graph PowerShell SDK.

Recovering Office 365 Groups

Before March 2017, there was no way to recover a deleted group. Microsoft recognized this as an issue, especially for the relatively new Office 365 Groups. The function of Office 365 Groups as a fulcrum to connect different resources like a SharePoint Online site, Planner Plan, and so on meant that deleting an Office 365 group could have catastrophic consequences.

At the Ignite 2016 conference, Microsoft announced the intention to support soft-deleted Office 365 Groups that could be recovered. The feature was eventually delivered with an update to the AzureAD PowerShell module in March 2017. About six months later, Microsoft updated the Azure AD admin center to support group restoration.

Restoring Soft-Deleted Entra Groups

Today, soft-deleted Microsoft 365 Groups are recoverable through the Entra admin center and by using cmdlets from the Microsoft Graph PowerShell SDK. However, Entra ID did not support recovery of other types of groups. Part of the reason was that the Graph APIs to list and restore deleted items didn’t include code to handle anything other than Microsoft 365 Groups, and part was due to Exchange Online owning distribution groups and mail-enabled security groups.

The update addresses recovery of security groups (with both assigned and dynamic membership). This is the simplest type of group for Entra ID to deliver support for because security groups are a “pure” Entra object. Enabling soft-deletion for security groups closes a big recovery gap for Entra ID as it is all too easy for an administrator to make a mistake and delete an important security group. Up to now, the only solution is to recreate the security group from scratch, which isn’t always very easy.

The functionality is available in the Entra admin center and supported with the Get-MgDirectoryDeletedItemAsGroup (list soft-deleted groups) and Restore-MgDirectoryDeletedItem cmdlets from the Microsoft Graph PowerShell SDK (I used V2.32 for testing).

Figure 1 shows the situation in the Entra admin center. If you select the Deleted groups option, Entra lists soft-deleted security and Microsoft 365 groups. The current UX doesn’t reveal the group type.

Viewing soft-deleted security and Microsoft 365 groups in the Entra admin center.
Figure 1: Viewing soft-deleted security and Microsoft 365 groups in the Entra admin center

Much the same can be done using PowerShell (Figure 2). In this case, the displayed information can be modified to include the group type and to inform the administrator how many days remain in a group’s retention period.

Viewing soft-deleted security and Microsoft 365 groups via PowerShell. Soft-deleted security groups.
Figure 2: Viewing soft-deleted security and Microsoft 365 groups via PowerShell

The script (available for download from the Office 365 for IT Pros GitHub repository) uses the pass through capability of the Out-GridView cmdlet to send selected soft-deleted groups through the pipeline to be restored by the Restore-MgDirectoryDeletedItem cmdlet. This is a quick and convenient method to present information to users for their selection for further processing.

The Obvious Question

The obvious question that flows from this update is whether Entra ID plans to support restoration of the other group types that appear in its admin center (distribution lists and mail-enabled security groups). The answer depends on whether Exchange Online will support enabling these groups with soft-deleted capabilities. So far, Microsoft hasn’t said anything on this topic and there’s no sign of such a capability in the Exchange admin center, where I suspect the feature would appear first.

BTW: For those attending the Microsoft Ignite 2025 conference in San Francisco, I’m speaking at session THRSP956 at 11:00am in Theater C in Muscone South. Happy to chat with any and all afterwards!

Need help to write and manage PowerShell scripts for Microsoft 365, including Azure Automation runbooks? Get a copy of the Automating Microsoft 365 with PowerShell eBook, available standalone or as part of the Office 365 for IT Pros eBook bundle.

2 Replies to “A Brief History of Soft-Deleted Entra ID Groups”

  1. Does this mean we can de-couple security groups from Entra Connect Sync, have them soft delete and restore them as cloud only security groups?
    If so, this is a step towards easier migration to cloud only given the previous approach that existed was only to remove them from sync to delete them in the cloud and have to create them again as new objects in Entra ID.

    Reply

    1. I doubt it. The term used in MC1183299 is “cloud security groups.” When Microsoft prefixes an Entra ID object with “cloud,” it usually means “cloud-only,” or objects that have only ever existed in the cloud.

      I don’t have Entra Connect Sync set upo because I operate a cloud-only environment, but you could try and let us know…

      Reply

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.