Bulk restore deleted Azure AD users

• Author
• Recent Posts

Baki Onur Okutucu

Onur is a DevOps Engineer and Subject Matter Expert for Azure, and PowerShell. He is the founder of Clouderz Ltd, a cloud consultancy based in London. For 13 years in a row, Microsoft has recognized him as an MVP (Most Valuable Professional). You can follow Onur on Twitter: @BakiOnur.

Latest posts by Baki Onur Okutucu (see all)

• Permanently delete a Key Vault in Azure using PowerShell - Fri, Feb 4 2022
• Restore Azure Files with PowerShell - Fri, Jan 28 2022
• Bulk restore deleted Azure AD users - Wed, Dec 29 2021

Restoring deleted users in the Azure Portal ^

When a user is deleted in Azure AD, the user object is moved into the "Deleted Users" section, where all deleted users are stored for 30 days. These users are permanently deleted 30 days after the initial deletion; once permanently deleted, there is no way to restore them.

Listing deleted users in Azure Portal

Under the Deleted Users section, user objects can be restored individually.

If there is a huge number of users who need to be restored immediately, then this "Restore User" feature may not be the best way to do it. Instead, we can use the Bulk Restore option, which allows us to prepare and upload a CSV file that contains the user objects that we wish to restore in bulk.

A CSV template is used for the Bulk Restore operation

When we click Bulk Restore, we are given the option to download a CSV file that we can use as a template, which we can modify with the user IDs. Note that you should not touch the first two rows of the CSV file, as these need to be kept as they are.

Contents of the CSV file

Once the CSV file is ready, we can upload it and proceed with the restore operation by clicking the Submit button.

CSV file needs to be uploaded to Azure to be processed

Once submitted, the status of the restore operations can be viewed under the "Bulk operation results" section in Azure AD.

Bulk restore operation is in progress

Bulk operation results can be seen in Azure Portal

Details of the operations can also be downloaded.

Results of a bulk user restore operation

Once the users have been restored, they are automatically moved back into the "Users" section in Azure AD.

Restoring deleted users using PowerShell ^

We can do the same restore operation automatically using PowerShell. Even listing the deleted users with their ObjectIDs can be automated so that we can easily restore them in bulk. We will need two cmdlets in a function to achieve this: Get-AzureADAuditDirectoryLogs and Restore-AzureADMSDeletedDirectoryObject.

To be able to use Get-AzureADAuditDirectoryLogs, we first need to install the AzureADPreview module.

Get AzureADAuditDirectoryLogs is a part of the AzureADPreview module

For PowerShell 7 compatibility, you can use the following command to import the previously installed AzureADPreview module into a PowerShell 7 session with the UseWindowsPowerShell switch:

Import-Module AzureADPreview -UseWindowsPowerShell 

Once the module is imported, we can now flexibly list the deleted user objects in Azure AD with the PowerShell function below.

function Get-AzADDeletedUser {

param(

    $Username

)

$result = @()
$result+= "id, UserPrincipalName"
(Get-AzureADAuditDirectoryLogs `
 -Filter "category eq 'UserManagement' and OperationType eq 'Delete'" `
| select -ExpandProperty targetresources) `
| foreach{
    $idTmp = ($psitem -split "`n" | select-string "id:" | select line).Line | select -Unique
    $Id = $IdTmp.substring($idTmp.length - 36)
    $IdRefined = $Id.replace("-","")
    $UserPrincipalNameTmp = ($psitem -split "`n" | select-string "UserPrincipalName:" | select line).line.replace("UserPrincipalName:", "").replace(" ","")
    $UserPrincipalName = $UserPrincipalNameTmp.replace($IdRefined,"")
    $result+= "$id, $UserPrincipalName"
}

$DeletedUsers = $result | convertfrom-csv | select -Unique -Property id,UserPrincipalName
$DeletedUsers | where{$psitem.userprincipalname -like "$username*"}
}

The above function searches through the Azure AD logs for user deletion operations and parses the results to obtain the ObjectIDs of deleted users. In this way, it can restore the user objects using their ObjectIDs. The function can be used without any parameters to list all deleted users.

Get-AzADDeletedUser

Listing all deleted AAD users via PowerShell

We can also list specific users by using the -username parameter to filter the results.

Get-AzADDeletedUser -Username DeletedUser1
Get-AzADDeletedUser -Username DeletedUser2
Get-AzADDeletedUser -Username DeletedUser3

Specific users can also be listed with the username parameter

Since we can easily gather the Object IDs of the users who need to be restored, we can simply put them in an array that we can then use to restore the users in one go with the Restore-AzureADMSDeletedDirectoryObject cmdlet.

In the following example, I will put the ObjectIDs of DeletedUser1 and DeletedUser3 into the array $UsersToBeRestored first and then restore them afterward.

$UsersToBeRestored = @()
$UsersToBeRestored += (Get-AzADDeletedUser -Username DeletedUser1).id
$UsersToBeRestored += (Get-AzADDeletedUser -Username DeletedUser3).id
$UsersToBeRestored | Restore-AzureADMSDeletedDirectoryObject

Restoring multiple deleted users with a custom list

Conclusion ^

Just like any other day-to-day activity in Azure, PowerShell can be a good option to automate these repetitive tasks. Restoring multiple users with PowerShell can save quite a lot of time, especially when there is an urgent need to do so.