Reporting Soft-Deleted Entra ID Objects

Contemplating the Best Way to Report Soft-Deleted Entra ID Objects

The Microsoft Technical Community article about keeping track of object deletions in Entra ID contains some interesting information. I want to take the opportunity to throw some additional light on the topic.

Use the Unified Audit Log to Track Entra ID Object Deletions

First, although the article covers KQL queries to find information about Entra ID audit log entries ingested into Microsoft Sentinel, it doesn’t cover how to retrieve the same information through the unified audit log. Every Microsoft 365 tenant with Office 365 E3 or above has access to the unified audit log, so you don’t have to invest in Sentinel licenses to find events for soft- or hard-deletions of objects like users and groups. The events can be retrieved using the Search-UnifiedAuditLog PowerShell cmdlet or through the Audit search feature in the Microsoft Purview Compliance portal.

# Requires an Exchange Online PowerShell session (Connect-ExchangeOnline).
# The Entra ID operation names in the audit log carry a trailing period ("Delete user."),
# and the filter also matches related events such as "Remove service principal credentials."
[array]$Operations = "Delete group", "Delete application", "Delete administrative unit", "Delete user", "Remove service principal"
[array]$Records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date).AddDays(1) -ResultSize 5000 -Operations $Operations -SessionCommand ReturnLargeSet -Formatted
$Records | Group-Object Operations -NoElement | Sort-Object Count | Format-Table Name, Count -AutoSize

Name                                  Count
----                                  -----
Delete administrative unit.               2
Delete application.                       2
Delete user.                              5
Remove service principal credentials.     5
Remove service principal.                 5
Delete group.                             7

The nice thing is that Microsoft 365 retains audit log events for 90 days (Purview Audit standard) or 365 days (Purview Audit premium), so the information is available for longer than it is in the Entra ID audit logs (maximum 30 days). By all means, use Microsoft Sentinel if you have it, but the point is that you don’t need to spend any extra money to track down audit events for Entra ID object deletions.
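The count above tells you how many deletions happened, not who deleted what. The following is an added example, not code from the original article, that parses the AuditData JSON on each record into a who/what/when report and drops the unrelated "Remove service principal credentials." events that the operation filter pulls in. It assumes the common audit schema fields CreationTime, Operation, UserId (the actor), ObjectId (the deleted object as recorded in the event) and ResultStatus; the sample records and their GUIDs and names are constructed for the demonstration.

```powershell
# Added example (not from the original article): turn unified audit log records
# for Entra ID deletions into a who/what/when report.
# Assumption: AuditData carries the common schema fields CreationTime, Operation,
# UserId (actor), ObjectId (deleted object) and ResultStatus.

function ConvertTo-DeletionReport {
    param([Parameter(Mandatory)][object[]]$Records)

    foreach ($Record in $Records) {
        # AuditData is a JSON string on every Search-UnifiedAuditLog result
        $Data = $Record.AuditData | ConvertFrom-Json
        # Map the operation to an object type. Patterns without wildcards match
        # literally, so "Remove service principal." does not catch the
        # "Remove service principal credentials." event.
        $ObjectType = switch -Wildcard ($Data.Operation) {
            'Delete user*'                { 'User' }
            'Delete group*'               { 'Group' }
            'Delete application*'         { 'Application' }
            'Delete administrative unit*' { 'AdministrativeUnit' }
            'Remove service principal.'   { 'ServicePrincipal' }
            default                       { 'Other' }
        }
        [pscustomobject]@{
            When       = [datetime]$Data.CreationTime
            ObjectType = $ObjectType
            Operation  = $Data.Operation.TrimEnd('.')
            Actor      = $Data.UserId
            Target     = $Data.ObjectId
            Result     = $Data.ResultStatus
        }
    }
}

# Constructed sample records in the shape Search-UnifiedAuditLog returns
# (AuditData as a JSON string). All identities and GUIDs are made up.
$SampleRecords = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-02-12T09:14:03","Operation":"Delete user.","UserId":"admin@contoso.example","ObjectId":"jane.doe@contoso.example","ResultStatus":"Success"}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-02-13T16:02:41","Operation":"Delete group.","UserId":"admin@contoso.example","ObjectId":"3b2d1c0e-5a6f-4e7d-8c9b-0a1b2c3d4e5f","ResultStatus":"Success"}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-02-14T08:30:12","Operation":"Remove service principal credentials.","UserId":"app-owner@contoso.example","ObjectId":"7c8d9e0f-1a2b-4c3d-9e8f-0a1b2c3d4e5f","ResultStatus":"Success"}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-02-14T08:31:05","Operation":"Remove service principal.","UserId":"app-owner@contoso.example","ObjectId":"7c8d9e0f-1a2b-4c3d-9e8f-0a1b2c3d4e5f","ResultStatus":"Success"}' }
)

# The credentials event is reported as "Other" and filtered out
$Report = ConvertTo-DeletionReport -Records $SampleRecords | Where-Object ObjectType -ne 'Other'
$Report | Sort-Object When | Format-Table When, ObjectType, Actor, Target, Result -AutoSize

# Live run over the last 90 days: same function, real events (Connect-ExchangeOnline first)
if (Get-Command Search-UnifiedAuditLog -ErrorAction SilentlyContinue) {
    $Operations = "Delete group", "Delete application", "Delete administrative unit", "Delete user", "Remove service principal"
    $Live = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date).AddDays(1) -ResultSize 5000 -Operations $Operations -SessionCommand ReturnLargeSet -Formatted
    ConvertTo-DeletionReport -Records $Live | Where-Object ObjectType -ne 'Other' |
        Sort-Object When | Export-Csv -Path .\EntraDeletions.csv -NoTypeInformation
}
```

The live branch is guarded so the script still runs against the sample records on a workstation without an Exchange Online session. If you need more than 5,000 records, pass a fixed SessionId to Search-UnifiedAuditLog and keep calling it until it returns nothing.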

Report Entra ID Soft-Deleted Objects with PowerShell

Entra ID stores its soft-deleted objects in a recycle bin. The objects remain in the recycle bin for 30 days, after which Entra ID hard-deletes (permanently removes) them. Not every object type goes there: users, Microsoft 365 groups, applications, service principals, and administrative units are soft-deleted, whereas security groups and distribution lists are permanently deleted immediately and cannot be restored this way. The Entra admin center has options to recover soft-deleted users, groups, and applications. Any soft-deleted object can be recovered using the Restore-MgDirectoryObject cmdlet from the Microsoft Graph PowerShell SDK. See this page for more information, and here are articles detailing how to restore soft-deleted Microsoft 365 groups and user accounts.

Before you can run the Restore-MgDirectoryObject cmdlet, you need to know the identifier for the object to restore. The article provided a PowerShell script to help. I thought the code was OK but could be improved by:

  1. Using production and not beta cmdlets. For instance, use Get-MgDirectoryDeletedItemAsUser to find soft-deleted user objects instead of Get-MgBetaDirectoryDeletedItemAsUser. Beta cmdlets are great, and I use them all the time, but if a cmdlet is available in the production (V1.0) endpoint, it’s better to use that version. Curiously, the Property parameter must be used with the Get-MgDirectoryDeletedItemAsUser cmdlet to fetch the DeletedDateTime property. This doesn’t happen with the other cmdlets.
  2. Including the All parameter for the cmdlets. The Graph APIs automatically limit the number of objects returned by a call (usually a page of between 100 and 300 objects). Developers use a process called pagination to fetch all available objects if necessary. Many Graph SDK cmdlets do the heavy lifting of pagination by including the All parameter to instruct the Graph to fetch all matching objects. It’s unlikely that you’ll need the cmdlets to fetch more than one page of deleted objects, but you might run into a situation where several hundred soft-deleted user or group objects are available, and it’s nice to be sure to fetch them all.
  3. Including a type in the output. As written, the script reported basic details of all soft-deleted objects and left it to the administrator to figure out what type of object each was. By including the object type in the report, it makes the job of an administrator easier.
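Putting the three points together, here is an added example (my own illustration, not the downloadable script from the article) that lists every soft-deleted user, group, application, and service principal with its type and the number of days left before Entra ID hard-deletes it. It assumes V2.x of the Microsoft Graph PowerShell SDK with the V1.0 cmdlets installed, a Directory.Read.All scope for listing, and the 30-day recycle bin retention described above; the 30-day value and the scope names are assumptions to check against your tenant.

```powershell
# Added example (not the article's script): report soft-deleted Entra ID objects
# using the V1.0 cmdlets, -All for pagination, and an explicit object type.
# Assumptions: Graph SDK V2.x, Directory.Read.All is enough to list deleted items,
# and the recycle bin retention is 30 days.

Connect-MgGraph -Scopes 'Directory.Read.All' -NoWelcome

function Get-SoftDeletedObjectReport {
    # Each source casts /directory/deletedItems to one object type
    $Sources = @(
        @{ Type = 'User';             Cmdlet = 'Get-MgDirectoryDeletedItemAsUser' }
        @{ Type = 'Group';            Cmdlet = 'Get-MgDirectoryDeletedItemAsGroup' }
        @{ Type = 'Application';      Cmdlet = 'Get-MgDirectoryDeletedItemAsApplication' }
        @{ Type = 'ServicePrincipal'; Cmdlet = 'Get-MgDirectoryDeletedItemAsServicePrincipal' }
    )
    $Now = Get-Date
    foreach ($Source in $Sources) {
        # -All fetches every page; -Property is required for the user cast to
        # return DeletedDateTime, and is harmless for the others
        $Items = & $Source.Cmdlet -All -Property Id, DisplayName, DeletedDateTime
        foreach ($Item in $Items) {
            $DaysSince = ($Now - [datetime]$Item.DeletedDateTime).Days
            [pscustomobject]@{
                Type            = $Source.Type
                DisplayName     = $Item.DisplayName
                Id              = $Item.Id
                DeletedDateTime = $Item.DeletedDateTime
                DaysLeft        = [math]::Max(0, 30 - $DaysSince)
            }
        }
    }
}

$Report = Get-SoftDeletedObjectReport | Sort-Object DeletedDateTime
$Report | Format-Table Type, DisplayName, DeletedDateTime, DaysLeft, Id -AutoSize

# Objects that will be hard-deleted within a week: the ones to decide on now
$Report | Where-Object DaysLeft -le 7 | Format-Table Type, DisplayName, DaysLeft, Id -AutoSize

# To restore one object, reconnect with a ReadWrite scope (for example
# Directory.ReadWrite.All) and pass the Id from the report:
# Restore-MgDirectoryObject -DirectoryObjectId $Report[0].Id
```

The Id column is the value Restore-MgDirectoryObject needs, so the report doubles as the lookup step the article describes before a restore. Soft-deleted security groups never appear because Entra ID hard-deletes them immediately.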

Figure 1 shows the output of the script.

Figure 1: Output of the script to report soft-deleted Entra ID objects

Download the Script to Report Soft-Deleted Entra ID Objects

You can download my version of the script to report Entra ID soft-deleted objects from GitHub. I tested using V2.15 of the Microsoft Graph PowerShell SDK. The V1.0 version of the cmdlets might not be available in an earlier version. The normal caveats apply. This script is for demonstration purposes only. Don’t expect bulletproof code!


