The original version of this article was written by Paul Cunningham and published on January 15, 2015. This version is revised to reflect the current environment within Microsoft 365.

When you delete a Microsoft 365 user account from the Microsoft 365 admin center, the account enters a soft-deleted state for 30 days. During this time, administrators can recover the account easily if the deletion was not intended. Azure AD restores the account fully except for license assignments. This includes, for example, memberships of Microsoft 365 Groups (and teams), Exchange attributes such as mailbox permissions and delegates, files including shares in OneDrive, etc.

Thirty Day Deleted Account Retention Limit

The 30-day limit for deleted account retention is set by Azure AD. A tenant cannot choose another value. However, if you want to permanently remove a deleted Microsoft 365 user you can use PowerShell. Reasons why you might want to do this include:

  • Incorrect provisioning of a user account.
  • Preventing a soft-match through Azure AD Connect when the UPN or primary SMTP address is the same.
  • A mailbox under an active hold that should become an inactive mailbox.


Removing Deleted Azure AD Accounts with PowerShell

To remove accounts, you need both the Azure Active Directory PowerShell (AzureAD) and Microsoft Online Services (MSOnline) modules installed on your computer.

Caution: do not proceed unless you are completely sure that you want to permanently remove the users.

First, connect to Azure Active Directory by running Connect-AzureAD and entering your admin credentials. Also connect to Microsoft Online Services by running the Connect-MsolService cmdlet:

Connect-AzureAD
Connect-MsolService

After connecting, run the Get-MsolUser cmdlet with the -ReturnDeletedUsers switch to return a list of deleted users together with their object identifier:

Get-MsolUser -ReturnDeletedUsers | Format-Table DisplayName, ObjectId

DisplayName                               ObjectId
-----------                               --------
Chris Bishop                              1368fd78-c2b4-4e14-8e69-65dddc432451
John Beddie                               8dfa381e-685a-4ba6-a12a-6a7b35df8199

After finding the required account in the set returned by Get-MsolUser, you can remove its user object permanently by running the Remove-AzureADMSDeletedDirectoryObject cmdlet and passing the object identifier:

Remove-AzureADMSDeletedDirectoryObject -Id 1368fd78-c2b4-4e14-8e69-65dddc432451

Removal is immediate and the account is then irrecoverable.

To permanently remove deleted accounts from Azure AD before their deletion retention period expires, you can pipe the set of objects retrieved by Get-MsolUser to the Remove-AzureADMSDeletedDirectoryObject cmdlet:

Get-MsolUser -ReturnDeletedUsers | Select-Object -ExpandProperty ObjectId | Remove-AzureADMSDeletedDirectoryObject

Update: Use the Microsoft Graph PowerShell SDK

Microsoft has announced their intention to deprecate the Microsoft Online Services and Azure AD PowerShell modules. You should replace any code using these modules with cmdlets from the Microsoft Graph PowerShell SDK. In this case, to find deleted user accounts, run:

$Uri = "https://graph.microsoft.com/V1.0/directory/deletedItems/microsoft.graph.user"
[array]$DeletedUsers = Invoke-MgGraphRequest -Uri $Uri -Method Get

$DeletedUsers.Value.Foreach({Write-Host $_.DisplayName, $_.id})

A more developed form of the Graph API request, similar to the one the Microsoft Entra admin center uses to fetch deleted Azure AD accounts, is shown below. I used the Graph X-ray add-on to sniff behind the scenes to discover the code they used.

# Request only the properties needed, up to 999 objects per page, and ask for a count
$Uri = "https://graph.microsoft.com/V1.0/directory/deletedItems/microsoft.graph.user?`$select=id,displayName,userPrincipalName,userType,deletedDateTime&`$top=999&`$count=true"
[array]$DeletedUsers = Invoke-MgGraphRequest -Uri $Uri -Method Get
# Most recently deleted accounts first
$DeletedUsers = $DeletedUsers.Value | Sort-Object {$_.deletedDateTime -as [datetime]} -Descending

Then, to permanently remove a soft-deleted Azure AD account, run the Remove-MgDirectoryDeletedItem cmdlet and pass the object identifier of the account to delete.

Remove-MgDirectoryDeletedItem -DirectoryObjectId 8aa1261a-b63e-4d5e-8acb-174879fc007a
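The listing and removal steps above, for both the MSOnline/AzureAD path and the Graph SDK path, combined into one script as an added example that is not part of the original article. It pages through the Graph results (the API returns 100 objects per page by default), purges only accounts matching a filter, and defaults to a dry run; the domain name and age threshold are assumed values.

```powershell
# Added example: list soft-deleted users via the Graph SDK, then permanently remove only
# those matching a filter. $TargetDomain and $OlderThanDays are assumed sample values.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.DirectoryManagement
param(
    [string]$TargetDomain = 'contoso.onmicrosoft.com',  # assumed: only touch this domain
    [int]$OlderThanDays   = 7,                           # assumed: keep recent deletions recoverable
    [switch]$Purge                                       # without -Purge the script only reports
)

# Directory.ReadWrite.All is required to remove items from the recycle bin.
Connect-MgGraph -Scopes 'Directory.ReadWrite.All' -NoWelcome

# Graph pages results; follow @odata.nextLink until no further page is returned.
$Uri = "https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.user?`$select=id,displayName,userPrincipalName,deletedDateTime&`$top=999"
$DeletedUsers = [System.Collections.Generic.List[object]]::new()
do {
    $Page = Invoke-MgGraphRequest -Uri $Uri -Method GET
    foreach ($Item in $Page.value) { $DeletedUsers.Add([pscustomobject]$Item) }
    $Uri = $Page.'@odata.nextLink'
} while ($Uri)

# Candidates: right domain, and deleted long enough ago that a restore is unlikely to be wanted.
$Cutoff = (Get-Date).AddDays(-$OlderThanDays)
$Candidates = @($DeletedUsers | Where-Object {
    $_.userPrincipalName -like "*@$TargetDomain" -and ([datetime]$_.deletedDateTime) -lt $Cutoff
})

Write-Host ("{0} deleted user(s) in the recycle bin, {1} match the filter" -f $DeletedUsers.Count, $Candidates.Count)
$Candidates | Format-Table displayName, userPrincipalName, deletedDateTime, id -AutoSize

foreach ($User in $Candidates) {
    # Dry run uses -WhatIf; with -Purge, each removal still prompts because it is irreversible.
    Remove-MgDirectoryDeletedItem -DirectoryObjectId $User.id -WhatIf:(-not $Purge) -Confirm:$Purge
}
```

Run it once without -Purge to review the candidate list, then again with -Purge to remove the accounts shown.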

About the Author

Tony Redmond

Tony Redmond has written thousands of articles about Microsoft technology since 1996. He is the lead author for the Office 365 for IT Pros eBook, the only book covering Office 365 that is updated monthly to keep pace with change in the cloud. Apart from contributing to Practical365.com, Tony also writes at Office365itpros.com to support the development of the eBook. He has been a Microsoft MVP since 2004.

Comments

  1. Marco

    There is a direct command now as well: Get-MgDirectoryDeletedItemAsUser, which returns name, ID, mail and UPN.

    1. Tony Redmond

      Very true. The Get-MgDirectoryDeletedItemAsUser cmdlet retrieves details of deleted user accounts from the Entra recycle bin. There’s also a Get-MgDirectoryDeletedItemAsGroup cmdlet.

  2. Henrik Wilson Malmqvist

    Sincere Apologies for the Unexpected Outreach — Urgent Assistance Needed with Microsoft Teams Issue

    Dear Tony

    I hope this message finds you well. Please accept my sincerest apologies for the unsolicited email and for including your addresses unexpectedly. I am reaching out in a state of urgency due to a critical and ongoing issue with Microsoft Teams that has severely impacted my professional responsibilities. Despite a week of efforts with Microsoft support, third-party engineers, and numerous troubleshooting steps, I have been unable to resolve the problem.

    To provide brief context, my business and personal Microsoft 365 accounts (one with a Gmail sign-in and the other as a Business Basic with .onmicrosoft) have somehow merged under the same organization and tenant ID. This has resulted in profile mix-ups, incorrect avatars, red triangles next to profiles in Teams, and persistent account switching errors. I’ve attempted (with help from support) every suggested fix, including resetting credentials, cleaning up MS Office apps, removing licenses, and trying to delete the organization from Azure, but nothing has worked. I’m now considering a hard delete through PowerShell, which is quite daunting as I am not an IT professional. If possible? I am not allowed to delete the two users/myself.

    These issues prevented me from attending a course on Teams in the beginning of the week.

    Given the ongoing support limitations and the critical impact on my job, I am reaching out in hope of finding a reliable resolution or any direction you might be able to offer. I fully understand that this is likely outside your regular scope, but any assistance or guidance would be deeply appreciated.

    Thank you very much for your time and consideration, and once again, I apologize for the unexpected outreach.

    Best regards,
    Henrik

    1. Tony Redmond

      Hi Henrik,

      This is a difficult problem for me because I don’t have access to your tenant. Microsoft support does and if they can’t help, there’s something very odd going on.

      Can you create a brand new account and access Teams? If so, that would at least get you back in the game. Later, you can delete the old accounts and reassign the User Principal Names and SMTP addresses to new accounts (after backing everything up from the OneDrive and Email for those accounts).

      TR

  3. Michael Lang

    Tony, I have a user who has an issue with their account. It seems to think there’s an on-prem Exchange server. It's only one user affected here. But Microsoft won't help because they say it says managed. While I could do a purge of the user like this and then add them back to solve the issue, I have concerns because I don’t want them to lose their data in email and OneDrive etc. If I purge the account and recreate it, will Microsoft note the same UPN and restore the data to that account?

    1. Tony Redmond

      If you purge an account and recreate it, you can assign the same UPN but the new account won’t have the same object identifier as the original. That will be your problem because the workloads use object identifiers (GUIDs, so always unique) to link data together. But I would push back on Microsoft support and ask for further help. If there’s a problem with an account, they should be able to figure out why. I assume that you didn’t do anything to cause the problem, which would then allow Microsoft off the hook…

      If you want to delete and recreate, backup everything first. You could do a content search to find everything in the account (assuming Office 365 E3 or above) and export it to a PST (mailbox) and individual files (OneDrive). Then use that data to recreate information for the new account.

      But all of this is expressed with the strong caveat that I do not know the precise details of your circumstances, which is why you should work with Microsoft support as they can sign into your tenant to see what’s happening there.

  4. Eric

    This article was beneficial. Thank you. If anyone has a list larger than 100 users, it will not be displayed. The output is truncated at 100. Using the code shown in this article, it can be solved by just modifying this one line – $Uri = “https://graph.microsoft.com/V1.0/directory/deletedItems/microsoft.graph.user?`$top=999” You need the ` to escape the $ in PowerShell. 999 is the largest value that can be used. Other methods can be used, such as Invoke-RestMethod to output @odata.nextlink, which is where the rest of the results are stored if your list exceeds 999 values.

    1. Tony Redmond

      All true. The Graph API for users returns 100 objects by default. If you want more, you’ve got to ask for them.

  5. Frank Cifelli

    Thanks for posting this. It worked as described.

  6. Jose Aguinaga

    Thanks for the information Tony, but I have a doubt: what is the difference between “Remove-MsolUser -UserPrincipalName -RemoveFromRecycleBin” and “Remove-AzureADMSDeletedDirectoryObject -Id 1368fd78-c2b4-4e14-8e69-65dddc432451”? I’m really a newbie about it.

    1. Tony Redmond

      Both are functionally the same and remove a user account object permanently from Azure AD. The Remove-MsOlUser cmdlet is just older. The other is based on the Azure AD Graph (which will be replaced by the Microsoft Graph in due course).

      1. Jose Aguinaga

        Thank you so much!

  7. Terry

    I found there is an AAD interface that allows the permanent delete of an account that is in the 30 day “soft-delete” state. It is displayed as in Preview state, but it works. While in the Admin Center, choose the “Show all” option, choose the Azure Active Directory admin center, choose Users, choose “Deleted users”, find the user in the list and select. The “Delete permanently” action will enable, and click to execute.

    1. Tony Redmond

      Yep. Hopefully, Microsoft will make this a non-preview feature very soon.

  8. Brian

    Very helpful, thanks.
