The original version of this article was written by Paul Cunningham and published on January 15, 2015. This version is revised to reflect the current environment within Microsoft 365.

When you delete a Microsoft 365 user account from the Microsoft 365 admin center, the account enters a soft-deleted state for 30 days. During this time, administrators can recover the account easily if the deletion was not intended. Azure AD restores the account fully except for license assignments. This includes, for example, memberships of Microsoft 365 Groups (and teams), Exchange attributes such as mailbox permissions and delegates, files including shares in OneDrive, etc.

Thirty Day Deleted Account Retention Limit

The 30-day limit for deleted account retention is set by Azure AD. A tenant cannot choose another value. However, if you want to permanently remove a deleted Microsoft 365 user you can use PowerShell. Reasons why you might want to do this include:

  • Incorrect provisioning of a user account.
  • Preventing a soft-match through Azure AD Connect when the UPN or primary smtp address is the same.
  • A mailbox with active hold is to be set to inactive.

The Experts Conference 2023 European Roadshow

Join us April 17-21 for practical security insights into hybrid AD and Microsoft 365.

See the Agenda

Removing Deleted Azure AD Accounts with PowerShell

To remove accounts, you need both the Azure Active Directory PowerShell and Microsoft Online Services modules installed on your computer.

Caution: do not proceed unless you are completely sure that you want to permanently remove the users.

First, connect to Azure Active Directory by running Connect-AzureAD and entering your admin credentials. Also connect to Microsoft Online Services by running the Connect-MSolService cmdlet:

Connect-AzureAD
Connect-MSOlService

After connecting, run the Get-MsOlUser cmdlet to return a list of deleted users together with their object identifier:

Get-MsolUser -ReturnDeletedUsers | Format-Table DisplayName, ObjectId

DisplayName                               ObjectId
-----------                               --------
Chris Bishop                              1368fd78-c2b4-4e14-8e69-65dddc432451
John Beddie                               8dfa381e-685a-4ba6-a12a-6a7b35df8199

After finding the required account in the set returned by Get-MsolUser, you can remove their user object permanently by running the Remove-AzureADMSDeletedDirectoryObject.

Remove-AzureADMSDeletedDirectoryObject -Id 1368fd78-c2b4-4e14-8e69-65dddc432451

Removal is immediate and the account is then irrecoverable.

To permanently remove deleted accounts from Azure AD before their deletion retention period expires, you can pipe the set of objects retrieved by Get-MsolUser to the Remove-AzureADMSDeletedDirectoryObject cmdlet:

Get-MsolUser -ReturnDeletedUsers | Select -ExpandProperty ObjectId | Remove-AzureADMSDeletedDirectoryObject 

Update: Use the Microsoft Graph PowerShell SDK

Microsoft has announced their intention to deprecate the Microsoft Online Services and Azure AD PowerShell modules. You should replace any code using these modules with cmdlets from the Microsoft Graph PowerShell SDK. In this case, to find deleted user accounts, run:

$Uri = "https://graph.microsoft.com/V1.0/directory/deletedItems/microsoft.graph.user"
[array]$DeletedUsers = Invoke-MgGraphRequest -Uri $Uri -Method Get

$DeletedUsers.Value.Foreach({Write-Host $_.DisplayName, $_.id})

Then, to permanently remove a soft-deleted Azure AD account, run the Remove-MgDirectoryDeletedItem cmdlet and pass the object identifier of the account to delete.

Remove-MgDirectoryDeletedItem -DirectoryObjectId 8aa1261a-b63e-4d5e-8acb-174879fc007a

About the Author

Tony Redmond

Tony Redmond has written thousands of articles about Microsoft technology since 1996. He is the lead author for the Office 365 for IT Pros eBook, the only book covering Office 365 that is updated monthly to keep pace with change in the cloud. Apart from contributing to Practical365.com, Tony also writes at Office365itpros.com to support the development of the eBook. He has been a Microsoft MVP since 2004.

Comments

  1. Frank Cifelli

    Thanks for posting this. It worked as described.

  2. Jose Aguinaga

    Thanks for the information Tony, but I have a doubt, what is the difference between “Remove-MsolUser -UserPrincipalName -RemoveFromRecycleBin” and “Remove-AzureADMSDeletedDirectoryObject -Id 1368fd78-c2b4-4e14-8e69-65dddc432451”? I’m really a noobie about it

    1. Avatar photo
      Tony Redmond

      Both are functionally the same and remove a user account object permanently from Azure AD. The Remove-MsOlUser cmdlet is just older. The other is based on the Azure AD Graph (which will be replaced by the Microsoft Graph in due course).

      1. Jose Aguinaga

        Thank you so much!

  3. Terry

    I found there is an AAD interface that allows the permanent delete of an account that is in the 30 day “soft-delete” state. It is displayed as in Preview state, but it works. While in the Admin Center, choose the “Show all” option, choose the Azure Active Directory admin center, choose Users, choose “Deleted users”, find the user in the list and select. The “Delete permanently” action will enable, and click to execute.

    1. Avatar photo
      Tony Redmond

      Yep. Hopefully, Microsoft will make this a non-preview feature very soon.

  4. Brian

    Very Helpful Thanks

Leave a Reply