The original version of this article was written by Paul Cunningham and published on January 15, 2015. This version is revised to reflect the current environment within Microsoft 365.
When you delete a Microsoft 365 user account from the Microsoft 365 admin center, the account enters a soft-deleted state for 30 days. During this time, administrators can easily recover the account if the deletion was not intended. Azure AD restores the account in full, apart from license assignments: memberships of Microsoft 365 Groups (and teams), Exchange attributes such as mailbox permissions and delegates, OneDrive files including shares, and so on are all recovered.
Thirty Day Deleted Account Retention Limit
The 30-day limit for deleted account retention is set by Azure AD. A tenant cannot choose another value. However, if you want to permanently remove a deleted Microsoft 365 user you can use PowerShell. Reasons why you might want to do this include:
- Incorrect provisioning of a user account.
- Preventing a soft-match through Azure AD Connect when the UPN or primary SMTP address of a new on-premises account is the same as that of the deleted account.
- A mailbox that is under an active hold is to become an inactive mailbox.
Removing Deleted Azure AD Accounts with PowerShell
To remove accounts, you need both the Azure Active Directory PowerShell and Microsoft Online Services modules installed on your computer.
Caution: do not proceed unless you are completely sure that you want to permanently remove the users.
First, connect to Azure Active Directory by running Connect-AzureAD and entering your admin credentials. Also connect to Microsoft Online Services by running the Connect-MsolService cmdlet:

Connect-AzureAD
Connect-MsolService
After connecting, run the Get-MsolUser cmdlet to return a list of deleted users together with their object identifier:

Get-MsolUser -ReturnDeletedUsers | Format-Table DisplayName, ObjectId

DisplayName  ObjectId
-----------  --------
Chris Bishop 1368fd78-c2b4-4e14-8e69-65dddc432451
John Beddie  8dfa381e-685a-4ba6-a12a-6a7b35df8199
After finding the required account in the set returned by Get-MsolUser, you can remove its user object permanently by running the Remove-AzureADMSDeletedDirectoryObject cmdlet with the object identifier:
Remove-AzureADMSDeletedDirectoryObject -Id 1368fd78-c2b4-4e14-8e69-65dddc432451
Removal is immediate and the account is then irrecoverable.
To permanently remove every deleted account from Azure AD before its deletion retention period expires, you can pipe the set of object identifiers retrieved by Get-MsolUser to the Remove-AzureADMSDeletedDirectoryObject cmdlet. Review the list returned by Get-MsolUser -ReturnDeletedUsers first, because this removes all soft-deleted users, not just the ones you have checked:
Get-MsolUser -ReturnDeletedUsers | Select -ExpandProperty ObjectId | Remove-AzureADMSDeletedDirectoryObject
Update: Use the Microsoft Graph PowerShell SDK
Microsoft has announced their intention to deprecate the Microsoft Online Services and Azure AD PowerShell modules. You should replace any code using these modules with cmdlets from the Microsoft Graph PowerShell SDK. In this case, after connecting with Connect-MgGraph using a scope that covers user deletion, run the following to find deleted user accounts:

# Query the deleted items container for objects of type user
$Uri = "https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.user"
[array]$DeletedUsers = Invoke-MgGraphRequest -Uri $Uri -Method Get
# Each entry in the Value collection is a deleted user; show its name and object identifier
$DeletedUsers.Value.Foreach({Write-Host $_.DisplayName, $_.id})
Then, to permanently remove a soft-deleted Azure AD account, run the Remove-MgDirectoryDeletedItem cmdlet and pass the object identifier of the account to delete.
Remove-MgDirectoryDeletedItem -DirectoryObjectId 8aa1261a-b63e-4d5e-8acb-174879fc007a
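As an added example (not code from the article), the following script ties the Graph SDK steps above together with the guardrails an administrator would want before an irreversible removal: it pages through the whole deleted-items list, matches on UPN rather than display name, and performs a -WhatIf dry run before any account is hard-deleted. The approved UPNs, the User.ReadWrite.All scope and the $Confirmed switch are assumptions for illustration.

```powershell
# Hard-delete only the soft-deleted users whose UPNs appear in an approved list.
# Assumes the Microsoft.Graph PowerShell SDK is installed; the UPNs below are hypothetical.
Connect-MgGraph -Scopes "User.ReadWrite.All" -NoWelcome

$ApprovedUpns = @('chris.bishop@contoso.example', 'john.beddie@contoso.example')

# Page through /directory/deletedItems, following @odata.nextLink so that
# tenants with more than one page of deleted users are handled completely.
$Uri = 'https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.user' +
       '?$select=id,displayName,userPrincipalName,deletedDateTime'
$Deleted = [System.Collections.Generic.List[object]]::new()
do {
    $Page = Invoke-MgGraphRequest -Uri $Uri -Method Get
    foreach ($u in $Page.value) { $Deleted.Add([pscustomobject]$u) }
    $Uri = $Page.'@odata.nextLink'
} while ($Uri)

# Match on UPN, not display name: display names are not unique in a tenant.
$Targets = $Deleted | Where-Object { $ApprovedUpns -contains $_.userPrincipalName }
$Missing = $ApprovedUpns | Where-Object { $_ -notin $Targets.userPrincipalName }
if ($Missing) { Write-Warning "Not found among deleted users: $($Missing -join ', ')" }

$Targets | Format-Table displayName, userPrincipalName, deletedDateTime, id

# Dry run: -WhatIf reports what would be removed without touching the directory.
foreach ($t in $Targets) {
    Remove-MgDirectoryDeletedItem -DirectoryObjectId $t.id -WhatIf
}

# Set $Confirmed to $true only after reviewing the dry-run output; removal is irreversible.
$Confirmed = $false
if ($Confirmed) {
    foreach ($t in $Targets) {
        Remove-MgDirectoryDeletedItem -DirectoryObjectId $t.id -Confirm:$false
        Write-Host "Permanently removed $($t.userPrincipalName) ($($t.id))"
    }
}
```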
Thanks for posting this. It worked as described.
Thanks for the information Tony, but I have a doubt: what is the difference between “Remove-MsolUser -UserPrincipalName -RemoveFromRecycleBin” and “Remove-AzureADMSDeletedDirectoryObject -Id 1368fd78-c2b4-4e14-8e69-65dddc432451”? I’m really a newbie about it.
Both are functionally the same and remove a user account object permanently from Azure AD. The Remove-MsOlUser cmdlet is just older. The other is based on the Azure AD Graph (which will be replaced by the Microsoft Graph in due course).
Thank you so much!
I found there is an AAD interface that allows the permanent delete of an account that is in the 30 day “soft-delete” state. It is displayed as in Preview state, but it works. While in the Admin Center, choose the “Show all” option, choose the Azure Active Directory admin center, choose Users, choose “Deleted users”, find the user in the list and select. The “Delete permanently” action will enable, and click to execute.
Yep. Hopefully, Microsoft will make this a non-preview feature very soon.
Very helpful, thanks.