The original version of this article was written by Paul Cunningham and published on January 15, 2015. This version is revised to reflect the current environment within Microsoft 365.
When you delete a Microsoft 365 user account from the Microsoft 365 admin center, the account enters a soft-deleted state for 30 days. During this time, administrators can recover the account easily if the deletion was not intended. Azure AD restores the account fully except for license assignments. This includes, for example, memberships of Microsoft 365 Groups (and teams), Exchange attributes such as mailbox permissions and delegates, files including shares in OneDrive, etc.
Thirty Day Deleted Account Retention Limit
The 30-day limit for deleted account retention is set by Azure AD. A tenant cannot choose another value. However, if you want to permanently remove a deleted Microsoft 365 user you can use PowerShell. Reasons why you might want to do this include:
- Incorrect provisioning of a user account.
- Preventing a soft-match through Azure AD Connect when the UPN or primary smtp address is the same.
- A mailbox with active hold is to be set to inactive.
On Demand Migration
Migrate all your workloads and Active Directory with one comprehensive Office 365 tenant-to-tenant migration solution.
Removing Deleted Azure AD Accounts with PowerShell
To remove accounts, you need both the Azure Active Directory PowerShell and Microsoft Online Services modules installed on your computer.
Caution: do not proceed unless you are completely sure that you want to permanently remove the users.
First, connect to Azure Active Directory by running Connect-AzureAD and entering your admin credentials. Also connect to Microsoft Online Services by running the Connect-MSolService cmdlet:
Connect-AzureAD Connect-MSOlService
After connecting, run the Get-MsOlUser cmdlet to return a list of deleted users together with their object identifier:
Get-MsolUser -ReturnDeletedUsers | Format-Table DisplayName, ObjectId DisplayName ObjectId ----------- -------- Chris Bishop 1368fd78-c2b4-4e14-8e69-65dddc432451 John Beddie 8dfa381e-685a-4ba6-a12a-6a7b35df8199
After finding the required account in the set returned by Get-MsolUser, you can remove their user object permanently by running the Remove-AzureADMSDeletedDirectoryObject.
Remove-AzureADMSDeletedDirectoryObject -Id 1368fd78-c2b4-4e14-8e69-65dddc432451
Removal is immediate and the account is then irrecoverable.
To permanently remove deleted accounts from Azure AD before their deletion retention period expires, you can pipe the set of objects retrieved by Get-MsolUser to the Remove-AzureADMSDeletedDirectoryObject cmdlet:
Get-MsolUser -ReturnDeletedUsers | Select -ExpandProperty ObjectId | Remove-AzureADMSDeletedDirectoryObject
Update: Use the Microsoft Graph PowerShell SDK
Microsoft has announced their intention to deprecate the Microsoft Online Services and Azure AD PowerShell modules. You should replace any code using these modules with cmdlets from the Microsoft Graph PowerShell SDK. In this case, to find deleted user accounts, run:
$Uri = "https://graph.microsoft.com/V1.0/directory/deletedItems/microsoft.graph.user"
[array]$DeletedUsers = Invoke-MgGraphRequest -Uri $Uri -Method Get
$DeletedUsers.Value.Foreach({Write-Host $_.DisplayName, $_.id})
A more developed form of the Graph API request which is similar to how the Microsoft Entra admin center fetches deleted Azure AD accounts is shown below. I used the Graph X-ray add-on to sniff behind the scenes to discover the code they used.
$Uri = "https://graph.microsoft.com/V1.0/directory/deletedItems/microsoft.graph.user?`$select=id,displayName,userPrincipalName,userType,deletedDateTime,deletedDateTime,id,userPrincipalName&`$top=999&`$count=true"
[array]$DeletedUsers = Invoke-GraphRequest -Uri $Uri -Method Get
$DeletedUsers = $DeletedUsers.Value | Sort-Object {$_.deletedDateTime -as [datetime]} -descending
Then, to permanently remove a soft-deleted Azure AD account, run the Remove-MgDirectoryDeletedItem cmdlet and pass the object identifier of the account to delete.
Remove-MgDirectoryDeletedItem -DirectoryObjectId 8aa1261a-b63e-4d5e-8acb-174879fc007a
Tony, I have a user who has an issue with their account. It seems to think there’s an On-Prem Exchange server. Its only one user affected here. But Microsoft wont help because they say it says managed. While I could do a purge of the user like this and then add them back to solve the issue, I have concerns because I don’t want them to lose their data in email and OneDrive etc. If I purge the account and recreate it, will Microsoft note the same upn and restore the data to that account?
If you purge an account and recreate it, you can assign the same UPN but the new account won’t have the same object identifier as the original. That will be your problem because the workloads use object identifiers (GUIDs, so always unique) to link data together. But I would push back on Microsoft support and ask for further help. If there’s a problem with an account, they should be able to figure out why. I assume that you didn’t do anything to cause the problem, which would then allow Microsoft off the hook…
If you want to delete and recreate, backup everything first. You could do a content search to find everything in the account (assuming Office 365 E3 or above) and export it to a PST (mailbox) and individual files (OneDrive). Then use that data to recreate information for the new account.
But all of this is expressed with the strong caveat that I do not know the precise details of your circumstances, which is why you should work with Microsoft support as they can sign into your tenant to see what’s happening there.
This article was beneficial. Thank you. If anyone has a list larger than 100 users, it will not be displayed. The output is truncated at 100. Using the code shown in this article, it can be solved by just modifying this one line – $Uri = “https://graph.microsoft.com/V1.0/directory/deletedItems/microsoft.graph.user?`$top=999” You need the ` to escape the $ in PowerShell. 999 is the largest value that can be used. Other methods can be used, such as Invoke-RestMethod to output @odata.nextlink, which is where the rest of the results are stored if your list exceeds 999 values.
All true. The Graph API for users returns 100 objects by default. If you want more, you’ve got to ask for them.
BTW, here’s another approach: https://office365itpros.com/2022/03/23/delete-azure-ad-user-accounts/
Thanks for posting this. It worked as described.
Thanks for the information Tony, but I have a doubt, what is the difference between “Remove-MsolUser -UserPrincipalName -RemoveFromRecycleBin” and “Remove-AzureADMSDeletedDirectoryObject -Id 1368fd78-c2b4-4e14-8e69-65dddc432451”? I’m really a noobie about it
Both are functionally the same and remove a user account object permanently from Azure AD. The Remove-MsOlUser cmdlet is just older. The other is based on the Azure AD Graph (which will be replaced by the Microsoft Graph in due course).
Thank you so much!
I found there is an AAD interface that allows the permanent delete of an account that is in the 30 day “soft-delete” state. It is displayed as in Preview state, but it works. While in the Admin Center, choose the “Show all” option, choose the Azure Active Directory admin center, choose Users, choose “Deleted users”, find the user in the list and select. The “Delete permanently” action will enable, and click to execute.
Yep. Hopefully, Microsoft will make this a non-preview feature very soon.
Very Helpful Thanks