How to Permanently Remove Deleted Microsoft 365 Users from Azure AD

The original version of this article was written by Paul Cunningham and published on January 15, 2015. This version is revised to reflect the current environment within Microsoft 365.

When you delete a Microsoft 365 user account from the Microsoft 365 admin center, the account enters a soft-deleted state for 30 days. During this time, administrators can recover the account easily if the deletion was not intended. Azure AD restores the account fully except for license assignments. This includes, for example, memberships of Microsoft 365 Groups (and teams), Exchange attributes such as mailbox permissions and delegates, files including shares in OneDrive, etc.

Thirty Day Deleted Account Retention Limit

The 30-day limit for deleted account retention is set by Azure AD. A tenant cannot choose another value. However, if you want to permanently remove a deleted Microsoft 365 user you can use PowerShell. Reasons why you might want to do this include:

• Incorrect provisioning of a user account.
• Preventing a soft-match through Azure AD Connect when the UPN or primary smtp address is the same.
• A mailbox with active hold is to be set to inactive.

Removing Deleted Azure AD Accounts with PowerShell

To remove accounts, you need both the Azure Active Directory PowerShell and Microsoft Online Services modules installed on your computer.

Caution: do not proceed unless you are completely sure that you want to permanently remove the users.

First, connect to Azure Active Directory by running Connect-AzureAD and entering your admin credentials. Also connect to Microsoft Online Services by running the Connect-MSolService cmdlet:

Connect-AzureAD
Connect-MSOlService

After connecting, run the Get-MsOlUser cmdlet to return a list of deleted users together with their object identifier:

Get-MsolUser -ReturnDeletedUsers | Format-Table DisplayName, ObjectId

DisplayName                               ObjectId
-----------                               --------
Chris Bishop                              1368fd78-c2b4-4e14-8e69-65dddc432451
John Beddie                               8dfa381e-685a-4ba6-a12a-6a7b35df8199

After finding the required account in the set returned by Get-MsolUser, you can remove their user object permanently by running the Remove-AzureADMSDeletedDirectoryObject.

Remove-AzureADMSDeletedDirectoryObject -Id 1368fd78-c2b4-4e14-8e69-65dddc432451

Removal is immediate and the account is then irrecoverable.

To permanently remove deleted accounts from Azure AD before their deletion retention period expires, you can pipe the set of objects retrieved by Get-MsolUser to the Remove-AzureADMSDeletedDirectoryObject cmdlet:

Get-MsolUser -ReturnDeletedUsers | Select -ExpandProperty ObjectId | Remove-AzureADMSDeletedDirectoryObject 

Update: Use the Microsoft Graph PowerShell SDK

Microsoft has announced their intention to deprecate the Microsoft Online Services and Azure AD PowerShell modules. You should replace any code using these modules with cmdlets from the Microsoft Graph PowerShell SDK. In this case, to find deleted user accounts, run:

$Uri = "https://graph.microsoft.com/V1.0/directory/deletedItems/microsoft.graph.user"
[array]$DeletedUsers = Invoke-MgGraphRequest -Uri $Uri -Method Get

$DeletedUsers.Value.Foreach({Write-Host $_.DisplayName, $_.id})

Then, to permanently remove a soft-deleted Azure AD account, run the Remove-MgDirectoryDeletedItem cmdlet and pass the object identifier of the account to delete.

Remove-MgDirectoryDeletedItem -DirectoryObjectId 8aa1261a-b63e-4d5e-8acb-174879fc007a