How to restore an Azure AD Group that has been deleted by mistake? - Praveen Kumar


In Azure we can create two types of groups:

  • Security
  • Microsoft 365


Security groups are used to give group members access to applications, resources and assign licenses. Group members can be users, devices, service principals, and other groups.

Microsoft 365 groups are used for collaboration, giving members access to a shared mailbox, calendar, files, SharePoint site, and so on. Group members can only be users.

What happens when you delete a Group?

Microsoft 365 Delete: When you delete a Microsoft 365 group in Azure Active Directory (Azure AD), the deleted group is retained, but not visible, for 30 days from the deletion date so that the group and its contents can be restored if needed. This functionality is restricted to Microsoft 365 groups in Azure AD; it is not available for security groups or distribution groups. Please note that the 30-day group restoration period is not customizable.

View and manage the deleted Microsoft 365 groups that are available to restore:

  • Sign in to the Azure AD admin center with a User administrator account.
  • Select Groups, then select Deleted groups to view the deleted groups that are available to restore.


On the Deleted groups blade, you can:

  • Restore the deleted group and its contents by selecting Restore group.
  • Permanently remove the deleted group by selecting Delete permanently. To permanently remove a group, you must be an administrator.

View the deleted Microsoft 365 groups that are available to restore using PowerShell:

# Display all deleted Microsoft 365 groups in your Azure AD organization that are still available to restore.
Get-AzureADMSDeletedGroup

# Alternatively, if you know the ObjectId of a specific group (the cmdlet above lists it),
# verify that this particular deleted group has not yet been permanently purged.
Get-AzureADMSDeletedGroup -Id <objectId>

Restore your deleted Microsoft 365 group using PowerShell: Once you have verified that the group is still available to restore, restore it with the cmdlet below. If the group contains documents, SharePoint sites, or other persistent objects, it might take up to 24 hours to fully restore the group and its contents.

# Restore the deleted group and its contents.
Restore-AzureADMSDeletedDirectoryObject -Id <objectId>

# Alternatively, permanently remove the deleted group (this cannot be undone).
Remove-AzureADMSDeletedDirectoryObject -Id <objectId>

To verify that you have successfully restored a Microsoft 365 group, run Get-AzureADGroup -ObjectId <objectId> to display information about the group.

Security Group Delete: When you delete a security group in Azure Active Directory (Azure AD), the deleted group is not retained and cannot be recovered. This was really unexpected. To restore a deleted security group, you need to manually recreate it and add the members again. But who has a backup, or the information needed, to recreate the groups and re-add the users? Since Azure AD keeps no backup of security groups, administrators should take their own backup so that those groups can be restored quickly if needed. Below is a sample script that backs up the membership of all groups and saves the information to a CSV file.

Script 1 to back up Microsoft 365 groups and security groups as CSV:

# Requires the AzureAD module and an existing session (Connect-AzureAD) with read access to groups and their members.
# The output folder and the date-stamped file name are assumptions: one CSV per run, so that Script 2 can age old copies out.
$folderpath = "\\tempfolder\azureadseuritygroupmembers"
$filepath   = Join-Path $folderpath ("AzureADGroupMembers_{0}.csv" -f (Get-Date -Format 'yyyyMMdd'))

$groups  = Get-AzureADGroup -All $true
$results = @()

foreach ($group in $groups) {

    # Direct members only: users, devices, service principals and nested groups.
    $users = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true

    foreach ($user in $users) {

        $items = [ordered]@{
            SecuritygroupName = $group.DisplayName
            UserObjectId      = $user.ObjectId
            UserName          = $user.DisplayName
            UserPrincipalName = $user.UserPrincipalName
            UserType          = $user.UserType
        }

        $results += New-Object PSObject -Property $items
    }
}

$results | Export-Csv -Path $filepath -NoTypeInformation

Script 2 to delete files older than 30 days to free up space:

This will ensure you have 30 days of historical backups while minimizing the use of your storage space.

# Delete CSV backups older than 30 days (keeps 30 days of history while limiting storage use).
$limit      = (Get-Date).AddDays(-30)
$folderpath = "\\tempfolder\azureadseuritygroupmembers"

Get-ChildItem -Path $folderpath -File |
    Where-Object { $_.Extension -eq ".csv" -and $_.CreationTime -lt $limit } |
    Remove-Item

Once we have the backup, we can re-create a deleted security group using the information available in the CSV file.
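The re-creation step, as an added example script that is not part of the original post: it reads the CSV produced by Script 1, recreates the named group(s) as plain security groups and re-adds the saved members. It assumes the AzureAD module, an existing Connect-AzureAD session with rights to create groups and add members, and the column names from Script 1; the parameter names ($BackupCsv, $GroupName) are the example's own.

```powershell
# Recreate deleted security group(s) from a Script 1 backup CSV (example, not the original post's code).
param(
    [Parameter(Mandatory)] [string]   $BackupCsv,   # path to the CSV written by Script 1
    [Parameter(Mandatory)] [string[]] $GroupName    # display name(s) of the group(s) to recreate
)

$rows = Import-Csv -Path $BackupCsv | Where-Object { $GroupName -contains $_.SecuritygroupName }
if (-not $rows) { throw "No rows for '$($GroupName -join ', ')' found in $BackupCsv" }

foreach ($entry in ($rows | Group-Object -Property SecuritygroupName)) {
    $name = $entry.Name

    # Refuse to touch a group that still exists: a matching display name alone
    # does not prove it is the deleted group, and adding members to it could grant access by mistake.
    $existing = Get-AzureADGroup -SearchString $name | Where-Object { $_.DisplayName -eq $name }
    if ($existing) {
        Write-Warning "Group '$name' already exists (ObjectId $($existing.ObjectId)); skipping."
        continue
    }

    # The backup carries no group type, description, owners or nesting, so the group comes back
    # as a mail-disabled security group with only its direct members.
    $group = New-AzureADGroup -DisplayName $name -SecurityEnabled $true -MailEnabled $false -MailNickname 'NotSet'
    Write-Host "Recreated '$name' with new ObjectId $($group.ObjectId)"

    foreach ($member in $entry.Group) {
        try {
            Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $member.UserObjectId
        }
        catch {
            # A saved member may itself have been deleted since the backup; report it and carry on.
            Write-Warning "Could not add $($member.UserPrincipalName) ($($member.UserObjectId)) to '$name': $_"
        }
    }
}
```

The recreated group has a new ObjectId, so anything that referenced the old one (role assignments, application role assignments, Conditional Access policies, resource access rules) must be re-pointed at the new group; a backup of membership alone does not restore those.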
