Soft-delete for security groups is finally supported in Entra ID

Not a day too soon: security groups can now be soft-deleted, something that has been available for Office groups forever.
Recently Microsoft added soft-delete support for Conditional Access policies, but this is in my mind an even bigger improvement.
If you take a look in any tenant today, you will likely find more groups than you will ever need, especially if you allow the organization to create their own groups on demand.
Groups by themselves have no real value, but they are usually used to assign permissions, applications, policies and so on. Deleting one group can break a lot of things if you don't know what it is used for, so having a method to get everything back the way it was makes it much easier to clean things up.
What do you need to do?
Absolutely nothing, but I would recommend that you verify that the feature is enabled in your tenant before you go wild on your group deletion.
Create a new security group (TestSoftDeleteSecurityGroup) and delete it immediately.
Navigate to Entra ID -> Groups -> Deleted groups and verify that you can find the group.
Select the group and click Restore group.
What is restored?
All properties are maintained, including ObjectID, group memberships, and application assignments.
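The three manual steps above and the claim about what gets restored can be turned into one repeatable check. The script below is an added example and not code from the original post; it assumes the Microsoft.Graph PowerShell SDK is installed, that the caller can consent to Group.ReadWrite.All and User.Read.All, and that the test user UPN is a placeholder you replace with a real account in your tenant. It looks the deleted group up by the ObjectID it recorded at creation rather than by display name, because display names are not unique and another deleted group with the same name would otherwise be restored by mistake.

```powershell
# Added example (not from the original post): create a throwaway security group,
# delete it, confirm it lands in deleted items, restore it and verify that the
# ObjectID and membership survived. Assumes Microsoft.Graph PowerShell SDK v2.
Connect-MgGraph -Scopes 'Group.ReadWrite.All','User.Read.All'

$groupName   = 'TestSoftDeleteSecurityGroup'
$testUserUpn = 'softdelete.test@contoso.example'   # hypothetical placeholder, replace with a real user

# 1. Create the test group and add one member so there is state worth verifying.
$group = New-MgGroup -DisplayName $groupName -MailEnabled:$false -MailNickname $groupName -SecurityEnabled:$true
$user  = Get-MgUser -UserId $testUserUpn
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
$originalId = $group.Id
Write-Host "Created $groupName with ObjectID $originalId"

# 2. Delete it. With soft-delete active it moves to directory/deletedItems instead of disappearing.
Remove-MgGroup -GroupId $group.Id

# 3. Look it up in deleted items by ObjectID. Directory replication can lag a few
#    seconds after the delete, so retry a handful of times before giving up.
$deleted = $null
for ($attempt = 1; $attempt -le 6 -and -not $deleted; $attempt++) {
    try {
        $deleted = Invoke-MgGraphRequest -Method GET -Uri "beta/directory/deletedItems/$originalId" -OutputType PSObject
    } catch {
        Start-Sleep -Seconds 5
    }
}
if (-not $deleted) {
    throw "Group $originalId never showed up in deleted items; soft-delete does not appear to be active in this tenant."
}
Write-Host "Found in deleted items, deletedDateTime = $($deleted.deletedDateTime)"

# 4. Restore and confirm the group comes back under the same ObjectID with its membership intact.
$restored = Invoke-MgGraphRequest -Method POST -Uri "beta/directory/deletedItems/$originalId/restore" -OutputType PSObject
if ($restored.id -ne $originalId) {
    throw "Restored object has a different ObjectID: $($restored.id)"
}
$members = Get-MgGroupMember -GroupId $originalId
if ($members.Id -notcontains $user.Id) {
    throw 'Membership was not preserved on restore.'
}
Write-Host "Restore OK: ObjectID preserved and $(@($members).Count) member(s) present."

# 5. Clean up. The group goes back to deleted items and is purged by the tenant later.
Remove-MgGroup -GroupId $originalId
```

Run it once in a non-production tenant (or with a clearly named throwaway group) before relying on restore for real clean-up; if step 3 never finds the object, stop and investigate before deleting anything that matters.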
Restore using Graph API
# Connect with the necessary scope
Connect-MgGraph -Scopes Group.ReadWrite.All
# Find your deleted group by display name (display names are not unique, so check the result)
$groupName = "TestSoftDeleteSecurityGroup"
$filter = "displayName eq '$groupName'"
$uri = "beta/directory/deleteditems/microsoft.graph.group?`$filter=$filter"
$group = Invoke-MgGraphRequest -Uri $uri -OutputType PSObject | Select-Object -ExpandProperty value
Verify that it actually returns the one group you want to restore (several deleted groups can share a display name), then run:
# Restore the group; stop if the filter matched zero or several groups
if (@($group).Count -ne 1) { throw "Expected exactly one deleted group named $groupName, found $(@($group).Count)" }
$uri = "beta/directory/deleteditems/$($group.id)/restore"
Invoke-MgGraphRequest -Method POST -Uri $uri