Recover deleted user accounts in Microsoft 365
When users leave an organization, its Microsoft 365 tenant no longer requires their user accounts. To ensure the security of its system, an organization must delete these accounts so these users can no longer access the organization's Microsoft 365 tenant. When an administrator deletes a user account, the assigned Microsoft 365 license for that user becomes available. The administrator can then assign this license to another user.
Deleting a user account
To delete one or more users using the Microsoft 365 admin center, complete the following steps:
- In the Microsoft 365 admin center, in the left-hand navigation pane, select Users and then select Active users.
- Select the users that you want to delete and then select the Delete user option that appears on the menu bar.
- In the Delete users pane that appears, select Delete users.
- Once the system successfully deletes the user, select Close.
You can also use Microsoft Graph PowerShell to delete user accounts by using the Remove-MgUser command with the -UserId string parameter. For example:
Remove-MgUser -UserId '5c442efb-5e66-484a-936a-91b6810bed14'
Restoring a deleted user account
When you delete a user account, it becomes inactive, and the user can't sign in to access Microsoft 365 services. However, sometimes an organization must restore a deleted user account. To support this scenario, Microsoft 365 keeps the account as a "soft deleted" inactive account for 30 days after deletion. This 30-day grace period enables an organization to restore deleted user accounts, if necessary.
The following diagram shows how deleted users are still a part of their managed tenant, and that a recovery operation simply reactivates a Microsoft 365 user account.
To restore a user using the Microsoft 365 admin center, complete the following steps:
- In the Microsoft 365 admin center, in the left-hand navigation pane, select Users and then select Deleted users.
- Select the deleted user that you want to restore and then select the Restore user option that appears on the menu bar.
- Select how you want to assign the user password and then select Restore.
You can also use Windows PowerShell to restore deleted user accounts. Microsoft Graph PowerShell uses the Restore-MgDirectoryDeletedItem cmdlet to restore a recently deleted application, group, servicePrincipal, administrative unit, or user object from the deleted items "container." Deleted items remain available to restore for up to 30 days. After 30 days, the system permanently deletes the items. When recovering a deleted group, you can recover all group types except for Security groups. When you delete a Security group, the system permanently deletes it, and you can't recover it.
The previous PowerShell example showed how to delete a user account whose Object ID was "5c442efb-5e66-484a-936a-91b6810bed14". The following example shows how to restore this deleted user account using the Restore-MgDirectoryDeletedItem cmdlet:
Restore-MgDirectoryDeletedItem -DirectoryObjectId '5c442efb-5e66-484a-936a-91b6810bed14'
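The following added example (not Microsoft's code) reports how much of the 30-day soft-delete window remains for each deleted user, so an administrator can see which accounts are still restorable and which are about to be permanently deleted. The function name Get-DeletedUserWindow, the WarnDays threshold, and the sample records are hypothetical; the commented live usage assumes Get-MgDirectoryDeletedItemAsUser returns the DeletedDateTime property when requested.

```powershell
# Added example: classify soft-deleted users by time left in the 30-day window.
function Get-DeletedUserWindow {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [datetime] $Now = [datetime]::UtcNow,
        [int] $RetentionDays = 30,   # grace period described above
        [int] $WarnDays = 5          # hypothetical "expiring soon" threshold
    )
    process {
        $deleted = ([datetime]$User.DeletedDateTime).ToUniversalTime()
        $purgeOn = $deleted.AddDays($RetentionDays)
        $left    = [math]::Floor(($purgeOn - $Now).TotalDays)

        # Past the window the object is gone for good; near the end, flag it.
        $status = 'Restorable'
        if ($left -lt 0)              { $status = 'Expired' }
        elseif ($left -le $WarnDays)  { $status = 'ExpiringSoon' }

        [pscustomobject]@{
            Id                = $User.Id
            UserPrincipalName = $User.UserPrincipalName
            PurgeOnUtc        = $purgeOn
            DaysLeft          = [math]::Max($left, 0)
            Status            = $status
        }
    }
}

# Constructed sample records shaped like deleted-user objects (not real data).
$now = [datetime]::UtcNow
$sample = @(
    [pscustomobject]@{ Id = '00000000-0000-0000-0000-000000000001'
        UserPrincipalName = 'user1@contoso.example'; DeletedDateTime = $now.AddDays(-3) }
    [pscustomobject]@{ Id = '00000000-0000-0000-0000-000000000002'
        UserPrincipalName = 'user2@contoso.example'; DeletedDateTime = $now.AddDays(-27) }
    [pscustomobject]@{ Id = '00000000-0000-0000-0000-000000000003'
        UserPrincipalName = 'user3@contoso.example'; DeletedDateTime = $now.AddDays(-31) }
)
$sample | Get-DeletedUserWindow -Now $now | Format-Table -AutoSize

# Against a live tenant (scope assumed sufficient for reading deleted users):
#   Connect-MgGraph -Scopes 'User.Read.All'
#   Get-MgDirectoryDeletedItemAsUser -All `
#       -Property Id,UserPrincipalName,DeletedDateTime | Get-DeletedUserWindow
# Restore one that is still inside the window:
#   Restore-MgDirectoryDeletedItem -DirectoryObjectId '<object id>'
```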