Microsoft Entra Adds Soft Deletion and Restoration for Cloud Security Groups (2025–2026)
Microsoft is introducing soft deletion and restoration support for cloud security groups in Microsoft Entra ID (formerly Azure AD). This update brings long-awaited recovery capabilities to admins, helping prevent accidental group deletions that can lead to major access disruptions.
What’s New
When a cloud security group is deleted in Microsoft Entra, it no longer disappears immediately. Instead, it moves to a Deleted groups container in the Entra Admin Center, where it can be restored within 30 days.
During this 30-day period:
- The group’s members lose access to resources tied to that group.
- Admins can restore the group at any time before permanent deletion.
- When the group is restored, all properties, configurations, and memberships return exactly as they were.
- Audit logs continue to record who deleted or restored the group for compliance tracking.
This change aligns with Microsoft’s growing focus on data recovery, zero-trust continuity, and operational resilience across its identity management services.
Why This Matters
Before this update, deleting a cloud security group was permanent—any linked access policies, role assignments, or app permissions disappeared with it. Restoring them meant manually recreating memberships and reapplying configurations.
The new soft-deletion feature:
- Reduces the risk of accidental permission loss
- Helps maintain business continuity
- Simplifies incident recovery
- Improves audit compliance
It’s especially useful in large environments where automation or synchronization scripts manage group lifecycles and accidental deletions can cascade into access outages.
How Soft Deletion Works
When a group is deleted:
- It’s moved to the Deleted groups blade in Microsoft Entra Admin Center.
- Users immediately lose group-based access (e.g., to Teams, SharePoint, or Azure resources).
- The group remains recoverable for 30 days.
- After 30 days, it’s permanently removed unless restored.
💡 Tip: If your organization uses automation or PowerShell scripts for group cleanup, ensure those scripts handle soft-deleted objects properly. Avoid running commands that hard delete groups before their retention window expires.
Restoring a Deleted Group
You can restore a group in three ways:
1. Using the Entra Admin Center
- Go to Microsoft Entra Admin Center → Groups → Deleted groups.
- Select the deleted group.
- Click Restore group.
- Confirm to bring back all settings and memberships.

2. Using PowerShell
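Admins can use the Microsoft Graph PowerShell SDK to recover deleted groups. Connect, list the soft-deleted groups to find the object ID, then restore by that ID:
Connect-MgGraph -Scopes "Group.ReadWrite.All"
Get-MgDirectoryDeletedItemAsGroup -All | Select-Object Id, DisplayName, DeletedDateTime
Restore-MgDirectoryDeletedItem -DirectoryObjectId "<GroupID>"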
3. Using Microsoft Graph API
Developers or automation systems can use REST API calls to restore groups:
POST https://graph.microsoft.com/v1.0/directory/deletedItems/{group-id}/restore
🧩 All restored groups retain their Group ID, ensuring resource mappings stay consistent.
Rollout Timeline
| Phase | Timeline |
| --- | --- |
| Public Preview | Late October / Early November 2025 |
| General Availability | Late February / Early March 2026 |
During public preview, tenants can test the recovery process and update automation scripts to accommodate soft-deletion workflows.
Best Practices for Admins
- Review your automation: Ensure lifecycle scripts don’t automatically purge deleted objects.
- Monitor group deletions: Use Audit Logs in Microsoft Entra to track group deletions and restorations.
- Communicate changes: Inform IT staff and helpdesk teams about the new recovery option.
- Train global admins: Encourage testing in non-production environments before rollout.
- Integrate alerts: Configure Microsoft 365 Defender or Log Analytics alerts for deletion activities.
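For the review and monitoring practices above, the following added example (not from the original article or from Microsoft) joins soft-deleted groups with their deletion audit events and reports who deleted each group and how many days remain in the 30-day window. The function name, the 7-day warning threshold, and all sample records are assumptions constructed for illustration.

```powershell
# Added example. Inputs are shaped like the output of Get-MgDirectoryDeletedItemAsGroup -All
# and Get-MgAuditLogDirectoryAudit -All -Filter "activityDisplayName eq 'Delete group'".
function Get-SoftDeletedGroupTriage {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $DeletedGroups,
        [object[]] $AuditEvents = @(),
        [datetime] $Now = (Get-Date).ToUniversalTime(),
        [int] $RetentionDays = 30,   # recovery window stated in the article
        [int] $WarnDays = 7          # assumption: local escalation threshold
    )
    foreach ($g in $DeletedGroups) {
        # Latest deletion event whose target is this object ID
        $evt = $AuditEvents |
            Where-Object { $_.ActivityDisplayName -eq 'Delete group' -and
                           $_.TargetResources.Id -contains $g.Id } |
            Sort-Object ActivityDateTime -Descending | Select-Object -First 1
        # Deletions can come from a user or from an app/service principal
        $actor = if ($evt.InitiatedBy.User.UserPrincipalName) {
            $evt.InitiatedBy.User.UserPrincipalName
        } elseif ($evt.InitiatedBy.App.DisplayName) {
            "app:$($evt.InitiatedBy.App.DisplayName)"
        } else { 'unknown' }
        $expires = ([datetime]$g.DeletedDateTime).AddDays($RetentionDays)
        $left = [math]::Floor(($expires - $Now).TotalDays)
        [pscustomobject]@{
            Id = $g.Id; DisplayName = $g.DisplayName; DeletedBy = $actor
            ExpiresUtc = $expires; DaysLeft = $left; Urgent = ($left -le $WarnDays)
        }
    }
}

# Constructed sample data (not real tenant objects)
$utc = [DateTimeKind]::Utc
$id1 = '00000000-0000-0000-0000-000000000001'
$id2 = '00000000-0000-0000-0000-000000000002'
$deleted = @(
    [pscustomobject]@{ Id = $id1; DisplayName = 'sg-finance-readers'; DeletedDateTime = [datetime]::new(2025, 11, 1, 9, 0, 0, $utc) }
    [pscustomobject]@{ Id = $id2; DisplayName = 'sg-build-agents'; DeletedDateTime = [datetime]::new(2025, 11, 20, 9, 0, 0, $utc) }
)
$audit = @(
    [pscustomobject]@{ ActivityDisplayName = 'Delete group'; ActivityDateTime = [datetime]::new(2025, 11, 1, 9, 0, 0, $utc)
        InitiatedBy = [pscustomobject]@{ User = [pscustomobject]@{ UserPrincipalName = 'admin@contoso.example' }; App = $null }
        TargetResources = @([pscustomobject]@{ Id = $id1 }) }
    [pscustomobject]@{ ActivityDisplayName = 'Delete group'; ActivityDateTime = [datetime]::new(2025, 11, 20, 9, 0, 0, $utc)
        InitiatedBy = [pscustomobject]@{ User = $null; App = [pscustomobject]@{ DisplayName = 'group-cleanup-job' } }
        TargetResources = @([pscustomobject]@{ Id = $id2 }) }
)
Get-SoftDeletedGroupTriage -DeletedGroups $deleted -AuditEvents $audit `
    -Now ([datetime]::new(2025, 11, 25, 9, 0, 0, $utc)) | Sort-Object DaysLeft | Format-Table
```

Against a tenant, pass the output of the two cmdlets named in the header comment instead of the sample arrays; reading audit logs requires the AuditLog.Read.All scope in addition to the group scope.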
Summary
The new soft deletion and restoration feature for cloud security groups in Microsoft Entra gives IT admins a powerful safety net. With this 30-day recovery window, accidental deletions no longer mean lost access or hours of manual reconfiguration.
As this capability rolls out to preview and GA, it’s a good time to review your group lifecycle management policies and automate restoration workflows using Microsoft Graph or PowerShell.
By leveraging this feature, organizations can ensure resilient, recoverable, and auditable access management within Microsoft Entra.
