
Remove-MgDirectoryDeletedItem — Permanently Delete Soft-Deleted Azure AD Objects

When a Microsoft 365 user or group is deleted in Azure AD (Entra ID), it moves to the Deleted Items container for a limited retention period (typically 30 days). If you’re certain you no longer need a deleted object, you can permanently delete it using the Remove-MgDirectoryDeletedItem cmdlet. This ensures it cannot be restored and is completely removed from the tenant.


i) Cmdlet Syntax

Remove-MgDirectoryDeletedItem -DirectoryObjectId <directory-object-id>

Required scope (recommended):

Connect-MgGraph -Scopes "Directory.ReadWrite.All"


ii) Usage Examples

Removing a Single Microsoft 365 Directory Object Permanently

Step 1: Get the Directory Object ID to be removed

Use the appropriate helper cmdlet based on the object type you want to permanently delete.

  • If deleting a user:

    # List deleted users and pick one
    Get-MgDirectoryDeletedItemAsUser |
    Select-Object Id, DisplayName, UserPrincipalName, DeletedDateTime |
    Sort-Object DeletedDateTime -Descending

  • If deleting a group:

    # List deleted groups and pick one
    Get-MgDirectoryDeletedItemAsGroup |
    Select-Object Id, DisplayName, Mail, GroupTypes, DeletedDateTime |
    Sort-Object DeletedDateTime -Descending

Copy the Id of the directory object you wish to permanently delete.

Step 2: Pass the fetched Directory Object ID to Remove-MgDirectoryDeletedItem

Example (using an Id copied in Step 1):

    Remove-MgDirectoryDeletedItem -DirectoryObjectId ae22d08d-1ef5-4ac0-b36b-376864f6b63a

Step 3: Confirm deletion

After permanent deletion, the object will no longer appear in deleted items:

    Get-MgDirectoryDeletedItemAsUser  # The removed object should no longer be listed

Removing All Microsoft 365 Directory Objects Permanently

You can remove all soft-deleted Microsoft 365 directory objects by piping the results of Get-MgDirectoryDeletedItemAsUser or Get-MgDirectoryDeletedItemAsGroup (with -All, so that every page of results is retrieved) into a ForEach-Object loop that calls Remove-MgDirectoryDeletedItem for each item.

You can then confirm the deletion by running Get-MgDirectoryDeletedItemAsUser or Get-MgDirectoryDeletedItemAsGroup again, depending on which object type you removed.

    Get-MgDirectoryDeletedItemAsUser -All | ForEach-Object { Remove-MgDirectoryDeletedItem -DirectoryObjectId $_.Id -Confirm:$false }

iii) Cmdlet Tips

  • Permanent Action: This cmdlet permanently removes the object from the tenant. Once executed, recovery is impossible.
  • Retention Period: Deleted users and groups typically remain recoverable for up to 30 days unless manually removed using this cmdlet.
  • Use with caution: It’s recommended to export the list of deleted objects before bulk removals for audit or compliance reference.
  • Scope & Permissions: Requires Directory.ReadWrite.All permissions and admin privileges.
  • Automation Safety: When using loops or automation, include confirmation prompts or logging to avoid accidental removals.
  • Cross-check before delete: Always verify the object’s DisplayName, UPN, or Mail property before executing removal.
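Putting the bulk-removal loop and the automation-safety tips together, here is an added example (not from the article and not part of the Microsoft Graph SDK) of a guarded purge script: it builds one list of deleted users and groups with the properties to cross-check, exports that list before anything is touched, restricts the purge by deletion age and an optional name pattern, prompts per object through ShouldProcess, and records the outcome of every removal. The parameter names, CSV paths and the 14-day default are assumptions, and the script assumes you have already run Connect-MgGraph -Scopes "Directory.ReadWrite.All".

```powershell
# Added example, not from the original article: a guarded bulk purge of
# soft-deleted users and groups. Assumes an existing session opened with
# Connect-MgGraph -Scopes "Directory.ReadWrite.All".
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    # Only purge objects deleted at least this many days ago; newer ones stay recoverable
    [int]$MinAgeDays = 14,
    # Optional regex matched against DisplayName plus UPN/Mail; empty matches everything
    [string]$Filter = '',
    [string]$ExportPath = ".\deleted-items-$(Get-Date -Format yyyyMMdd-HHmmss).csv"
)

$cutoff = (Get-Date).ToUniversalTime().AddDays(-$MinAgeDays)

# One list of users and groups carrying the properties the tips say to cross-check
$all = @(
    Get-MgDirectoryDeletedItemAsUser -All | Select-Object Id, DisplayName, DeletedDateTime,
        @{ n = 'Identifier'; e = { $_.UserPrincipalName } }, @{ n = 'Type'; e = { 'User' } }
    Get-MgDirectoryDeletedItemAsGroup -All | Select-Object Id, DisplayName, DeletedDateTime,
        @{ n = 'Identifier'; e = { $_.Mail } }, @{ n = 'Type'; e = { 'Group' } }
)
$candidates = @($all | Where-Object {
    $_.DeletedDateTime -le $cutoff -and
    ($Filter -eq '' -or "$($_.DisplayName) $($_.Identifier)" -match $Filter)
})
if ($candidates.Count -eq 0) { Write-Host "Nothing to purge older than $MinAgeDays day(s)."; return }

# Audit trail first: write the list of what is about to be purged before touching anything
$candidates | Export-Csv -Path $ExportPath -NoTypeInformation
Write-Host "Candidate list ($($candidates.Count) object(s)): $ExportPath"
$candidates | Format-Table Type, DisplayName, Identifier, DeletedDateTime -AutoSize | Out-Host

$results = foreach ($obj in $candidates) {
    $target = "$($obj.Type) '$($obj.DisplayName)' <$($obj.Identifier)> Id=$($obj.Id)"
    # ConfirmImpact High: prompts per object unless the script is run with -Confirm:$false;
    # -WhatIf lists the targets and removes nothing
    if ($PSCmdlet.ShouldProcess($target, 'Permanently delete')) {
        try {
            Remove-MgDirectoryDeletedItem -DirectoryObjectId $obj.Id -Confirm:$false -ErrorAction Stop
            [pscustomobject]@{ Id = $obj.Id; Type = $obj.Type; Result = 'Removed'; Error = '' }
        } catch {
            # e.g. ResourceNotFound when an item was already purged: record it and keep going
            [pscustomobject]@{ Id = $obj.Id; Type = $obj.Type; Result = 'Failed'; Error = $_.Exception.Message }
        }
    }
}
if ($results) { $results | Export-Csv -Path ($ExportPath -replace '\.csv$', '-results.csv') -NoTypeInformation }
Write-Host "Removed $(@($results | Where-Object Result -eq 'Removed').Count), failed $(@($results | Where-Object Result -eq 'Failed').Count)"
```

Run it with -WhatIf first to see which objects would be purged; pass -Confirm:$false only for unattended runs where the exported CSV serves as the record.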

iv) Use Cases

  • Tenant clean-up: Permanently remove stale or irrelevant deleted users or groups to keep your directory tidy.
  • Security & compliance: Eliminate soft-deleted accounts that should no longer exist for compliance reasons.
  • Post-migration maintenance: Remove old user or group remnants after tenant consolidation or migration.
  • Storage management: Free up resources and simplify directory queries by reducing clutter in deleted items.

v) Possible Errors & Solutions

Error: Authorization_RequestDenied or "Insufficient privileges to complete the operation."
Likely cause: You’re missing admin privileges or required Graph permissions.
How to fix: Reconnect with Connect-MgGraph -Scopes "Directory.ReadWrite.All" and ensure you’re a Global Admin or Directory Admin.

Error: ResourceNotFound
Likely cause: The provided ID does not exist or is already permanently deleted.
How to fix: Run Get-MgDirectoryDeletedItemAsUser or Get-MgDirectoryDeletedItemAsGroup again to fetch current IDs.

Error: Forbidden
Likely cause: The account or app lacks directory write permissions.
How to fix: Grant Directory.ReadWrite.All admin consent for the signed-in account or service principal.

Error: BadRequest
Likely cause: Incorrect or invalid Directory Object ID format.
How to fix: Double-check the ID value; it must be a valid GUID.

Error: OperationNotAllowed
Likely cause: Trying to remove an object that is currently being restored or synced.
How to fix: Wait until the restore or sync process completes, then retry the deletion.

vi) Conclusion

Remove-MgDirectoryDeletedItem is the final step in managing the lifecycle of directory objects within Azure AD. It allows administrators to permanently delete users or groups that no longer need retention in the Deleted Items container. Always verify the object ID and ensure you truly intend to delete it, as this action cannot be undone. Use this cmdlet judiciously for effective directory hygiene and compliance management.

