Microsoft Entra: Soft deletion and restoration for cloud security groups
Services
Summary
Microsoft Entra introduces soft deletion and restoration for cloud security groups, allowing recovery within 30 days while preserving settings, ownership, and membership. Rollout begins in late October 2025 (preview) and February 2026 (general availability). Deleted groups remove access until restored; audit logs track actions.
Details
To help organizations recover from accidental or malicious deletions, Microsoft Entra is introducing soft deletion and restoration for cloud security groups. This feature allows deleted groups to be restored within 30 days, preserving their settings, ownership, and membership—reducing the need to rebuild access models from scratch.
When this will happen:
- Public preview: Rollout began in late in October 2025 and is expected to complete by early November 2025.
- General availability (Worldwide): Rollout begins in late February 2026 and is expected to complete by early March 2026.
How this affects your organization:
Who is affected:
- Admins managing Microsoft Entra cloud security groups.
- Users whose access is governed by security groups.
What will happen:
- Deleted cloud security groups will enter a soft deleted state and appear in the Deleted groups blade.
- During soft deletion:
- Access granted via the group is removed.
- The group is restorable for up to 30 days.
- After 30 days, the group is permanently deleted.
- Restoration recovers:
- Group properties (name, description, type)
- Settings (roles, policies)
- Ownership and membership (assigned and dynamic)
- Admin tools supported:
- Microsoft Entra admin center
- Microsoft Graph
- PowerShell
- Audit logs will capture deletion, restoration, and hard delete actions.
- Users lose access via the group during soft deletion; restoring the group reapplies access based on the group’s previous configuration.
- If a resource (for example, a SharePoint site, app, or policy scope) is protected by a soft deleted group, affected users immediately lose access via that group. If users had direct or alternate access paths, those remain unchanged.
What you can do to prepare:
- Identify critical groups:
- Inventory and tag critical security groups that gate access to sensitive resources.
- Update admin runbooks:
- Add steps to restore a deleted group before attempting to rebuild it.
- Test in a pilot (after preview reaches your tenant):
- Create a test security group, grant it access to a nonproduction resource, soft delete, validate access removal, then restore and confirm access returns as expected
- If you automate group management, validate your automation handles soft deleted objects and does not immediately hard delete them.
- Communicate to helpdesk and resource owners:
- Create guidelines on how to check deleted groups, how to restore, and when to escalate before recreating a group.
Learn more:
- Recover from deletions in Microsoft Entra ID - Microsoft Entra | Microsoft Learn
- Recoverability best practices in Microsoft Entra ID | Azure Docs | Microsoft Learn
- Restore a deleted Microsoft 365 group - Microsoft Entra ID | Microsoft Learn
MS Graph documentation:
- Delete group - Microsoft Graph API - Microsoft Graph v1.0 | Microsoft Learn
- List deleted items (directory objects) - Microsoft Graph v1.0 | Microsoft Learn
- Restore deleted directory object item - Microsoft Graph v1.0 | Microsoft Learn
- Permanently delete an item (directory object) - Microsoft Graph v1.0 | Microsoft Learn
Compliance considerations:
No compliance considerations identified, review as appropriate for your organization.