daknetworks.com


See Soft Deleted Accounts in AzureAD | Restore Soft Deleted Accounts in AzureAD


To see all the accounts in AzureAD:
Get-MsolUser -All $true
Get-AzureADUser -All $true

To see all the "Guest" accounts in AzureAD:
Get-MsolUser -All $true | ? {$_.UserType -eq "Guest"}
Get-AzureADUser -All $true |where {$_.UserType -eq 'Guest'}

To get the details:
Get-AzureADUser -All $true |where {$_.UserType -eq 'Guest'} |select objectid,userprincipalname

This will return the user principal names of the guest accounts, usually in the format:
accountname_domainoutside.com#EXT#@tenant-name-internal.onmicrosoft.com

If you delete a "guest" user or "member" user, the account is "soft-deleted" and is still in AAD. The account stays in this state for 30 days, after which it is permanently deleted (replace <UserPrincipalName> with the UPN of the account):
Remove-MsolUser -UserPrincipalName <UserPrincipalName>
Remove-AzureADUser -ObjectId <UserPrincipalName>

While the account is in this state, the account can be restored. However, the account cannot be added/invited to another Team.

To view accounts in the "soft-deleted" state:
Get-MsolUser -All -ReturnDeletedUsers
Get-AzureADMSDeletedDirectoryObject -Id aa644285-eb75-4389-886e-7233f096984c
This doesn't help much because we don't know the ObjectId. The only way I could find the ID is by looking at the AAD logs and filtering for "Delete User".

To look at the logs, the AzureADPreview module must be installed:
Install-module AzureADPreview

After the AzureADPreview module is installed, run the following to check the logs for user deletion:
Get-AzureADAuditDirectoryLogs -Filter "category eq 'UserManagement' and OperationType eq 'Delete'" |ft
(The "Correlation ID" is the one you want.)

To permanently delete/hard-delete a guest (replace <UserPrincipalName> with the UPN of the account):
Remove-MsolUser -UserPrincipalName <UserPrincipalName> -RemoveFromRecycleBin
Remove-AzureADMSDeletedDirectoryObject -Id aa644285-eb75-4389-886e-7233f096984c

To restore an account (replace <UserPrincipalName> with the UPN of the account):
Restore-MsolUser -UserPrincipalName <UserPrincipalName>
Restore-AzureADMSDeletedDirectoryObject -Id aa644285-eb75-4389-886e-7233f096984c
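Putting the lookup and restore steps above together, the following function is an added example (not from the original post): it searches the audit log for the "Delete" event of a given UPN, takes the deleted user's ObjectId from the event's TargetResources entry, checks that the object is still in the recycle bin, and optionally restores it. It assumes the AzureADPreview module is installed, Connect-AzureAD has already been run, and that the audit event exposes the deleted user under TargetResources with Type, Id and UserPrincipalName properties; the function name and parameters are my own.

```powershell
# Added example, not the original post's code. Assumes AzureADPreview and an
# existing Connect-AzureAD session.
function Find-SoftDeletedUser {
    param(
        # UPN of the deleted account (for guests, the accountname_domain#EXT#@tenant form)
        [Parameter(Mandatory)] [string]$UserPrincipalName,
        # Restore the object instead of only reporting it
        [switch]$Restore
    )

    # Same filter as the post, but fetch all pages instead of the default first page.
    $events = Get-AzureADAuditDirectoryLogs -All $true `
        -Filter "category eq 'UserManagement' and OperationType eq 'Delete'"

    foreach ($e in $events) {
        # Assumption: TargetResources lists the objects the operation acted on,
        # and the deleted user appears there with Type 'User'.
        foreach ($t in $e.TargetResources) {
            if ($t.Type -ne 'User' -or $t.UserPrincipalName -ne $UserPrincipalName) { continue }

            $id = $t.Id
            Write-Host ("Deleted at {0} by {1} (CorrelationId {2}, ObjectId {3})" -f `
                $e.ActivityDateTime, $e.InitiatedBy.User.UserPrincipalName, $e.CorrelationId, $id)

            # Still inside the 30-day window? Otherwise the object is gone for good.
            $obj = Get-AzureADMSDeletedDirectoryObject -Id $id -ErrorAction SilentlyContinue
            if (-not $obj) {
                Write-Warning "Object $id is no longer in the recycle bin (hard-deleted or expired)."
                return $null
            }

            if ($Restore) {
                return Restore-AzureADMSDeletedDirectoryObject -Id $id
            }
            return $obj
        }
    }
    Write-Warning "No 'Delete' audit event found for $UserPrincipalName."
}

# Usage (hypothetical UPN):
# Find-SoftDeletedUser -UserPrincipalName 'someone_example.com#EXT#@tenant.onmicrosoft.com'
# Find-SoftDeletedUser -UserPrincipalName 'someone_example.com#EXT#@tenant.onmicrosoft.com' -Restore
```

Because audit log retention is limited, run the lookup soon after the deletion; once the event has aged out you will have to fall back on Get-MsolUser -ReturnDeletedUsers for the ObjectId.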

NOTES:
Get-AzureADMSDeletedUser/Restore-AzureADMSDeletedDirectoryObject do not exist, yet.
AzureAD Module v2.0 documentation: https://docs.microsoft.com/en-us/powershell/module/AzureAD/?view=azureadps-2.0
AzureAD v2.0-preview documentation: https://docs.microsoft.com/en-us/powershell/module/AzureAD/?view=azureadps-2.0-preview
(Check out the difference in the documentation for "Deleted Objects" section to get a feel of where development is happening.)
