Restoring M365 users via MS Graph Powershell

Hi everyone,

I am looking for a way to restore M365 users in PowerShell on macOS. I can’t go through the admin center because there the restore is only possible under certain conditions (original domain and license type still exist, etc.).

Unfortunately, the good old module MSOnline isn’t available in PowerShell under macOS.

Can I somehow manage the recovery via the Graph Powershell? Unfortunately ChatGPT spits out only nonsense, or refers erroneously to MSOnline.

In the end I only need equivalents for the following commands:

Connect-MsolService
Get-MsolUser -ReturnDeletedUsers
Restore-MsolUser -UserPrincipalName "davidchew@contoso.com" -NewUserPrincipalName "davidchew02@contoso.com" -AutoReconcileProxyConflicts

How do I get this to work with MS Graph Powershell?

Kind regards,
compukortschnoi

Hi, welcome to the forum :wave:

The MSOnline module is deprecated on Windows too. Everyone is advised to migrate to the Microsoft Graph PowerShell SDK before 30th June 2023. After that date, MSOnline and other older modules are no longer supported and you may find your scripts stop working as Microsoft switch off older APIs.

You can find mappings between old and new commands here:


Hi Matt,

Thank you for your reply and the warm welcome. :slight_smile:

I have studied the table and tried to rewrite the above lines for the Graph Powershell:

Connect-MgGraph -Scope Directory.ReadWrite.All
Get-MgUser -All | Format-List ID, UserPrincipalName
Restore-MgDirectoryDeletedItem -DirectoryObjectId a01234bc56789d0d12f34567e8f90f1g

The problems start in the second line. I only get a list of active users. There does not seem to be a -ReturnDeletedUsers switch. How can I get a display of the deleted users?

When I run the third line, I get the following error:

“Restore-MgDirectoryDeletedItem_Restore1: Insufficient privileges to complete the operation.”

I don’t understand this, I did give myself sufficient authorization in line 1. Of course I am global admin too.

Does anyone have any ideas?

Kind regards,
compukortschnoi

Get-MgUser won’t show deleted users, you need to use Get-MgDirectoryDeletedItem.

There is a good guide to using that here:

Be sure to read that thoroughly and, if necessary, read the linked GitHub discussions to understand how to view the data that’s returned. It might look like you’re not getting back any data, but you will be.

If you check the restore query in Graph Explorer, you will see that the scope Directory.ReadWrite.All is not listed. Therefore, it cannot perform a restore action. You should choose one of the following scopes:

AdministrativeUnit.ReadWrite.All
Application.ReadWrite.All
Group.ReadWrite.All
User.ReadWrite.All
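The two points in the answer above (deleted users come from the deletedItems endpoint, not Get-MgUser, and the restore needs a scope such as User.ReadWrite.All) put together as an added example; this is not code from the thread, from Microsoft, or from the linked guide. It assumes the Microsoft.Graph module is installed, that the signed-in account holds a directory role allowed to restore users, and it calls the user-typed deletedItems endpoint through Invoke-MgGraphRequest instead of Get-MgDirectoryDeletedItem because that returns plain hashtables and makes paging explicit. The 30-day retention window for soft-deleted users is Microsoft's documented limit; the UPNs at the end are the placeholder values from the original question.

```powershell
# Added example, not code from the thread or from Microsoft: list soft-deleted users
# with the Microsoft Graph PowerShell SDK and restore one of them by UPN.
# Assumes the Microsoft.Graph module is installed and the signed-in account holds a
# directory role that may restore users (the poster is a Global Administrator).
# User.ReadWrite.All is the delegated scope the thread found to work for the restore.
Connect-MgGraph -Scopes "User.ReadWrite.All" -NoWelcome

# Get-MgDirectoryDeletedItem wraps the generic /directory/deletedItems endpoint and the
# user list ends up inside AdditionalProperties. Calling the user-typed endpoint directly
# with Invoke-MgGraphRequest returns plain hashtables and lets us follow @odata.nextLink,
# so tenants with many deleted users are paged correctly.
function Get-DeletedUserReport {
    $uri = "https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.user" +
           '?$select=id,userPrincipalName,displayName,deletedDateTime&$top=999'
    $rows = @()
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($u in $page.value) {
            # deletedDateTime arrives as an ISO 8601 string; parse it once here so the
            # sort and the day counts below do not depend on the display locale.
            $deletedAt = [datetime]::Parse($u.deletedDateTime).ToUniversalTime()
            $daysSince = [int]((Get-Date).ToUniversalTime() - $deletedAt).TotalDays
            $rows += [pscustomobject]@{
                UserId                = $u.id
                UserPrincipalName     = $u.userPrincipalName
                Name                  = $u.displayName
                Deleted               = $deletedAt
                'Days Since Deletion' = $daysSince
                # Soft-deleted users are purged after 30 days; after that no restore is possible.
                'Days Left'           = [math]::Max(0, 30 - $daysSince)
            }
        }
        $uri = $page.'@odata.nextLink'
    }
    # Sort on the real [datetime] column rather than on a formatted string.
    $rows | Sort-Object Deleted
}

$report = Get-DeletedUserReport
$report | Format-Table UserId, UserPrincipalName, Deleted, 'Days Since Deletion', 'Days Left' -AutoSize

# Restore by UPN rather than by a hand-typed object id, so a typo cannot restore the
# wrong object. The Graph restore call itself takes no new UPN; if the original UPN is
# now in use, the user is renamed after the restore. This example does not attempt
# any proxy-address reconciliation.
function Restore-DeletedUserByUpn {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [string] $NewUserPrincipalName
    )
    $match = @(Get-DeletedUserReport | Where-Object { $_.UserPrincipalName -eq $UserPrincipalName })
    if ($match.Count -eq 0) { throw "No soft-deleted user with UPN $UserPrincipalName" }
    if ($match.Count -gt 1) { throw "Ambiguous: several deleted users share UPN $UserPrincipalName" }

    Restore-MgDirectoryDeletedItem -DirectoryObjectId $match[0].UserId | Out-Null
    if ($NewUserPrincipalName) {
        Update-MgUser -UserId $match[0].UserId -UserPrincipalName $NewUserPrincipalName
    }
    # Return the live object so the caller can confirm the restore and the new UPN.
    Get-MgUser -UserId $match[0].UserId -Property Id, UserPrincipalName, AccountEnabled
}

# Placeholder values taken from the original question, not a real tenant:
# Restore-DeletedUserByUpn -UserPrincipalName "davidchew@contoso.com" -NewUserPrincipalName "davidchew02@contoso.com"
```

If the restore still returns "Insufficient privileges" with User.ReadWrite.All, check the role of the deleted account first: the reply below notes that privileged accounts may additionally need Directory.AccessAsUser.All, and a consented scope never grants more than the signed-in user's own directory role allows.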

Unfortunately, it does not work with any of the four scopes; the error message remains the same. :confused:

I will read the first link at my leisure, thank you!

Before posting, I tested it with Directory.ReadWrite.All and User.ReadWrite.All and it worked only when using the latter.

Did the account to be restored have any privileged admin roles? If so, you may also need Directory.AccessAsUser.All.

Hi Matt,

Please forgive my late reply.

You put me on the right track: the right scope led to success. The restore was successful. :heart_eyes:

Also the script at Delete and Recover Azure AD User Accounts with PowerShell to list the deleted users worked for me, but only after I corrected line 23. Uncorrected, it throws an error concerning sort and a broken pipe, so I changed it from

$Report | Sort {$_.Deleted -as [datetime]} | Format-Table UserId, Name, Deleted, "Days Since Deletion", Type -AutoSize

to the following:

$Report | Format-Table UserId, Name, Deleted, "Days Since Deletion", Type -AutoSize

Now I also get a list of all deleted users. Yee-haw!

Thank you for your help!

Kind regards,
compukortschnoi