Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
In this article, you learn how to restore a soft deleted enterprise application in your Microsoft Entra tenant. Soft deleted enterprise applications can be restored from the recycle bin within the first 30 days after their deletion. After the 30-day window, the enterprise application is permanently deleted and can't be restored.
If you deleted an application registration in its home tenant through app registrations in the Microsoft Entra admin center, the enterprise application, which is its corresponding service principal also got deleted.
If you restore the deleted application registration through the Microsoft Entra admin center, its corresponding service principal, is also restored. You therefore be able to recover the service principal's previous configurations, except its previous policies such as Conditional Access policies, which aren't restored.
Prerequisites
To restore an enterprise application, you need:
- A Microsoft Entra user account. If you don't already have one, you can Create an account.
- One of the following roles:
- Cloud Application Administrator
- Application Administrator
- owner of the service principal.
- A soft deleted enterprise application in your tenant.
Take the following steps to recover a recently deleted enterprise application. For more information on frequently asked questions about deletion and recovery of applications, see Deleting and recovering applications FAQs.
View restorable enterprise applications using Microsoft Entra PowerShell
Make sure you're using the Microsoft Entra PowerShell module.
You need to sign in as at least a Cloud Application Administrator.
Run the following command to view the recently deleted enterprise application.
Connect-Entra -Environment China -ClientId 'YOUR_CLIENT_ID' -TenantId 'YOUR_TENANT_ID' -Scopes 'Application.Read.All' Get-EntraDeletedServicePrincipal
Replace ID with the object ID of the service principal that you want to restore.
View restorable enterprise applications using Microsoft Graph PowerShell
Run
Connect-MgGraph -Environment China -ClientId 'YOUR_CLIENT_ID' -TenantId 'YOUR_TENANT_ID' -Scopes "Application.ReadWrite.All". You need to sign in as at least a Cloud Application Administrator.To view the recently deleted enterprise applications, run the following command.
Get-MgDirectoryDeletedItem -DirectoryObjectId <id>
Replace ID with the object ID of the service principal that you want to restore.
Restore an enterprise app using Microsoft Entra PowerShell
To restore the soft-deleted enterprise application, run the following command:
Connect-Entra -Environment China -ClientId 'YOUR_CLIENT_ID' -TenantId 'YOUR_TENANT_ID' -Scopes 'Application.ReadWrite.All' #get the deleted service principal by filtering by the display name. $deletedServicePrincipal = Get-EntraDeletedServicePrincipal -Filter "DisplayName eq 'test-App1-Deleted'" #assign the value returned to a variable and restore the deleted service principal Id = $deletedServicePrincipal.Id Restore-EntraDeletedDirectoryObject -Id $deletedServicePrincipal.Id
Restore an enterprise app using Microsoft Graph PowerShell
To restore the enterprise application, run the following command:
Restore-MgDirectoryDeletedItem -DirectoryObjectId <id>
Replace ID with the object ID of the service principal that you want to restore.
Soft-deleted managed identity service principals can be viewed but can't be recovered or permanently deleted by customers.
Warning
Permanently deleting an enterprise application is an irreversible action. Any present configurations on the app are lost. Carefully review the details of the enterprise application to be sure you still want to hard delete it.
Permanently delete an enterprise app using Microsoft Entra PowerShell
To permanently delete a soft deleted enterprise application, run the following command:
Connect-Entra -Environment China -ClientId 'YOUR_CLIENT_ID' -TenantId 'YOUR_TENANT_ID' -Scopes 'Application.ReadWrite.All'
#get the deleted service principal by filtering by the display name.
$deletedServicePrincipal = Get-EntraDeletedServicePrincipal -Filter "DisplayName eq 'test-App1-Deleted'"
#assign the value returned to a variable and permanently delete the service principal
$Id = $deletedServicePrincipal.Id
Remove-EntraDeletedDirectoryObject -Id $deletedServicePrincipal.Id
Permanently delete an enterprise app using Microsoft Graph PowerShell
To permanently delete the soft deleted enterprise application, run the following command:
Remove-MgDirectoryDeletedItem -DirectoryObjectId <id>