How to: troubleshoot deleted user accounts in Office 365

Obtained from: http://support.microsoft.com/kb/2619308

How to troubleshoot deleted user accounts in Office 365

Article ID: 2619308

PROBLEM

An Office 365 user account is accidentally deleted from Office 365 and has to be restored.

CAUSE

Office 365 user accounts can be deleted in any of the following ways:

  • User accounts can be manually deleted by using the Office 365 portal.
  • User accounts can be manually deleted or deleted through a script by using Windows Azure Active Directory Module for Windows PowerShell.
  • User accounts can be manually deleted by using Exchange Control Panel in Exchange Online.
  • User accounts can be deleted through a synchronized deletion if directory synchronization filtering changes exclude the on-premises Active Directory user object from the synchronization set. (Directory synchronization filtering changes are also known as scoping.)
  • User accounts can be deleted through a synchronized deletion if the on-premises user object was deleted from the on-premises Active Directory schema.

SOLUTION

Before you start

When a user object is deleted, it’s not immediately and completely removed from the Windows Azure Active Directory (Windows Azure AD) authentication system. The user object is put in a deleted state and no longer appears in the ordinary user listing. However, it’s still present in the Windows Azure AD database and can be recovered for an organization within 30 days. To determine whether a user object is eligible to be recovered from a deleted state, follow these steps:

  1. In the Office 365 portal, look up user accounts that were deleted through the portal. To do this, follow these steps:
    1. Sign in to the Office 365 portal (https://portal.microsoftonline.com) by using administrative credentials.
    2. Do one of the following:
      • In Office 365, click Admin, click Office 365, and then in the left navigation pane, click Users and groups.
      • In Office 365 pre-upgrade, click Admin, and then in the left navigation pane, under Management, click Users.
    3. Do one of the following:
      • In Office 365, click Deleted users, and then look for the user who you want to recover.
      • In Office 365 pre-upgrade, on the Users page, click Deleted, and then look for the user who you want to recover.
  2. Using Windows Azure Active Directory Module for Windows PowerShell, follow these steps:
    1. Click Start, click All Programs, click Windows Azure Active Directory, and then click Windows Azure Active Directory Module for Windows PowerShell.
    2. Type the following commands in the order in which they are presented. Make sure that you press Enter after you type each command.
      • $cred = get-credential

        Note When you’re prompted, enter your Office 365 credentials.

      • Connect-MSOLService -credential:$cred
      • Get-MsolUser -ReturnDeletedUsers

Resolution 1: Use the Office 365 portal or the Windows Azure Active Directory Module for Windows PowerShell to recover a deleted user account

To recover a user account that was deleted manually, use one of the following methods:

  • Use the Office 365 portal to recover the user account. For more information about how to do this, go to one of the following Microsoft websites:
  • Use the Windows Azure Active Directory Module for Windows PowerShell to recover the user account. To do this, type one of the following commands, and then press Enter:
    • Restore-MsolUser -ObjectId <Guid> -AutoReconcileProxyConflicts -NewUserPrincipalName <string>
    • Restore-MsolUser -UserPrincipalName <string> -AutoReconcileProxyConflicts -NewUserPrincipalName <string>

      In these commands, the following conventions are used:

      • The UserPrincipalName and ObjectID parameters uniquely identify the user object to be restored.
      • The AutoReconcileProxyConflicts parameter is optional and is used in scenarios in which another user object was granted the target user object’s proxy address after that address was deleted.
      • The NewUserPrincipalName parameter is optional and is used in scenarios in which another user object was granted the target user object’s user principal name (UPN) after that UPN was deleted.

Resolution 2: Recover a user account that was deleted because directory synchronization filtering (scoping) changes exclude the on-premises Active Directory user object

To recover deleted user accounts, make sure that directory synchronization filtering is set in such a way that the scope includes the objects that you want to recover. For more information, go to the following Microsoft website:

Resolution 3: Recover a user account that was deleted because the on-premises user object was deleted from the on-premises Active Directory schema

To recover an item that was deleted from the on-premises Active Directory schema, follow these steps:

  1. Try to restore the deleted item from the Active Directory recycle bin. For more information about how to do this, go to the following Microsoft website:

    Notes

    • The Active Directory recycle bin is available only with the functional level of Windows 2008 R2 or later versions.
    • For the Active Directory recycle bin to be useful in recovering an item, it must be enabled before the item is deleted.
  2. If the Active Directory recycle bin is unavailable, or if the object in question is no longer in the recycle bin, try to recover the deleted item by using the AdRestore tool. To do this, follow these steps:
    1. Install the AdRestore tool from the following Microsoft TechNet website:
    2. Use AdRestore together with a search filter to locate the deleted on-premises user object. The following is an example of how to use AdRestore to enumerate all user objects that have a “UserA” string in their name:
      C:>adrestore.exe UserA
      AdRestore v1.1 by Mark Russinovich
      Sysinternals - www.sysinternals.com
      
      Enumerating domain deleted objects:
      cn: MailboxA
      DEL:3c45a0ae-ebc5-490d-a4b4-4b20d3e34a3f
      distinguishedName: CN=UserAADEL:3c45a0ae-ebc5-490d-a4b4-4b20d3e34a3f,CN=Deleted Objects,DC=Domain,DC=com
      lastKnownParent: OU=OnPremises,DC=Domain,DC=com
      
      Found 1 item matching search criteria.
    3. Use AdRestore together with the -r switch to restore the user object. The following is an example of how to use AdRestore to restore the UserA object:
      C:>adrestore.exe Usera -r
      AdRestore v1.1 by Mark Russinovich
      Sysinternals - www.sysinternals.com
      
      Enumerating domain deleted objects:
      cn: UserA
      DEL:3c45a0ae-ebc5-490d-a4b4-4b20d3e34a3f
      distinguishedName: CN=MailboxAADEL:3c45a0ae-ebc5-490d-a4b4-4b20d3e34a3f,CN=Deleted Objects,DC=Domain,DC=com
      lastKnownParent: OU=OnPremises,DC=Domain,DC=com
      
      Do you want to restore this object (y/n)? y
      Restore succeeded.
      
      Found 1 item matching search criteria.
    4. Enable the user object in Active Directory. When the object is restored, it’s disabled at first. Therefore, you have to enable it. If it’s necessary, first reset the user object’s password, and then enable the user object in Active Directory Users and Computers. To enable the user object in Active Directory Users and Computers, follow these steps:
      1. In Active Directory Users and Computers, right-click the user, and then click Reset Password.
      2. Enter a new password in the New password and Confirm password boxes, and then click OK.
      3. Right-click the user, click Enable Account, and then click OK.

        Screen shot of Enable account in Active Directory

        You receive the following error message. (This error message is expected.)

        Windows cannot enable object <MailboxName> because:
        Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain.

        After you receive this error message, reset the user’s password in Active Directory Users and Computers.

    5. Configure the user logon name. The user logon name (also known as the user principal name, or UPN) isn’t set from the restored user object. You have to update the user logon name, especially if the user is a federated account. To configure the user logon name, follow these steps:
      1. In Active Directory Users and Computers, right-click the user, and then click Properties.
      2. Click Account, enter a name in the User logon name box, and then click OK.
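      The same recovery (steps 1, 4 and 5 of resolution 3) carried out with the Active Directory module for Windows PowerShell instead of AdRestore and the Active Directory Users and Computers GUI. This is an added example, not part of the KB article; it assumes the Active Directory recycle bin was enabled before the deletion, and the account name, UPN and domain are constructed sample values.

```powershell
# Added example (not from KB 2619308): restore a deleted on-premises user from the
# AD recycle bin, reset its password, enable it, then set the user logon name (UPN).
# Assumes the ActiveDirectory module and a recycle bin that was enabled before the
# deletion. Names below are constructed sample values.
Import-Module ActiveDirectory

$SamAccountName = 'UserA'                    # constructed sample
$NewUpn         = 'UserA@contoso.com'        # constructed sample; federated accounts need the correct suffix

# Step 1: find the deleted object in the recycle bin and restore it to its last known parent.
$deleted = Get-ADObject -Filter "SamAccountName -eq '$SamAccountName' -and isDeleted -eq `$true" `
                        -IncludeDeletedObjects -Properties lastKnownParent
if (-not $deleted) {
    throw "No deleted object '$SamAccountName' in the recycle bin; fall back to AdRestore or an authoritative restore."
}
if (@($deleted).Count -gt 1) {
    throw "More than one deleted object is named '$SamAccountName'; pick one by ObjectGUID."
}
Restore-ADObject -Identity $deleted.ObjectGUID -TargetPath $deleted.lastKnownParent

# Step 4: a restored account is disabled and has no usable password. Reset the
# password first; enabling before the reset triggers the domain password-policy
# error the article shows.
$newPassword = Read-Host -Prompt "New password for $SamAccountName" -AsSecureString
Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $newPassword
Enable-ADAccount -Identity $SamAccountName

# Step 5: the UPN is not carried back by the restore, so set it explicitly.
Set-ADUser -Identity $SamAccountName -UserPrincipalName $NewUpn

# Confirm the result before the next directory synchronization picks it up.
Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName, Enabled |
    Format-List Name, DistinguishedName, UserPrincipalName, Enabled
```

Service attributes (Exchange, Lync) are not repopulated by this restore; run the service-specific cmdlets, such as the Enable-RemoteMailbox example later in this article, before the next synchronization interval.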

Finally, if you can’t recover the deleted user account through the Active Directory recycle bin or by using the AdRestore tool, perform an authoritative restore of the deleted user objects in Active Directory.

Warning Make sure that only the user objects that you want to restore are marked as authoritative. Active Directory objects that are marked as authoritative in the restore process may cause many Active Directory service issues.

For more information about how to perform an authoritative restore of Active Directory objects, go to the following Microsoft website:

Warning Objects that are restored by using resolution 3 may not have all service attributes (Exchange Online, Lync Online, and so on) automatically repopulated after the restore action. Use the appropriate service management tools to repopulate the on-premises object attributes before the next directory synchronization interval propagates the restore action to the cloud directory.

For example, for an object that was formerly mail-enabled in Exchange Online, you may want to use Windows PowerShell cmdlets to repopulate the Exchange Online attributes. In the following example, the User1 object is repopulated with Exchange Online attributes for the contoso.onmicrosoft.com tenant:

Enable-RemoteMailbox -Identity User1 -RemoteRoutingAddress User1@contoso.onmicrosoft.com

If the following conditions are true, resolution 3 won’t work:

  • Restoring the object by using the Active Directory recycle bin isn’t an available option.
  • Restoring the object by using the AdRestore tool isn’t an available option.
  • Active Directory authoritative restoring isn’t an available option.

In this situation, contact Office 365 Support for help.

MORE INFORMATION

Changes that are made to a domain or to a user object in Office 365 after a user account is deleted and before the user account is recovered can affect the user experience after recovery. After user deletion and before user recovery, the following events may occur:

  • A new user is created who uses a unique user ID value that was formerly assigned to the deleted user.
  • A new user is created who uses a unique email address value that was formerly assigned to the deleted user.

When these conflicts occur, conflicting attributes must be updated to remove the conflict before user recovery can be completed. If a conflict occurs during user recovery, the user will experience one of the following symptoms when a user recovery is tried:

  • Windows PowerShell returns one of the following error messages:

    Error message 1

    Restore-MsolUser : The specified user account cannot be restored because of the following error: Error Type UserPrincipalName

    Error message 2

    Restore-MsolUser : The specified user account cannot be restored because of the following error: Error Type proxyAddress

    To restore users who are in this state, you can correct the conflict by using the following parameters when you run the Restore-MsolUser cmdlet:

    • AutoReconcileProxyConflicts
    • NewUserPrincipalName

    Note When you use the AutoReconcileProxyConflicts parameter, any conflicting email addresses are removed from the deleted user before you continue with the recovery process.

  • The Office 365 portal shows the equivalent error messages in the form of the Windows PowerShell error states that were mentioned earlier. For example, you see the following:

    Screen shot of user name conflict page

    To restore users who are in this state, complete the form, and make sure that you specify how you want to correct the conflict.
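The "Before you start" check, resolution 1 and the conflict handling above, combined into one script. This is an added example, not code from the KB article; it assumes the Windows Azure Active Directory Module (MSOnline cmdlets), and the UPNs in it are constructed sample values.

```powershell
# Added example (not from KB 2619308): confirm a deleted Office 365 user is still
# recoverable, detect UPN / proxy-address conflicts with live users, and call
# Restore-MsolUser with only the options those conflicts require.
# Assumes the MSOnline module; UPNs are constructed sample values.
param(
    [string]$DeletedUpn  = 'usera@contoso.onmicrosoft.com',
    [string]$FallbackUpn = 'usera.restored@contoso.onmicrosoft.com'
)

$cred = Get-Credential                  # Office 365 administrative credentials
Connect-MsolService -Credential $cred

# Before you start: is the object still in the deleted state (30-day window)?
$deleted = Get-MsolUser -ReturnDeletedUsers -All |
    Where-Object { $_.UserPrincipalName -eq $DeletedUpn }
if (-not $deleted) {
    throw "No recoverable deleted user with UPN $DeletedUpn (past the 30-day window, or never deleted)."
}
if (@($deleted).Count -gt 1) {
    throw "More than one deleted user has UPN $DeletedUpn; restore by ObjectId instead."
}

# Conflict 1 (Error Type UserPrincipalName): a live user now owns the same UPN.
$upnTaken = Get-MsolUser -UserPrincipalName $DeletedUpn -ErrorAction SilentlyContinue

# Conflict 2 (Error Type proxyAddress): a live user now holds one of the deleted user's proxy addresses.
$deletedProxies = @($deleted.ProxyAddresses)
$proxyTakenBy = Get-MsolUser -All | Where-Object {
    @($_.ProxyAddresses | Where-Object { $deletedProxies -contains $_ }).Count -gt 0
}

# Build the Restore-MsolUser call from what was found; a plain restore if there are no conflicts.
$restore = @{ ObjectId = $deleted.ObjectId }
if ($proxyTakenBy) {
    Write-Warning ("Proxy address conflict with: " + ($proxyTakenBy.UserPrincipalName -join ', '))
    $restore.AutoReconcileProxyConflicts = $true   # conflicting addresses are dropped from the deleted user
}
if ($upnTaken) {
    Write-Warning "UPN $DeletedUpn now belongs to ObjectId $($upnTaken.ObjectId); restoring as $FallbackUpn"
    $restore.NewUserPrincipalName = $FallbackUpn
}
Restore-MsolUser @restore

# Verify the account is back in the ordinary user listing.
Get-MsolUser -ObjectId $deleted.ObjectId |
    Select-Object DisplayName, UserPrincipalName, IsLicensed, BlockCredential
```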

Still need help? Go to the Office 365 Community website.
