Wednesday, April 8, 2026

Soft-delete for Entra ID groups: what changed and when

Microsoft Entra ID · Identity & Access Management


If you've ever accidentally deleted a security group in Microsoft Entra ID and then spent the next hour scrambling to recreate it from memory, you'll know exactly why this update matters. Microsoft has finally extended soft-delete support to cloud security groups — closing a recovery gap that has frustrated admins for years.

A bit of history

Soft-delete isn't new to Entra ID. Microsoft introduced it for Microsoft 365 Groups back in early 2017, giving admins a 30-day window to restore accidentally deleted groups — complete with their connected resources like SharePoint sites and Planner boards. Applications and users followed, also gaining soft-delete status.

But cloud security groups? Until late 2025, deleting one meant it was gone. Permanently. No recycle bin, no restore button. You had to rebuild the group from scratch, re-add all members, and then hope you hadn't missed anyone with access to something critical.

What's new

Announced via Message Center notification MC1183299 on 6 November 2025, Entra ID now places deleted cloud security groups into a soft-deleted state for 30 days — giving admins time to restore them with all settings, membership, and ownership intact.

Here's the rollout timeline:

Late October 2025: Public preview begins. Feature available via Entra admin center, Microsoft Graph v1.0 API, and Graph PowerShell SDK.
November 2025: Public preview rollout completes.
Late February – Early March 2026: General Availability worldwide.
After 30 days: Soft-deleted groups are permanently (hard) deleted and cannot be recovered.

How to restore a soft-deleted group

Head to the Microsoft Entra admin center, navigate to Identity > Groups > All groups, and select Deleted groups. Pick the group and hit Restore group. You can also use PowerShell with Restore-MgDirectoryDeletedItem or the deletedItems Microsoft Graph API.

Keep in mind: while a group sits in the soft-deleted state, its members immediately lose access to any resources protected by that group — SharePoint sites, app assignments, Conditional Access policies, and so on. Restoring the group reapplies all of that access based on the original configuration.
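
The PowerShell restore path mentioned above, as an added example that is not from the original post or Microsoft's own samples: it lists soft-deleted groups with the days left before hard deletion and optionally restores one by object ID. It assumes the Microsoft Graph PowerShell SDK is installed and the signed-in admin can consent to Group.ReadWrite.All; the script parameters and the 7-day warning threshold are hypothetical.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.DirectoryManagement
# Added example (hypothetical script): list soft-deleted groups with the time left
# before hard deletion, and optionally restore one by object ID.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$RestoreGroupId,    # object ID of the group to restore; omit to report only
    [int]$RetentionDays = 30,   # fixed retention window described in the article
    [int]$WarnDays = 7          # assumed alert threshold, not a Microsoft setting
)

# Restoring needs write access to groups; reporting alone works with Group.Read.All.
Connect-MgGraph -Scopes 'Group.ReadWrite.All' | Out-Null

# Same data as GET /directory/deletedItems/microsoft.graph.group
$deleted = Get-MgDirectoryDeletedItemAsGroup -All -Property `
    'id,displayName,deletedDateTime,securityEnabled,mailEnabled,groupTypes'

$now = (Get-Date).ToUniversalTime()
$report = foreach ($g in $deleted) {
    if ($g.GroupTypes -contains 'Unified') { $kind = 'Microsoft 365' }
    elseif ($g.SecurityEnabled -and -not $g.MailEnabled) { $kind = 'Security' }
    else { $kind = 'Other' }

    $purgeAt = ([datetime]$g.DeletedDateTime).ToUniversalTime().AddDays($RetentionDays)
    [pscustomobject]@{
        DisplayName = $g.DisplayName
        Id          = $g.Id
        Kind        = $kind
        Dynamic     = $g.GroupTypes -contains 'DynamicMembership'
        PurgeAtUtc  = $purgeAt
        DaysLeft    = [math]::Floor(($purgeAt - $now).TotalDays)
    }
}

$report | Sort-Object DaysLeft | Format-Table -AutoSize | Out-Host
$report | Where-Object DaysLeft -le $WarnDays | ForEach-Object {
    Write-Warning "$($_.DisplayName) ($($_.Id)) is hard-deleted in $($_.DaysLeft) day(s)"
}

if ($RestoreGroupId) {
    $target = $report | Where-Object Id -eq $RestoreGroupId
    if (-not $target) { throw "No soft-deleted group with ID $RestoreGroupId" }
    # Honors -WhatIf / -Confirm, so a dry run shows what would be restored.
    if ($PSCmdlet.ShouldProcess($target.DisplayName, 'Restore soft-deleted group')) {
        Restore-MgDirectoryDeletedItem -DirectoryObjectId $RestoreGroupId
    }
}
```

Run it without parameters for the report, or with -RestoreGroupId and -WhatIf to confirm the target before restoring.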

Important caveats

This feature covers cloud-only security groups — both assigned and dynamic membership types. 

Groups that are synced from on-premises Active Directory via Entra Connect Sync or Cloud Sync are not eligible for soft-delete and will still be hard-deleted immediately. 

The 30-day retention window is also not customizable. Distribution lists and mail-enabled security groups remain outside the scope of this feature for now.

What you should do now

If you run automation or scripts that manage group lifecycle — say, a cleanup job that deletes stale groups — review them. Deleted groups will now land in a soft-deleted state rather than disappearing instantly, which could affect your automation logic if it expects immediate hard deletion. It's also worth tagging your critical security groups and documenting who's responsible for recovery, so that if something goes wrong, there's a clear escalation path before the 30-day window closes.

It's a small change in Microsoft's changelog — but for any admin who's been burned by an accidental group deletion, it's a very welcome safety net.
