DFTR

Reputation: 869

Restore Deleted Directory Azure Active Directory Object - Azure Graph API

We have a cleanup process for our on-prem AD that requires on-prem accounts to be deleted while preserving the single sign-on services of Azure. This means we need the ability to convert Azure accounts to "Cloud Managed" accounts.

My research (and successful testing) has said this can be accomplished by moving the on-prem user to an OU that is outside of dirsync scope.

The issue is that while this action does the desirable conversion to "Cloud Managed", it also moves the Azure account to "DeletedObjects".

How do I programmatically restore the cloud-only account out of the DeletedObjects? (Microsoft.Azure.ActiveDirectory.GraphClient v 2.1.1)

    public static bool RestoreDeletedUser(Guid ObjectId)
    {
        ActiveDirectoryClient activeDirectoryClient = AuthenticationHelper.GetActiveDirectoryClientAsApplication();
        Task<IPagedCollection<IDirectoryObject>> userQuery = activeDirectoryClient.DeletedDirectoryObjects.Where(u => u.ObjectId.Equals(ObjectId.ToString())).ExecuteAsync();
        userQuery.Wait();
        IPagedCollection<IDirectoryObject> userQueryResult = userQuery.Result;
        List<IDirectoryObject> user = userQueryResult.CurrentPage.ToList();
        if (user.Count == 1)
        {
            user.First().restore(); //What do I do here? .restore is not a function.
        }
        return false;
    }

Upvotes: 4

Views: 668

Answers (1)

Rohit Saigal

Reputation: 9664

You can restore deleted users through the newer Microsoft Graph API https://graph.microsoft.com or its SDK. I'll cover the underlying API and related code shortly.

I think the restore capability is NOT available with the older Azure AD Graph API https://graph.windows.net or its SDK, which is what your current code is using. I did not find this stated anywhere explicitly, so there is a chance I may be wrong about this, but I say this based on two things:

  • Microsoft's comparison blog for the older Azure AD Graph and newer Microsoft Graph APIs - Microsoft Graph or the Azure AD Graph (look at the comparison table)

  • Azure AD Graph API documentation - I could see some restore capability mentioned for the application object here, but nothing with regard to User. Looking through the client SDK code also, I couldn't find any methods to restore.

Overall, it's anyway a strong recommendation to use the newer Microsoft Graph API over the older Azure AD Graph API, as you can read in the above-mentioned link.

How to Restore User with Microsoft Graph API

Using .NET Client SDK

    GraphServiceClient graphClient = new GraphServiceClient(authProvider);

    // POST /directory/deletedItems/{object-id}/restore
    await graphClient.Directory.DeletedItems["{object-id}"]
        .Restore()
        .Request()
        .PostAsync();

Underlying API - Restore deleted item

    POST https://graph.microsoft.com/v1.0/directory/deletedItems/{id}/restore

Upvotes: 3
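A fuller version of the SDK call in the answer, added here as an example and not part of the answer: it assumes the same Microsoft.Graph .NET SDK fluent `.Request()` style the snippet uses (4.x or earlier), an `IAuthenticationProvider` supplied by the caller, an app permission such as User.ReadWrite.All, and a hypothetical `expectedUpn` check so an automated cleanup job only restores the account it meant to.

```csharp
using System;
using System.Net;
using System.Threading.Tasks;
using Microsoft.Graph;

public static class DeletedUserRestorer
{
    // Looks the soft-deleted item up, confirms it is the expected user, then restores it.
    // Returns true only when Graph reports the restored object with the same id.
    public static async Task<bool> RestoreDeletedUserAsync(
        IAuthenticationProvider authProvider, string objectId, string expectedUpn)
    {
        var graphClient = new GraphServiceClient(authProvider);

        // GET /directory/deletedItems/{id}
        DirectoryObject deleted;
        try
        {
            deleted = await graphClient.Directory.DeletedItems[objectId].Request().GetAsync();
        }
        catch (ServiceException ex) when (ex.StatusCode == HttpStatusCode.NotFound)
        {
            // Not in the recycle bin: never deleted, or already purged after the retention window.
            Console.WriteLine($"{objectId}: not found among deleted items");
            return false;
        }

        // deletedItems is polymorphic (users, groups, applications); only act on the expected user.
        var user = deleted as User;
        if (user == null ||
            !string.Equals(user.UserPrincipalName, expectedUpn, StringComparison.OrdinalIgnoreCase))
        {
            Console.WriteLine($"{objectId}: refusing to restore, not the expected user");
            return false;
        }

        // POST /directory/deletedItems/{id}/restore
        DirectoryObject restored = await graphClient.Directory.DeletedItems[objectId]
            .Restore()
            .Request()
            .PostAsync();

        Console.WriteLine($"restored {restored.Id} (deleted at {user.DeletedDateTime:u})");
        return restored.Id == objectId;
    }
}
```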
