What is the best way to recover an Office 365 user account that has been deleted?
This was a question that came up in discussion during a recent training course. My response was that the approach to take depends, in part, on where the user account was first created. Was it created in Office 365 and is thus a cloud-only account that exists only in Azure Active Directory? Or was it first created in an on-premises Active Directory and then synchronized to the cloud and associated with a corresponding account in Azure Active Directory, perhaps by using Azure AD Connect?
If the user account is cloud-only, then you can recover it from the Deleted Users folder in the Office 365 Admin Center for up to 30 days from the date of deletion.
However, if the user account is synchronized from an on-premises Active Directory, then the account can only be initially deleted on premises – it cannot be deleted first in Azure AD. The deletion from on-premises Active Directory will then be synchronized to the cloud where the user will be moved from the Active Users folder to the Deleted Users folder in the Office 365 Admin Center. One key to a good resolution of this scenario is to have previously set up the following features:
- Windows Server Active Directory Recycle Bin on premises
- Auditing the deletion of user accounts in Office 365
The Active Directory Recycle Bin can be enabled through the AD Admin Center tool on Server 2012, for example. To do this, your Active Directory’s forest functional level must be at least Server 2008 R2, meaning all Domain Controllers in the forest must be running Server 2008 R2, or above.
Auditing of the deletion of user accounts in Office 365 can be configured within the Alerts node of the Office 365 Compliance Center for your tenancy. Note that these alerts are triggered by updates to the Office 365 audit log. In other words, you get the email alert when the record of the deletion is added to the audit log – which may be several hours after the actual deletion. Even so, it still gives you plenty of time to recover the on-premises and cloud-based aspects of the deleted user. To do this you would restore the user from the AD Recycle Bin on premises and then allow directory synchronization to synchronize this action to the cloud. The result is that the on-premises account should once again be associated with the original cloud account – which should automatically move from the Deleted Users folder to the Active Users folder in the Office 365 Admin Center.
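The recovery sequence above, as an added PowerShell example that is not part of the original post. It assumes constructed names (forest `corp.example`, user `jdoe`, UPN `jdoe@corp.example`, Azure AD Connect server `AADC01`), the RSAT ActiveDirectory module locally, the ADSync module on the connect server, the MSOnline module, and the default objectGUID source anchor for the final check.

```powershell
# Added example (not the original post's code): restore a synced user from the on-premises
# AD Recycle Bin, push a delta sync, and confirm the cloud account is active again.
# All names below are assumed placeholders; change them for your environment.
param(
    [string]$Forest = 'corp.example',
    [string]$SamAccountName = 'jdoe',
    [string]$UserPrincipalName = 'jdoe@corp.example',
    [string]$AadConnectServer = 'AADC01',
    [switch]$CloudOnly   # use for an account created directly in Office 365
)
Import-Module ActiveDirectory
Import-Module MSOnline
Connect-MsolService

if ($CloudOnly) {
    # Cloud-only accounts are recoverable from Deleted Users for 30 days after deletion.
    Restore-MsolUser -UserPrincipalName $UserPrincipalName
} else {
    # Prerequisite: forest functional level 2008 R2 or later, Recycle Bin feature enabled.
    $forestInfo = Get-ADForest -Identity $Forest
    $minMode = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    if ($forestInfo.ForestMode -lt $minMode) { throw "Forest mode $($forestInfo.ForestMode) is too low." }
    $rb = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
    if (-not $rb.EnabledScopes) {
        # Enabling is forest-wide and permanent; it cannot be switched off later.
        Enable-ADOptionalFeature -Identity $rb -Scope ForestOrConfigurationSet -Target $Forest -Confirm:$false
    }
    # Deleted objects are hidden unless -IncludeDeletedObjects is given; take the newest match.
    $deleted = Get-ADObject -Filter { isDeleted -eq $true -and sAMAccountName -eq $SamAccountName } `
        -IncludeDeletedObjects -Properties sAMAccountName, lastKnownParent, whenChanged |
        Sort-Object whenChanged -Descending | Select-Object -First 1
    if (-not $deleted) { throw "No deleted object '$SamAccountName' found in the Recycle Bin." }
    # Restore into its last known OU. objectGUID is preserved, which is what lets Azure AD
    # re-link the restored object to the existing (soft-deleted) cloud account.
    Restore-ADObject -Identity $deleted.ObjectGUID
    $adUser = Get-ADUser -Identity $SamAccountName
    # Request a delta sync instead of waiting for the next scheduled cycle.
    Invoke-Command -ComputerName $AadConnectServer -ScriptBlock {
        Import-Module ADSync; Start-ADSyncSyncCycle -PolicyType Delta
    }
}
# Verification: the user should have left Deleted Users and be active again.
$stillDeleted = Get-MsolUser -ReturnDeletedUsers | Where-Object UserPrincipalName -eq $UserPrincipalName
if ($stillDeleted) { Write-Warning "$UserPrincipalName is still in Deleted Users; sync may not be finished." }
$cloud = Get-MsolUser -UserPrincipalName $UserPrincipalName
$cloud | Select-Object UserPrincipalName, IsLicensed, LastDirSyncTime, ImmutableId
if (-not $CloudOnly) {
    # With the default objectGUID anchor, ImmutableId is the base64 form of the on-prem objectGUID.
    $expected = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
    if ($cloud.ImmutableId -ne $expected) { Write-Warning 'ImmutableId mismatch; check the source anchor.' }
}
```

Run the verification block a second time once the sync cycle has finished if the first pass still reports the user in Deleted Users.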
Every environment is unique; therefore, I recommend creating several test users and deleting and restoring them to document and confirm the approach that works in your specific environment. Then, in an emergency, you’ll have a documented procedure to follow.