Entra ID and Accidental Security Group Deletion

By | August 23, 2024

I recently had to help out a customer with a situation where someone in first level support accidentally deleted an Entra ID security group. That person (let’s call him Eric) was trying to remove a user from the group using the Entra Portal but ended up deleting the group instead. It transpired that instead of going to the group and removing the member from there, Eric had clicked through to the group while looking at the user object.

In the example above, if Eric clicks through to the group instead of selecting it and choosing “Remove memberships”, he will see the deletion option for the group.

It’s a reasonably easy mistake to make for someone who is unfamiliar with the tool.

Some learning pointers for Eric aside, the next task was how to go about restoring the group and its membership.

And that’s where things ground to a halt very quickly. While it’s possible to restore Microsoft 365 groups from the Deleted Groups blade in the portal, Entra ID doesn’t offer the same ability to restore deleted security groups.

You might also think that the deletion audit event would include details about the group membership. This would allow you to recreate the group with the same name and rebuild the membership from the audit information. Unfortunately, this level of detail isn’t available in the audit event.

So what can you do? I’d read online that Microsoft might be able to give you the membership details via a support ticket. We tried this option but Microsoft Support came back fairly quickly to say they weren’t able to help.

Ultimately, we had to create a new group and add the members as best we could. It wasn’t ideal.

It seems strange to me that Active Directory Domain Services has two features that can really help but which are a glaring omission from Entra ID. These are the AD Recycle Bin and the Protection From Accidental Deletion Flag. The AD Recycle Bin allows you to quickly restore a deleted object (including a security group, together with its membership) within a few seconds. The Protection From Accidental Deletion Flag is useful in that it requires an administrator to remove the flag before deleting the object.

So if you can’t restore a deleted security group, what are some good options to avoid accidental deletion of security groups in Entra ID? Well, there are a few things you can try.

The first is to mark important groups as role-enabled (also known as role-assignable). This ensures that only those with highly privileged Entra ID roles (e.g. Privileged Role Administrator, Global Administrator) can delete the group. You would expect admins in those roles to know how to avoid accidental group deletion. Bear in mind that you can only role-enable a group at creation time, and there is a limit of 500 role-enabled groups in a single tenant.
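As an added example (not code from the original post), the following Microsoft Graph PowerShell script creates a security group as role-assignable and first counts how many of the tenant's 500 role-assignable slots are already in use. It assumes the Microsoft.Graph module is installed and that the signed-in account holds a role permitted to create role-assignable groups, such as Privileged Role Administrator; the group name, mail nickname and description are hypothetical.

```powershell
# Added example: create a role-assignable (role-enabled) security group and
# check the tenant's usage of the 500 role-assignable group limit.
# Assumes the Microsoft.Graph PowerShell module; names below are hypothetical.

# Setting isAssignableToRole at creation requires the RoleManagement scope
# in addition to group write permissions.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'RoleManagement.ReadWrite.Directory'

# isAssignableToRole is immutable after creation, so listing it is also how
# you audit which existing groups are protected from deletion by lower-privileged admins.
$roleEnabled = Get-MgGroup -All -Property Id, DisplayName, IsAssignableToRole |
    Where-Object { $_.IsAssignableToRole -eq $true }

"$($roleEnabled.Count) of 500 role-assignable groups in use"

if ($roleEnabled.Count -ge 500) {
    throw 'Tenant limit of 500 role-assignable groups reached; cannot create another.'
}

# Role-assignable groups must be security groups with assigned (not dynamic) membership.
$group = New-MgGroup -DisplayName 'SG-Finance-Admins' `
    -Description 'Role-assignable group (hypothetical example)' `
    -MailEnabled:$false `
    -MailNickname 'sg-finance-admins' `
    -SecurityEnabled:$true `
    -IsAssignableToRole:$true

# Confirm the flag took effect before delegating membership management to first-level support.
$group | Select-Object Id, DisplayName, IsAssignableToRole
```

Because the flag cannot be set on an existing group, protecting a group that already exists means creating a new role-assignable group, migrating the membership, and retiring the old one; the membership listing in the script is a sensible check to run before and after that migration.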

The second option is to place the group inside an Administrative Unit and set up delegation so that Eric and his first level support team can only modify the membership and do not have the ability to delete the group. This option requires some setup, and the administrative overhead makes it unlikely to be feasible for large numbers of groups.

Assuming you have a hybrid environment, a third option is to master the group in Active Directory Domain Services. From there, you have the AD Recycle Bin and Protection From Accidental Deletion options mentioned above. I don’t personally like this option as it seems like a retrograde step for those wanting to move out of hybrid towards a cloud-only environment.

If you want to explore non-native solutions for recovering from deletions, one option is to look at services such as Semperis Disaster Recovery for Entra Tenant.

In summary, there is no built-in capability within Entra ID to restore hard-deleted security groups. Your best option currently is to try to avoid accidental deletion through improved delegation or to investigate third-party solutions.

Further reading: Recoverability best practices in Microsoft Entra ID – Microsoft Entra | Microsoft Learn

3 thoughts on “Entra ID and Accidental Security Group Deletion”

  1. Pingback: Restore Deleted Groups Only Possible for Some Group Types

  2. Mr.P

    “I’d read online that Microsoft might be able to give you the membership details via a support ticket. We tried this option but Microsoft Support came back fairly quickly to say they weren’t able to help.”
    I am surprised by the fact Microsoft support did not help you. We had the same problem (someone had deleted a security group), but Microsoft gave us the users’ ids (10k+ users) that were members of the deleted group, and we recreated the group using the provided list.

