Restoring an Entra ID user will update its attributes, link to manager, role assignments, group ownerships, group and unit memberships, and licenses. 

Important: Before you begin your restore, ensure the Entra ID service account that was used to create the connector is assigned the global admin role.


Restore an Entra ID user

1. Open the Connectors page and select the desired connector. 

2. Locate the user in your connector.

3. Optional: If you want to restore an older version of the object, click the Snapshots Viewer icon, then select an earlier snapshot. You will now be viewing data from that particular time.

4. Select ••• > Restore.

Tip: To preview the attributes and relationships and to compare them to older versions, select ••• > Object metadata. You can also initiate the restore directly from this previewer. 

5. Click Yes to restore the user. 

Note: To restore multiple users at time, select the items. In the toolbar, select Restore.

What happens when a user is restored

  • Attributes restored
    The user's attributes, licenses, authmethods, and photo are recreated (if missing) or updated (it still existing).
  • Relationships reestablished
    The following relationships are reestablished:
    • Memberships - links to groups and admin units that the user is a member of 
    • Ownerships - links to groups that the user is an owner of
    • Role assignments - links to roles that are assigned to this user
    • Manager - the link to the user's manager
      Note: A relationship can be reestablished only if the linked object still exists in Entra ID.
  • New ID and creation time
    • If the user no longer exists in Entra ID, it will receive a new object ID and creation time. 
    • If the user is in the "Deleted users" folder (i.e., it has not yet been permanently deleted), it will be restored with its original ID and creation time (but deletion time property will change to null).
      Note: Restoring users will recreate them with new IDs, but duplicates will not be created if restored from the same snapshot. Users are recognized by their attributes, and existing users in Entra ID will be overwritten.

This diagram shows the relationships that are restored:


 

Restore limitations

  • If the user was a member of a distribution group or mail-enabled security group, we cannot reestablish the links to these groups due to an API limitation. In this case, the restore job will be marked as incomplete, and these relationships will be skipped.
  • Due to a Microsoft Graph public API limitation, a user with on-premises sync enabled cannot be restored. 
  • Authentication methods are not restored.

Note: A user's group-inherited roles are not displayed in the UI, but they are backed up and restored.