Soft Delete in Microsoft Entra Conditional Access: Easily Restore Deleted Policies
Thanks to Soft Delete, a deleted policy in Microsoft Entra Conditional Access remains available for up to 30 days and can be fully restored during this retention period. This enables the complete recovery of deleted policies without significant effort, including all conditions, assignments, and access controls.
A variety of scenarios can lead to policies being deleted: accidental removal, faulty automations, tenant clean-ups or malicious changes. Soft Delete ensures rapid recovery and prevents the permanent loss of critical access rules as well as time-consuming rebuilds.
This new capability, currently in Public Preview, introduces a recycle-bin-like mechanism to Microsoft Entra ID. It extends the existing recovery concept in Entra ID, which has previously been available for objects such as users and groups.
This article outlines the requirements for Soft Delete in Microsoft Entra Conditional Access and demonstrates how deleted policies can be restored both in the Microsoft Entra admin center and via PowerShell.
Prerequisites and Licensing
Licensing
The Soft Delete feature is available in all tenants that use Microsoft Entra Conditional Access.
Microsoft Entra Conditional Access is included in Microsoft Entra ID P1.
Roles
The following role is suitable for displaying or restoring deleted policies according to the principle of least privilege.
| Role | Permission |
| --- | --- |
| Conditional Access Administrator | Can view and restore deleted policies |
View and Restore Deleted Policies in the Microsoft Entra Admin Center
View Deleted Policies
With the introduction of Soft Delete in Microsoft Entra Conditional Access, deleted policies are now available in a dedicated view in the Microsoft Entra Admin Center. This overview lists all policies that can be restored within the 30-day retention period.
Microsoft Entra admin center (https://entra.microsoft.com) > Entra ID > Conditional Access > Deleted Policies

Restore a Deleted Policy
There are two options for deleted policies:
- Delete permanently: Permanently removes the policy from Microsoft Entra ID (hard delete)
- Restore: Restores the deleted policy, including all conditions, assignments and access controls

A restored policy immediately reappears in its original state. However, it is recommended to first restore it in Report-only (1) mode to verify the configuration before manually enabling the policy.
Select Restore (2).

The Microsoft Entra Conditional Access policy is now available again under Policies for further editing.

View and Restore Deleted Policies Using PowerShell and Microsoft Graph
PowerShell and the Microsoft Graph API enable the management of Soft Delete in Microsoft Entra Conditional Access. The following examples use the current beta endpoints of Microsoft Graph, which provide the Soft Delete capability for Conditional Access.
View Deleted Policies
The following command lists all deleted policies that are still within the 30-day recovery period. The output includes the display name (1), the object ID (2), and the deletion date (3) of each policy.
```powershell
Connect-MgGraph -Scopes "Policy.Read.All"
$uri = "https://graph.microsoft.com/beta/identity/conditionalAccess/deletedItems/policies"
Invoke-MgGraphRequest -Uri $uri -OutputType PSObject |
    Select-Object -ExpandProperty value |
    Select-Object displayName, id, deletedDateTime
```

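The listing above shows which policies are recoverable, but not how long each one remains recoverable. The following added example (not code from the original article) extends the same call: it follows Graph's standard `@odata.nextLink` paging, computes the purge date from `deletedDateTime` and the 30-day retention period stated above, and flags policies that are close to being purged. The function name, the `WarnWithinDays` threshold and the assumption that the beta endpoint pages via `@odata.nextLink` are this example's own.

```powershell
# Added example (not from the original article): list soft-deleted Conditional
# Access policies with the time remaining in the 30-day retention window.
# Assumptions: the beta deletedItems endpoint shown in the article, standard
# Graph @odata.nextLink paging, and the 30-day retention period the article states.

function Get-DeletedCAPolicyRetention {
    [CmdletBinding()]
    param(
        # Policies with this many days or fewer until purge are flagged (assumed threshold)
        [int]$WarnWithinDays = 7,
        # Retention period as stated in the article
        [int]$RetentionDays = 30
    )

    $uri   = "https://graph.microsoft.com/beta/identity/conditionalAccess/deletedItems/policies"
    $items = @()

    # Follow @odata.nextLink so tenants with many deleted policies are fully enumerated
    while ($uri) {
        $page  = Invoke-MgGraphRequest -Uri $uri -Method GET -OutputType PSObject
        $items += $page.value
        $uri   = $page.'@odata.nextLink'
    }

    $now = (Get-Date).ToUniversalTime()
    foreach ($item in $items) {
        $deleted   = ([datetime]$item.deletedDateTime).ToUniversalTime()
        $purge     = $deleted.AddDays($RetentionDays)
        $remaining = [math]::Floor(($purge - $now).TotalDays)

        [pscustomobject]@{
            DisplayName     = $item.displayName
            Id              = $item.id
            DeletedDateTime = $deleted
            PurgeDateTime   = $purge
            DaysRemaining   = $remaining
            ExpiringSoon    = ($remaining -le $WarnWithinDays)
        }
    }
}

# Usage: the read-only scope from the article is sufficient for listing
Connect-MgGraph -Scopes "Policy.Read.All"
Get-DeletedCAPolicyRetention -WarnWithinDays 7 |
    Sort-Object DaysRemaining |
    Format-Table DisplayName, Id, DeletedDateTime, DaysRemaining, ExpiringSoon -AutoSize
```

Running this on a schedule gives an early warning before a policy that was deleted by mistake silently drops out of the retention window.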
Restore a Deleted Policy
Restoring a policy returns it to its original state. In the following PowerShell example, replace the value of the $policyId variable with the value retrieved in the previous step.
```powershell
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"
$policyId = "c989ab82-96bb-4f60-b985-86b21deafbc4"
$restoreUri = "https://graph.microsoft.com/beta/identity/conditionalAccess/deletedItems/policies/$policyId/restore"
Invoke-MgGraphRequest -Uri $restoreUri -Method POST
```

It is recommended to set the policy to Report-only mode so that it can be reviewed in the Microsoft Entra admin center after restoration and then manually enabled. Report-only mode is set by changing the policy's state value to enabledForReportingButNotEnforced.
```powershell
$updateUri = "https://graph.microsoft.com/beta/identity/conditionalAccess/policies/$policyId"
$body = @{
    state = "enabledForReportingButNotEnforced"
} | ConvertTo-Json
Invoke-MgGraphRequest -Uri $updateUri -Method PATCH -Body $body -ContentType "application/json"
$getUri = "https://graph.microsoft.com/beta/identity/conditionalAccess/policies/$policyId"
Invoke-MgGraphRequest -Uri $getUri -Method GET -OutputType PSObject
```

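The restore and the switch to Report-only are two steps of one procedure, so the following added example (not code from the original article) wraps them in a single function. It first confirms the ID is actually present in the deleted-items list, then restores, patches the state immediately afterwards (the article notes a restored policy comes back in its original state, which may be enforced), and finally reads the policy back to verify the state really is Report-only. The function name and the placeholder policy ID are this example's own; the endpoints and the state value are those used above.

```powershell
# Added example (not from the original article): restore a soft-deleted
# Conditional Access policy and immediately place it in Report-only mode.
# Assumptions: the beta deletedItems, restore and policies endpoints used in
# the article; the policy ID is supplied by the caller (placeholder below).

function Restore-CAPolicyAsReportOnly {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$PolicyId
    )

    $base       = "https://graph.microsoft.com/beta/identity/conditionalAccess"
    $deletedUri = "$base/deletedItems/policies"
    $restoreUri = "$base/deletedItems/policies/$PolicyId/restore"
    $policyUri  = "$base/policies/$PolicyId"
    $reportOnly = "enabledForReportingButNotEnforced"

    # 1. Confirm the ID refers to a soft-deleted policy before changing anything
    $deleted = Invoke-MgGraphRequest -Uri $deletedUri -Method GET -OutputType PSObject |
        Select-Object -ExpandProperty value |
        Where-Object { $_.id -eq $PolicyId }
    if (-not $deleted) {
        throw "No soft-deleted Conditional Access policy with id '$PolicyId' was found."
    }
    Write-Verbose "Restoring '$($deleted.displayName)' (deleted $($deleted.deletedDateTime))"

    # 2. Restore; the policy returns in its original state, which may be enforced
    Invoke-MgGraphRequest -Uri $restoreUri -Method POST | Out-Null

    # 3. Switch to Report-only right away so the configuration can be reviewed first
    $body = @{ state = $reportOnly } | ConvertTo-Json
    Invoke-MgGraphRequest -Uri $policyUri -Method PATCH -Body $body -ContentType "application/json"

    # 4. Read the policy back and verify the state actually changed
    $policy = Invoke-MgGraphRequest -Uri $policyUri -Method GET -OutputType PSObject
    if ($policy.state -ne $reportOnly) {
        throw "Policy '$PolicyId' was restored, but its state is '$($policy.state)' instead of Report-only."
    }

    [pscustomobject]@{
        DisplayName = $policy.displayName
        Id          = $policy.id
        State       = $policy.state
    }
}

# Usage: replace the placeholder with an id from the deleted-policies listing
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"
Restore-CAPolicyAsReportOnly -PolicyId "<policy-id-from-deleted-items-list>" -Verbose
```

Because the function throws when the final state check fails, it can be used in an automation without the risk of a policy silently being restored in enforced mode.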
Conclusion
The introduction of Soft Delete in Microsoft Entra Conditional Access represents a significant contribution to security and stability. Deleted policies can now be restored with minimal effort. Soft Delete therefore adds a valuable additional layer of protection and demonstrates how Microsoft continues to strengthen the resilience of the Entra platform. A small but powerful update.