| title | Get deleted item (directory object) |
|---|---|
| description | Retrieve the properties of a recently deleted application, group, service principal, or user from deleted items. |
| author | vimranga |
| ms.localizationpriority | medium |
| ms.subservice | entra-directory-management |
| doc_type | apiPageType |
| ms.date | 06/23/2025 |
Namespace: microsoft.graph
Retrieve the properties of a recently deleted application, group, servicePrincipal, administrative unit, or user object from deleted items.
Retrieve the properties of a recently deleted directory object from deleted items. The following types are supported:
- administrativeUnit
- application
- agentIdentityBlueprint
- agentIdentity
- agentIdentityBlueprintPrincipal
- certificateBasedAuthPki
- certificateAuthorityDetail
- group
- servicePrincipal
- user
[!INCLUDE national-cloud-support]
The following table shows the least privileged permission or permissions required to call this API on each supported resource type. Follow best practices to request least privileged permissions. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.
| Supported resource | Delegated (work or school account) | Delegated (personal Microsoft account) | Application |
|---|---|---|---|
| administrativeUnit | AdministrativeUnit.Read.All | Not supported. | AdministrativeUnit.Read.All |
| application | Application.Read.All | Not supported. | Application.Read.All |
| agentIdentity | AgentIdentity.Read.All | Not supported. | AgentIdentity.Read.All |
| agentIdentityBlueprint | AgentIdentityBlueprint.Read.All | Not supported. | AgentIdentityBlueprint.Read.All |
| agentIdentityBlueprintPrincipal | AgentIdentityBlueprintPrincipal.Read.All | Not supported. | AgentIdentityBlueprintPrincipal.Read.All |
| certificateBasedAuthPki | PublicKeyInfrastructure.Read.All | Not supported. | PublicKeyInfrastructure.Read.All |
| certificateAuthorityDetail | PublicKeyInfrastructure.Read.All | Not supported. | PublicKeyInfrastructure.Read.All |
| group | Group.Read.All | Not supported. | Group.Read.All |
| servicePrincipal | Application.Read.All | Not supported. | Application.Read.All |
| user | User.Read.All | Not supported. | User.Read.All |
[!INCLUDE rbac-directory-deleted-items-apis]
GET /directory/deletedItems/{object-id}Important
For soft deleted security groups, the securityEnabled property returns false instead of true due to a known limitation.
To identify the group type, use the groupTypes property:
["Unified"]indicates a Microsoft 365 group.- An empty array (
[]) indicates a security group.
This method supports the OData Query Parameters to help customize the response.
| Name | Description |
|---|---|
| Authorization | Bearer {token}. Required. Learn more about authentication and authorization. |
| Accept | application/json |
Don't supply a request body for this method.
If successful, this method returns a 200 OK response code and a directoryObject object in the response body.
The following example shows a request.
GET https://graph.microsoft.com/v1.0/directory/deletedItems/{object-id}
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
The following example shows the response.
Note: The response object shown here might be shortened for readability.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#directoryObjects/$entity",
"id":"46cc6179-19d0-473e-97ad-6ff84347bbbb",
"displayName":"SampleGroup",
"groupTypes":["Unified"],
"mail":"example@contoso.com",
"mailEnabled":true,
"mailNickname":"Example",
"securityEnabled":false,
"visibility":"Public"
}