| title | List deleted items (directory objects) |
|---|---|
| description | Retrieve a list of recently deleted items from deleted items. |
| author | vimranga |
| ms.localizationpriority | medium |
| ms.subservice | entra-directory-management |
| doc_type | apiPageType |
| ms.date | 06/23/2025 |
Namespace: microsoft.graph
Retrieve a list of recently deleted directory objects. Currently, deleted items functionality is only supported for the application, servicePrincipal, group, administrative unit, and user resources.
Retrieve a list of recently deleted directory objects from deleted items. The following types are supported:
- administrativeUnit
- application
- agentIdentityBlueprint
- agentIdentity
- agentIdentityBlueprintPrincipal
- certificateBasedAuthPki
- certificateAuthorityDetail
- group
- servicePrincipal
- user
[!INCLUDE national-cloud-support]
The following table shows the least privileged permission or permissions required to call this API on each supported resource type. Follow best practices to request least privileged permissions. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.
| Supported resource | Delegated (work or school account) | Delegated (personal Microsoft account) | Application |
|---|---|---|---|
| administrativeUnit | AdministrativeUnit.Read.All | Not supported. | AdministrativeUnit.Read.All |
| application | Application.Read.All | Not supported. | Application.Read.All |
| agentIdentity | AgentIdentity.Read.All | Not supported. | AgentIdentity.Read.All |
| agentIdentityBlueprint | AgentIdentityBlueprint.Read.All | Not supported. | AgentIdentityBlueprint.Read.All |
| agentIdentityBlueprintPrincipal | AgentIdentityBlueprintPrincipal.Read.All | Not supported. | AgentIdentityBlueprintPrincipal.Read.All |
| certificateBasedAuthPki | PublicKeyInfrastructure.Read.All | Not supported. | PublicKeyInfrastructure.Read.All |
| certificateAuthorityDetail | PublicKeyInfrastructure.Read.All | Not supported. | PublicKeyInfrastructure.Read.All |
| group | Group.Read.All | Not supported. | Group.Read.All |
| servicePrincipal | Application.Read.All | Not supported. | Application.Read.All |
| user | User.Read.All | Not supported. | User.Read.All |
[!INCLUDE limited-info]
[!INCLUDE rbac-directory-deleted-items-apis]
GET /directory/deletedItems/microsoft.graph.administrativeUnit
GET /directory/deletedItems/microsoft.graph.application
GET /directory/deletedItems/microsoft.graph.certificateBasedAuthPki
GET /directory/deletedItems/microsoft.graph.certificateAuthorityDetail
GET /directory/deletedItems/microsoft.graph.servicePrincipal
GET /directory/deletedItems/microsoft.graph.group
GET /directory/deletedItems/microsoft.graph.userImportant
For soft deleted security groups, the securityEnabled property returns false instead of true due to a known limitation.
To identify the group type, use the groupTypes property:
["Unified"]indicates a Microsoft 365 group.- An empty array (
[]) indicates a security group.
The OData cast type is a required part of the URI and calling GET /directory/deleteditems without a type is not supported.
This method supports the query parameters that are supported by the resource that is specified by the OData cast. That is, $count, $expand, $filter, $orderby, $search, $select, and $top query parameters. This API returns 100 objects by default and supports returning up to 999 objects per page using $top.
Some queries are supported only when you use the ConsistencyLevel header set to eventual and $count. For example:
GET https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.group?&$count=true&$orderby=deletedDateTime desc&$select=id,displayName,deletedDateTime
ConsistencyLevel: eventualThis example requires the ConsistencyLevel header because the $orderby and $count query parameters are used in the query.
The $orderby OData query parameter is supported on the deletedDateTime, displayName, and userPrincipalName properties of the deleted object types. On the deletedDateTime property, the query requires adding the advanced query parameters (ConsistencyLevel header set to eventual and $count=true query string).
| OData cast | Properties supporting $orderby | Example |
|---|---|---|
| microsoft.graph.user | deletedDateTime, displayName, userPrincipalName | /directory/deletedItems/microsoft.graph.user?$orderby=userPrincipalName |
| microsoft.graph.group | deletedDateTime, displayName | /directory/deletedItems/microsoft.graph.group?$orderby=deletedDateTime asc&$count=true |
| microsoft.graph.application | deletedDateTime, displayName | /directory/deletedItems/microsoft.graph.application?$orderby=displayName |
| microsoft.graph.device | deletedDateTime, displayName | /directory/deletedItems/microsoft.graph.device?$orderby=deletedDateTime&$count=true |
| Name | Description |
|---|---|
| Authorization | Bearer {token}. Required. Learn more about authentication and authorization. |
| Accept | application/json |
Don't supply a request body for this method.
If successful, this method returns a 200 OK response code and collection of directoryObject objects in the response body.
GET https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.group
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
Note: The response object shown here might be shortened for readability.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#groups",
"value": [
{
"id":"46cc6179-19d0-473e-97ad-6ff84347bbbb",
"displayName":"SampleGroup",
"groupTypes":["Unified"],
"mail":"example@contoso.com",
"mailEnabled":true,
"mailNickname":"Example",
"securityEnabled":false,
"visibility":"Public"
}
]
}Example 2: Retrieve the count of deleted user objects and order the results by the deletedDateTime property
GET https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.group?$count=true&$orderby=deletedDateTime asc&$select=id,DisplayName,deletedDateTime
ConsistencyLevel: eventual
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
Note: The response object shown here might be shortened for readability.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#groups(id,displayName,deletedDateTime)",
"@odata.count": 2,
"value": [
{
"id": "c31799b8-0683-4d70-9e91-e032c89d3035",
"displayName": "Role assignable group",
"deletedDateTime": "2021-10-26T16:56:36Z"
},
{
"id": "74e45ce0-a52a-4766-976c-7201b0f99370",
"displayName": "Role assignable group",
"deletedDateTime": "2021-10-26T16:58:37Z"
}
]
}