Recovering accidentally deleted service principal objects

The Microsoft Graph API will soon begin supporting the ability to recover accidentally deleted service principal objects, the feature will be rolling out 4/2022.

The Application object already supports this feature.

How to: Restore or remove a recently deleted application with the Microsoft identity platform – Microsoft identity platform

In this how-to, you learn how to restore or permanently delete a recently deleted application registered with the Microsoft identity platform.

And it can be found here.

How it works?

Whenever you delete a service principal using one of the following supported experiences, the service principal is soft-deleted and can be restored.

• Azure AD app registrations portal,
• Enterprise apps portal,
• Delete service principal method for Microsoft Graph API,
• Remove-AzureADServicePrincipal Azure AD PowerShell cmdlet
• Any custom software calling these interfaces

What then?

• Soft-deleted service principal objects are moved to the deleted item container and can be recovered for up to 30 days. After 30 days, they will be permanently deleted and the quota will be released.
• Soft-deleted service principals can be listed using the List deleted items method for Microsoft Graph API or using Get-AzureADMSDeletedDirectoryObject PowerShell cmdlet.
• Soft deleted service principals can be permanently deleted using the Permanently delete item method for Microsoft Graph API or Remove-AzureADMSDeletedDirectoryObject PowerShell cmdlet.

Note! A non-admin user can create no more than 250 Azure AD resources. Both active resources and deleted resources that are available to restore count toward this quota. Only deleted Azure AD resources that were deleted fewer than 30 days ago are available to restore. Deleted Azure AD resources that are no longer available to restore count toward this quota at a value of one-quarter for 30 days.
If you have developers who are likely to repeatedly exceed this quota in the course of their regular duties, you can create and assign a custom role with permission to create a limitless number of app registrations.

Service limits and restrictions – Azure Active Directory

Usage constraints and other service limits for the Azure Active Directory service

Quota limits already specified apply when you create an application or service principal using a delegated flow like Azure AD App Registration or the Enterprise Apps Portal. This limitation does not apply when you programmatically interact with the Microsoft Graph API using an application flow.

What you need to do to prepare?

Notify users of this change and update training and documentation as needed. If you have cleanup scripts that permanently remove the application that releases the quota, update those scripts to include the service principal as well.

Users who repeatedly exceed quotas in the course of their normal duties can use the information in the previous section to permanently remove resources they no longer need.