Recovering accidentally deleted service principal objects

The Microsoft Graph API will soon support recovering accidentally deleted service principal objects; the feature will roll out in April 2022.

The Application object already supports this feature, and it can be found here.

How does it work?

Whenever you delete a service principal using one of the following supported experiences, the service principal is soft-deleted and can be restored.

What then?

Note! A non-admin user can create no more than 250 Azure AD resources. Both active resources and deleted resources that are available to restore count toward this quota. Only deleted Azure AD resources that were deleted fewer than 30 days ago are available to restore. Deleted Azure AD resources that are no longer available to restore count toward this quota at a value of one-quarter for 30 days.
If you have developers who are likely to repeatedly exceed this quota in the course of their regular duties, you can create and assign a custom role with permission to create a limitless number of app registrations.

The quota limits specified above apply when you create an application or service principal through a delegated flow such as Azure AD App Registration or the Enterprise Apps portal. They do not apply when you interact with the Microsoft Graph API programmatically using an application flow.

What do you need to do to prepare?

Notify users of this change and update training and documentation as needed. If you have cleanup scripts that permanently remove applications in order to release the quota, update them so they permanently remove the corresponding service principals as well.

Users who repeatedly exceed quotas in the course of their normal duties can use the information in the previous section to permanently remove resources they no longer need.
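As an added illustration (my own code, not part of the original post), the Python below shows how such a cleanup script could account for soft-deleted objects against the 250-object quota and build the Microsoft Graph calls that restore or permanently delete them. The endpoint paths are Graph's documented /directory/deletedItems routes; the quota weighting is my reading of the rule stated above (whole object while restorable, one-quarter for the next 30 days); the sample items and ids are constructed.

```python
from datetime import datetime, timedelta, timezone

GRAPH = "https://graph.microsoft.com/v1.0"
NON_ADMIN_QUOTA = 250                # per-user limit stated in the post
RESTORE_WINDOW = timedelta(days=30)  # restorable, counts as a whole object
PARTIAL_WINDOW = timedelta(days=60)  # then counts one-quarter for 30 more days

# Constructed sample of deleted service principals (placeholder ids), trimmed to the fields used.
SAMPLE_NOW = datetime(2022, 4, 30, tzinfo=timezone.utc)
SAMPLE_DELETED = [
    {"id": "sp-restorable-0001", "deletedDateTime": "2022-04-25T09:00:00Z"},  # 5 days old
    {"id": "sp-expired-0002", "deletedDateTime": "2022-03-21T09:00:00Z"},     # 40 days old
    {"id": "sp-gone-0003", "deletedDateTime": "2022-02-19T09:00:00Z"},        # 70 days old
]

def restore_request(object_id):
    """(method, url) that restores a soft-deleted directory object."""
    return ("POST", f"{GRAPH}/directory/deletedItems/{object_id}/restore")

def purge_request(object_id):
    """(method, url) that permanently deletes it and releases its share of the quota."""
    return ("DELETE", f"{GRAPH}/directory/deletedItems/{object_id}")

def parse_graph_time(value):
    """Graph returns deletedDateTime as UTC ISO-8601 ending in Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def quota_weight(deleted_at, now):
    """Share of the quota one soft-deleted object consumes at `now` (my reading of the rule)."""
    age = now - deleted_at
    if age < RESTORE_WINDOW:
        return 1.0
    if age < PARTIAL_WINDOW:
        return 0.25
    return 0.0

def quota_usage(active_count, deleted_items, now):
    """Active objects plus weighted soft-deleted ones, as counted against the 250 limit."""
    return active_count + sum(
        quota_weight(parse_graph_time(i["deletedDateTime"]), now) for i in deleted_items)

def plan_cleanup(deleted_items, now, keep_ids=()):
    """Purge requests for deleted objects still counting toward quota, except those to keep."""
    return [purge_request(i["id"]) for i in deleted_items
            if i["id"] not in keep_ids
            and quota_weight(parse_graph_time(i["deletedDateTime"]), now) > 0]

if __name__ == "__main__":
    print(quota_usage(248, SAMPLE_DELETED, SAMPLE_NOW), "of", NON_ADMIN_QUOTA)
    print(plan_cleanup(SAMPLE_DELETED, SAMPLE_NOW, keep_ids={"sp-restorable-0001"}))
```

Run the same planning over the deleted applications list (microsoft.graph.application under /directory/deletedItems) so the script releases both halves of each app, as the preparation step above requires.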

Author: Harri Jaakkonen
