Microsoft Entra: Soft deletion and restoration for cloud security groups

Microsoft Entra introduces soft deletion and restoration for cloud security groups, allowing recovery within 30 days while preserving settings, ownership, and membership. Rollout begins in late October 2025 (preview) and February 2026 (general availability). Deleted groups remove access until restored; audit logs track actions. To help organizations recover from accidental or malicious deletions, Microsoft Entra is introducing soft deletion and restoration for cloud security groups. This feature allows deleted groups to be restored within 30 days, preserving their settings, ownership, and membership—reducing the need to rebuild access models from scratch. When this will happen: Public preview: Rollout began in late in October 2025 and is expected to complete by early November 2025. General availability (Worldwide): Rollout begins in late February 2026 and is expected to complete by early March 2026. How this affects your organization: Who is affected: Admins managing Microsoft Entra cloud security groups. Users whose access is governed by security groups. What will happen: Deleted cloud security groups will enter a soft deleted state and appear in the Deleted groups blade. During soft deletion: Access granted via the group is removed. The group is restorable for up to 30 days. After 30 days, the group is permanently deleted. Restoration recovers: Group properties (name, description, type) Settings (roles, policies) Ownership and membership (assigned and dynamic) Admin tools supported: Microsoft Entra admin center Microsoft Graph PowerShell Audit logs will capture deletion, restoration, and hard delete actions. Users lose access via the group during soft deletion; restoring the group reapplies access based on the group’s previous configuration. If a resource (for example, a SharePoint site, app, or policy scope) is protected by a soft deleted group, affected users immediately lose access via that group. If users had direct or alternate access paths, those remain unchanged. What you can do to prepare: Identify critical groups: Inventory and tag critical security groups that gate access to sensitive resources. Update admin runbooks: Add steps to restore a deleted group before attempting to rebuild it. Test in a pilot (after preview reaches your tenant): Create a test security group, grant it access to a nonproduction […]

The post Microsoft Entra: Soft deletion and restoration for cloud security groups appeared first on M365 Admin.