Previously, deleting a Conditional Access (CA) policy in Microsoft Entra ID was permanent: once removed, it couldn’t be recovered. In short, it was gone!
Now Entra ID has soft delete with backup and restore capabilities. When a CA policy is deleted, it enters a soft-deleted state instead of being immediately purged. This feature is in Preview (at least as of 02.12.2025).
- Retention period: 30 days
- During this time, admins can view, restore, or permanently delete the policy.
- After 30 days, the policy is irreversibly deleted and cannot be recovered via any interface or Graph API.
This design reduces the risk of accidental deletions and strengthens governance by providing a recovery window before permanent removal if someone makes a mistake.
Pre-req
Not everyone has this capability, of course; only users with specific administrative roles in Entra ID do.
Prerequisites for recovery in the Entra admin center:
To restore a deleted CA policy, you must be signed in with one of these roles:
- Conditional Access Administrator
- Security Administrator
- Global Administrator
Best practice: For security and least privilege, use the Conditional Access Administrator role whenever possible.
If you restore through Microsoft Graph, you need to be granted (or grant yourself) these scopes:
- Read deleted policies: Policy.Read.ConditionalAccess
- Restore a policy: Policy.ReadWrite.ConditionalAccess
To query for deleted CA policies, use this endpoint: https://graph.microsoft.com/beta/conditionalAccess/deletedItems/policies
To restore a CA policy from Graph, use this endpoint: https://graph.microsoft.com/beta/conditionalAccess/deletedItems/policies/{policy-id}/restore
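The two Graph calls above combined into one script, as an added example (not code from the original post): it lists soft-deleted policies with their permanent deletion date and optionally restores one. The `-RestoreId` parameter, the `deletedDateTime` property name and POST as the restore method are assumptions not stated in the post.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example, not from the original post. Run without -RestoreId to only list.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$RestoreId,        # hypothetical parameter: id of the soft-deleted policy to restore
    [int]$RetentionDays = 30   # retention period stated in the post
)
$base = 'https://graph.microsoft.com/beta/conditionalAccess/deletedItems/policies'

# Least privilege: request the write scope only when a restore is asked for.
$scopes = @('Policy.Read.ConditionalAccess')
if ($RestoreId) { $scopes += 'Policy.ReadWrite.ConditionalAccess' }
Connect-MgGraph -Scopes $scopes | Out-Null

# Collect every soft-deleted policy, following paging links if present.
$deleted = @()
$uri = $base
while ($uri) {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $deleted += $page.value
    $uri = $page.'@odata.nextLink'
}

$now = [datetime]::UtcNow
$report = foreach ($p in $deleted) {
    # Assumption: each item carries its deletion time in 'deletedDateTime'.
    $purge = if ($p.deletedDateTime) {
        ([datetime]$p.deletedDateTime).ToUniversalTime().AddDays($RetentionDays)
    }
    [pscustomobject]@{
        Id          = $p.id
        DisplayName = $p.displayName
        State       = $p.state
        PurgeOnUtc  = $purge
        DaysLeft    = if ($purge) { [math]::Floor(($purge - $now).TotalDays) }
    }
}
$report | Sort-Object DaysLeft | Format-Table -AutoSize

if ($RestoreId) {
    $target = $report | Where-Object Id -eq $RestoreId
    if (-not $target) { throw "Policy '$RestoreId' is not in the deleted items list." }
    if ($PSCmdlet.ShouldProcess($target.DisplayName, 'Restore Conditional Access policy')) {
        # Assumption: restore is invoked with POST, like other Graph actions.
        Invoke-MgGraphRequest -Method POST -Uri "$base/$RestoreId/restore" | Out-Null
        if ($target.State -eq 'enabled') {
            Write-Warning "'$($target.DisplayName)' was enabled before deletion; validate it before relying on it."
        }
    }
}
```

Running it with `-WhatIf` shows which policy would be restored without sending the restore request.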
Restore a deleted Conditional Access Policy
When using Microsoft Entra admin center to restore a Conditional Access Policy, this is how it’s done:
- Sign in to the Microsoft Entra admin center with an account that has one of the required roles (Conditional Access Administrator, Security Administrator, or Global Administrator).
- Navigate to: Entra ID → Conditional Access → Deleted Policies (Preview)
  This tab shows details like Policy Name, Deleted Date, Permanent Deletion Date, and Deleted By (at the time of writing this blog post, Deleted By is not showing the correct value).
- Find the policy you want to restore in the list.
- Click the ellipsis (…) menu next to the policy and select Restore.
- In the dialog box, choose whether to keep the Previous state or change the policy to Report-only mode after restore.
- Click Restore. The policy will disappear from the Deleted Policies list and reappear in your main Policies list.

⚠️ Important
Restoring a policy to its previous configuration may lead to unexpected behavior.
To minimize risk:
- Enable the policy only after full validation
- First restore in Report-only mode
- Review the results thoroughly
