How to Restore a Deleted Microsoft 365 Hybrid User Account

Learn to restore a deleted user account in a hybrid environment by recovering from Active Directory Recycle Bin, syncing with Microsoft Entra Connect, and verifying access restoration.

Emanuel DE ALMEIDA
March 17, 2026 · 15 min read · 6 steps · difficulty: medium · topic: microsoft-365

Why is Restoring Hybrid User Accounts Different from Cloud-Only Accounts?

In a Microsoft 365 hybrid environment, user accounts originate from your on-premises Active Directory and synchronize to the cloud via Microsoft Entra Connect (formerly Azure AD Connect). This creates a fundamental difference in how deletions and restorations work compared to cloud-only environments.

When a hybrid user is deleted, the deletion typically starts in Active Directory and syncs to Microsoft 365. Simply restoring the user from Microsoft 365's deleted users list won't work properly because Active Directory remains the authoritative source. Attempting a cloud-only restoration creates conflicts and can result in duplicate accounts or synchronization errors.

What Makes This Process Critical for IT Administrators?

The hybrid restoration process requires careful coordination between on-premises and cloud systems. You must restore the user from the Active Directory Recycle Bin first, then force synchronization to update the cloud directory. This maintains the proper relationship between the on-premises source account and its cloud representation.

Understanding this process is essential because incorrect restoration attempts can lead to orphaned accounts, broken mailbox access, and synchronization conflicts that are difficult to resolve. The stakes are high when dealing with user access restoration, especially for executives or users with critical business functions.

What Will You Accomplish in This Tutorial?

By following this guide, you'll master the complete hybrid user restoration workflow. You'll learn to identify deleted users in both environments, use Active Directory Administrative Center and PowerShell commands for restoration, force synchronization cycles, and verify that users can access their Microsoft 365 services again. This knowledge will make you confident in handling one of the most stressful IT scenarios - restoring access for deleted user accounts.

Implementation Guide

Full Procedure

01

Verify the Deleted User in Microsoft 365 Admin Center

Before starting the restoration process, confirm the user appears in Microsoft 365's deleted users list. This step helps verify the deletion and provides context for the restoration.

Open your browser and navigate to the Microsoft 365 admin center. Sign in with your Global Admin or User Admin credentials.

In the left navigation pane, expand Users and click Deleted users. Look for your deleted user in the list. The user should appear here if deleted within the last 30 days.

Pro tip: Note the deletion date and any associated licenses. This information will be useful when reassigning licenses after restoration.

If you don't see the user in the deleted users list, they may have been permanently deleted or the 30-day retention period has expired. In this case, you'll need to rely entirely on the on-premises Active Directory restoration.

Verification: Take a screenshot or note the user's display name, username, and deletion date for reference during the restoration process.

02

Access the Domain Controller and Open Active Directory Administrative Center

Connect to your Domain Controller where the Active Directory Recycle Bin is enabled. You'll need Domain Admin privileges to access deleted objects.

Log into your Domain Controller using Remote Desktop or direct console access. Ensure you're signed in with an account that has Domain Admin permissions.

Open the Active Directory Administrative Center by clicking Start and typing dsac.exe, or navigate to Server Manager > Tools > Active Directory Administrative Center.

In the Active Directory Administrative Center, you'll see your domain listed in the left pane. Click on your domain name to expand it.

Warning: If Active Directory Recycle Bin wasn't enabled before the user was deleted, you won't see deleted objects here. You'll need to use authoritative restore with ntdsutil instead.

Verification: Confirm you can see the domain structure and that the Deleted Objects container appears when you expand your domain.

03

Locate and Restore the User from Active Directory Recycle Bin

Navigate to the Deleted Objects container to find and restore your deleted user account. This is the critical step that will restore the user as the authoritative source.

In the Active Directory Administrative Center, click on Deleted Objects under your domain. You'll see a list of all deleted Active Directory objects.

Locate your deleted user account. You can use the search box at the top right to filter by display name or username. Look for the user object with the correct name and deletion timestamp.

Right-click on the deleted user object and select Restore. The user will be restored to their original Organizational Unit (OU).

Alternatively, you can use PowerShell for more precise control. Open PowerShell as Administrator on the Domain Controller and run:

Get-ADObject -Filter 'isDeleted -eq $true -and sAMAccountName -eq "username"' -IncludeDeletedObjects | Restore-ADObject

Replace "username" with the actual sAMAccountName. You can also search by display name:

Get-ADObject -Filter 'isDeleted -eq $true -and displayName -like "*John Doe*"' -IncludeDeletedObjects | Restore-ADObject

Pro tip: Use the PowerShell method when you need to restore multiple users or want to script the process. The GUI method is better for single user restorations.

Verification: Check that the user no longer appears in the Deleted Objects container and verify they're back in their original OU by navigating to Active Directory Users and Computers.
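The one-liners above restore whatever the filter matches. For the scripted, multi-user case the pro tip mentions, the following is an added example (not code from the original tutorial) that adds the checks a scripted restore needs: it skips accounts that already exist as live objects, picks the most recent tombstone when a name was deleted more than once, and handles the case where the original OU was deleted as well. It assumes the ActiveDirectory module, Domain Admin rights and a domain with the Recycle Bin feature enabled; the account names and the fallback OU are constructed placeholders.

```powershell
# Added example: scripted Recycle Bin restore with pre-checks (not from the original tutorial).
# Assumes the ActiveDirectory module, Domain Admin rights and AD Recycle Bin enabled.
Import-Module ActiveDirectory

$accountsToRestore = @('jdoe', 'asmith')                       # placeholder sAMAccountNames
$fallbackOu        = 'OU=Restored Users,DC=corp,DC=example'    # placeholder; only used if the original OU is gone

foreach ($sam in $accountsToRestore) {
    # A live object with the same sAMAccountName means the account was already recreated.
    # Restoring on top of it fails, and two on-prem identities would compete for one cloud object.
    $live = Get-ADUser -Filter "sAMAccountName -eq '$sam'"
    if ($live) {
        Write-Warning "$sam already exists as a live object ($($live.DistinguishedName)); skipping."
        continue
    }

    # Tombstoned objects keep sAMAccountName, displayName, lastKnownParent and whenChanged
    # (close to the deletion time), which is enough to pick the right one when a name
    # was deleted more than once.
    $deleted = Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(sAMAccountName=$sam))" `
        -IncludeDeletedObjects -Properties displayName, lastKnownParent, whenChanged |
        Sort-Object whenChanged -Descending
    if (-not $deleted) {
        Write-Warning "$sam is not in the Recycle Bin (never deleted, or past the deleted-object lifetime); skipping."
        continue
    }
    $target = $deleted | Select-Object -First 1    # most recent deletion wins

    # Restore-ADObject puts the object back under lastKnownParent, so that OU must still exist.
    $parentOk = $true
    try { Get-ADObject -Identity $target.lastKnownParent -ErrorAction Stop | Out-Null }
    catch { $parentOk = $false }

    if ($parentOk) {
        Restore-ADObject -Identity $target.ObjectGUID
    } else {
        Write-Warning "Original OU $($target.lastKnownParent) is gone; restoring $sam to $fallbackOu instead."
        Restore-ADObject -Identity $target.ObjectGUID -TargetPath $fallbackOu
    }

    # Verify the object is back as a normal user and note where it landed: the OU must be
    # inside the Entra Connect sync scope or the next sync cycle will not pick it up.
    $restored = Get-ADUser -Identity $sam
    Write-Host ("Restored {0} ({1}) to {2}; deleted around {3}" -f `
        $sam, $target.displayName, $restored.DistinguishedName, $target.whenChanged)
}
```

The LDAP filter form `(isDeleted=TRUE)` only returns results when `-IncludeDeletedObjects` is present, which is why the live-object check is done separately with a plain `Get-ADUser` first.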

04

Force Synchronization with Microsoft Entra Connect

After restoring the user in on-premises Active Directory, you need to force a synchronization cycle to push the changes to Microsoft 365. This ensures the cloud directory reflects the restoration.

Connect to your Microsoft Entra Connect server using Remote Desktop or direct access. Sign in with an account that has local administrator privileges on the sync server.

Open Windows PowerShell as Administrator. You can do this by right-clicking the PowerShell icon and selecting "Run as administrator".

Execute the following command to start a delta synchronization cycle:

Start-ADSyncSyncCycle -PolicyType Delta

The delta sync will process only the changes since the last synchronization, which is faster and more efficient for single user restorations.

If you encounter issues or want to ensure all objects are synchronized, you can run a full synchronization instead:

Start-ADSyncSyncCycle -PolicyType Initial

Warning: Full synchronization takes much longer and processes all objects. Only use this if delta sync fails or if you suspect broader synchronization issues.

Monitor the synchronization progress by checking the output. You should see confirmation that the sync cycle has started successfully.

Verification: Wait for the sync to complete (typically 2-5 minutes for delta sync). You can check the sync status with Get-ADSyncScheduler to see the last sync time and next scheduled sync.
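`Start-ADSyncSyncCycle` refuses to start if a cycle is already running, and it returns as soon as the cycle is queued, not when it finishes. The following added example (not code from the original tutorial) wraps the commands from this step into a function that checks the scheduler state first, starts the delta sync, waits for the cycle to end, and then shows the connector run status. It assumes it runs in an elevated PowerShell session on the Entra Connect server where the ADSync module is available.

```powershell
# Added example: start a delta sync safely and wait for it (not from the original tutorial).
# Assumes an elevated session on the Entra Connect server (ADSync module present).
Import-Module ADSync

function Invoke-DeltaSyncAndWait {
    param(
        [int]$TimeoutMinutes = 10,    # delta sync usually finishes well inside this
        [int]$PollSeconds    = 15
    )

    $scheduler = Get-ADSyncScheduler
    if ($scheduler.StagingModeEnabled) {
        # A staging-mode server imports and synchronizes but never exports to Microsoft 365.
        Write-Warning 'This server is in staging mode; its exports never reach Microsoft 365. Run this on the active server.'
    }

    if ($scheduler.SyncCycleInProgress) {
        Write-Host 'A sync cycle is already in progress; waiting for it instead of starting another.'
    } else {
        Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
        Write-Host "Delta sync requested at $(Get-Date -Format 'u')"
    }

    # Poll the scheduler until the cycle finishes or the timeout expires.
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds $PollSeconds
        $inProgress = (Get-ADSyncScheduler).SyncCycleInProgress
    } while ($inProgress -and (Get-Date) -lt $deadline)

    if ($inProgress) {
        Write-Warning "Sync still running after $TimeoutMinutes minutes; inspect it in Synchronization Service Manager."
        return $false
    }

    # Get-ADSyncConnectorRunStatus returns nothing when no connector is running, so any
    # output at this point means a run is still active on one of the connectors.
    $running = Get-ADSyncConnectorRunStatus
    if ($running) {
        Write-Warning 'A connector run is still active:'
        $running | Format-List
        return $false
    }

    $scheduler = Get-ADSyncScheduler
    Write-Host "Sync cycle finished. Next scheduled sync: $($scheduler.NextSyncCycleStartTimeInUTC) (UTC)"
    return $true
}

Invoke-DeltaSyncAndWait
```

A `$false` return means the cycle is still running or timed out; the restored user may still appear in Microsoft 365 later, but the verification in the next step should wait until the function returns `$true`.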

05

Verify User Restoration in Microsoft 365 Admin Center

Return to the Microsoft 365 admin center to confirm the user has been successfully restored and is no longer in the deleted users list.

Navigate back to the Microsoft 365 admin center and refresh your browser. Go to Users > Deleted users first.

The restored user should no longer appear in the deleted users list. If they're still there, wait an additional 10-15 minutes as synchronization can take time to propagate across all Microsoft 365 services.

Next, navigate to Users > Active users. Your restored user should now appear in the active users list with their original display name and username.

Click on the user's name to open their profile. Check the following details:

  • Display name and contact information are correct
  • Department and job title are restored
  • Group memberships are intact
  • Licenses may need to be reassigned

If the user appears but shows no licenses assigned, you'll need to reassign them. Click on Licenses and apps tab and assign the appropriate licenses based on your organization's requirements.

Pro tip: Keep a record of users' original license assignments in a spreadsheet. This makes restoration much faster when you need to reassign licenses after account recovery.

Verification: Confirm the user shows as "Active" status and has the correct primary email address. The synchronization source should show as "Synced with Active Directory".
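The admin center checks above can also be done from Microsoft Graph PowerShell, which is handy when several users were restored at once. The following added example (not code from the original tutorial) confirms the user came back as a synced, enabled object, which rules out a cloud-only duplicate, and then reassigns the licenses that were recorded before the deletion, as the pro tip suggests. It assumes the Microsoft.Graph module is installed; the UPN, the usage location and the SKU names are constructed placeholders, and `Set-MgUserLicense` requires `User.ReadWrite.All` while `Get-MgSubscribedSku` requires `Organization.Read.All`.

```powershell
# Added example: verify the restored cloud object and reassign recorded licenses
# (not from the original tutorial). Assumes the Microsoft.Graph module.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Organization.Read.All'

$upn          = 'jdoe@yourdomain.com'     # placeholder UPN of the restored user
$recordedSkus = @('ENTERPRISEPACK')       # placeholder: SkuPartNumbers noted before deletion
$usageLocation = 'FR'                     # placeholder ISO country code, needed for licensing

$user = Get-MgUser -UserId $upn -Property `
    'id,displayName,accountEnabled,onPremisesSyncEnabled,onPremisesLastSyncDateTime,usageLocation,assignedLicenses'

# A hybrid user restored the right way is flagged as synced from on-premises AD.
# A restored-from-cloud duplicate is not, and licensing it would cement the conflict.
if (-not $user.OnPremisesSyncEnabled) {
    throw "$upn is not marked as synced from on-premises AD; this looks like a cloud-only object, not the restored hybrid user."
}
if (-not $user.AccountEnabled) {
    Write-Warning "$upn is disabled in Entra ID; check the Enabled flag on the on-prem account."
}
Write-Host "Last synced from AD: $($user.OnPremisesLastSyncDateTime)"

# License assignment fails without a usage location; set it only if it is missing.
if (-not $user.UsageLocation) {
    Update-MgUser -UserId $upn -UsageLocation $usageLocation
}

# Build the list of SKUs to add, skipping ones the user already holds or the tenant lacks.
$alreadyAssigned = @($user.AssignedLicenses | ForEach-Object { $_.SkuId })
$toAdd = foreach ($partNumber in $recordedSkus) {
    $sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $partNumber
    if (-not $sku) { Write-Warning "SKU $partNumber is not available in this tenant"; continue }
    if ($alreadyAssigned -contains $sku.SkuId) { continue }
    @{ SkuId = $sku.SkuId }
}

if ($toAdd) {
    Set-MgUserLicense -UserId $upn -AddLicenses @($toAdd) -RemoveLicenses @() | Out-Null
}

# Final state: what the user is licensed for now.
Get-MgUserLicenseDetail -UserId $upn | Select-Object SkuPartNumber, SkuId
```

Keeping the recorded SKU list per user (for instance exported with `Get-MgUserLicenseDetail` before any planned deletion) is what makes this step a one-liner instead of guesswork.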

06

Test User Access and Functionality

The final step is to verify that the restored user can actually sign in and access their Microsoft 365 services. This confirms the restoration was completely successful.

Contact the user or test the account yourself (if you have the credentials) by attempting to sign in to Microsoft 365 services.

Try accessing the following services to ensure full functionality:

  • Outlook Web App: Navigate to outlook.office.com
  • Microsoft 365 Portal: Go to portal.office.com
  • Teams: Access via web browser or desktop application
  • SharePoint: Test access to any sites the user previously had permissions to

During the first sign-in attempt, you might encounter temporary issues or redirect errors. This is normal immediately after restoration as authentication tokens and cached credentials need to refresh.

Warning: If you see HTTP 500 redirect errors during sign-in, don't panic. These are common immediately after account restoration and typically resolve within 30 minutes as the authentication system updates.

If the user cannot sign in after 30 minutes, check the following:

# Check sync errors in PowerShell on Entra Connect server
Get-ADSyncConnectorRunStatus

You can also verify the user's cloud identity status:

# Install and connect to Microsoft Graph PowerShell if not already done
Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes "User.Read.All"

# Check user status
Get-MgUser -Filter "userPrincipalName eq 'user@yourdomain.com'" | Select-Object DisplayName, AccountEnabled, UserPrincipalName

Verification: The user should be able to sign in successfully and access their email, calendar, and other Microsoft 365 services. Email delivery should resume normally, and the user should see their historical data intact.
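When sign-in still fails, the FAQ below points at the ImmutableID as the thing to check: the cloud object is linked to the on-premises object through it, and a mismatch means Microsoft 365 is holding a different identity than the one you restored. The following added example (not code from the original tutorial) derives the expected value from the on-prem object and compares it with what Entra ID holds. It assumes the ActiveDirectory module (on the DC or a machine with RSAT) and the Microsoft.Graph module; the account name and UPN are constructed placeholders. It compares against both objectGUID and msDS-ConsistencyGuid because either can be the configured source anchor.

```powershell
# Added example: compare the on-prem source anchor with the cloud onPremisesImmutableId
# (not from the original tutorial). Assumes ActiveDirectory and Microsoft.Graph modules.
Import-Module ActiveDirectory
Connect-MgGraph -Scopes 'User.Read.All'

$sam = 'jdoe'                     # placeholder on-prem sAMAccountName
$upn = 'jdoe@yourdomain.com'      # placeholder cloud UPN

function ConvertTo-ImmutableId {
    # Entra Connect stores the source anchor in the cloud as the base64 form of the anchor bytes.
    param([Parameter(Mandatory)][byte[]]$AnchorBytes)
    return [Convert]::ToBase64String($AnchorBytes)
}

$adUser = Get-ADUser -Identity $sam -Properties objectGUID, userPrincipalName, 'msDS-ConsistencyGuid'

# Candidate anchors: objectGUID always; msDS-ConsistencyGuid when it is populated.
$candidates = @{ objectGUID = ConvertTo-ImmutableId -AnchorBytes $adUser.ObjectGUID.ToByteArray() }
if ($adUser.'msDS-ConsistencyGuid') {
    $candidates['msDS-ConsistencyGuid'] = ConvertTo-ImmutableId -AnchorBytes ([byte[]]$adUser.'msDS-ConsistencyGuid')
}

$cloudUser = Get-MgUser -UserId $upn -Property `
    'id,userPrincipalName,onPremisesImmutableId,onPremisesSyncEnabled,accountEnabled'

$matchedBy = $candidates.GetEnumerator() |
    Where-Object { $_.Value -eq $cloudUser.OnPremisesImmutableId } |
    Select-Object -ExpandProperty Key

[pscustomobject]@{
    OnPremUPN        = $adUser.UserPrincipalName
    CloudUPN         = $cloudUser.UserPrincipalName
    CloudImmutableId = $cloudUser.OnPremisesImmutableId
    ExpectedFromGuid = $candidates['objectGUID']
    SyncEnabled      = $cloudUser.OnPremisesSyncEnabled
    AccountEnabled   = $cloudUser.AccountEnabled
    MatchedBy        = if ($matchedBy) { $matchedBy } else { 'none' }
} | Format-List

if (-not $matchedBy) {
    # The cloud object belongs to some other identity: a cloud-only duplicate created by a
    # cloud-side restore, or an on-prem account that was recreated instead of restored.
    Write-Warning "ImmutableId mismatch for $upn: the cloud object is not linked to the restored AD object. Resolve the link before the next sync cycle."
}
if ($adUser.UserPrincipalName -ne $cloudUser.UserPrincipalName) {
    Write-Warning 'UPN differs between AD and Entra ID; sign-in uses the cloud UPN.'
}
```

A `MatchedBy` of `none` together with `SyncEnabled = False` is the signature of the cloud-only duplicate the FAQ warns about; `MatchedBy = none` with `SyncEnabled = True` usually means the on-prem object was recreated with a new objectGUID rather than restored from the Recycle Bin.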

Frequently Asked Questions

What happens if Active Directory Recycle Bin wasn't enabled before user deletion?

If Active Directory Recycle Bin wasn't enabled, you cannot use the simple restore method described in this tutorial. You'll need to perform an authoritative restore using ntdsutil, which is more complex and requires restoring from a backup. Alternatively, you can recreate the user account with the same attributes, but this may cause synchronization issues and data loss. Always enable AD Recycle Bin as a preventive measure.

Can I restore a hybrid user directly from the Microsoft 365 admin center?

While technically possible, restoring a hybrid user directly from Microsoft 365 creates a cloud-only account that conflicts with the on-premises source. This results in synchronization errors and requires complex hard-matching procedures using PowerShell to link the accounts via ImmutableID. Always restore from Active Directory first to maintain proper hybrid identity relationships.

How long does Microsoft Entra Connect take to sync restored users?

Delta synchronization typically completes within 2-5 minutes after running Start-ADSyncSyncCycle. However, propagation across all Microsoft 365 services can take up to 30 minutes. Full synchronization takes longer depending on your directory size. You can monitor sync status using Get-ADSyncScheduler to see completion times and any errors.

Will restored users keep their original licenses and mailbox data?

Mailbox data is typically retained for 30 days in Microsoft 365 even after user deletion, so email and calendar data should be intact after restoration. However, license assignments are usually lost during deletion and must be manually reassigned through the Microsoft 365 admin center. Group memberships from Active Directory are restored automatically during sync.

What should I do if the restored user cannot sign in after 30 minutes?

Check for synchronization errors using Get-ADSyncConnectorRunStatus on your Entra Connect server. Verify the user appears in both Active Directory and Microsoft 365 with matching attributes. Ensure the user's OU is within the synchronization scope. If issues persist, check that the user's ImmutableID matches between on-premises and cloud using PowerShell, and consider running a full synchronization cycle.
Written by

Emanuel DE ALMEIDA

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
