How to Restore Deleted Conditional Access Policies Using PowerShell

Restore deleted Conditional Access Policies

Conditional Access (CA) policies are essential to protecting your Microsoft 365 environment. They control who can access resources and under what conditions. But one major limitation is that a deleted CA policy cannot be restored from the Entra admin center: the portal offers no recycle bin for them, so an accidental deletion removes the control immediately.

Fortunately, PowerShell, in combination with Microsoft Graph, provides a reliable way to list and recover deleted policies, saving administrators from the tedious task of recreating them manually.

How to Recover Deleted Conditional Access Policies Using Microsoft Graph

First, connect PowerShell to Microsoft Graph with a read permission that covers policy data (the parameter is -Scopes, plural):

Connect-MgGraph -Scopes "Policy.Read.All"

This allows you to query the list of deleted policies.

List Deleted Conditional Access Policies

Once connected, you can retrieve all deleted CA policies with the following request (the deleted-items endpoint exists only under /beta):

$uri = "/beta/identity/conditionalAccess/deletedItems/policies"
Invoke-MgGraphRequest -Uri $uri -OutputType PSObject | Select-Object -ExpandProperty value

The output lists each deleted policy as a conditionalAccessPolicy object. Note the id attribute of each one, as the id is what identifies the specific policy you want to restore; the displayName is what you will recognise it by.

Listing Other Deleted Policy Types

The same pattern lists other deleted policy objects. Prefix each path with /beta, as in the request above:

Policy type                              Graph URI
Cross-tenant access policies             /policies/deletedItems/crossTenantPartners
Cross-tenant identity sync policies      /policies/deletedItems/crossTenantSyncPolicyPartners
Named locations                          /identity/conditionalAccess/deletedItems/namedLocations

Restore a Deleted Conditional Access Policy

After identifying the policy ID, you need a write permission to restore it. If you are still in the read-only session from above, reconnect with the write scope (or request both scopes in a single Connect-MgGraph call):

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$policyId = "<deleted conditional access policy ID>"
$uri = "/beta/identity/conditionalAccess/deletedItems/policies/$policyId/restore"
Invoke-MgGraphRequest -Uri $uri -Method POST

After this request succeeds, the policy is back in your tenant with the configuration it had when it was deleted. Do not assume it is enforcing anything until you check its state property (enabled, disabled, or enabledForReportingButNotEnforced) in the Entra admin center or with a GET on the policy.
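The steps above (connect, list, restore, verify) combined into one script, as an added example that is not part of the original post. It assumes the Microsoft Graph PowerShell SDK is installed, that the restored policy keeps the id it had as a deleted item, and that the display name "Require MFA for all users" is a placeholder to replace with your own. The generic listing function also covers the other deleted policy types from the table above.

```powershell
# Added example, not code from the original post.
# Connect once with both scopes so listing and restoring work in the same session.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

function Get-GraphDeletedItems {
    # Lists a deleted-items collection and follows @odata.nextLink so large
    # tenants are not truncated to the first page. Works for any of the
    # deleted-items paths shown in the post; all of them live under /beta.
    param([Parameter(Mandatory)][string]$Path)
    $uri = "/beta$Path"
    $items = @()
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
        $items += $page.value
        $uri = $page.'@odata.nextLink'   # $null on the last page ends the loop
    }
    return $items
}

function Restore-DeletedCaPolicy {
    # Restores a deleted Conditional Access policy by id (beta endpoint from the post).
    param([Parameter(Mandatory)][string]$PolicyId)
    $uri = "/beta/identity/conditionalAccess/deletedItems/policies/$PolicyId/restore"
    Invoke-MgGraphRequest -Method POST -Uri $uri -OutputType PSObject
}

# 1. Inventory everything that is recoverable, CA policies first.
$deletedPolicies = Get-GraphDeletedItems -Path "/identity/conditionalAccess/deletedItems/policies"
$deletedPolicies | Select-Object id, displayName, state | Format-Table -AutoSize

# The other deleted policy types from the post, shown as counts only.
$otherPaths = @{
    "Cross-tenant access policies"        = "/policies/deletedItems/crossTenantPartners"
    "Cross-tenant identity sync policies" = "/policies/deletedItems/crossTenantSyncPolicyPartners"
    "Named locations"                     = "/identity/conditionalAccess/deletedItems/namedLocations"
}
foreach ($entry in $otherPaths.GetEnumerator()) {
    $count = @(Get-GraphDeletedItems -Path $entry.Value).Count
    "{0}: {1} deleted item(s)" -f $entry.Key, $count
}

# 2. Pick the policy to restore by display name (placeholder name, replace with yours)
#    and refuse to guess if the name is missing or not unique.
$targetName = "Require MFA for all users"
$target = @($deletedPolicies | Where-Object displayName -eq $targetName)
if ($target.Count -eq 0) { throw "No deleted CA policy named '$targetName'" }
if ($target.Count -gt 1) { throw "'$targetName' matches $($target.Count) deleted policies; restore by id instead" }
$policyId = $target[0].id

Restore-DeletedCaPolicy -PolicyId $policyId | Out-Null

# 3. Verify by reading the live policy back (assumes the id is unchanged by restore)
#    and flag it if it is not actually enforcing.
$restored = Invoke-MgGraphRequest -Method GET `
    -Uri "/beta/identity/conditionalAccess/policies/$policyId" -OutputType PSObject
"Restored '{0}' (id {1}) with state '{2}'" -f $restored.displayName, $restored.id, $restored.state
if ($restored.state -ne "enabled") {
    Write-Warning "Policy '$($restored.displayName)' is '$($restored.state)'; enable it unless report-only or disabled is intended."
}
```

Restoring by display name rather than by pasting an id is convenient, but display names are not unique in Conditional Access, which is why the script stops rather than picking the first match. The final GET is the check that matters: a policy that comes back in report-only or disabled state closes no security gap until someone enables it.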

A Few Considerations

  • Permissions: Policy.Read.All for listing and Policy.ReadWrite.ConditionalAccess for restoring.

  • Availability: Currently, these APIs work only in the global Microsoft cloud. They are not supported in US Government (GCC High / DoD, i.e. L4/L5) or China (21Vianet) deployments.

  • Beta API: As these requests use the /beta Graph endpoint, the paths and response shapes may change before being promoted to v1.0, so pin the paths in your scripts and re-test after SDK updates.

Conclusion

PowerShell provides a simple and effective way to recover deleted Conditional Access policies in Microsoft 365. By leveraging Graph API commands in PowerShell, administrators can avoid security gaps and prevent the need to rebuild policies from scratch.

With this approach, accidental deletions no longer have to disrupt your environment—restoration is just a few commands away.
