
How to Restore Deleted Conditional Access Policies in Microsoft Entra ID

by Praba


Microsoft Entra Conditional Access policies are a central component of an organization’s security posture. They dictate who can access which resources, and under which conditions, making them a critical part of any modern identity and Zero Trust framework. However, even the most meticulous IT administrators make mistakes. Accidentally deleting a Conditional Access (CA) policy can open a security gap or lock users out of critical applications, causing significant disruption. Thankfully, Microsoft has now added the ability to restore deleted Conditional Access policies in Entra ID. This blog post walks you through how to restore a deleted Conditional Access policy.

Soft-Deleted Conditional Access Policies

Previously, deleted Conditional Access policies in Microsoft Entra ID were removed permanently and could not be recovered.

Now, Entra ID supports soft delete and backup/restore capabilities. When a CA policy is deleted, it moves to a soft-deleted state instead of being removed immediately.

  • These policies are retained for 30 days after deletion.
  • During this retention period, administrators can view, restore, or permanently delete them.
  • After the 30-day period, the policy is permanently deleted and cannot be recovered through any interface or Graph API.

This retention design helps organizations recover from accidental deletions and supports better governance by providing a restoration window before permanent removal.

[Screenshot: Soft-Deleted CA Policies]

Who Can Restore a Conditional Access Policy

Only users with specific administrative roles or permissions in Microsoft Entra ID can restore deleted Conditional Access policies.

Prerequisites to recover Conditional Access policies using Entra admin center:

Restoring a deleted Conditional Access policy isn’t available to everyone. You’ll need to be signed in with one of the following roles in Microsoft Entra ID:

  • Conditional Access Administrator
  • Security Administrator
  • Global Administrator

Note: For security and least privilege access best practices, it’s recommended to use the Conditional Access Administrator role.

Prerequisites to recover deleted Conditional Access policies using Microsoft Graph Explorer:

You can also restore deleted Conditional Access policies through the Microsoft Graph API (beta), which requires specific delegated permissions.

  • For listing deleted items: Policy.Read.ConditionalAccess
  • For restoring an item: Policy.ReadWrite.ConditionalAccess

If your account doesn’t have the required permissions, you’ll encounter the following error in Graph Explorer:

Forbidden – 403 – 2534 ms
Either the signed-in user does not have sufficient privileges, or you need to consent to one of the permissions on the Modify permissions tab.

Recover Soft-Deleted Conditional Access Policies Using Entra Admin Center

The Microsoft Entra admin center provides a user-friendly interface for viewing and restoring soft-deleted Conditional Access policies.

  1. Sign in to the Microsoft Entra admin center using an account with one of the required roles.
  2. Navigate to Entra ID > Conditional Access > Deleted Policies (Preview). The Deleted Policies tab displays the Policy name, Deleted date time, Permanent deletion date, and Deleted by fields.
  3. Locate the deleted Conditional Access policy you want to restore from the list.
  4. On the right side of the policy entry, click the ellipsis (...) menu icon. From the dropdown menu, select Restore.
  5. In the dialog box, choose whether to restore it in Report-only mode or in its previous state (e.g., On).
  6. Click the Restore button to complete the process. The policy will vanish from the “Deleted Policies” list and reappear in your main Policies list.

[Screenshot: Restore Soft-Deleted CA Policies Using Entra Admin Center]

Currently, Microsoft Entra admin center doesn’t expose the “deletedBy” property accurately for Conditional Access policies. However, this information can be found in Microsoft Entra audit logs.

⚠️ Important: Restoring a policy to its previous configuration can cause unexpected behavior. It’s best to restore it in Report-only mode, review the results, and enable it only after thorough validation.

Restore Deleted Conditional Access Policies Using Microsoft Graph Explorer

For automation or advanced recovery scenarios, you can use the Microsoft Graph API to restore deleted Conditional Access policies.

View Soft-Deleted Conditional Access Policies Using MS Graph API

Use this Graph API query to identify Conditional Access policies that were deleted but are still recoverable.

  1. Sign in to the Microsoft Graph Explorer using your Microsoft 365 account.
  2. In the HTTP request bar, set the method to GET.
  3. To view all soft-deleted Conditional Access policies in your tenant using Graph API endpoint, enter the following request URL:
  4. Go to the Modify permissions tab, locate Policy.Read.ConditionalAccess, and click Consent to grant the required permission.
  5. Finally, click on Run query.

[Screenshot: View Soft-Deleted Conditional Access Policies Using MS Graph API]

This returns each policy with the following details: id, displayName, deletedDateTime, the policy definition, and more. Note the id of the policy you want to restore; you’ll need this object ID in the next step to specify which deleted Conditional Access policy to recover using Graph Explorer.

Recover Soft-Deleted Conditional Access Policies Using MS Graph Explorer

To restore the soft-deleted Conditional Access policy using Graph Explorer, follow the steps below.

  1. In the HTTP request bar, set the method to POST.
  2. To restore a soft-deleted Conditional Access policy, enter the following request URL, replacing {policy-id} with the actual GUID of the deleted CA policy you want to restore.
  3. Go to the Modify permissions tab, locate Policy.ReadWrite.ConditionalAccess, and click Consent to grant the required permission.
  4. Click on Run query to execute the request.

[Screenshot: Recover Soft-Deleted Conditional Access Policies Using MS Graph Explorer]

Once successfully recovered, the deletedDateTime attribute becomes empty, and the policy reappears in the Conditional Access policies blade in Entra ID.
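As an added example (not the blog's own code or a Microsoft sample), the Graph Explorer steps above can be scripted so that the list of soft-deleted policies shows how many days remain in the 30-day window and a chosen policy is restored straight into Report-only mode, in line with the caveat earlier in the post. The deleted-items and restore endpoint paths are assumed from the Microsoft Graph beta documentation (the post does not print them), the GUIDs and responses are constructed, and the HTTP transport is injected so the script runs offline.

```python
# Added example (not the blog's or Microsoft's code). Lists soft-deleted Conditional
# Access policies via Graph beta, reports days left in the 30-day window, and restores
# one in Report-only mode. Endpoint paths are assumed from the Graph beta docs; HTTP
# calls are injected so it runs offline against the constructed sample pages below.
from datetime import datetime, timedelta, timezone
from typing import Callable

GRAPH_BETA = "https://graph.microsoft.com/beta"
DELETED_POLICIES = f"{GRAPH_BETA}/identity/conditionalAccess/deletedItems/policies"
RETENTION_DAYS = 30                               # soft-delete retention period
REPORT_ONLY = "enabledForReportingButNotEnforced"  # Graph's value for Report-only
def days_until_purge(deleted_date_time: str, now: datetime) -> int:
    """Whole days left before permanent deletion; negative means already purged."""
    deleted = datetime.fromisoformat(deleted_date_time.replace("Z", "+00:00"))
    return (deleted + timedelta(days=RETENTION_DAYS) - now).days

def list_deleted_policies(get: Callable[[str], dict]) -> list:
    """GET the deleted-items collection, following @odata.nextLink paging."""
    url, items = DELETED_POLICIES, []
    while url:
        page = get(url)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items

def restore_report_only(post: Callable, patch: Callable, policy_id: str) -> dict:
    """Restore the policy, then PATCH its state so it logs but does not enforce."""
    post(f"{DELETED_POLICIES}/{policy_id}/restore", None)
    return patch(f"{GRAPH_BETA}/identity/conditionalAccess/policies/{policy_id}",
                 {"state": REPORT_ONLY})

# Constructed sample tenant (fake GUIDs), split over two pages to exercise paging.
SAMPLE_NOW = datetime(2025, 2, 5, tzinfo=timezone.utc)
PAGE2 = f"{DELETED_POLICIES}?$skiptoken=constructed"
PAGES = {
    DELETED_POLICIES: {"value": [{"id": "00000000-0000-0000-0000-00000000aaaa",
        "displayName": "Require MFA for admins", "deletedDateTime": "2025-01-10T08:00:00Z"}],
        "@odata.nextLink": PAGE2},
    PAGE2: {"value": [{"id": "00000000-0000-0000-0000-00000000bbbb",
        "displayName": "Block legacy auth", "deletedDateTime": "2025-01-30T08:00:00Z"}]},
}
CALLS = []  # records (method, url, body) that a live run would send
def fake_get(url): CALLS.append(("GET", url, None)); return PAGES[url]
def fake_post(url, body): CALLS.append(("POST", url, body)); return {}
def fake_patch(url, body): CALLS.append(("PATCH", url, body)); return dict(body)
if __name__ == "__main__":
    for p in list_deleted_policies(fake_get):
        print(f"{p['displayName']}: {days_until_purge(p['deletedDateTime'], SAMPLE_NOW)} days left")
    print(restore_report_only(fake_post, fake_patch, "00000000-0000-0000-0000-00000000bbbb"))
```

Against a live tenant, replace the three fake_* functions with real requests that carry a bearer token for an account holding Policy.ReadWrite.ConditionalAccess, then review the sign-in logs before switching the restored policy from Report-only to On.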

The ability to recover deleted Conditional Access policies in Microsoft Entra ID is a valuable addition to identity governance. It bridges a long-standing operational gap, giving administrators a safeguard against accidental deletions. Feel free to reach us through the comments section if you have any queries.
