Organization grow and change their needs as time goes on. This is a given for any company in today’s world. As we shift more into a cloud-first landscape, your identity becomes more key to daily operations. IT Admins will need to maintain a close eye on who has access, through system such as Azure Active Directory (AD). Part of this process will be cleaning up and deleting older accounts as time goes on. You may ask, “What if I accidently delete someone in Azure, are they gone forever?” The answer to that is no. Not yet at least. How can we know that a user account is inaccessible? When, if ever, are your Azure AD Objects really deleted? Let’s go ahead and explore this topic briefly

 

AD Object Deletion in Azure

The topic of user accounts in general are well understood, and Azure does not differ here. The account that a person logs in to will have rights and privileges assigned to match their job duties. If the person in question transfers and no longer needs the account, it should be deleted. When deleted, the user account is first soft-deleted. This means that the account cannot be logged into, but can be restored or permanently deleted by a Global Administrator. Once an account has been in this soft-delete state for 30 days, the account will be permanently deleted and cannot be restored. This is a handy feature if you accidently delete someone. Think of this as the next iteration of the Windows Recycle Bin, just accounts instead of documents.

 

What is Covered

Something else to note here is that this soft-delete is applied to more than just user accounts. AD Groups and Applications are covered with soft-deletes as well. Groups will work in the same way as user accounts, with a 30 day grace period. However, applications are a little more complicated.

Applications also fall into the 30 day grace period, but this is only been recently enabled for public preview by Microsoft. Before this, there was not any time limit on the soft-delete status for Azure Apps. This meant that the application could be restored at any time, even months later.

From our test environment, with soft-deleted Applications from 2019. Still available for restoration in 2021

From our test environment, with soft-deleted Applications from 2019. Still available for restoration in 2021

At the time, an admin would need to permanently delete these applications with a PowerShell commandlet in order to get them out. Before early 2021, there was no UI in the Azure Portal to even review deleted apps.

 

Security Concerns

Soft-deletes are useful for mistakes, but only in that case. You should permanently remove the AD object as soon as possible once the action is confirmed. Restoring these users, groups, and apps can also restore the permissions granted to them at time of deletion. Applications are of particular concern with the context of the Solarwinds and Kaseya attacks in mind. A compromised application that is not properly cleaned and instead restored can continue to wreak havoc through sensitive information leaks and privileged account actions.

 

Wrap-Up

Azure AD has many features, one of which is object soft-deletes. This is a handy feature for administration flubs, but can expose unnecessary risk. Good practice for security-minded organizations should be to permanently delete AD objects once no longer needed.