Merge pull request #206349 from omondiatieno/recover-and-delete

recovery and deletion docs

Author: Maggiemouse1

.openpublishing.redirection.active-directory.json

@@ -10825,7 +10825,13 @@
       "source_path": "articles/active-directory/manage-apps/howto-enforce-signed-saml-authentication.md",
       "redirect_url": "/azure/active-directory/manage-apps/howto-saml-token-encryption",
       "redirect_document_id": true
+    },
+    {
+      "source_path_from_root": "/articles/active-directory/manage-apps/recover-deleted-apps-faq.md",
+      "redirect_url": "/azure/active-directory/manage-apps/delete-recover-faq",
+      "redirect_document_id": false
     }
 
+
   ]
 }

articles/active-directory/develop/howto-remove-app.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.subservice: develop
 ms.topic: how-to
 ms.workload: identity
-ms.date: 11/15/2020
+ms.date: 07/28/2022
 ms.author: ryanwi
 ms.custom: aaddev
 ms.reviewer: marsma, aragra, lenalepa, sureshja
@@ -48,9 +48,9 @@ To delete an application, be listed as an owner of the application or have admin
 
 ## Remove an application authored by another organization
 
-If you are viewing **App registrations** in the context of a tenant, a subset of the applications that appear under the **All apps** tab are from another tenant and were registered into your tenant during the consent process. More specifically, they are represented by only a service principal object in your tenant, with no corresponding application object. For more information on the differences between application and service principal objects, see [Application and service principal objects in Azure AD](./app-objects-and-service-principals.md).
+If you're viewing **App registrations** in the context of a tenant, a subset of the applications that appear under the **All apps** tab are from another tenant and were registered into your tenant during the consent process. More specifically, they're represented by only a service principal object in your tenant, with no corresponding application object. For more information on the differences between application and service principal objects, see [Application and service principal objects in Azure AD](./app-objects-and-service-principals.md).
 
-In order to remove an application’s access to your directory (after having granted consent), the company administrator must remove its service principal. The administrator must have Global Administrator access, and can remove the application through the Azure portal or use the [Azure AD PowerShell Cmdlets](/previous-versions/azure/jj151815(v=azure.100)) to remove access.
+In order to remove an application’s access to your directory (after having granted consent), the company administrator must remove its service principal. The administrator must have Global Administrator access. To learn how to delete a service principal, see [Delete an enterprise application](../manage-apps/delete-application-portal.md).
 
 ## Next steps
 

articles/active-directory/develop/howto-restore-app.md

@@ -9,21 +9,19 @@ ms.service: active-directory
 ms.subservice: develop
 ms.topic: how-to
 ms.workload: identity
-ms.date: 3/22/2021
+ms.date: 07/28/2022
 ms.author: arcrowe
 ms.custom: aaddev
 #Customer intent: As an application developer, I want to know how to restore or permanently delete my recently deleted application from the Microsoft identity platform.
 ---
 
 # Restore or remove a recently deleted application with the Microsoft identity platform
-After you delete an app registration, the app remains in a suspended state for 30 days. During that 30-day window, the app registration can be restored, along with all its properties. After that 30-day window passes, app registrations cannot be restored and the permanent deletion process may be automatically started.  This functionality only applies to applications associated to a directory.  It is not available for applications from a personal Microsoft account, which cannot be restored.
 
-You can view your deleted applications, restore a deleted application, or permanently delete an application using the App registrations experience under Azure Active Directory (Azure AD) in the Azure portal.
+After you delete an app registration, the app remains in a suspended state for 30 days. During that 30-day window, the app registration can be restored, along with all its properties. After that 30-day window passes, app registrations can't be restored, and the permanent deletion process may be automatically started. This functionality only applies to applications associated to a directory. It isn't available for applications from a personal Microsoft account, which can't be restored.
 
-Note that neither you nor Microsoft customer support can restore a permanently deleted application or an application deleted more than 30 days ago.
+You can view your deleted applications, restore a deleted application, or permanently delete an application using the **App registrations** experience under Azure Active Directory (Azure AD) in the Azure portal.
 
-> [!IMPORTANT]
-> The deleted applications portal UI feature [!INCLUDE [PREVIEW BOILERPLATE](../../../includes/active-directory-develop-preview.md)]
+Neither you nor Microsoft customer support can restore a permanently deleted application or an application deleted more than 30 days ago.
 
 ## Required permissions
 You must have one of the following roles to permanently delete applications.
@@ -50,9 +48,9 @@ Review the list of applications. Only applications that have been deleted in the
 
 ## Restore a recently deleted application
 
-When an app registration is deleted from the organization, the app is in a suspended state and its configurations are preserved. When you restore an app registration, its configurations are also restored.  However, if there were any organization-specific settings in **Enterprise applications** for the application's home tenant, those will not be restored.  
+When an app registration is deleted from the organization, the app is in a suspended state, and its configurations are preserved. When you restore an app registration, its configurations are also restored. However, if there were any organization-specific settings in **Enterprise applications** for the application's home tenant, those won't be restored.  
 
-This is because organization-specific settings are stored on a separate object, called the service principal.  Settings held on the service principal include permission consents and user and group assignments for a certain organization; these configurations will not be restored when the app is restored. For more information, see [Application and service principal objects](app-objects-and-service-principals.md). 
+This is because organization-specific settings are stored on a separate object, called the service principal.  Settings held on the service principal include permission consents and user and group assignments for a certain organization; these configurations won't be restored when the app is restored. To learn how to restore the service principal with its previous configurations, see [Restore a recently deleted enterprise application](../manage-apps/restore-application.md).
 
 
 ### To restore an application

articles/active-directory/manage-apps/delete-application-portal.md

@@ -1,51 +1,117 @@
 ---
-title: 'Quickstart: Delete an enterprise application'
+title: 'Delete an enterprise application'
 description: Delete an enterprise application in Azure Active Directory.
 services: active-directory
 author: omondiatieno
 manager: CelesteDG
 ms.service: active-directory
 ms.subservice: app-mgmt
-ms.topic: quickstart
+ms.topic: how-to
 ms.workload: identity
-ms.date: 03/24/2022
+ms.date: 07/28/2022
 ms.author: jomondi
 ms.reviewer: sureshja
-ms.custom: mode-other
+zone_pivot_groups: enterprise-apps-all
+
 #Customer intent: As an administrator of an Azure AD tenant, I want to delete an enterprise application.
 ---
 
-# Quickstart: Delete an enterprise application
+# Delete an enterprise application
+
+In this article, you learn how to delete an enterprise application that was added to your Azure Active Directory (Azure AD) tenant. 
 
-In this quickstart, you use the Azure Active Directory Admin Center to delete an application that was added to your Azure Active Directory (Azure AD) tenant.
+When you delete and enterprise application, it will be held in a suspended state in the recycle bin for 30 days. During the 30 days, you can [Restore the application](restore-application.md). Deleted items are automatically hard deleted after the 30-day period. For more information on frequently asked questions about deletion and recovery of applications, see [Deleting and recovering applications FAQs](delete-recover-faq.yml).
 
-It is recommended that you use a non-production environment to test the steps in this quickstart.
 
 ## Prerequisites
 
 To delete an enterprise application, you need:
 
 - An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
 - One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.
-- Completion of the steps in [Quickstart: Add an enterprise application](add-application-portal.md).
+- An [enterprise application added to your tenant](add-application-portal.md)
 
 ## Delete an enterprise application
 
-To delete an enterprise application:
+:::zone pivot="portal"
 
-1. Go to the [Azure Active Directory Admin Center](https://aad.portal.azure.com) and sign in using one of the roles listed in the prerequisites.
+1. Sign in to the [Azure AD portal](https://portal.azure.com) and sign in using one of the roles listed in the prerequisites.
 1. In the left menu, select **Enterprise applications**. The **All applications** pane opens and displays a list of the applications in your Azure AD tenant. Search for and select the application that you want to delete. For example, **Azure AD SAML Toolkit 1**.
 1. In the **Manage** section of the left menu, select **Properties**.
 1. At the top of the **Properties** pane, select **Delete**, and then select **Yes** to confirm you want to delete the application from your Azure AD tenant.
 
     :::image type="content" source="media/delete-application-portal/delete-application.png" alt-text="Delete an enterprise application.":::
 
-## Clean up resources
+:::zone-end
+
+:::zone pivot="aad-powershell"
+
+> [!IMPORTANT]
+> Make sure you're using the AzureAD module. This is important if you've installed both the [AzureAD](/powershell/module/azuread/?preserve-view=true&view=azureadps-2.0) module and the AzureADPreview module.
+1. Run the following commands:
+
+    ```powershell
+    Remove-Module AzureADPreview
+    Import-Module AzureAD
+    ```
+
+1. Connect to Azure AD PowerShell:
+
+   ```powershell
+   Connect-AzureAD
+   ```
+1. Get the list of enterprise applications in your tenant.
+   
+   ```powershell
+   Get-AzureADServicePrincipal
+   ```
+1. Record the object ID of the enterprise app you want to delete.
+1. Delete the enterprise application.
+   
+   ```powershell
+   Remove-AzureADServicePrincipal $ObjectId 'd4142c52-179b-4d31-b5b9-08940873507b'
+   ```
+:::zone-end
+
+:::zone pivot="ms-powershell"
+
+1. Connect to Microsoft Graph PowerShell:
+
+   ```powershell
+   Connect-MgGraph -Scopes 'Application.Read.All'
+   ```
+
+1. Get the list of enterprise applications in your tenant.
+   
+   ```powershell
+   Get-MgServicePrincipal   
+   ```
+1. Record the object ID of the enterprise app you want to delete.
+1. Delete the enterprise application.
+   
+   ```powershell
+   Remove-MgServicePrincipal -ServicePrincipalId 'd4142c52-179b-4d31-b5b9-08940873507b'
+
+:::zone-end
+
+
+:::zone pivot="ms-graph"
+
+Delete an enterprise application using [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer).
+1. To get the list of applications in your tenant, run the following query.
+   
+   ```http
+   GET /servicePrincipals
+   ```
+1. Record the ID of the enterprise app you want to delete.
+1. Delete the enterprise application.
+   
+   ```http
+   DELETE /servicePrincipals/{id}
+   ```
 
-When you are done with this quickstart series, consider deleting the application to clean up your test tenant. Deleting the application was covered in this quickstart.
+:::zone-end
 
 ## Next steps
 
-Learn more about planning a single sign-on deployment.
-> [!div class="nextstepaction"]
-> [Plan single sign-on deployment](plan-sso-deployment.md)
+- [Restore a deleted enterprise application](restore-application.md)

articles/active-directory/manage-apps/delete-recover-faq.yml

@@ -0,0 +1,98 @@
+### YamlMime:FAQ
+metadata:
+  title: Deletion and recovery of applications FAQ
+  description: Find answers to frequently asked questions (FAQs) about recovering deleted apps and service principals.
+  
+  services: active-directory
+  ms.service: active-directory
+  ms.subservice: app-mgmt
+  ms.topic: faq
+  ms.workload: identity
+  ms.date: 07/28/2021
+  ms.author: jomondi
+  author: omondiatieno
+  manager: celesteDG
+  ms.reviewer: sureshja
+  ms.collection: M365-identity-device-management
+
+title: Deletion and recovery of applications FAQ
+summary: |
+  The following are some frequently asked questions (FAQs) on deletion and recovery of applications.
+
+sections:
+  - name: Single section - ignored 
+    questions:
+      - question: |
+          When I create applications, I'm getting Directory_QuotaExceeded error. How can I avoid this problem? 
+        answer: |
+            > A non-admin user can create no more than 250 Azure AD resources that include applications and service principals. Both active resources and deleted resources that are available to restore count toward this quota. Even if you delete more applications that you don't need, they'll still add count to the quota. To free up the quota, you need to [permanently delete](restore-application.md#permanently-delete-an-enterprise-application) objects in the deleted items container.
+            >
+            > For more information about the service limits, see [Azure resource management](/azure/azure-resource-manager/management/azure-subscription-service-limits?msclkid=6cb6cc54c68711ec93eb9539fce3cc28#active-directory-limits).
+            >
+            >
+      - question: |
+          Where can I find all the deleted applications and service principals? 
+        answer: |
+            > Soft-deleted application and service principal objects go into the deleted items container and remain available to restore for up to 30 days. After 30 days, they're permanently deleted, and this frees up the quota.
+            >
+            > To learn how to view deleted application objects through the Azure portal, see [View restorable applications](/develop/howto-restore-app.md#to-view-your-restorable-applications).
+            >
+            > Deleted service principals can't be viewed through the Azure portal. To learn how to view your restorable service principals using PowerShell or Microsoft Graph API, see [View restorable service principals](restore-application.md#view-restorable-enterprise-applications).
+            >
+            >
+      - question: |
+          How do I restore deleted applications or service principals?
+        answer: |
+            > To learn how to restore recently deleted application registrations through the Azure portal, see [Restore application registrations](../develop/howto-restore-app.md).
+            >
+            > To learn how to restore recently deleted service principals, see [Restore service principals](restore-application.md). This method is also applicable for restoring recently deleted application registrations using PowerShell or Microsoft Graph API.
+      - question: |
+          How do I permanently delete soft deleted applications or service principals?
+        answer: |
+            > To permanently delete application registrations through the Azure portal, see [Permanently delete an application](../develop/howto-restore-app.md#permanently-delete-an-application). 
+            >
+            > To permanently delete a service principal, see [Permanently delete a service principal](restore-application.md#permanently-delete-an-enterprise-application). This method is also applicable for permanently deleting application registrations using PowerShell or Microsoft Graph API.
+      - question: |
+          Can I configure the interval in which applications and service principals are permanently deleted by Azure AD?
+        answer: |
+            > No. You can't configure the periodicity of hard deletion.
+            >
+      - question: |
+          I lost my SAML SSO configurations after deleting and restoring my application through app registrations in the Azure portal. How can I restore my configurations?
+        answer: |
+            > The SAML SSO configurations are stored on the service principal object. When you restore an application from the **App registrations** UI, it recovers the app object but creates a new service principal. The SAML SSO configurations done earlier to the app are lost when restoring a deleted application using the **App registrations** UI.
+            >
+            > To correct this problem, delete the new service principal the **App registrations** experience created and [Restore the original service principal](restore-application.md).
+            >
+            > If you didn't record the service principal before deleting the application, use the [list deleted items](/graph/api/directory-deleteditems-list?tabs=http) API to fetch the deleted service principal and filter the results by the client's application ID (**appId**) property using the following syntax:
+            >
+            > `https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.servicePrincipal?$filter=appId eq '{appId}'`. 
+            > Once you've retrieved the object ID of the deleted service principal, proceed to [restore](restore-application.md) it.
+      - question: |
+          Why can't I recover managed identities?
+        answer: |
+            > [Managed identities](../managed-identities-azure-resources/overview.md) are a special type of service principals. Deleted managed identities can't be recovered currently.
+            >
+            >
+      - question: |
+          I can't see the provisioning data from a recovered service principal. How can I recover it? 
+        answer: |
+            > After recovering a service principal, you may initially see the error in the following screenshot. This issue will resolve itself between 40 mins and 1 day. If you'd like the provisioning job to start immediately, you can hit restart to force the provisioning service to run again. Hitting restart will trigger an initial cycle that can take time for customers with 100K+ users or group memberships. 
+            >
+            > :::image type="content" source="media/delete-application-portal/recover-user-provisioning.png" alt-text="Screenshot of recovering user provisioning data.":::
+            >
+      - question: |
+          I recovered my application that was configured for application proxy. I can't see app proxy configurations after the recovery. How can I recover it back? 
+        answer: |
+            > App proxy configurations can't be recovered through the portal UI. Use the API to recover app proxy settings. Expect a delay of up to 24 hours as the app proxy data gets synced back.
+      - question: |
+          I can't see the policies I set on the service principal object after the recovery. How can I recover them? 
+        answer: |
+            > Policies can't be recovered currently. When you restore a service principal, you'll have to configure the policies again.
+            >
+            >
+
+additionalContent: |
+  ## Next steps
+    * [Restore a service principal](restore-application.md)
+    * [Restore an application registration](../develop/howto-restore-app.md)