Restoring a role will update its attributes and assignments to users and groups. 

Restore an Entra ID role

Before you restore, ensure the Entra ID service account that was used to create the connector is assigned the global admin role.

1. Locate the role in your connector.

2. Optional: If you want to restore an older version of the object, click the Snapshots Viewer icon, and then select an earlier snapshot. You will now be viewing data from that particular time.

3. Select ••• > Restore.

Tip: To preview the attributes and relationships and to compare them to older versions, select ••• > Object metadata. You can also restore directly from the previewer. 

4. Select whether to restore subobjects.
Subobjects can be users and groups with this role.

  • If you select Restore only this object, click Next.
  • If you select Also restore subobjects, click Next. Then select the restore method and click Next

5. Review the summary and click Restore.

Note: Roles can be restored in bulk, but the option to restore related items will be disabled. 

What happens when I restore a role

Restoring a role will restore its attributes and reestablish the following relationships: 

  • Role assignments - links to all users and groups that are assigned this role (all users and groups will be assigned this role)

Assignments to users and groups will be restored only if these objects still exist in Entra ID. 

Only custom roles can be deleted from Entra ID. If the role has been deleted from Entra ID, all attributes and relationships will be recreated. The original template ID will be restored.

This diagram shows the relationships that are restored:

Restoring a role together with subobjects

A role's subobjects are users and groups assigned with the role. 

Enabling subobjects restore will create missing subobjects. This means for each missing user and group we will restore attributes and relationships. All recreated users and groups will receive new IDs.

If you select create missing and update existing subobjects:

  • We will create users and groups with this role that have been deleted and reassign the role to them.
  • For each existing user, we will update its attributes, link to manager, role assignments, group ownerships, group and unit memberships, and licenses.
  • For each existing group, we will update its attributes, links to members and owners, group and unit memberships, role assignments, and licenses.

If you select only create missing subobjects:

  • We will create users and groups that have been deleted and reassign the role to them.
  • We will not be update the attributes, relationships, and licenses of existing users and groups.

Note: We cannot reestablish deleted users' memberships to distribution and mail-enabled groups. In this case, the restore job will be marked as incomplete, and these relationships will be skipped.