Forum Discussion

TobiasAT
Steel Contributor
Mar 27, 2018
Solved

Get-AzureADMSDeletedGroup vs. 'Get-UnifiedGroup -IncludeSoftDeletedGroups'

Hello, I have a question regarding deleted Office 365 Groups.

I have two scenarios:
1st: I run "Get-AzureADMSDeletedGroup | ?{$_.DeletedDateTime -gt $DeletedGroupsStartDate }" and get 5 deleted groups.
2nd: I run "Get-UnifiedGroup -IncludeSoftDeletedGroups | ?{$_.WhenSoftDeleted -gt $DeletedGroupsStartDate}" and get 7 groups.

Is there a difference between the two commands? I expect the two commands should show the same results. I don't understand why the result of the 2 commands is different.

Best regards
Tobias

  • TobiasAT
    May 09, 2018

    Yesterday I found the cause. There are 2 issues preventing the EXO and AAD cmdlets from returning the same results for deleted groups.

    1. The time zone in AAD is UTC; EXO returns the results in local time. So I changed the date filter for deleted groups in AAD to UTC.
    2. The main issue is that Get-AzureADMSDeletedGroup does not return all deleted groups by default (and shows no information that the results are limited). The cmdlet provides an additional parameter All.

    Get-AzureADMSDeletedGroup -all:$true

    -All
    If true, return all group members. If false, return the number of objects specified by the Top parameter

    Without the parameter Get-AzureADMSDeletedGroup returns just 100 results and the date filter was not applied to all deleted groups in AAD.

    I did the same tests, one for the last 5 days and one for 30 days. Both commands now include the same results.
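
The comparison described in the accepted answer above, written out as an added example (not code from the thread). It assumes the AzureAD module and an Exchange Online session are already connected; the 30-day window and the variable names other than `$DeletedGroupsStartDate` are constructed for illustration.

```powershell
# Added example: reconcile soft-deleted groups between Azure AD and Exchange Online.
# Assumption: Connect-AzureAD and an Exchange Online session have already been established.

# Constructed look-back window, expressed in local time as in the original question.
$DeletedGroupsStartDate = (Get-Date).AddDays(-30)

# Per the thread, AAD reports DeletedDateTime in UTC, so filter with the UTC form of the date.
$startUtc = $DeletedGroupsStartDate.ToUniversalTime()

# -All $true is required: without it only the first 100 deleted groups come back,
# with no warning, and the date filter then runs over a truncated set.
$aadDeleted = @(Get-AzureADMSDeletedGroup -All $true |
    Where-Object { $_.DeletedDateTime -gt $startUtc })

# Per the thread, EXO returns WhenSoftDeleted in local time, so the local start date is used.
# Active groups have no WhenSoftDeleted value, so the filter also drops them.
# -ResultSize Unlimited lifts the cmdlet's default result cap.
$exoDeleted = @(Get-UnifiedGroup -IncludeSoftDeletedGroups -ResultSize Unlimited |
    Where-Object { $_.WhenSoftDeleted -gt $DeletedGroupsStartDate })

# Join key from the thread: AAD Id corresponds to EXO ExternalDirectoryObjectId.
$aadIds = @($aadDeleted | ForEach-Object { [string]$_.Id })
$exoIds = @($exoDeleted | ForEach-Object { [string]$_.ExternalDirectoryObjectId })

# Objects present on one side only (empty arrays when both directories agree).
$onlyInAad = @($aadDeleted | Where-Object { $exoIds -notcontains [string]$_.Id })
$onlyInExo = @($exoDeleted | Where-Object { $aadIds -notcontains [string]$_.ExternalDirectoryObjectId })

"{0} deleted groups in AAD, {1} in EXO" -f $aadDeleted.Count, $exoDeleted.Count

if ($onlyInAad.Count -or $onlyInExo.Count) {
    "Only in AAD:"
    $onlyInAad | Select-Object Id, DisplayName, DeletedDateTime
    "Only in EXO:"
    $onlyInExo | Select-Object ExternalDirectoryObjectId, DisplayName, WhenSoftDeleted
} else {
    "Both directories report the same soft-deleted groups."
}
```

Any remaining one-sided entries after both fixes are applied point at the sync issue between ExODS and Azure AD raised in the replies.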

     

9 Replies

  • Tobias these two cmdlets should return the same results (assuming the data between Azure AD and Exchange has been synched), can you consistently reproduce the issue?

    • TobiasAT
      Steel Contributor

      I tested the commands again. Here is a screenshot of the commands and results. It's easy to compare. The Id of Get-AzureADMSDeletedGroup is connected to ExternalDirectoryObjectId of Get-UnifiedGroup. Two Ids are still missing in the deleted groups.

  • Well, the first one returns *only* deleted Groups. The second one *includes* deleted Groups, but will also return any *active* Groups that match the query. It's not an -InactiveGroupsOnly parameter :)

    Apart from that, one returns the objects from Azure AD, the other from the ExODS, so they are representing different object classes, with different properties, etc. Technically, the two should be linked, but there can be a slight disconnect, especially if you have recently made changes. But in general the two "representations" should be kept in sync.

    • TobiasAT
      Steel Contributor

      VasilMichev wrote:

      Well, the first one returns *only* deleted Groups. The second one *includes* deleted Groups, but will also return any *active* Groups that match the query. It's not an -InactiveGroupsOnly parameter :)


      Hm, how can a group be active if the group was deleted? :) I checked the 2 groups from the 2nd case, both groups are really deleted. Not available in OWA and the SPO sites are also changed to NoAccess.

      First I thought maybe the groups were restored by the owner and the property WhenSoftDeleted was not replaced. But it's not the case. After a restore of a deleted test group the property is empty.

      • @Tobias, what I meant was that the Get-UnifiedGroup cmdlet run with this parameter will return both active and deleted groups, which you can easily confirm if you remove the filter. We have the same situation with the Get-Mailbox cmdlets; however, for it we also have the -InactiveMailboxOnly parameter, which will filter out any active mailboxes.

        Now, having seen the full code in your screenshot, the Groups returned definitely match the soft-deleted criteria. So you should be seeing the same between Get-UnifiedGroup and Get-AzureADMSDeletedGroup output. Which brings us to the other possible scenario, an issue with the sync between ExODS and Azure AD, for which you should open a support case.
