msgraph-sdk-powershell

Cannot delete Contact objects from Entra ID

Open NuAlex opened this issue 8 months ago • 5 comments

Describe the bug

I'm trying to remove a contact object that is synced from on-premises AD, i.e. OnPremisesSyncEnabled=True. For example, on my test tenant (TenantId: 3dacc451-5225-40d6-be6f-70dbfa4fb044), I can get the contact object with:

> Get-MgContact -OrgContactId  21d60e77-75dd-4cdd-b348-738d057a6a07 -Property Id, UserPrincipalName, DisplayName, OnPremisesSyncEnabled | select Id, UserPrincipalName, DisplayName, OnPremisesSyncEnabled 

Id                                   UserPrincipalName DisplayName    OnPremisesSyncEnabled
--                                   ----------------- -----------    ---------------------
21d60e77-75dd-4cdd-b348-738d057a6a07                   OnpremContact1                  True

However, trying to delete this object will result in the following error:

> Remove-MgDirectoryObject -DirectoryObjectId 21d60e77-75dd-4cdd-b348-738d057a6a07                                                                                                                         

Remove-MgDirectoryObject_Delete: Data contract version does not allow 'Delete' operations against instances of resource 'OrgContact'.

Status: 400 (BadRequest)
ErrorCode: Request_BadRequest
Date: 2025-03-25T05:27:38

Headers:
Cache-Control                 : no-cache
Vary                          : Accept-Encoding
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"West US 2","Slice":"E","Ring":"4","ScaleUnit":"003","RoleInstance":"CO1PEPF00005D51"}}
x-ms-resource-unit            : 1
Date                          : Tue, 25 Mar 2025 05:27:37 GMT


  Recommendation: See service error codes: https://learn.microsoft.com/graph/errors

OR:

> Remove-MgContact -OrgContactId 21d60e77-75dd-4cdd-b348-738d057a6a07

Remove-MgContact_Delete: Data contract version does not allow 'Delete' operations against instances of resource 'OrgContact'.

Status: 400 (BadRequest)
ErrorCode: Request_BadRequest
Date: 2025-03-25T05:28:26

Headers:
Cache-Control                 : no-cache
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : 08b3bf6d-9fe4-45ed-94e9-26a93fac02e3
client-request-id             : f6a12c3d-d3a2-4933-99ab-eef35db957ad
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"West US 2","Slice":"E","Ring":"4","ScaleUnit":"003","RoleInstance":"CO1PEPF00004BE6"}}
x-ms-resource-unit            : 1
Date                          : Tue, 25 Mar 2025 05:28:26 GMT


  Recommendation: See service error codes: https://learn.microsoft.com/graph/errors

[Update 06/03/2025] The same issue also reproduces with a cloud contact (i.e. mail contact created in Exchange Online). For example:

Remove-MgDirectoryObject_Delete: Data contract version does not allow 'Delete' operations against instances of resource 'OrgContact'.

Status: 400 (BadRequest)
ErrorCode: Request_BadRequest
Date: 2025-06-04T05:11:21

Headers:
Date                          : Wed, 04 Jun 2025 05:11:21 GMT
Transfer-Encoding             : chunked
Connection                    : keep-alive
Cache-Control                 : no-cache
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : dbdc00b0-7b7c-4dfb-a416-5fd3ba625d30
client-request-id             : 168d2322-8cf1-41e5-ae54-382300053264
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"West US 2","Slice":"E","Ring":"4","ScaleUnit":"002","RoleInstance":"MWH0EPF000B674A"}}
x-ms-resource-unit            : 1
X-Cache                       : CONFIG_NOCACHE

  Recommendation: See service error codes: https://learn.microsoft.com/graph/errors

Expected behavior

As an Admin, I need the ability to delete a synced object from the cloud if it becomes orphaned (disconnected from the on-premises source object), or simply delete cloud contacts from Entra ID via PowerShell. This functionality works for other object types like users and groups but is not working for Contact objects.

As an Identity EEE working for Microsoft Support, I have encountered many customers facing issues in such scenarios. They had to use Remove-MsolUser, Remove-MsolGroup, Remove-MsolContact, Remove-AzureADUser, Remove-AzureADGroup, or Remove-AzureADContact. However, these legacy PowerShell cmdlets have been deprecated and will stop working soon. Therefore, we need to fix Remove-MgContact as it is the only alternative available, and currently, it lacks feature parity with the legacy cmdlets.

How to reproduce

  1. Sync a contact object from on-premises AD to Entra ID. The object will have OnPremisesSyncEnabled=True set in the cloud.
  2. Try to delete the object from the cloud with Remove-MgContact -OrgContactId <id> or Remove-MgDirectoryObject -DirectoryObjectId <id>

Error result: "Data contract version does not allow 'Delete' operations against instances of resource 'OrgContact'." For example:

$id = '6af01ad9-6801-4fa0-8d4b-644b30f28931'
Remove-EntraContact -OrgContactId $id

Remove-MgContact_Delete: Data contract version does not allow 'Delete' operations against instances of resource 'OrgContact'.

Status: 400 (BadRequest)
ErrorCode: Request_BadRequest
Date: 2025-06-04T05:07:59

Headers:
Date                          : Wed, 04 Jun 2025 05:07:59 GMT
Transfer-Encoding             : chunked
Connection                    : keep-alive
Cache-Control                 : no-cache
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : e3440c8b-f8c6-442d-9743-fe7297f66b72
client-request-id             : 346248b3-00b6-439e-8742-0efa577dbbc5
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"West US 2","Slice":"E","Ring":"4","ScaleUnit":"004","RoleInstance":"MW2PEPF0000E05D"}}
x-ms-resource-unit            : 1
X-Cache                       : CONFIG_NOCACHE

  Recommendation: See service error codes: https://learn.microsoft.com/graph/errors

SDK Version

2.25.0

Latest version known to work for scenario above?

Never worked

Known Workarounds

Alternatively, use Delete directoryObject Graph call to delete objects in Entra ID via Graph Explorer or Invoke-MgGraphRequest.

Example using Invoke-MgGraphRequest from Microsoft.Graph PowerShell SDK

1 - Connect to the tenant

Connect-MgGraph -Scopes "Directory.ReadWrite.All"  

2 - Set the ObjectId of the target Entra directory object

$objId = 'ffab####-####-####-####-####3106####'  

3 - Get the Entra directory object with the ObjectId (via beta endpoint)

Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/directoryObjects/$objId" -OutputType PSObject  

4 - DELETE the Entra directory object (via beta endpoint)

Invoke-MgGraphRequest -Method DELETE -Uri "https://graph.microsoft.com/beta/directoryObjects/$objId"

Debug output

PS C:\> Remove-EntraContact -OrgContactId 21d60e77-75dd-4cdd-b348-738d057a6a07 -Debug
DEBUG: ============================ TRANSFORMATIONS ============================
DEBUG: Debug : True
DEBUG: OrgContactId : 21d60e77-75dd-4cdd-b348-738d057a6a07
DEBUG: =========================================================================

DEBUG: [CmdletBeginProcessing]: - Remove-MgContact begin processing with parameterSet 'Delete'.
DEBUG: [Authentication]: - AuthType: 'Delegated', TokenCredentialType: 'InteractiveBrowser', ContextScope: 'CurrentUser', AppName: 'Microsoft Graph Command Line Tools'.
DEBUG: [Authentication]: - Scopes: [Application.Read.All, Application.ReadWrite.All, AuditLog.Read.All, Contacts.Read, Contacts.ReadWrite, Directory.AccessAsUser.All, Directory.Read.All, Directory.ReadWrite.All, email, Group.Read.All, Group.ReadWrite.All, OnPremDirectorySynchronization.Read.All, OnPremDirectorySynchronization.ReadWrite.All, openid, Organization.Read.All, Organization.ReadWrite.All, OrgContact.Read.All, profile, ServicePrincipalEndpoint.ReadWrite.All, Synchronization.ReadWrite.All, User.EnableDisableAccount.All, User.ManageIdentities.All, User.Read, User.Read.All, User.ReadWrite.All, UserAuthenticationMethod.Read.All, UserAuthenticationMethod.ReadWrite, UserAuthenticationMethod.ReadWrite.All].

Confirm
Are you sure you want to perform this action?
Performing the operation "Remove-MgContact_Delete" on target "Call remote 'DELETE /contacts/{orgContact-id}' operation".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): Y
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
DELETE

Absolute Uri:
https://graph.microsoft.com/v1.0/contacts/21d60e77-75dd-4cdd-b348-738d057a6a07

Headers:
User-Agent                    : PowerShell/7.5.0,EntraPowershell/1.0.1,Remove-EntraContact
FeatureFlag                   : 00000043
Cache-Control                 : no-store, no-cache
Accept-Encoding               : gzip
SdkVersion                    : graph-powershell/2.25.0
client-request-id             : 9eb1b2d0-06b9-474b-a748-3ccdf70bd79c

Body:



DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
BadRequest

Headers:
Cache-Control                 : no-cache
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : 1d7558f4-ceab-4950-a6f6-ea0f2d936a49
client-request-id             : 9eb1b2d0-06b9-474b-a748-3ccdf70bd79c
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"West US 2","Slice":"E","Ring":"4","ScaleUnit":"003","RoleInstance":"CO1PEPF00005FB6"}}
x-ms-resource-unit            : 1
Date                          : Tue, 25 Mar 2025 05:55:14 GMT

Body:
{
  "error": {
    "code": "Request_BadRequest",
    "message": "Data contract version does not allow 'Delete' operations against instances of resource 'OrgContact'.",
    "innerError": {
      "date": "2025-03-25T05:55:15",
      "request-id": "1d7558f4-ceab-4950-a6f6-ea0f2d936a49",
      "client-request-id": "9eb1b2d0-06b9-474b-a748-3ccdf70bd79c"
    }
  }
}


Remove-MgContact_Delete: Data contract version does not allow 'Delete' operations against instances of resource 'OrgContact'.

Status: 400 (BadRequest)
ErrorCode: Request_BadRequest
Date: 2025-03-25T05:55:15

Headers:
Cache-Control                 : no-cache
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : 1d7558f4-ceab-4950-a6f6-ea0f2d936a49
client-request-id             : 9eb1b2d0-06b9-474b-a748-3ccdf70bd79c
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"West US 2","Slice":"E","Ring":"4","ScaleUnit":"003","RoleInstance":"CO1PEPF00005FB6"}}
x-ms-resource-unit            : 1
Date                          : Tue, 25 Mar 2025 05:55:14 GMT

  Recommendation: See service error codes: https://learn.microsoft.com/graph/errors
DEBUG: [CmdletEndProcessing]: - Remove-MgContact end processing.

Configuration

OS: Windows 11 24H2

PS C:\> $PSVersionTable
Name                           Value
----                           -----
PSVersion                      7.5.0
PSEdition                      Core
GitCommitId                    7.5.0
OS                             Microsoft Windows 10.0.26100
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Other information

Don't hesitate to reach out if you have any questions.

Mar 25 '25 06:03 NuAlex

I have the same problem. Please provide a solution.

Apr 14 '25 09:04 voerg

Does anyone have an update? Same problem here.

May 29 '25 14:05 gobbe87

As of Nov 2024, the Remove-MgContact uses Graph v1.0 which can't delete directory contacts, only mailbox folder contacts. Trying to delete a contact object throws the error: Data contract version does not allow 'Delete' operations against instances of resource 'OrgContact'. To delete a directory contact object you'll have to use the Beta endpoint.

Alternatively, use Delete directoryObject Graph call to delete objects in Entra ID via Graph Explorer or Invoke-MgGraphRequest.

Example using Invoke-MgGraphRequest from Microsoft.Graph PowerShell SDK

1 - Connect to the tenant

Connect-MgGraph -Scopes "Directory.ReadWrite.All"  

2 - Set the ObjectId of the target Entra directory object

$objId = 'ffab####-####-####-####-####3106####'  

3 - Get the Entra directory object with the ObjectId (via beta endpoint)

Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/directoryObjects/$objId" -OutputType PSObject  

4 - DELETE the Entra directory object (via beta endpoint)

Invoke-MgGraphRequest -Method DELETE -Uri "https://graph.microsoft.com/beta/directoryObjects/$objId"

Jun 03 '25 20:06 NuAlex

As of Nov 2024, the Remove-MgContact uses Graph v1.0 which can't delete directory contacts, only mailbox folder contacts. Trying to delete a contact object throws the error: Data contract version does not allow 'Delete' operations against instances of resource 'OrgContact'. To delete a directory contact object you'll have to use the Beta endpoint.

Alternatively, use Delete directoryObject Graph call to delete objects in Entra ID via Graph Explorer or Invoke-MgGraphRequest.

Example using Invoke-MgGraphRequest from Microsoft.Graph PowerShell SDK

1 - Connect to the tenant

Connect-MgGraph -Scopes "Directory.ReadWrite.All"

2 - Set the ObjectId of the target Entra directory object

$objId = 'ffab####-####-####-####-####3106####'

3 - Get the Entra directory object with the ObjectId (via beta endpoint)

Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/directoryObjects/$objId" -OutputType PSObject

4 - DELETE the Entra directory object (via beta endpoint)

Invoke-MgGraphRequest -Method DELETE -Uri "https://graph.microsoft.com/v1.0/directoryObjects/$objId"

Changing the last command to the beta version, it works fine for me. Thank you!!

Jun 05 '25 06:06 gobbe87

Changing the last command to the beta version, it works fine for me. Thank you!!

Thanks for calling that out, fixed it now.

Jun 09 '25 18:06 NuAlex
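
The workaround above deletes through the generic directoryObjects endpoint with Directory.ReadWrite.All, so a mistyped ID would remove whatever object it points at. The following is an added example, not code from the thread or from the SDK: a hypothetical helper, Remove-OrgContactViaBeta, that wraps steps 3 and 4, refuses anything that is not an orgContact, and supports -WhatIf/-Confirm. The all-zero object ID is a placeholder.

```powershell
# Added example: hypothetical helper, not part of the Microsoft.Graph SDK.
function Remove-OrgContactViaBeta {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        # [guid] rejects anything that is not a well-formed object ID,
        # so nothing else can end up in the request path.
        [Parameter(Mandatory, ValueFromPipeline)]
        [guid] $ObjectId
    )
    process {
        $uri = "https://graph.microsoft.com/beta/directoryObjects/$ObjectId"

        # Step 3 of the workaround: read the object before touching it.
        $obj = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject -ErrorAction Stop

        # directoryObjects is type-agnostic: stop unless this really is a contact.
        $type = $obj.'@odata.type'
        if ($type -ne '#microsoft.graph.orgContact') {
            Write-Error "Object $ObjectId is '$type', not an orgContact; nothing deleted."
            return
        }

        $target = '{0} ({1}), onPremisesSyncEnabled={2}' -f `
            $obj.displayName, $ObjectId, $obj.onPremisesSyncEnabled

        # Step 4: DELETE via the beta endpoint, only after -WhatIf/-Confirm allows it.
        if ($PSCmdlet.ShouldProcess($target, 'DELETE via beta directoryObjects')) {
            Invoke-MgGraphRequest -Method DELETE -Uri $uri -ErrorAction Stop
            [pscustomobject]@{
                Id          = $ObjectId
                DisplayName = $obj.displayName
                DeletedAt   = (Get-Date).ToUniversalTime()
            }
        }
    }
}

# Usage (placeholder ID; replace with the contact's object ID).
Connect-MgGraph -Scopes 'Directory.ReadWrite.All'
$objId = '00000000-0000-0000-0000-000000000000'
Remove-OrgContactViaBeta -ObjectId $objId -WhatIf   # dry run first
# Remove-OrgContactViaBeta -ObjectId $objId         # real deletion, prompts to confirm
```

The returned object (Id, DisplayName, DeletedAt) can be appended to a change log so the deletion is traceable alongside the Entra audit log entry.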