OneDrive Access Review Finds Unknown Principals

When running a Microsoft Entra access review for OneDrive, you may see entries labeled as “Unknown” in the principal column. These entries appear for users, groups, or service principals that existed at the time the review was created but have since been deleted from the tenant. This article explains why these unknown principals appear, what risks they may pose, and how to identify and remove them from your OneDrive access reviews.

Key Takeaways: Handling Unknown Principals in OneDrive Access Reviews

  • Microsoft Entra admin center > Identity Governance > Access Reviews: The review interface shows “Unknown” when a previously assigned reviewer, user, or group has been deleted from the tenant.
  • Microsoft 365 admin center > Users > Deleted users: Restore a deleted user within 30 days to recover their identity and resolve the unknown principal label.
  • Azure AD PowerShell module (AzureAD): Use the Get-AzureADDeletedDirectoryObject cmdlet to find deleted objects and confirm whether an unknown principal was a user, group, or service principal.

Why OneDrive Access Reviews Show Unknown Principals

An access review in Microsoft Entra ID evaluates who has access to a resource such as a OneDrive site. The review lists every principal that has been assigned review permissions, membership, or direct access. When a principal is deleted from the tenant after the review was created, Microsoft Entra ID cannot resolve its display name or user principal name. The interface then shows “Unknown” in the principal column.

There are three common scenarios that produce unknown principals:

Deleted User Accounts

A user who was part of the review scope is removed from the tenant. The user’s object ID remains in the review, but the display name is no longer available. This is the most frequent cause of unknown principals in OneDrive access reviews.

Deleted Groups

A group that was assigned to review OneDrive access is deleted. The group’s object ID persists in the review record, but Microsoft Entra ID cannot retrieve its name.

Deleted Service Principals

An application or service principal that had delegated access to OneDrive is removed. The service principal’s object ID remains, but the display name is lost. This scenario is less common but can occur when an app registration is deleted without first removing its permissions.

Steps to Identify and Remove Unknown Principals from OneDrive Access Reviews

Follow these steps to locate the source of unknown principals and clean up your access reviews.

  1. Open the Access Review in Microsoft Entra Admin Center
    Sign in to the Microsoft Entra admin center. Go to Identity Governance > Access Reviews. Find the review that contains unknown principals and click its name.
  2. Identify the Unknown Principal’s Object ID
    In the review results, locate the row where the principal column shows “Unknown”. Click the row to open the details pane. The Object ID field shows the GUID of the deleted principal. Copy this GUID.
  3. Determine the Principal Type Using PowerShell
    Open Windows PowerShell as an administrator. Run the following commands to install the Azure AD module if you have not done so:
    Install-Module AzureAD
    Connect-AzureAD
    Then run:
    Get-AzureADDeletedDirectoryObject -Id "GUID"
    Replace GUID with the object ID you copied. The output shows the object type, which will be User, Group, or ServicePrincipal.
  4. Restore the Deleted Principal if Needed
    If the principal is a user and was deleted within the last 30 days, you can restore it. Go to the Microsoft 365 admin center > Users > Deleted users. Find the user by their display name or UPN, select the user, and click Restore. After restoration, the access review will show the user’s name instead of “Unknown”.
  5. Remove the Unknown Principal from the Review
    If you do not need to restore the principal, you can remove it from the access review. In the access review details, select the checkbox next to the unknown principal row. Click Remove. Confirm the removal. The principal will no longer appear in the review results.
  6. Audit Remaining Unknown Principals
    After removal, run the access review again to confirm no new unknown principals appear. If the review is recurring, check the next instance to ensure the deleted principal is not re-added automatically.

If Unknown Principals Persist After Removal

Unknown Principal Reappears in the Next Review Cycle

If the access review is configured as recurring, the unknown principal may reappear because the review template still references the deleted object ID. To stop this, edit the review settings and remove the deleted principal from the scope: on the review’s settings page, under Scope, remove any user or group that no longer exists, then save the changes.

No Object ID Is Displayed for the Unknown Principal

In rare cases, the details pane for the unknown principal may not show an Object ID. This occurs when the principal object was permanently deleted and its GUID is no longer available. In this situation, you cannot restore the principal. You must remove the row from the review as described in step 5. If the row cannot be removed, contact Microsoft Support with the review ID and tenant ID.

Unknown Principal Is a Service Principal That Still Exists

A service principal may appear as “Unknown” if its display name property is empty. This can happen when an app registration is created programmatically without a display name. To fix this, locate the service principal in Microsoft Entra ID > Applications > Enterprise applications. Find the app by its object ID. Edit its properties and add a display name. The access review will update within 24 hours.

Deleted Principal vs Unknown Principal: Key Differences

| Item | Deleted Principal | Unknown Principal |
|---|---|---|
| Display name in review | Shows the former display name until the object is permanently deleted | Shows “Unknown” because the object is no longer resolvable |
| Object ID | Visible in the details pane | Visible in the details pane |
| Restoration window | 30 days for users, 30 days for groups, no restoration for service principals | Same as deleted principal; depends on object type |
| Risk level | Low if the user was intentionally removed | Low if the principal was intentionally deleted; medium if the deletion was unauthorized |

When you see an unknown principal in a OneDrive access review, the first step is to verify whether the deletion was intentional. Check the Microsoft Entra audit logs for the Delete user, Delete group, or Delete service principal event. Look at the date and time of the deletion. If the deletion was unauthorized, restore the principal immediately and investigate the cause of the deletion.

To view audit logs, go to Microsoft Entra admin center > Identity > Monitoring & health > Audit logs. Filter by the date range of the access review and the activity “Delete user” or “Delete group”. Match the object ID of the unknown principal to the target ID in the audit log entry.

You can now identify the source of unknown principals in OneDrive access reviews and decide whether to restore or remove them. For recurring reviews, update the review scope to exclude deleted objects. As an advanced tip, export the access review results to CSV using the “Download” button in the review details page. This gives you a permanent record of all principals, including their object IDs, even after they are removed from the review.
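The object-type lookup from step 3, the audit-log check and the CSV record, combined into one triage script for a batch of object IDs. This is an added example, not the article’s code; it uses the Microsoft Graph PowerShell SDK (Microsoft’s replacement for the deprecated AzureAD module) and assumes the Microsoft.Graph module is installed, the signed-in account holds Directory.Read.All and AuditLog.Read.All, and the default GUID and output path are constructed placeholders.

```powershell
# Added example, not code from the original article. Triages object IDs copied from
# "Unknown" rows of an access review: finds each ID among soft-deleted directory objects
# (type, days left to restore) and the audit event that deleted it. Uses the Microsoft
# Graph PowerShell SDK, not the AzureAD module. Default GUID is a constructed placeholder.
param(
    [string[]]$ObjectIds = @('00000000-0000-0000-0000-000000000001')  # placeholder
)

Connect-MgGraph -Scopes 'Directory.Read.All', 'AuditLog.Read.All' | Out-Null

# Pull the three deletion activities once and index them by target object ID.
$deleteEvents = @{}
foreach ($activity in 'Delete user', 'Delete group', 'Delete service principal') {
    Get-MgAuditLogDirectoryAudit -Filter "activityDisplayName eq '$activity'" -All |
        ForEach-Object {
            foreach ($target in $_.TargetResources) {
                if ($target.Id -and -not $deleteEvents.ContainsKey($target.Id)) {
                    $deleteEvents[$target.Id] = $_
                }
            }
        }
}

$results = foreach ($id in $ObjectIds) {
    # Soft-deleted objects are returned here; a permanently deleted ID throws,
    # which matches the "No Object ID" case described in the article.
    $deleted = $null
    try { $deleted = Get-MgDirectoryDeletedItem -DirectoryObjectId $id -ErrorAction Stop } catch { }
    $type = 'PermanentlyDeletedOrNotFound'
    $daysLeft = $null
    if ($deleted) {
        $type = $deleted.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
        # Remaining part of the 30-day soft-delete window (users and groups).
        $daysLeft = [math]::Max(0, 30 - ((Get-Date) - $deleted.DeletedDateTime).Days)
    }
    $evt = $deleteEvents[$id]
    $actor = $evt.InitiatedBy.User.UserPrincipalName
    if (-not $actor) { $actor = $evt.InitiatedBy.App.DisplayName }
    [pscustomobject]@{
        ObjectId        = $id
        ObjectType      = $type
        DeletedDateTime = $deleted.DeletedDateTime
        RestoreDaysLeft = $daysLeft
        DeletedBy       = $actor   # an unexpected actor means investigate before restoring
        AuditActivity   = $evt.ActivityDisplayName
    }
}

$results | Sort-Object RestoreDaysLeft | Format-Table -AutoSize
$results | Export-Csv -Path .\unknown-principals-triage.csv -NoTypeInformation
```

Rows with a low RestoreDaysLeft and an unfamiliar DeletedBy value are the ones to act on first, since the restore window closes regardless of whether the deletion was authorized.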