Introduction
Backing up and restoring Entra ID (formerly Azure Active Directory) forms part of our Microsoft service offering. To add a tenant and recover data, you need to be both a RedApp partner administrator or company administrator, and an Entra ID global administrator for your tenant organisation.
- For more information, see Article 1573 - Entra ID backup and recovery: frequently asked questions.
- Read more about Entra ID roles in this article on Microsoft's knowledge base.
- Microsoft's best practices for recoverability of Entra ID are documented here.
What is supported?
Redstor supports backup and recovery of the following objects. Click through to see supported attributes and relationships.
- Admin units
- App registrations
- Authentication method policies
- Conditional Access policies
- Enterprise applications
- Groups
- Intune device compliance policies
- Roles
- Users
Guides
Use the guides below to manage your Entra ID backups.
How to add a tenant
1. In the RedApp, go to My Company in the sidebar or to the relevant customer company.
2. Go to the Entra ID product.
Note: If you have not yet added Entra ID as a product, see Article 1438 for help.
3. Click Add tenant at the top right.
4. Click Sign in. You will now need to sign into Microsoft and provide Redstor with permission to access your data for backup. This action requires a global administrator role.
By switching on the toggle, you can schedule your first backup to start immediately once the tenant has been added. The time the first backup occurs will become the scheduled time for the daily backup of this tenant.
5. Click Accept to proceed.
6. Your tenant will now appear on the list of tenants. You can run a manual backup at any time by expanding the menu in the last column and clicking Backup.
At the top of the page, you will see a Secure Score for the tenant. This is a representation of the organisation’s overall security posture, as calculated by Microsoft (not by Redstor). More detail can be found in this article from Microsoft's knowledge base. This Secure Score should not be confused with the identity secure score in Entra ID.
7. Once the backup has completed, you will see a list of protected objects. The Last Backup column shows the most recent date and time that a distinct version of an object was backed up. This can differ for each object based on the latest changes to it that were included in a backup.
Note: Deleted users in Entra ID will be greyed out.
For assistance with estimating the number of billable users your tenant will have, see Article 1437 - Seat management: key terms.
How to view object attributes
You can view the attributes of the latest backed-up version of any object by expanding the menu to the object's right and clicking on View attributes.
Viewing attributes for users requires authenticating with a directory reader role in Entra ID, but groups and other object attributes do not require authentication. After authenticating, you will be able to view attributes without re-authentication for 7 days.
You have two ways of viewing the attributes: as metadata and as JSON.
When viewing as metadata, you can search for a specific attribute using the search field at the top left of the dialog.
The JSON values can be copied by clicking on the copy icon at the top right of the dialog.
For a list of Entra ID objects that we support, see Article 1554.
How to recover a user
Note:
- For important information about recovering Entra ID objects, see Article 1554.
- The process to recover a global administrator will include additional steps to those documented here, and requires assistance from Redstor Support.
1. In your list of protected objects, locate the user you want to recover.
- If you want to recover the latest backed-up version of the user, expand the menu to its right and click Restore.
A list of restorable versions will be shown, from which you can select only one. This will overwrite the user's existing configuration in Entra ID.
- If you want to recover an earlier version of the user, expand the menu to the user's right and click on Compare attributes. This can assist you in deciding which version to restore.
Select any two versions and click Compare.
To simplify comparison, the option Show only differences will be enabled by default.
Once you have decided on a version to restore, select that version and click Restore at the bottom right. This will overwrite the user's existing configuration in Entra ID.
2. Click Yes, confirm to proceed.
You will need to authenticate with a Microsoft global administrator role if this is the first time that you are recovering during the current session. After authenticating, you will be able to do recoveries for one hour without re-authentication.
If a user that was deleted in Entra ID is being restored (i.e. recreated), a password will be displayed in the restore warning dialog. This password is a random default that differs for every user, and should be copied as it will not be accessible elsewhere.
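The Compare attributes step above shows which attributes differ between two backed-up versions before a restore overwrites the live object. As an added example that is not part of this article or of Redstor's software, the following Python script performs the same kind of comparison offline on two JSON exports copied from the View attributes dialog, with a Show only differences switch and a check for which sign-in-relevant attributes a chosen restore point would revert. The two user objects and the SENSITIVE_ATTRIBUTES list are constructed for the example and are not taken from any real tenant.

```python
import json
from typing import Any

# Constructed sample input: two backed-up versions of the same user,
# in the Graph-style JSON shape shown in the View attributes dialog.
# Every value here is made up for this example.
VERSION_A = json.loads("""{
  "id": "11111111-2222-3333-4444-555555555555",
  "displayName": "Alice Example",
  "userPrincipalName": "alice@contoso.example",
  "accountEnabled": true,
  "jobTitle": "Analyst",
  "assignedLicenses": [{"skuId": "sku-a"}],
  "otherMails": ["alice.personal@example.net"]
}""")

VERSION_B = json.loads("""{
  "id": "11111111-2222-3333-4444-555555555555",
  "displayName": "Alice Example",
  "userPrincipalName": "alice@contoso.example",
  "accountEnabled": false,
  "jobTitle": "Senior Analyst",
  "assignedLicenses": [{"skuId": "sku-a"}, {"skuId": "sku-b"}],
  "otherMails": []
}""")

MISSING = object()  # sentinel: attribute present in only one version

# Attributes whose reversion changes whether, and as whom, the user can
# sign in (an assumed list for this example; extend it for your tenant).
SENSITIVE_ATTRIBUTES = {"accountEnabled", "userPrincipalName", "assignedLicenses"}


def _walk(old: Any, new: Any, path: str, rows: list) -> None:
    """Recursively pair up the leaves of two JSON values, recording
    (path, old, new, changed) for every leaf position."""
    if isinstance(old, dict) and isinstance(new, dict):
        for key in sorted(set(old) | set(new)):
            child = f"{path}.{key}" if path else key
            _walk(old.get(key, MISSING), new.get(key, MISSING), child, rows)
    elif isinstance(old, list) and isinstance(new, list):
        for i in range(max(len(old), len(new))):
            o = old[i] if i < len(old) else MISSING
            n = new[i] if i < len(new) else MISSING
            _walk(o, n, f"{path}[{i}]", rows)
    else:
        rows.append((path, old, new, old != new))


def _show(value: Any) -> Any:
    """Render the MISSING sentinel readably; pass other values through."""
    return "<absent>" if value is MISSING else value


def compare_attributes(old: dict, new: dict, show_only_differences: bool = True) -> list:
    """Return (path, old_value, new_value) rows for two object versions.
    With show_only_differences=False, unchanged leaves are listed too."""
    rows: list = []
    _walk(old, new, "", rows)
    if show_only_differences:
        rows = [r for r in rows if r[3]]
    return [(p, _show(o), _show(n)) for p, o, n, _ in rows]


def sensitive_reversions(current: dict, restore_point: dict) -> list:
    """Differences that restoring `restore_point` over `current` would
    apply to sensitive attributes. A restore overwrites the live object,
    so these are the rows to review before confirming it."""
    return [
        row for row in compare_attributes(current, restore_point)
        if row[0].split(".")[0].split("[")[0] in SENSITIVE_ATTRIBUTES
    ]


if __name__ == "__main__":
    for path, old, new in compare_attributes(VERSION_A, VERSION_B):
        print(f"{path}: {old!r} -> {new!r}")
    print("sensitive reversions if version A is restored over version B:")
    for path, old, new in sensitive_reversions(VERSION_B, VERSION_A):
        print(f"  {path}: {old!r} -> {new!r}")
```

Paste the current live object as the first argument and the candidate restore point as the second: every row returned by sensitive_reversions is a change the restore will make to the account's sign-in state or licensing, which is the part of an overwrite worth a second look.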
How to recover a group
Note: For important information about recovering Entra ID objects, see Article 1554.
1. In your list of protected objects, go to Groups.
2. Locate the group you want to recover. Expand the menu to its right and click Restore. This will overwrite the object's existing configuration in Entra ID.
3. Click Yes, confirm to proceed.
You will need to authenticate with a Microsoft global administrator role if this is the first time that you are recovering during the current session. After authenticating, you will be able to do recoveries for one hour without re-authentication.
Limitations of Entra ID object recovery
- Whenever you recover Entra ID objects in the RedApp, you may be asked to re-authenticate with Microsoft.
- If a group without an owner is deleted, the group can be recovered from the Entra ID admin centre, but not from the RedApp, unless you select a restore point at which the group had an owner assigned to it.
- If a global administrator user is soft-deleted, the user can be recovered from the Entra ID admin centre, but not from the RedApp.
- If a user with a user principal name that matches another active user is soft-deleted, the user can be recovered from the Entra ID admin centre, but not from the RedApp.
- Some objects in Entra (specifically users, groups and admin units) can be either soft-deleted or hard-deleted. All other objects can only be hard-deleted.
- Recovering a soft deletion entails taking the same deleted object out of the Recycle Bin and returning it to its original location.
- Recovering a hard deletion entails creating a new object (a copy of the object from before deletion) and substituting this for the deleted object in the original location. In the RedApp, the original object will be greyed out and shown as deleted alongside the new object with the same name. Restored hard-deleted objects will have a new ID and creation time. Read more on Microsoft's knowledge base here.
- With regard to relationships, we back up and recover only the supported relationships listed here.
- Recovery is not supported for mail-enabled security groups and mail distribution groups.
- Dynamic groups are backed up, but cannot be recovered.