1554 - How to backup and recover Microsoft Entra ID

Modified on Fri, 8 Aug at 6:43 AM


Introduction

Backing up and restoring Entra ID (formerly Azure Active Directory) forms part of our Microsoft service offering. To add a tenant and recover data, you need to be both a RedApp partner administrator or company administrator, and a Global Administrator in the Entra ID tenant for your organisation.

 

What is supported?

Redstor supports backup and recovery of the following objects. Click through to see supported attributes and relationships.

 

How to add a tenant

1. In the RedApp, go to My Company in the sidebar or to the relevant customer company.



2. Go to the Entra ID product.



Note: If you have not yet added Entra ID as a product, see Article 1438 for help.


3. Click Add tenant at the top right.



4. Click Sign in. You are redirected to Microsoft to sign in and grant Redstor consent to access the tenant's data for backup. This is a tenant-wide admin consent, so the account you sign in with must hold the Global Administrator role.



By switching on the toggle, you can schedule your first backup to start immediately once the tenant has been added. The time the first backup occurs will become the scheduled time for the daily backup of this tenant.


5. Click Accept to proceed. 



6. Your tenant will now appear on the list of tenants. You can run a manual backup at any time by expanding the menu in the last column and clicking Backup.



At the top of the page, you will see a Secure Score for the tenant. This is a representation of the organisation’s overall security posture, as calculated by Microsoft (not by Redstor). More detail can be found in this article from Microsoft's knowledge base. This Secure Score should not be confused with the identity secure score in Entra ID.



7. Once the backup has completed, you will see a list of protected objects. The Last Backup column shows the most recent date and time that a distinct version of an object was backed up. This can differ for each object based on the latest changes to it that were included in a backup.


Note: Deleted users in Entra ID will be greyed out.


For assistance with estimating the number of billable users your tenant will have, see Article 1437 - Seat management: key terms.
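The consent granted in step 4 creates an enterprise application (service principal) for the backup service in your tenant, and that object records exactly which application permissions and delegated scopes were consented. The following Microsoft Graph PowerShell script is an added example for checking that, not Redstor's or Microsoft's own code. It assumes the Microsoft.Graph PowerShell SDK is installed and that the enterprise application's display name starts with the value of $NameFilter (a hypothetical value; set it to the name shown under Enterprise applications in the Entra admin centre after you click Accept); the $writePattern regex is a heuristic for spotting permissions that can change directory state.

```powershell
# Added example, not Redstor's code: list every permission the consented
# backup app holds in the tenant, flagging the ones that can write.
# Assumptions: Microsoft.Graph PowerShell SDK is installed; the enterprise
# application's display name starts with $NameFilter (hypothetical value).
$NameFilter = 'Redstor'
$graph      = 'https://graph.microsoft.com/v1.0'

Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' -NoWelcome

# 1. Locate the service principal that the consent in step 4 created.
$sps = (Invoke-MgGraphRequest -Method GET -Uri ("$graph/servicePrincipals?`$filter=startswith(displayName,'$NameFilter')&`$select=id,appId,displayName")).value
if (-not $sps) { throw "No enterprise application whose name starts with '$NameFilter' was found." }

# Heuristic used below to flag permissions that change directory state.
$writePattern = 'ReadWrite|AccessAsUser|\.Manage'

foreach ($sp in $sps) {
    "=== $($sp.displayName)  appId=$($sp.appId)  objectId=$($sp.id)"

    # 2. Application permissions: each appRoleAssignment names a role id on a
    #    resource (usually Microsoft Graph); resolve the id to its readable value.
    $assignments = (Invoke-MgGraphRequest -Method GET -Uri "$graph/servicePrincipals/$($sp.id)/appRoleAssignments").value
    $resourceCache = @{}
    foreach ($a in $assignments) {
        if (-not $resourceCache.ContainsKey($a.resourceId)) {
            $resourceCache[$a.resourceId] = Invoke-MgGraphRequest -Method GET -Uri "$graph/servicePrincipals/$($a.resourceId)?`$select=displayName,appRoles"
        }
        $res  = $resourceCache[$a.resourceId]
        $role = $res.appRoles | Where-Object { $_.id -eq $a.appRoleId }
        $name = if ($role) { $role.value } else { "unknown role $($a.appRoleId)" }
        $flag = if ($name -match $writePattern) { '   <-- can write' } else { '' }
        "  [Application] $($res.displayName): $name$flag"
    }

    # 3. Delegated permissions: an oauth2PermissionGrant with consentType
    #    AllPrincipals is tenant-wide admin consent, which is what clicking
    #    Accept as a Global Administrator produces.
    $grants = (Invoke-MgGraphRequest -Method GET -Uri ("$graph/oauth2PermissionGrants?`$filter=clientId eq '$($sp.id)'")).value
    foreach ($g in $grants) {
        $scopes = ($g.scope.Trim() -split '\s+') | Where-Object { $_ }
        $writes = $scopes | Where-Object { $_ -match $writePattern }
        $line   = "  [Delegated, $($g.consentType)] $($scopes -join ' ')"
        if ($writes) { $line += "   <-- can write: $($writes -join ' ')" }
        $line
    }
}
```

Run it once after the tenant is added and keep the output with your change record: every permission it lists is something the backup service can exercise without a Global Administrator present, so the list should match what the vendor documents and nothing more. Re-run it whenever the enterprise application is updated.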

 

How to view object attributes

You can view the attributes of the latest backed-up version of any object by expanding the menu to the object's right and clicking View attributes.



Viewing user attributes requires you to authenticate to Entra ID with at least the Directory Readers role; attributes of groups and other objects can be viewed without authenticating. After authenticating, you can view attributes for 7 days without re-authenticating.


You have two ways of viewing the attributes: as metadata and as JSON.


When viewing as metadata, you can search for a specific attribute using the search field at the top left of the dialog.



The JSON values can be copied by clicking on the copy icon at the top right of the dialog.



For a list of Entra ID objects that we support, see Article 1554.

 

How to recover

Note: 

  • For important information about recovering Entra ID objects, see Limitations of Entra ID object recovery below. 
  • There are two settings available when restoring Entra ID relationships: restore relationships and restore sub-objects. Read more in Article 1612.
  • The process to recover a global administrator will include additional steps to those documented here, and requires assistance from Redstor Support.

 

1. In your list of protected objects, locate the object you want to recover. For this example, we will recover a user.

  • If you want to recover the latest backed-up version of the user, expand the menu to its right and click Restore.



    A list of restorable versions will be shown, from which you can select only one. This will overwrite the user's existing configuration in Entra ID.

  • If you want to recover an earlier version of the user, expand the menu to the user's right and click on Compare attributes. This can assist you in deciding which version to restore.



    Select any two versions and click Compare.



    To simplify comparison, the option Show only differences will be enabled by default.



    Once you have decided on a version to restore, select that version and click Restore at the bottom right. This will overwrite the user's existing configuration in Entra ID.


2. Click Yes, confirm to proceed. 



You will need to authenticate with a Microsoft global administrator role if this is the first time that you are recovering during the current session. After authenticating, you will be able to do recoveries for one hour without re-authentication.


If you are restoring a user that was deleted in Entra ID (i.e. recreating it), a password is displayed in the restore warning dialog. This password is a random default that differs for every user; copy it before closing the dialog, as it is not accessible anywhere else. Treat it as a credential: hand it to the user over a secure channel and have them change it at first sign-in.



You can also select multiple objects to recover. Once you click Restore, you will be shown a calendar of possible restore points that include all your selected objects.



  

Limitations of Entra ID object recovery

  • Whenever you recover Entra ID objects in the RedApp, you may be asked to re-authenticate with Microsoft.
  • If a group without an owner is deleted, the group can be recovered from the Entra ID admin centre, but not from the RedApp, unless you select a restore point at which the group had an owner assigned.
  • If a Global Administrator user is soft-deleted, the user can be recovered from the Entra ID admin centre, but not from the RedApp.
  • If a user whose user principal name matches that of another active user is soft-deleted, the user can be recovered from the Entra ID admin centre, but not from the RedApp.
  • Of the object types covered here, users, groups and administrative units can be either soft-deleted or hard-deleted; the other object types can only be hard-deleted.
    • Recovering a soft deletion takes the same deleted object out of the Recycle Bin and returns it to its original location, with its original ID.
    • Recovering a hard deletion creates a new object (a copy of the object as it was before deletion) and substitutes it for the deleted object in the original location. In the RedApp, the original object is greyed out and shown as deleted alongside the new object with the same name. A restored hard-deleted object has a new ID and creation time, so anything that referenced the old ID is not carried over by itself; only the supported relationships (next point) are recovered. Read more on Microsoft's knowledge base here.
  • With regard to relationships, we back up and recover only the supported relationships listed here.
  • Recovery is not supported for mail-enabled security groups or mail distribution groups.
  • Dynamic groups are backed up but cannot be recovered.
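The soft-delete and hard-delete cases above can be told apart directly in the tenant before you decide how to recover. The following Microsoft Graph PowerShell script is an added example, not Redstor's or Microsoft's code: it looks a user up in the Entra ID Recycle Bin, restores it in place if it is there (the same object, so the ID is preserved), and otherwise reports that only a recreation is possible, which yields a new object ID. It assumes the Microsoft.Graph PowerShell SDK is installed and uses a hypothetical UPN, jane.doe@contoso.example, in $Upn.

```powershell
# Added example, not Redstor's code: decide whether a deleted user is a soft
# deletion (restorable in place) or a hard deletion (only recreatable, new ID).
# Assumptions: Microsoft.Graph PowerShell SDK is installed; $Upn is hypothetical.
$Upn   = 'jane.doe@contoso.example'
$graph = 'https://graph.microsoft.com/v1.0'

# Listing deletedItems needs directory read; the restore action needs user write.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.ReadWrite.All' -NoWelcome

# 1. Is the account still live? Then there is nothing to recover.
$live = (Invoke-MgGraphRequest -Method GET -Uri ("$graph/users?`$filter=userPrincipalName eq '$Upn'&`$select=id,userPrincipalName")).value
if ($live) {
    "User $Upn is active (id $($live[0].id)); nothing to recover."
    return
}

# 2. Look in the Recycle Bin (Microsoft keeps soft-deleted users there for 30 days).
#    Entra ID rewrites a soft-deleted user's UPN with the object ID as a prefix,
#    so match on the original UPN as a suffix rather than testing for equality.
$bin = @()
$uri = "$graph/directory/deletedItems/microsoft.graph.user?`$select=id,userPrincipalName,deletedDateTime"
while ($uri) {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $bin += $page.value
    $uri  = $page.'@odata.nextLink'      # follow paging until the listing is exhausted
}
$match = $bin | Where-Object { $_.userPrincipalName -like "*$Upn" } |
         Sort-Object { $_.deletedDateTime } -Descending | Select-Object -First 1

if ($match) {
    # 3a. Soft deletion: restore returns the SAME object, so the ID is preserved and
    #     everything keyed on that ID (memberships, licences, role assignments)
    #     comes back with it. This is the case the RedApp handles as a soft restore.
    "Soft-deleted on $($match.deletedDateTime); restoring in place."
    $restored = Invoke-MgGraphRequest -Method POST -Uri "$graph/directory/deletedItems/$($match.id)/restore"
    if ($restored.id -ne $match.id) { throw 'Unexpected: restored object has a different ID.' }
    "Restored $($restored.userPrincipalName) with unchanged id $($restored.id)."
} else {
    # 3b. Hard deletion (or past the 30-day window): nothing to restore. Recreating
    #     the user from a backup (POST /users) produces a new object with a new ID,
    #     so memberships, role assignments and app assignments must be reapplied,
    #     which is what the RedApp's restore relationships setting is for.
    "No Recycle Bin entry for $Upn: it was hard-deleted or has expired. Recovery means recreating it, which gives it a new object ID."
}
```

Check the ID printed in the soft-delete branch against the object ID shown in the RedApp's attribute view: if they agree, existing references to the user (for example conditional access exclusions or app role assignments that name the object ID) still resolve; after a recreation they will not, and that is why the greyed-out original and the new object appear side by side in the RedApp.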

 
