Introduction
Microsoft Entra Backup and Recovery is an integrated solution offering advanced tools for backing up and recovering critical directory objects. Tailored for IT professionals, this solution enables efficient restoration of elements following accidental modifications or compromises.
Why use Microsoft Entra?
Microsoft Entra ensures the security and continuity of critical data for organizations implementing a robust cloud strategy.
Prerequisites
To benefit from Microsoft Entra Backup and Recovery, you must meet the following criteria:
- Your tenant must be a workforce tenant. External ID and Azure AD B2C tenants are not supported.
- Microsoft Entra ID P1 or P2 licenses are required.
- Access requires one of the following roles:
  - Microsoft Entra Backup Reader: Read access to backups, difference reports, and recovery history.
  - Microsoft Entra Backup Administrator: Full access to trigger restore operations or create reports. This role includes Global Administrator permissions.
Attention to roles
Ensure you assign administrative roles correctly to avoid configuration errors or inappropriate access.
Main Features
Microsoft Entra Backup and Recovery provides several powerful tools:
- View available backups.
- Create difference reports to compare current states to previous backups.
- Selective or full recovery of modified objects.
- Detailed history of recovery actions.
Tip for optimal restoration
Before any operation, generate a difference report to analyze changes and precisely select objects to restore.
Recoverable Objects and Properties
Restoration is limited to certain object types and their supported properties. This list evolves with Microsoft updates:
Users
Recoverable properties include, among others:
- DisplayName
- GivenName
- UserPrincipalName
- TelephoneNumber
Groups
Properties include:
- DisplayName
- Description
- MailNickname
Applications and Service Principals
Application objects contain properties such as DisplayName and Notes while service principals include AccountEnabled and Description.
Policies and Settings
- Conditional access policies.
- Named locations.
- Authentication methods.
For the comprehensive list of supported properties, visit the official Microsoft Graph documentation.
Managing Limitations
Execution Duration
Operation duration varies depending on the tenant:
- Initial loading: up to 2.5 hours for large tenants.
- Repeated operations: significantly faster thanks to cached data usage.
Permanently Deleted Objects
Only soft-deleted objects can be restored. Permanently deleted objects require creating a new object.
On-premises AD Sync
Objects synchronized from an on-premises Active Directory are visible in reports but cannot be restored via Microsoft Entra Backup and Recovery.
Critical point
Configure a robust on-premises AD solution for objects managed outside the cloud to ensure continuity of your operations.
Soft Delete: A Pillar of Recovery
Soft delete preserves deleted objects temporarily, providing a 30-day recovery window. Unlike hard deletion, it maintains data integrity and relationships.
| Deletion Type | What Happens? | Can It Be Recovered? |
|---|---|---|
| Soft delete | Object deleted then recoverable | Yes |
| Hard delete | Object permanently erased | No |
Quick Guide: Create a Difference Report
Access the backup on the Entra portal
Sign in to the Microsoft Entra portal and locate the backup and recovery section.
Generate a difference report
Select a specific backup and click on the report option. Apply filters for targeted analysis.
PowerShell example:

```powershell
Get-MgBackupDifferences -BackupId {BackupGUID} -Filters {ObjectType}
```

Analyze the report
Review the listed modifications before proceeding with a restore.
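As an added example that is not part of the original guide, the script below triages a difference report before a restore, applying the recoverable property lists and the limitations described on this page (hard deletions and on-premises synced objects cannot be restored). The entry layout, the constructed sample entries and the placeholder object IDs are assumptions, since the real output of Get-MgBackupDifferences is not shown here.

```powershell
# Added example, not from the original page: triage a difference report before restoring.
# The entry shape (ObjectType, ObjectId, DeletionState, OnPremisesSyncEnabled, ChangedProperties)
# is an assumed, constructed layout, not the real output of Get-MgBackupDifferences.

# Recoverable properties per object type, taken from the (non-exhaustive) list on this page.
$RecoverableProperties = @{
    User  = @('DisplayName', 'GivenName', 'UserPrincipalName', 'TelephoneNumber')
    Group = @('DisplayName', 'Description', 'MailNickname')
}

# Constructed sample report entries with placeholder object IDs.
$SampleReport = @(
    [pscustomobject]@{ ObjectType = 'User';  ObjectId = 'user-0001';  DeletionState = 'SoftDeleted'; OnPremisesSyncEnabled = $false; ChangedProperties = @('DisplayName', 'JobTitle') }
    [pscustomobject]@{ ObjectType = 'User';  ObjectId = 'user-0002';  DeletionState = 'None';        OnPremisesSyncEnabled = $true;  ChangedProperties = @('TelephoneNumber') }
    [pscustomobject]@{ ObjectType = 'Group'; ObjectId = 'group-0001'; DeletionState = 'HardDeleted'; OnPremisesSyncEnabled = $false; ChangedProperties = @('Description') }
    [pscustomobject]@{ ObjectType = 'Group'; ObjectId = 'group-0002'; DeletionState = 'None';        OnPremisesSyncEnabled = $false; ChangedProperties = @('MailNickname', 'Description') }
)

function Get-RestoreTriage {
    param([Parameter(Mandatory)][object[]]$Entries)

    foreach ($entry in $Entries) {
        # Permanent deletions are not recoverable: a new object has to be created instead.
        if ($entry.DeletionState -eq 'HardDeleted') {
            [pscustomobject]@{ ObjectId = $entry.ObjectId; Decision = 'Recreate'; Restorable = ''; Skipped = ($entry.ChangedProperties -join ', ') }
            continue
        }
        # Objects synced from on-premises AD appear in the report but must be repaired on-premises.
        if ($entry.OnPremisesSyncEnabled) {
            [pscustomobject]@{ ObjectId = $entry.ObjectId; Decision = 'FixOnPremises'; Restorable = ''; Skipped = ($entry.ChangedProperties -join ', ') }
            continue
        }
        # Keep only the properties this page lists as recoverable; everything else is reported as skipped.
        $supported  = $RecoverableProperties[$entry.ObjectType]
        $restorable = @($entry.ChangedProperties | Where-Object { $supported -contains $_ })
        $skipped    = @($entry.ChangedProperties | Where-Object { $supported -notcontains $_ })
        $decision   = if ($restorable.Count -gt 0) { 'Restore' } else { 'NothingToRestore' }
        [pscustomobject]@{
            ObjectId   = $entry.ObjectId
            Decision   = $decision
            Restorable = ($restorable -join ', ')
            Skipped    = ($skipped -join ', ')
        }
    }
}

Get-RestoreTriage -Entries $SampleReport | Format-Table -AutoSize
```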
Glossary of Key Terms
- Soft delete: Reversible deletion allowing temporary recovery.
- Hard delete: Permanent deletion with no possibility of restoration.
- Workforce Tenant: Cloud directory dedicated to managing employee identities.
- Microsoft Graph: API for managing Microsoft 365 and Azure AD data.