About Supported Attributes
On Demand Recovery allows the restoration of Microsoft Entra ID and Microsoft 365 users, groups, applications, service principals, devices, Conditional Access policies and Application Proxy settings. The application can process two types of Microsoft 365 groups: Microsoft 365 groups and security groups. Group membership and ownership are restored for both types of groups.
Objects can be selected in a backup and then restored to Microsoft Entra ID or Microsoft 365 without affecting other objects or attributes. Using the granular restore, objects that were accidentally deleted or modified can be recovered in a few minutes.
The following guide lists the attributes that On Demand Recovery can restore for each object type. These object types include:
- Entra Users
- Entra Groups
- Service Principals (Enterprise Applications)
- Devices
- Applications (Application Registrations)
- Conditional Access Policy
- Application Proxy
- Country Named Location
- IP Named Location
- Tenant Level Settings
- Administrative Units
For more information on restoring objects, visit the On Demand Recovery documentation.
Entra Users
Users are the representation of a Microsoft Entra work or school user account.
The lists below include all supported Microsoft Entra user attributes that can be restored by On Demand Recovery.
General
accountEnabled |
True if the account is enabled; otherwise, False. |
ageGroup |
The age group of the user. |
appRoleAssignments |
Represents the app roles a user has been granted for an application. |
assignedLicenses |
The licenses that are assigned to the user, including inherited (group-based) licenses. This property doesn't differentiate between directly assigned and inherited licenses. NOTE: See the Assigned Licenses and Plans list below for detailed information on this complex attribute. |
businessPhones |
The telephone numbers for the user. |
city |
The city in which the user is located. |
companyName |
The name of the company with which the user is associated. This property can be useful for describing the company that an external user comes from. |
consentProvidedForMinor |
Sets whether consent has been obtained for minors. |
country |
The country/region in which the user is located. |
department |
The name of the department in which the user works. |
directReports |
The users and contacts that report to the user. (The users and contacts that have their manager property set to this user.) |
displayName |
The name displayed in the address book for the user. This value is usually the combination of the user's first name, middle initial, and last name. |
employeeHireDate |
The hire date of an employee within an organization's directory. |
employeeId |
The employee identifier assigned to the user by the organization. |
employeeType |
The employment status of a user. |
faxNumber |
The fax number of the user. |
givenName |
The given name (first name) of the user. |
identities (B2C only) |
Represents the identities that can be used to sign in to this user account. |
jobTitle |
The user’s job title. |
mail |
The SMTP address for the user. |
mailNickname |
The mail alias for the user. |
manager |
The user or contact that is this user's manager. |
memberOf |
The groups, directory roles and administrative units that the user is a member of. |
mfaState |
Identifies multifactor authentication state for the user. NOTE: See the Multifactor Authentication list below for detailed information on this complex attribute. |
mobilePhone |
The primary cellular telephone number for the user. |
officeLocation |
The office location in the user's place of business. |
otherMails |
A list of additional email addresses for the user. |
ownedDevices |
Devices that are owned by the user. |
ownedObjects |
The directory objects that are owned by the user. |
passwordPolicies |
Specifies password policies for the user. |
postalCode |
The postal code for the user's postal address. The postal code is specific to the user's country/region. |
registeredDevices |
Devices that are registered for the user. |
roles |
Specifies administrator roles assigned to a user. |
state |
The state or province in the user's address. |
streetAddress |
The street address of the user's place of business. |
surname |
The user's surname (family name or last name). |
usageLocation |
A two-letter country code (ISO standard 3166). |
userPrincipalName |
The user principal name (UPN) of the user. |
userType |
A string value that can be used to classify user types in your directory, such as “Member” and “Guest”. |
Assigned Licenses and Plans
In Microsoft Entra ID, licenses and plans are assigned to users to give them access. Licenses and plans can be assigned and unassigned.
When the complex attribute 'assignedLicenses' is selected for restore, the following attributes will also be restored. Individual attributes cannot be selected and are all restored together.
assignedDateTime (Assigned Plans) |
The date and time at which the plan was assigned. |
capabilityStatus (Assigned Plans) |
Condition of the capability assignment. |
disabledPlans |
A collection of the unique identifiers for plans that have been disabled. |
licenseAssignmentStates |
State of license assignments for this user. |
service (Assigned Plans) |
The name of the service to activate. |
servicePlanId (Assigned Plans) |
The plan identifier of the service plan to activate. |
skuId |
The unique identifier for the SKU. |
state |
Indicates the current state of this assignment. |
Multifactor Authentication
To secure user sign-in events in Microsoft Entra ID, multifactor authentication can be enabled on user accounts.
When the complex attribute 'MFAState' is selected for restore, the following attributes will also be restored. Individual attributes cannot be selected and are all restored together.
Default MFA method |
Email authentication methods |
Phone authentication methods |
SMS sign-on status |
User state of MFA settings |
Hybrid User
onPremisesDistinguishedName |
Contains the on-premises Active Directory distinguished name or DN. |
onPremisesDomainName |
Contains the on-premises domainFQDN, also called dnsDomainName synchronized from the on-premises directory. |
onPremisesExtensionAttributes |
Contains extensionAttributes 1-15 for the user. |
onPremisesImmutableId |
This property is used to associate an on-premises Active Directory user account to their Microsoft Entra user object. |
onPremisesSamAccountName |
Contains the on-premises samAccountName synchronized from the on-premises directory. |
onPremisesSecurityIdentifier |
Contains the on-premises security identifier (SID) for the user that was synchronized from on-premises to the cloud. |
onPremisesUserPrincipalName |
The on-premises UPN of the user. |
Entra Groups
The lists below include all supported Microsoft Entra group attributes that can be restored by On Demand Recovery.
General
appRoleAssignments |
Represents the app roles a group has been granted for an application. |
assignedLicenses |
The licenses that are assigned to the group. NOTE: See the Assigned Licenses and Plans list below for detailed information on this complex attribute. |
description |
An optional description for the group. |
displayName |
The display name for the group. |
groupTypes |
Specifies the group type and its membership. If the collection contains Unified, the group is a Microsoft 365 group; otherwise, it's either a security group or distribution group. NOTE: Distribution groups are not supported by On Demand Recovery. |
isAssignableToRole |
Indicates whether this group can be assigned to a Microsoft Entra role. |
mail |
The SMTP address for the group. |
mailEnabled |
Specifies whether the group is mail-enabled. |
mailNickname |
The mail alias for the group. |
memberOf |
Groups and administrative units that this group is a member of. |
members (Enterprise Applications/Service Principals) |
|
members (Groups and Directory Roles) |
|
members (Users) |
|
membershipRule |
The rule that determines members for this group if the group is a dynamic group. |
membershipRuleProcessingState |
Indicates whether the dynamic membership processing is on or paused. |
owners |
The owners of the group. |
preferredDataLocation |
The preferred data location for the Microsoft 365 group. By default, the group inherits the group creator's preferred data location. |
roles |
|
securityEnabled |
Specifies whether the group is a security group. |
theme |
Specifies a Microsoft 365 group's color theme. |
visibility |
Specifies the group join policy and group content visibility for groups. Possible values are: Private, Public, or HiddenMembership. |
Assigned Licenses and Plans
Groups can be used in Microsoft Entra ID to assign licenses and plans to large numbers of users or to assign user access to deployed enterprise applications. When a user becomes a member of a group, they are automatically assigned the appropriate licenses.
When the complex attribute "AssignedLicenses" is selected to be restored, the following attributes will also be restored. Individual attributes cannot be selected and are all restored together.
disabledPlans |
A collection of the unique identifiers for plans that have been disabled. |
skuId |
The unique identifier for the SKU. |
Hybrid Group
onPremisesDomainName |
onPremisesSamAccountName |
onPremisesSecurityIdentifier |
Entra Devices
The list below includes all supported Microsoft Entra device attributes that can be restored by On Demand Recovery.
Note: On Demand Recovery supports Microsoft Entra joined and registered devices. On Demand Recovery does not support Hybrid devices.
General
accountEnabled |
True if the account is enabled; otherwise, False. |
alternativeSecurityIds |
|
approximateLastSignInDateTime |
The approximate date and time of the previous sign in of the device. |
complianceExpirationDateTime |
The timestamp when the device is no longer deemed compliant. |
deviceId |
Unique Identifier set by Microsoft Entra Device Registration Service at the time of registration. This is an alternate key that can be used to reference the device object. |
deviceMetadata |
Metadata information of the device. |
deviceVersion |
Version of the device. |
displayName |
The display name for the device. |
isManaged |
True if the device is managed by a Mobile Device Management (MDM) app; otherwise, false. |
operatingSystem |
The type of operating system on the device. |
operatingSystemVersion |
The version of the operating system on the device. |
physicalIds |
Physical IDs for the device. |
registeredOwners |
The user that cloud joined the device or registered their personal device. |
registeredUsers |
Collection of registered users of the device. For cloud joined devices and registered personal devices, registered users are set to the same value as registered owners at the time of registration. |
systemLabels |
List of labels applied to the device by the system. |