On Demand Recovery Current - User Guide

Working with On Demand Recovery

This section provides step-by-step instructions on how to use On Demand Recovery.

Note:

  • For Microsoft 365 tenants: On Demand Recovery can back up and restore Microsoft 365 users, Microsoft 365 groups and security groups. Group membership and ownership are restored for both types of groups. The product does not restore any resources associated with Microsoft 365 groups and Microsoft Teams, such as conversations, Planner tasks and plans.
  • Email notifications about failed backups can be enabled by request. For assistance, contact Quest Support.

  1. Go to Quest On Demand and sign up for Quest On Demand. For more details, refer to Sign up for Quest On Demand.
  2. Add your Microsoft Entra tenant as described in the Tenant Management section in the On Demand Global Settings User Guide.
  3. After the tenant is added, make sure that the permissions required to work with the Microsoft Entra tenant are granted. To grant the required permissions, click Go on the tenant tile and check that the Recovery module has the Granted status. For details, please see the Admin Consent Status section in the On Demand Global Settings User Guide. For a list of permissions that need to be granted consent for On Demand Recovery, refer to Consent permissions.

    Note: Microsoft admin consent status is "expired" after 90 days and the Recovery module status is changed to "Not Granted". Once expired, you must grant admin consent again to continue using the module.

  4. To perform Exchange tasks, you will need to grant consent to Exchange Online PowerShell, and assign the Exchange Admin Role. For details, please see the About admin consent status and the Granting and regranting admin consent sections in the On Demand Global Settings User Guide.
  5. To launch On Demand Recovery, click Recovery on the left pane. The Dashboard screen opens.
  6. To configure a hybrid connection with on-premises Active Directory, see Integration with Recovery Manager for Active Directory.
  7. To configure the backup settings, perform the following steps:
    1. Click Manage backups on the Dashboard screen.
    2. Select the tenant from the list and click Edit. The Configure backup dialog opens.

      • To enable the backup creation, select Enabled next to the Schedule option. On Demand Recovery will attempt up to 4 backups per day. Depending on the completion time required for each, the number of backups may be less.
      • Choose to immediately run the backup by selecting the Run backup immediately option. Deselecting this option will allow backups to only run when scheduled.
      • Specify the backup retention period using the Retention policy option in days. The backup retention policy is also applied to backups that are started manually. If no policy is set, the default retention policy is five years (1825 days). If the retention period is changed, the new policy will only affect new backups.
      • To back up multifactor authentication settings, select the Backup MFA settings option.
        • You will need to specify service account credentials for the tenant when selecting this option. For details about required permissions, see Required permissions.
      • To back up data related to inactive mailboxes, select the Backup data related to inactive mailboxes option.
        • You will need to specify service account credentials for the tenant when selecting this option. For details about required permissions, see Required permissions.
      • To back up Application Proxy settings, select the Backup Application proxy settings and connector groups option.
      • To back up service principal default policies and Conditional Access policies, select the Backup Conditional Access Policies and Service Principal Default Policies option.
        • By selecting this option, service principal default policies such as ClaimIssuancePolicy and TokenIssuancePolicy and their relation to service principals will be backed up.
        • You will need to specify service account credentials for the tenant when selecting this option. For details about required permissions, see Required permissions.
    3. Check the status of the module admin consent.
    4. If you need to run the backup creation manually, go to the Tasks screen, select the Backup task and click Start.
  8. To configure restore settings, go to the Manage restores section on the Restoring Objects page.
  9. To start the backup creation manually, you can use the Create Backup option on the Dashboard screen.
  10. To unpack a backup:
    1. Go to the Backups screen. Here, you will find each packed backup, and the properties associated with that backup.

      Note: The Users column reflects the total number of users including guest accounts. The Guest column reflects only guest accounts.

    2. From the Tenant drop-down list, select the tenant, then select the backup you want.
    3. You can specify predefined or custom date ranges to narrow the search results by selecting Custom range.
    4. Click Unpack in the actions menu.
    5. If the option Unpack service principals and devices is not selected, the unpack operation will work faster and the Differences report will contain only changes related to users and groups. For more details about this option, see Backup Unpacking.
    6. In the Backup Unpacking dialog, click Unpack.
  11. When the Unpack backup task is completed, go to the Unpacked Objects screen and select the users and groups that you want to restore and click Restore.

    Note: If you do not unpack a backup, the Unpacked Objects screen will contain no objects or show a list of objects that were extracted from the previously unpacked backup.

  12. In the Restore Objects dialog, select the options for restore. See the To restore objects section in the Restoring Objects page for information on each option.
  13. Also, you can view differences between the selected backup and live Microsoft Entra ID or Microsoft 365 and revert the selected changes using the Differences report tool. For more details, see the Reporting section. You can export the selected report data to the CSV file.
  14. You can view the status of your Restore objects task on the Tasks screen.

  15. Open the Events screen to view errors or warnings, if they occur during the restore operation.
    • Use the Export option to export the selected log data to the CSV format.
    • Use the Acknowledge option to hide events that are no longer relevant. The status of acknowledged events is changed from 'Current' to 'Obsolete'. To view the list of obsolete events, click Obsolete on the left side of the screen.

Backup Unpacking

In the Backup Unpacking dialog, you have the option to Unpack service principals, devices, and conditional access policies. If this option is not selected, the unpack operation will work faster and the Differences report will contain only changes related to users and groups. Otherwise, you will see changes related to users, groups, service principals, devices, and Conditional Access policies. The table below provides the full list of objects and changes that will be shown on the corresponding screens.

If the Unpack service principals, devices, and conditional access policies option is NOT selected, the following items will be shown:

Unpacked Objects view

  • User
  • Group
  • Administrative Unit
  • User Authentication Settings
  • User Authorization Settings
  • External Identities Settings
  • Group Lifecycle Policy
  • Directory Setting

Differences view

  • User
  • Group
  • DirectoryLinkChange
  • DirectoryRoleLinkChange
  • Administrative Unit
  • User Authentication Settings
  • User Authorization Settings
  • External Identities Settings
  • Group Lifecycle Policy
  • Directory Setting

If the Unpack service principals, devices, and conditional access policies option is selected, the following items will be shown:

Unpacked Objects view

  • User
  • Group
  • Service Principal
  • Administrative Unit
  • Country Named Location
  • IP Named Location
  • Conditional Access Policy
  • Device
  • Directory Setting
  • External Identities Settings
  • Group Lifecycle Policy
  • User Authorization Settings
  • User Authentication Settings

Differences view

  • User
  • Group
  • Service Principal
  • Administrative Unit
  • Country Named Location
  • IP Named Location
  • Conditional Access Policy
  • Device
  • Directory Setting
  • External Identities Settings
  • Group Lifecycle Policy
  • User Authorization Settings
  • User Authentication Settings
  • OAuth2PermissionGrant
  • AppRoleAssignment
  • OwnerLinkChange
  • GroupOwnerLinkChange
  • DirectoryRoleLinkChange
  • RegisteredOwnerDeviceLinkChange
  • RegisteredUserDeviceLinkChange
  • DirectoryLinkChange
  • AdministrativeUnitLinkChange
  • GroupLifecyclePolicyLinkChange
  • CompliantNetworkNamedLocation
  • ApplicationOwnerLinkChange
  • ScopedRoleMembership

The Perform differences during the unpack option is selected by default, so the differences operation begins automatically once the unpack completes. If this option is not selected, only the unpack operation will be performed.

Restoring Objects

After you complete an Unpack backup task, go to the Unpacked Objects tab to select the objects that you want to restore.

Note: If you do not unpack a backup, the Unpacked Objects tab does not display any objects or shows a list of objects that were extracted from the previously unpacked backup.

You can choose one of the following views to see the unpacked objects:

  • List View - This view lists the unpacked objects from your backup. You can select objects to export to a CSV file or select objects to restore.
  • Objects - This view displays the number of unpacked objects by category in graph form. You can use the filters to display specific types of objects.

Manage restore

To manage restores, you will need to input your service account credentials to verify that the account has sufficient permissions to restore multifactor authentication. To do this:

  1. On the Dashboard tab, click Manage Restores.

    Policy Backup will be enabled if you have configured the Backup Conditional Access Policies and Service Principal Default Policies option in the Configure backup dialog. MFA settings will be enabled if you have configured the Backup MFA settings option in the Configure backup dialog.

  2. A list of tenants will appear. Select the name of the tenant for which you would like to specify account credentials.
  3. On the Configure Restore screen, enter the username and password credentials for the service account.
  4. Click Save.

Note: Restore service credentials are no longer required for restoring service principal default policies but are required for restoring multifactor authentication settings, data related to inactive mailboxes and Conditional Access policies. For the required directory roles needed to restore these features, go to the Service Account Permissions section.

To restore objects

  1. On the Unpacked Objects tab, in List View, click the check boxes next to the objects that you want to restore.
    1. You can use the Search field to search for specific objects to restore.
    2. You can use the filters to display specific objects that you want to restore. The following filters are available:
      • Tenant - allows you to filter objects by a specified tenant.
      • Backup - allows you to filter objects by a specified backup.
      • Type - allows you to filter objects by type.
      • User Type - allows you to filter objects by type of user.
      • Microsoft Entra Connect - allows you to filter by objects synced from a hybrid environment.
      • MFA - allows you to filter objects by multifactor authentication setting.
      • Mail Enabled - allows you to filter by objects that have a mailbox (enabled) or do not have a mailbox (disabled).

Caution: The Restore button will be disabled when objects from multiple tenants are selected. To display the Restore button, please select a single tenant.

  2. Click Restore.
  3. In the Restore Objects dialog, you can select the following options:
    • Restore deleted objects from Recycle Bin - This restores accidentally deleted objects from the Recycle Bin. On Demand Recovery preserves original object identifiers (GUID).
    • If a user or group is not found in Recycle Bin, create a new one - This recreates permanently deleted users, groups, and subgroups. This option recreates users and groups with attributes that are required for object identification. If you need to restore all attributes for the object including membership information (links), use this option together with the Restore all attributes option.
    • If a hybrid user already exists in Microsoft Entra ID, delete it before the restore operation - This action lets you preserve the original cloud mailbox of a hybrid user after restore in the following scenario:
      1. There is a hybrid user. This user is deactivated by the administrator for some reason.
      2. Then the user returns, and the account is enabled again by the administrator. After the activation, the user is recreated in the cloud with a new mailbox.
      3. We want to use the original cloud mailbox for the user. The only way to do this is to restore the user from a backup. But before the restore, the newly created cloud user must be removed from Microsoft Entra ID using this option.
    • Restore all attributes - This restores all object attributes including membership information (links). If this option is not selected, you can specify the attributes that you want to restore by clicking Browse.
    • Restore specific attributes - see below
    • Specify password for the encrypted backup - This allows you to type a password that is used to decrypt the encrypted backup. This is strongly recommended only for hybrid users.
    • You may also need to grant/regrant Restore Admin Consent for the On Demand Recovery module. Ensure this has been completed before progressing.

  4. Click OK.

Note: Because of Microsoft requirements, hard deleted objects will receive a new Object ID upon restore of these objects. Please consider the implications of having a new Object ID after restoring these objects.

To restore selected attributes

On Demand Recovery allows you to restore specific attributes for each object, with each object type displaying its own list of attributes to restore. To do this:

  1. Uncheck the Restore all attributes option, and click Select Attributes.

Note: Only the attributes for the selected object type will be displayed.

  2. Select the required attributes to restore for the object by checking the box(es), and click Save. Your selected attributes will appear in the Restore specific attributes box.
  3. Click OK when all required options have been selected.

Which Objects Can Be Restored from the Recycle Bin?

On Demand Recovery can restore the following objects from the Recycle Bin:

  • Users (all types of users including B2B, B2C, guests, hybrid)
  • Microsoft 365 Groups
  • Applications
  • Service principals
  • Administrative Units

Note: Links, permissions, and roles cannot be restored from the Recycle Bin. But if an object from the above list is soft deleted and then recovered from the Recycle Bin, all attributes and links including group membership and app role assignments are preserved by Microsoft.

Note: Soft-deleted service principals can only be restored from the Objects view tab, under Unpacked Objects.

Objects that cannot be restored from the Recycle Bin:

  • Distribution groups
  • Security groups
  • Mail-enabled security groups
  • All groups synchronized by Microsoft Entra Connect from on-premises Exchange server (hybrid configuration)
  • Devices
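
The following is an added triage example; it is not part of this guide and not On Demand Recovery code. It takes a saved Microsoft Graph `directory/deletedItems` export (the sample below is constructed; the IDs and names are made up) and, using the Recycle Bin rules above, reports for each deleted object whether a Recycle Bin restore is still possible (original Object ID preserved) or whether the object must be recreated from a backup (and will therefore receive a new Object ID, as the note above warns). The 30-day soft-delete window is Microsoft's documented Entra ID retention value, not a figure from this guide, and the `AS_OF` timestamp is simply the point in time the sample is evaluated at.

```python
"""Triage of a saved Microsoft Graph directory/deletedItems export against the
Recycle Bin rules in this guide (added example; not On Demand Recovery code)."""
from datetime import datetime, timedelta, timezone

# Object types the guide lists as restorable from the Recycle Bin. Groups are
# handled separately because only Microsoft 365 ("Unified") groups qualify.
RECYCLE_BIN_TYPES = {
    "#microsoft.graph.user",
    "#microsoft.graph.application",
    "#microsoft.graph.servicePrincipal",
    "#microsoft.graph.administrativeUnit",
}

# Entra ID keeps soft-deleted objects for 30 days before hard deleting them.
# Assumption taken from Microsoft's documentation, not from this guide.
SOFT_DELETE_RETENTION_DAYS = 30

# Point in time the sample export is evaluated at (constructed).
AS_OF = datetime(2024, 6, 30, tzinfo=timezone.utc)

# Constructed sample in the shape of GET /v1.0/directory/deletedItems/<type>
# responses that were saved to disk earlier. IDs and names are made up.
SAMPLE_EXPORT = {
    "value": [
        {"@odata.type": "#microsoft.graph.user",
         "id": "11111111-0000-0000-0000-000000000001",
         "displayName": "Alice Example", "deletedDateTime": "2024-06-25T10:00:00Z"},
        {"@odata.type": "#microsoft.graph.group",
         "id": "22222222-0000-0000-0000-000000000002",
         "displayName": "Project Falcon", "groupTypes": ["Unified"],
         "deletedDateTime": "2024-06-03T00:00:00Z"},
        {"@odata.type": "#microsoft.graph.servicePrincipal",
         "id": "33333333-0000-0000-0000-000000000003",
         "displayName": "Legacy Sync App", "deletedDateTime": "2024-05-20T00:00:00Z"},
    ]
}

RESTORE_FROM_BIN = "restore from Recycle Bin (original Object ID preserved)"
RECREATE_FROM_BACKUP = "recreate from backup (a new Object ID will be assigned)"


def recycle_bin_restorable(item):
    """True if this object type can come back from the Recycle Bin at all."""
    odata_type = item.get("@odata.type")
    if odata_type in RECYCLE_BIN_TYPES:
        return True
    if odata_type == "#microsoft.graph.group":
        # Security, distribution and mail-enabled security groups are not
        # soft-deleted; only Microsoft 365 (Unified) groups are.
        return "Unified" in item.get("groupTypes", [])
    return False  # devices and anything else: not Recycle Bin restorable


def days_remaining(item, now):
    """Whole days left in the soft-delete window; negative once it has passed."""
    deleted = datetime.fromisoformat(item["deletedDateTime"].replace("Z", "+00:00"))
    expiry = deleted + timedelta(days=SOFT_DELETE_RETENTION_DAYS)
    return int((expiry - now).total_seconds() // 86400)


def triage(export, now):
    """Decide, per deleted object, which restore path the guide's options allow."""
    rows = []
    for item in export["value"]:
        remaining = days_remaining(item, now)
        in_window = recycle_bin_restorable(item) and remaining >= 0
        rows.append({
            "id": item["id"],
            "displayName": item.get("displayName", ""),
            "type": item["@odata.type"].rsplit(".", 1)[-1],
            "days_remaining": remaining,
            "action": RESTORE_FROM_BIN if in_window else RECREATE_FROM_BACKUP,
        })
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_EXPORT, AS_OF):
        print(f"{row['type']:<17} {row['displayName']:<16} "
              f"{row['days_remaining']:>4}d  {row['action']}")
```

Run against the sample, the user and the Microsoft 365 group are still inside the window and map to the Restore deleted objects from Recycle Bin option, while the service principal deleted 41 days earlier has aged out and can only be recreated from a backup, so its consumers must be prepared for a new Object ID.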