Chat now with support
Chat mit Support

On Demand Recovery Current - User Guide

About On Demand Recovery On Demand Recovery Module Overview Before You Start Sign up for Quest On Demand Adding a Microsoft Entra Tenant Required Permissions Microsoft 365 Tenant Requirements (Mailbox Data Protection) Access Control Working with On Demand Recovery Backup Unpacking Restoring Objects Restoring Directory Roles and Application Roles Restoring Users Restoring Groups Restoring Service Principal Objects Restoring Applications Restoring Application Proxy Settings Restoring Multifactor Authentication Settings Restoring Group Licenses Restoring Devices Restoring Conditional Access Policies Backup and Restore of Tenant Level Settings Backup and Restore Administrative Units Integration with Recovery Manager for Active Directory Working with Inactive Mailboxes Hybrid Connection Port and Protocol Requirements Restoring Email Address or Phone for Self-Service Password Reset Reporting Advanced Search How does On Demand Recovery Handle Object Attributes? What is Not Protected by Microsoft Entra Connect but Can Be Restored by On Demand Recovery?

Backup and Restore Administrative Units

On Demand Recovery can backup and restore Microsoft Entra administrative units from the Recycle Bin.

Note: An additional permission AdministrativeUnit.ReadWrite.All is required to restore administrative units. For more information, go to the Restore Consent Permissions section.

Object Types

The corresponding object type for administrative units will appear in the Unpacked Objects list view:

Setting Object Type
Backup and restore of administrative units

Administrative Unit

Link to scopedRoleMember will be displayed in Differences report with type “ScopedRoleMembership“.

 

Administrative units attributes

For a list of attributes restored by On Demand Recovery, visit the On Demand Recovery Supported Attributes guide. Each attribute can be restored individually. See the To restore selected attributes in the Restoring Objects section to find out more.

Integration with Recovery Manager for Active Directory

On Demand Recovery can be integrated with Recovery Manager for Active Directory 9.0 or higher to restore and undelete on-premises objects that are synchronized with cloud by Microsoft Entra Connect. The following figure illustrates the hybrid restore process.

Figure 1: Hybrid Restore Operation Flow Diagram

Note:

  • All attributes that can be modified by Microsoft Graph API are considered as cloud attributes and restored on the first step. For example: assignedLicense, usageLocation, membership in cloud groups.
  • On Demand Recovery also restores users from the Recycle Bin or recreates them before the on-premises restore with the Undelete option. Microsoft Entra Connect matches these objects after the cloud restore by the Security Identifier as well as the immutableID attribute which is restored from the On Demand Recovery backup.
  • On-premises restore is always performed for member, memberOf, accountEnabled, manager and directReports attributes.
  • Groups are restored after the on-premises restore, because in case of permanent deletion, On Demand Recovery needs to wait until a group is recreated by Microsoft Entra Connect.

Prerequisites

  • Microsoft Entra tenant that is synchronized with on-premises Active Directory by Microsoft Entra Connect.
  • For Recovery Manager for Active Directory (RMAD) version 10.2.2 or later, the Hybrid Connector service must be enabled and configured in the RMAD console. To get the latest version of Recovery Manager for Active Directory, click here.
    • For Recovery Manager for Active Directory 10.2.1 or earlier, the Recovery Manager Portal is required. If you have Microsoft Entra Connect version 1.4.32.0 or higher, the Recovery Manager Portal 10.1 is required.
      • The portal can be run on any machine in your environment. It is not required to install all Recovery Manager for Active Directory components.

 

To configure Hybrid Connector service with Recovery Manager for Active Directory - v.10.2.2 or later

For Recovery Manager for Active Directory 10.2.2 and later versions, you will need to disable the Recovery Manager Portal (if previously enabled), and enable and configure the Hybrid Connector service in the Recovery Manager for Active Directory (RMAD) console.

  1. In the RMAD console, select the Hybrid Recovery node from the tree and select Enable Integration with On Demand Recovery.
  2. In On Demand Recovery, click CONFIGURE CONNECTION under the Hybrid Connection panel.
  3. Download the credentials.
  4. In the RMAD console, open the hybrid credential file saved from step 3. This will automatically populate all the required fields.
  5. Provide Microsoft Entra Connect host settings.
  6. Enter the domain username, password and primary computer for each domain discovered in the backup.

For more information on this, go to Hybrid Recovery with On Demand Recovery.


To configure Recovery Manager Portal to enable integration with Recovery Manager for Active Directory - v.10.2.1 or earlier

  1. Connect to the Recovery Manager Portal with your Web browser.
  2. In the Recovery Manager Portal, open the Configuration tab.
  3. Expand Portal Settings
  4. Recommended: Select the Automatically unpack backups for restore operations option to automatically unpack the required backup. If the option is not selected, the restore operation may fail because the backup was not unpacked or was removed due to retention policies for the unpack operation. For more details, see the Recovery Manager for Active Directory User Guide.
  5. Click On Demand integration. In the On Demand integration dialog, select the Enable integration check box and specify the Relay URL and credentials. To get these parameters, go to On Demand Recovery and perform the following steps:
    1. On the Dashboard screen, click Configure hybrid connection.

    2. In the Configure hybrid connection dialog, click Download hybrid credentials to download a configuration file with Relay credentials.
    3. When a customer does not want to configure a hybrid connection with Quest Recovery Manager for Active Directory, the corresponding connection error events can be deactivated by changing their severity from Error to Info. To do this, clear the Show hybrid restore errors if hybrid connection is not configured check box.
    4. Save the file to the folder of your choice.
    5. Go back to the On Demand integration dialog, click Choose file and select the configuration file. For security reasons, you should remove this file from your computer after the credentials will be specified in the Recovery Manager Portal.

    Note: Microsoft Entra Connect synchronization occurs automatically after the restore operation. But On Demand Recovery forces synchronization cycles and requires credentials for the machine where Microsoft Entra Connect is installed.

  6. Specify Microsoft Entra Connect host name and credentials. If Microsoft Entra Connect and Recovery Manager Portal are installed on the same machine, leave the fields blank.

Note: You may get an error related to the proxy settings while configuring integration with On Demand Recovery. To resolve this issue, perform the following actions:

  1. Open the Recovery Manager Portal configuration file %Program Files%\Quest\Recovery Manager Portal\EnterprisePortalSettings.xml.
  2. Set the UseDefaultSystemProxy parameter to False and check that ProxyAddress has the correct value.
    • If UseDefaultSystemProxy is set to False and ProxyAddress is specified, the value of ProxyAddress will be used as a proxy server address.
    • If UseDefaultSystemProxy is set to False and ProxyAddress is not specified, the direct connection will be used.
    • If UseDefaultSystemProxy is set to True and ProxyAddress is specified or has no value, the proxy server specified for your browser will be used.
  3. Make sure that URI contains the protocol prefix and the port number, e.g. http:/localhost:8080/.
  4. Restart the Recovery Manager Portal service.

For more information about integration with Recovery Manager for Active Directory, see Integration with On Demand Recovery.

 

What can be restored in hybrid configuration?

  • On-premises groups
  • User licenses (e.g. Microsoft 365 licenses and assignedLicenses property for cloud users) and cloud group membership
  • Deleted on-premises users and groups
  • Service principals' appRoleAssignments to on-premises users
  • appRoleAssignments to non-Microsoft groups (used for SSO and App Roles)
  • Directory roles: Global Administrator, Exchange Administrator, Compliance Administrator
  • Other cloud-only properties: such as Block sign in, Authentication contact information, Minors and Consent
  • Multifactor authentication (MFA) settings if a customer uses cloud multifactor authentication
  • Conditional Access policies
  • Inactive mailboxes of permanently deleted users

Note: Because of Microsoft requirements, hard deleted objects will receive a new Object ID upon restore of these objects. Please consider the implications of having a new Object ID after restoring these objects.

Important Considerations

  • To restore on-premises objects, On Demand Recovery uses attribute values from the RMAD backup that is closest in time but older than the cloud backup unpacked in the On Demand Recovery user interface. If the closest on-premises backup is 24 hours older than the cloud backup, you will receive the warning message.
    By default, the search of the closest in time on-premises backup is performed among the backups that were unpacked in Recovery Manager Portal. You can use the Automatically unpack backups for restore operations option on Portal Settings of the Configuration tab in the Recovery Manager Portal – in this case, the on-premises backup will be unpacked automatically during the restore operation. (RMAD v10.2.1 or earlier)
  • On Demand Recovery displays only cloud-synchronized on-premises attributes and cloud-only attributes for the selected object when you click Browse in the Restore Objects dialog. This does not include on-premises only attributes. To restore on-premises only attributes, you must select the Restore all attributes option in the Restore Objects dialog.
  • After the hybrid restore operation, On Demand Recovery forces Microsoft Entra Connect synchronization to push on-premises changes to the cloud and wait until it completes the synchronization. Restore events can be used to track steps of Microsoft Entra Connect synchronization, such as export and import.
  • To restore 'member' or 'memberOf' attributes for an object, restore the group from the Unpacked Objects view. Restoring of group memberships from the Differences report is not supported in hybrid environments.
  • On Demand Recovery supports one hybrid connection per On Demand organization. If you need to manage multiple hybrid tenants, create a separate On Demand organization for each Hybrid Microsoft Entra tenant.
  • One instance of Recovery Manager Portal can be used with one Microsoft Entra tenant and one Microsoft Entra Connect server. Install multiple RMAD web portals if you need to work with multiple Microsoft Entra tenants and Microsoft Entra connect servers.
  • On Demand Recovery restores Back Link attributes: 'memberOf' (the back link for the 'member' attribute) and 'directReports' (the back link for the 'manager' attribute). These attributes can be selected along with all other attributes when you click Browse in the Restore Objects dialog.
  • Separate Microsoft Azure Relay service is used for each hybrid connection (one per On Demand organization). On Demand Recovery creates WCF Relay per On Demand organization. No changes to On-Premises Firewall settings are required.

To perform a restore operation in On Demand Recovery

  1. Unpack a backup.
  2. Go to the Objects screen and select on-premises objects to restore.
  3. Click Restore.
  4. In the Restore Objects dialog, if you select the Restore all attributes option, On Demand Recovery will restore all on-premises attributes and cloud-only attributes from the backup.
  5. You can perform the restore of on-premises objects from the Differences report as well.
NOTE: You can restore a hybrid user using only On Demand Recovery without configuring a hybrid connection. In this case, do not forget to clear the Show hybrid restore errors if hybrid connection is not configured check box in the Configure hybrid connection dialog. If the hybrid connection is not configured, On Demand Recovery restores a cloud user and their cloud attributes without an on-premises user. For more information, see How does On Demand Recovery Handle Object Attributes? This scenario does not work for Federated Domains. For details, see Working with Inactive Mailboxes.

Limitations When a Hybrid Connection is Not Configured

On Demand Recovery can restore cloud-only users and groups without a configured Recovery Manager for Active Directory hybrid connection. If a hybrid connection is not configured intentionally or Recovery Manager for Active Directory is not installed yet, recovery features for hybrid users and groups are limited. As a result, the following errors will occur: "Cloud restore was interrupted due to failed restore of the on-premise object" and "A hybrid connection is required to complete the restore of the on-premises attributes with RMAD".

  • If a hybrid user is permanently deleted, On Demand Recovery will create a cloud object with cloud properties, including on-premises values, but actual values will be taken from the cloud backup, such as user surname, office, etc. If a hybrid user is recreated in the on-premises Active Directory by Recovery Manager for Active Directory or by any other on-premises recovery solution, this user object will be automatically synchronized by Microsoft Entra Connect resulting in the full recovery of the hybrid user. If a hybrid user is not recreated, on-premises attributes will be missing, for example, on-premises groups membership, etc.
  • If On Demand Recovery tries to restore a hybrid user that has not been deleted but has modified on-premises attributes, the task will fail with the following error: "Cannot restore attribute". This error occurs due to the "Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing a migration" error. In this case, On Demand Recovery will show changes in the Difference report correctly, but will not be able to restore them.
  • For a non-deleted hybrid group (modified in the cloud), cloud attributes such as licenses or assigned Enterprise applications can be restored. On Demand Recovery cannot restore a permanently deleted hybrid group that was synchronized by Microsoft Entra Connect, so the error that Recovery Manager for Active Directory configuration is needed will be shown in the case of restoring of the permanently deleted group.

Hybrid Connection Widget

The Hybrid connection widget on the Dashboard screen shows issues with the hybrid connection. The widget state is synchronized automatically every time the page is refreshed.

When a customer does not want to configure a hybrid connection with Quest Recovery Manager for Active Directory, the corresponding connection error events can be deactivated by changing their severity from Error to Info. To do this, clear the Show hybrid restore errors if hybrid connection is not configured check box in the Configure hybrid connection dialog. For details, see Integration with Recovery Manager for Active Directory.

The widget has the following states:

  • If the hybrid connection is properly configured and works fine, the widget is green.
  • If the hybrid connection is not configured because you do not need it, the widget is gray and advises you to configure the connection. In this case, the Show hybrid restore errors if hybrid connection is not configured check box is not selected in the Configure hybrid connection dialog.
  • If the hybrid connection is not configured and the Show hybrid restore errors if hybrid connection is not configured check box is selected in the Configure hybrid connection dialog, the widget is yellow and has a warning sign.
  • If one or more console is connected to On Demand Recovery and the Show hybrid restore errors if hybrid connection check box is selected in the Configure hybrid connection dialog, the widget is yellow and has a warning sign. For more information, go to the Configure Hybrid Recovery section in Hybrid Recovery with On Demand Recovery.
Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen