On Demand Recovery Current - User Guide

Restoring Devices

On Demand Recovery can restore Microsoft Entra device objects that were removed from the Azure Portal. For registered or joined devices, single sign-on (SSO) data (if any) is also restored.

Note: Because of Microsoft requirements, hard deleted objects will receive a new Object ID upon restore of these objects. Please consider the implications of having a new Object ID after restoring these objects.

Limitations

The following limitations exist when restoring devices in On Demand Recovery:

  • SSO data cannot be restored automatically for a device that was permanently deleted together with the device owner. In this case, the device owner should join the device once again.
  • If a device was unjoined by the device owner, it will be restored in the Azure Portal but SSO will not work.

Not supported

The following scenarios are not supported in On Demand Recovery:

  • Windows Hello for joined devices
  • Microsoft Intune
  • Restricted access for devices
  • Restoring of devices in hybrid configuration

Restored device attributes

For a list of device attributes restored by On Demand Recovery, visit the On Demand Recovery Supported Attributes guide.

Restoring Conditional Access Policies

On Demand Recovery supports backing up and restoring Conditional Access policies and Named Location policies in cloud-only environments.

Note: When policies are created using a predefined template in Azure and then restored after being hard deleted, the "templateId" attribute is not restored as it is read-only.

 
To back up Conditional Access policies

Backing up Conditional Access policies and Named Location policies is enabled by default.

 

Supported Scenarios

If a backup contains Conditional Access policies or Named Location policies, the Objects view will show the type of policy.

The following policy types are supported by On Demand Recovery:

  • Conditional Access Policy
  • Country Named Location
  • IP Named Location

On Demand Recovery restores the whole policy object, and the changes are displayed in the Differences report. On Demand Recovery checks whether objects (users, groups, named locations) assigned to the policy exist in Microsoft Entra ID. If any objects are missing, the policy is restored but a warning is shown.

A user can select attributes to be restored for Conditional Access policies and Named Location policies. For the full list of policy attributes that are restored and not restored by On Demand Recovery, see How does On Demand Recovery Handle Object Attributes?

Note: Because of Microsoft requirements, hard deleted objects will receive a new Object ID upon restore of these objects. Please consider the implications of having a new Object ID after restoring these objects.

 

Limitations

Other policy types such as claims mapping policy, token issuance policy, token lifetime policy and many others are currently not supported by On Demand Recovery. See the Known issues list in the On Demand Recovery release notes.

  • If the "AuthenticationStrength" attribute in "grantControl" is not present in the tenant while restoring, the restore of the Conditional Access policy will fail. "AuthenticationStrength" is a relational attribute and On Demand Recovery does not back up this attribute, so if it is deleted from the tenant, the Conditional Access policy is not restored and an error is shown.
  • The "TermsOfUse" attribute in "grantControl" will not be restored. A warning will be shown: "Terms of Use for the policy are not set."
  • The restore of a relational attribute does not have any special attributes that can be selected from the user interface. In each instance that a user, group, application and/or named location is restored, the restore of the relational attribute is also run even if the minimum attributes to restore were selected.
  • If On Demand Recovery has "All", "None" or "AllTrusted" selected in live policies, no relational attribute will be restored and the policy in Microsoft Entra ID will remain as is.
  • If "All", "None" or "AllTrusted" is selected in a backup for On Demand Recovery, and a link is subsequently added to a user in live policies, restoring that user will result in the link being removed. In this case, the policy will be updated with the default value ("None" or null or []).
  • Links removed or added are not visible in the Differences report.
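
The dependency checks and limitations described above can be rehearsed offline before a restore. The following is an added example, not code from On Demand Recovery or its vendor: the function name `check_policy`, the sample policy and all IDs are constructed, and the field names assume the Microsoft Graph conditionalAccessPolicy JSON shape (where the grant block is called `grantControls`).

```python
# Added example: offline pre-restore dependency check for a backed-up Conditional
# Access policy (Microsoft Graph JSON shape assumed; all data below is constructed).
SENTINELS = {"All", "None", "AllTrusted", "GuestsOrExternalUsers"}

# (section under "conditions", key) pairs that hold object-ID references
REFERENCE_FIELDS = [
    ("users", "includeUsers"), ("users", "excludeUsers"),
    ("users", "includeGroups"), ("users", "excludeGroups"),
    ("locations", "includeLocations"), ("locations", "excludeLocations"),
]

def check_policy(policy, tenant_ids, tenant_auth_strengths):
    """Return (blocking, warnings) predicted from the limitations above."""
    blocking, warnings = [], []
    conditions = policy.get("conditions") or {}
    for section, key in REFERENCE_FIELDS:
        for ref in (conditions.get(section) or {}).get(key) or []:
            if ref in SENTINELS:
                continue  # keyword value, not a link to a directory object
            if ref not in tenant_ids:
                warnings.append(f"{section}.{key}: {ref} missing in tenant")
    grant = policy.get("grantControls") or {}
    strength = (grant.get("authenticationStrength") or {}).get("id")
    if strength and strength not in tenant_auth_strengths:
        blocking.append(f"authenticationStrength {strength} missing in tenant")
    if grant.get("termsOfUse"):
        warnings.append("termsOfUse is not restored")
    return blocking, warnings

# Constructed sample data (all IDs are made up).
BACKED_UP_POLICY = {
    "displayName": "Require strong auth outside HQ",
    "conditions": {
        "users": {"includeUsers": ["All"],
                  "excludeGroups": ["11111111-aaaa-4000-8000-000000000001"]},
        "locations": {"includeLocations": ["All"],
                      "excludeLocations": ["22222222-bbbb-4000-8000-000000000002"]},
    },
    "grantControls": {
        "authenticationStrength": {"id": "33333333-cccc-4000-8000-000000000003"},
        "termsOfUse": ["44444444-dddd-4000-8000-000000000004"],
    },
}
TENANT_IDS = {"22222222-bbbb-4000-8000-000000000002"}  # excluded group is gone
TENANT_AUTH_STRENGTHS = set()                          # strength was deleted

if __name__ == "__main__":
    print(check_policy(BACKED_UP_POLICY, TENANT_IDS, TENANT_AUTH_STRENGTHS))
```

A non-empty blocking list corresponds to the case where the restore fails; warnings correspond to a policy that is restored with references or Terms of Use that need review afterwards.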

Backup and Restore of Tenant Level Settings

On Demand Recovery supports the ability to back up and restore many types of tenant level settings.

Object Types

The backup and restore of the following tenant level settings are supported by On Demand Recovery. The corresponding object type for each tenant level setting will appear in the Unpacked Objects list view:

| Tenant Level Setting | Object Type |
| --- | --- |
| Backup and restore of user settings | User Authorization Settings; User Authentication Settings; External Identities Settings |
| Backup and restore of group settings (Naming policy) | Directory Settings |
| Backup and restore of group settings (Expiration policy) | Group Lifecycle Policy |

Limitations

The following tenant level settings cannot currently be restored by On Demand Recovery:

  • Security Defaults
  • Password reset
  • Organization Settings
  • Domains

 

Tenant level settings attributes

For a list of attributes restored by On Demand Recovery, visit the On Demand Recovery Supported Attributes guide. Each attribute can be restored individually. See To restore selected attributes in the Restoring Objects section to find out more.

Backup and Restore Administrative Units

On Demand Recovery can back up and restore Microsoft Entra administrative units from the Recycle Bin.

Note: An additional permission AdministrativeUnit.ReadWrite.All is required to restore administrative units. For more information, go to the Restore Consent Permissions section.

Object Types

The corresponding object type for administrative units will appear in the Unpacked Objects list view:

| Setting | Object Type |
| --- | --- |
| Backup and restore of administrative units | Administrative Unit |

The link to scopedRoleMember is displayed in the Differences report with the type "ScopedRoleMembership".


Administrative units attributes

For a list of attributes restored by On Demand Recovery, visit the On Demand Recovery Supported Attributes guide. Each attribute can be restored individually. See To restore selected attributes in the Restoring Objects section to find out more.
