Azure Active Directory Connect synchronizes many attributes for users and groups from on-premises Active Directory but there are also cloud objects, properties, and links to Office 365 resources which are not protected by Azure AD Connect and restored only with On Demand Recovery.

Table 10: Types of cloud-only objects restored by On Demand Recovery

Object Type Description Azure Recycle Bin
Guest users An Azure AD business-to-business (B2B) collaboration user that typically resides in a partner organization and has limited privileges in the inviting directory. 30 days
Office 365 Groups Groups that are used for collaboration between users, both inside and outside the company. 30 days
Cloud only Security Groups Groups that are used for granting access to Office and Azure resources. No
Dynamic Security Groups Groups with dynamic rule-based membership. No
Dynamic Office 365 Groups Office 365 Groups with dynamic rule-based membership. 30 days
Devices Device registration records in Azure Active Directory. No
Application Registration Stores application manifest (non-Gallery application manifests are not supported), logo, sign in, up URLS and other information. 30 days
Conditional Access Policies Azure Active Directory policies that are used to control user access to cloud applications and resources. No
Named Locations Named lists of IP prefixes that are used in Conditional Access Policies. No