Azure Active Directory Connect synchronizes many attributes for users and groups from on-premises Active Directory, but there are also cloud objects, properties, and links to Office 365 resources that are not protected by Azure AD Connect and are restored only with On Demand Recovery.
Table 10: Types of cloud-only objects restored by On Demand Recovery
|Azure Recycle Bin
|An Azure AD business-to-business (B2B) collaboration user that typically resides in a partner organization and has limited privileges in the inviting directory.
|Office 365 Groups
|Groups that are used for collaboration between users, both inside and outside the company.
|Cloud only Security Groups
|Groups that are used for granting access to Office and Azure resources.
|Dynamic Security Groups
|Groups with dynamic rule-based membership.
|Dynamic Office 365 Groups
|Office 365 Groups with dynamic rule-based membership.
|Device registration records in Azure Active Directory.
|Stores the application manifest (non-Gallery application manifests are not supported), logo, sign in, up URLs and other information.
|Conditional Access Policies
|Azure Active Directory policies that are used to control user access to cloud applications and resources.
|Named lists of IP prefixes that are used in Conditional Access Policies.