In the Backup Unpacking dialog, you have the option to Unpack service principals, devices, and conditional access policies. If this option is not selected, the unpack operation will work faster and the Differences report will contain only changes related to users and groups. Otherwise, you will see changes related to users, groups, service principals, devices, and Conditional Access policies. The table below provides the full list of objects and changes that will be shown on the corresponding screens.
If the Unpack service principals, devices, and conditional access policies option is NOT selected, the following items will be shown:
- Unpacked Objects view: user and group objects only
If the Unpack service principals, devices, and conditional access policies option is selected, the following items will be shown:
- Unpacked Objects view: user and group objects, plus the additional object types, including Service Principal
The Perform differences during the unpack option is selected by default. When it is selected, the differences operation begins automatically as part of the unpack operation. If it is not selected, only the unpack operation is performed.
After you complete an Unpack backup task, go to the Unpacked Objects tab to select the objects that you want to restore.
Note: If you do not unpack a backup, the Unpacked Objects tab either displays no objects or shows the list of objects that were extracted from the previously unpacked backup.
You can choose one of the following views to see the unpacked objects:
- List View - This view lists the unpacked objects from your backup. You can select objects to export to a CSV file or select objects to restore.
- Objects - This view displays the number of unpacked objects by category in graph form. You can use the filters to display specific types of objects.
To restore objects
- On the Unpacked Objects tab, in List View, click the check boxes next to the objects that you want to restore.
  - You can use the Search field to search for specific objects to restore.
  - You can use the filters to display specific objects that you want to restore. The following filters are available:
    - Tenant - allows you to filter objects by a specified tenant.
    - Backup - allows you to filter objects by a specified backup.
    - Type - allows you to filter objects by type.
    - User Type - allows you to filter objects by type of user.
    - AAD Connect - allows you to filter by objects synced from a hybrid environment.
    - MFA - allows you to filter objects by multifactor authentication setting.
    - Mail Enabled - allows you to filter by objects that have a mailbox (enabled) or do not have a mailbox (disabled).
  Caution: The Restore button will be disabled when objects from multiple tenants are selected. To display the Restore button, select objects from a single tenant.
- Click Restore.
- In the Restore Objects dialog, you can select the following options:
  - Restore deleted objects from Recycle Bin - This restores accidentally deleted objects from the Recycle Bin. On Demand Recovery preserves the original object identifiers (GUIDs).
  - If a user or group is not found in Recycle Bin, create a new one - This recreates permanently deleted users, groups, and subgroups. This option recreates users and groups with only the attributes that are required for object identification. If you need to restore all attributes for the object, including membership information (links), use this option together with the Restore all attributes option.
  - If a hybrid user already exists in Azure Active Directory, delete it before the restore operation - This action lets you preserve the original cloud mailbox of a hybrid user after restore in the following scenario:
    - There is a hybrid user. This user is deactivated by the administrator for some reason.
    - Then the user returns, and the account is enabled again by the administrator. After the activation, the user is recreated in the cloud with a new mailbox.
    - We want to use the original cloud mailbox for the user. The only way to do this is to restore the user from a backup. But before the restore, the newly created cloud user must be removed from Azure AD using this option.
  - Restore all attributes - This restores all object attributes, including membership information (links). If this option is not selected, you can specify the attributes that you want to restore by clicking Browse.
  - Restore specific attributes - see To restore selected attributes below.
  - Specify password for the encrypted backup - This allows you to type the password that is used to decrypt the encrypted backup. This is strongly recommended only for hybrid users.
- You may also need to grant or re-grant Restore Admin Consent for the On Demand Recovery module. Ensure this has been completed before proceeding.
- Click OK.
To restore selected attributes
On Demand Recovery allows you to restore specific attributes for each object, with each object type displaying its own list of attributes to restore. To do this:
- Uncheck the Restore all attributes option, and click Select Attributes.
Note: Only the attributes for the selected object type will be displayed.
Note: Any application extension attributes found for an object will also be displayed and can be selected for restore.
- Select the required attributes to restore for the object by checking the box(es), and click Save. Your selected attributes will appear in the Restore specific attributes box.
- Click OK when all required options have been selected.
On Demand Recovery can restore the following objects from the Recycle Bin:
- Users (all types of users including B2B, B2C, guests, hybrid)
- Office 365 Groups
Note: Links, permissions, and roles cannot be restored from the Recycle Bin. But if an object from the above list is soft deleted and then recovered from the Recycle Bin, all attributes and links including group membership and app role assignments are preserved by Microsoft.
Objects that cannot be restored from the Recycle Bin:
- Distribution groups
- Security groups
- Mail-enabled security groups
- All groups synchronized by Azure AD Connect from on-premises Exchange server (hybrid configuration)
- Service principals
On Demand Recovery does not back up passwords. During the restore of permanently deleted users, the application sets a random password that the administrator can change at the next login.