On Demand Recovery can restore Azure AD device objects that were removed from the Azure Portal. For registered or joined devices, single sign-on (SSO) data (if any) is also restored.
The following limitations exist when restoring devices in On Demand Recovery:
- SSO data cannot be restored automatically for a device that was permanently deleted together with the device owner. In this case, the device owner should join the device once again.
- If a device was unjoined by the device owner, it will be restored in the Azure Portal, but SSO will not work.
The following scenarios are not supported in On Demand Recovery:
- Windows Hello for joined devices
- Microsoft Intune
- Restricted access for devices
- Restoring devices in a hybrid configuration
Restored device attributes
For a list of device attributes restored by On Demand Recovery, visit the On Demand Recovery Supported Attributes guide.
Restoring Conditional Access Policies
On Demand Recovery supports backing up and restoring Conditional Access policies and Named Location policies in cloud-only environments.
Note: When policies are created using a predefined template in Azure and then restored after being hard deleted, the "templateId" attribute is not restored as it is read-only.
Backing up Conditional Access Policies and Named Location Policies is not enabled by default. You must select this option when configuring backup options.
To back up Conditional Access policies and Named Location policies
- Click Manage backups on the Dashboard screen.
- Select the tenant from the list and click Edit.
The Configure backup dialog opens.
- Select the Backup Conditional Access Policies and Service Principal Default Policies option and specify service account credentials for the tenant. The specified account must have at least one of the following roles in the Azure portal for backup operations: Global Reader or Global Administrator.
- Click Save.
If a backup contains Conditional Access policies or Named Location policies, the Objects view will show the type of policy.
The following policy types are supported by On Demand Recovery:
- Conditional Access Policy
- Country Named Location
- IP Named Location
On Demand Recovery restores the whole policy object, and what has changed is displayed in the Differences report. On Demand Recovery checks whether the objects (users, groups, named locations) assigned to the policy exist in Azure Active Directory. If any objects are missing, the policy is still restored, but a warning is shown.
A user can select attributes to be restored for Conditional Access policies and Named Location policies. For the full list of policy attributes that are restored and not restored by On Demand Recovery, see How does On Demand Recovery Handle Object Attributes?
Other policy types such as claims mapping policy, token issuance policy, token lifetime policy and many others are currently not supported by On Demand Recovery. See the Known issues list in the On Demand Recovery release notes.
- If the "AuthenticationStrength" referenced in "grantControl" is not present in the tenant during the restore, the restore of the Conditional Access policy will fail. "AuthenticationStrength" is a relational attribute and On Demand Recovery does not back it up, so if it has been deleted from the tenant, the Conditional Access policy will not be restored and an error will be shown.
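The two pre-restore checks described above (missing assigned objects produce a warning but the policy is still restored; a missing authentication strength referenced by the grant controls makes the restore fail) as an added example written here, not code from On Demand Recovery. The policy follows the Microsoft Graph conditionalAccessPolicy shape; the tenant inventory and all object ids are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class RestoreDecision:
    restore: bool                 # False when the policy must not be restored
    warnings: list = field(default_factory=list)
    errors: list = field(default_factory=list)

# Graph well-known literals that are not object ids and never need to exist
WELL_KNOWN = {"All", "None", "GuestsOrExternalUsers"}

def _missing(ids, existing):
    """Ids referenced by the policy that are absent from the tenant inventory."""
    return sorted(i for i in ids if i not in WELL_KNOWN and i not in existing)

def check_policy(policy: dict, tenant: dict) -> RestoreDecision:
    """Apply the restore rules to one Conditional Access policy."""
    d = RestoreDecision(restore=True)
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    for key, inv in (("includeUsers", "users"), ("excludeUsers", "users"),
                     ("includeGroups", "groups"), ("excludeGroups", "groups")):
        for m in _missing(users.get(key, []), tenant[inv]):
            d.warnings.append(f"{key}: {m} not found in tenant")
    locs = cond.get("locations", {})
    for key in ("includeLocations", "excludeLocations"):
        for m in _missing(locs.get(key, []), tenant["namedLocations"]):
            d.warnings.append(f"{key}: named location {m} not found in tenant")
    # authenticationStrength is relational and not backed up: absent -> hard failure
    strength = (policy.get("grantControls") or {}).get("authenticationStrength")
    if strength and strength.get("id") not in tenant["authenticationStrengths"]:
        d.errors.append(f"authenticationStrength {strength['id']} not present in tenant")
        d.restore = False
    return d

# Constructed tenant inventory: ids of objects that currently exist
TENANT = {
    "users": {"u-1", "u-2"}, "groups": {"g-admins"},
    "namedLocations": {"loc-hq"}, "authenticationStrengths": {"as-mfa"},
}
# Constructed policy: one deleted group, one deleted authentication strength
POLICY = {
    "displayName": "Require MFA for admins",
    "conditions": {"users": {"includeGroups": ["g-admins", "g-deleted"],
                             "excludeUsers": ["u-1"]},
                   "locations": {"excludeLocations": ["loc-hq"]}},
    "grantControls": {"operator": "OR", "authenticationStrength": {"id": "as-gone"}},
}

if __name__ == "__main__":
    print(check_policy(POLICY, TENANT))
```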
Integration with Recovery Manager for Active Directory
On Demand Recovery can be integrated with Recovery Manager for Active Directory 9.0 or higher to restore and undelete on-premises objects that are synchronized with the cloud by Azure AD Connect. The following figure illustrates the hybrid restore process.
Figure 1: Hybrid Restore Operation Flow Diagram
- All attributes that can be modified by the Azure AD Graph API are considered cloud attributes and are restored in the first step. For example: assignedLicense, usageLocation, membership in cloud groups.
- On Demand Recovery also restores users from the Recycle Bin or recreates them before the on-premises restore with the Undelete option. Azure AD Connect matches these objects after the cloud restore by the Security Identifier as well as the immutableID attribute which is restored from the On Demand Recovery backup.
- On-premises restore is always performed for member, memberOf, accountEnabled, manager and directReports attributes.
- Groups are restored after the on-premises restore, because in the case of permanent deletion, On Demand Recovery needs to wait until the group is recreated by Azure AD Connect.
The integration requires the following:
- An Azure AD tenant that is synchronized with on-premises Active Directory by Azure AD Connect
- Recovery Manager Portal 9.0. If you have Azure AD Connect version 220.127.116.11 or higher, the Recovery Manager Portal 10.1 is required. (Recovery Manager for Active Directory version 10.2.1 or earlier)
- Hybrid Recovery node (Recovery Manager for Active Directory version 10.2.2 or later)
The portal can be run on any machine in your environment. It is not required to install all Recovery Manager for Active Directory components. To get the latest version of Recovery Manager Portal, go to https://www.quest.com/products/recovery-manager-for-active-directory-forest-edition/.
To configure Recovery Manager Portal to enable integration with cloud - v.10.2.1 or earlier
Note: The following instructions are for users operating Recovery Manager for Active Directory version 10.2.1 or earlier. For users operating Recovery Manager for Active Directory version 10.2.2 or later, see To configure Hybrid Recovery node to enable integration with cloud - v.10.2.2 or later below.
- Connect to the Recovery Manager Portal with your Web browser.
- In the Recovery Manager Portal, open the Configuration tab.
- Expand Portal Settings.
- Recommended: Select the Automatically unpack backups for restore operations option to automatically unpack the required backup. If the option is not selected, the restore operation may fail because the backup was not unpacked or was removed due to retention policies for the unpack operation. For more details, see the Recovery Manager for Active Directory User Guide.
- Click On Demand integration. In the On Demand integration dialog, select the Enable integration check box and specify the Relay URL and credentials. To get these parameters, go to On Demand Recovery and perform the following steps:
- On the Dashboard screen, click Configure hybrid connection.
- In the Configure hybrid connection dialog, click Download hybrid credentials to download a configuration file with Relay credentials.
- If you do not want to configure a hybrid connection with Quest Recovery Manager for Active Directory, the corresponding connection error events can be deactivated by changing their severity from Error to Info. To do this, clear the Show hybrid restore errors if hybrid connection is not configured check box.
- Save the file to the folder of your choice.
- Go back to the On Demand integration dialog, click Choose file and select the configuration file. For security reasons, remove this file from your computer after the credentials have been specified in the Recovery Manager Portal.
Note: Azure AD Connect synchronization occurs automatically after the restore operation. However, On Demand Recovery forces synchronization cycles and therefore requires credentials for the machine where Azure AD Connect is installed.
- Specify the Azure AD Connect host name and credentials. If Azure AD Connect and Recovery Manager Portal are installed on the same machine, leave the fields blank.
Note: You may get an error related to the proxy settings while configuring integration with On Demand Recovery. To resolve this issue, perform the following actions:
- Open the Recovery Manager Portal configuration file %Program Files%\Quest\Recovery Manager Portal\EnterprisePortalSettings.xml.
- Set the UseDefaultSystemProxy parameter to False and check that ProxyAddress has the correct value. The parameters are interpreted as follows:
- If UseDefaultSystemProxy is set to False and ProxyAddress is specified, the value of ProxyAddress is used as the proxy server address.
- If UseDefaultSystemProxy is set to False and ProxyAddress is not specified, a direct connection is used.
- If UseDefaultSystemProxy is set to True, the proxy server configured for your browser is used, whether or not ProxyAddress has a value.
- Make sure that the URI contains the protocol prefix and the port number, e.g. http://localhost:8080/.
- Restart the Recovery Manager Portal service.
For more information about integration with Recovery Manager for Active Directory, see Integration with On Demand Recovery.
To configure Hybrid Recovery node to enable integration with cloud - v.10.2.2 or later
For Recovery Manager for Active Directory 10.2.2 and later versions, you will need to disable the Recovery Manager Portal (if previously enabled), and configure and integrate the Hybrid Recovery node from On Demand Recovery into the Recovery Manager for Active Directory console. For more information, go to Hybrid Recovery with On Demand Recovery.
What can be restored in a hybrid configuration
- On-premises groups
- User licenses (e.g. Office 365 licenses and assignedLicenses property for cloud users) and cloud group membership
- Deleted on-premises users and groups
- Service principals' appRoleAssignments to on-premises users
- appRoleAssignments to non-Office groups (used for SSO and App Roles)
- Directory roles: Global Administrator, Exchange Administrator, Compliance Administrator
- Other cloud-only properties: such as Block sign in, Authentication contact information, Minors and Consent
- Multifactor authentication (MFA) settings if a customer uses cloud multifactor authentication
- Conditional Access policies
- Inactive mailboxes of permanently deleted users
- To restore on-premises objects, On Demand Recovery uses attribute values from the RMAD backup that is closest in time to, but older than, the cloud backup unpacked in the On Demand Recovery user interface. If the closest on-premises backup is 24 hours older than the cloud backup, you will receive a warning message.
By default, the search for the on-premises backup closest in time is performed among the backups that were unpacked in Recovery Manager Portal. You can use the Automatically unpack backups for restore operations option on Portal Settings of the Configuration tab in the Recovery Manager Portal; in this case, the on-premises backup will be unpacked automatically during the restore operation (RMAD v10.2.1 or earlier).
- On Demand Recovery displays only cloud-synchronized on-premises attributes and cloud-only attributes for the selected object when you click Browse in the Restore Objects dialog. This does not include on-premises only attributes. To restore on-premises only attributes, you must select the Restore all attributes option in the Restore Objects dialog.
- After the hybrid restore operation, On Demand Recovery forces Azure AD Connect synchronization to push on-premises changes to the cloud and waits until the synchronization completes. Restore events can be used to track the steps of Azure AD Connect synchronization, such as export and import.
- To restore 'member' or 'memberOf' attributes for an object, restore the group from the Unpacked Objects view. Restoring group memberships from the Differences report is not supported in hybrid environments.
- On Demand Recovery supports one hybrid connection per On Demand organization. If you need to manage multiple hybrid tenants, create a separate On Demand organization for each Hybrid Azure AD tenant.
- One instance of Recovery Manager Portal can be used with one Azure AD tenant and one Azure AD Connect server. Install multiple RMAD web portals if you need to work with multiple Azure AD tenants and Azure AD Connect servers.
- On Demand Recovery restores Back Link attributes: 'memberOf' (the back link for the 'member' attribute) and 'directReports' (the back link for the 'manager' attribute). These attributes can be selected along with all other attributes when you click Browse in the Restore Objects dialog.
- A separate Microsoft Azure Relay service is used for each hybrid connection (one per On Demand organization). On Demand Recovery creates a WCF Relay per On Demand organization. No changes to on-premises firewall settings are required.
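The on-premises backup selection rule from the notes above (closest in time but older than the cloud backup, unpacked backups only unless automatic unpacking is enabled, warning when the chosen backup is 24 hours or more older) as an added example written here, not code from On Demand Recovery or RMAD. The backup records and timestamps are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

@dataclass(frozen=True)
class OnPremBackup:
    name: str
    created: datetime   # timezone-aware creation time of the RMAD backup
    unpacked: bool      # whether Recovery Manager Portal has unpacked it

WARN_AGE = timedelta(hours=24)   # gap that triggers the warning in the text

def select_onprem_backup(cloud_backup_time: datetime, backups, auto_unpack: bool = False
                         ) -> Tuple[Optional[OnPremBackup], Optional[str]]:
    """Return (backup, warning). backup is None when no candidate is older than
    the cloud backup. Only unpacked backups are candidates unless auto_unpack
    models the 'Automatically unpack backups for restore operations' option."""
    candidates = [b for b in backups
                  if b.created <= cloud_backup_time and (b.unpacked or auto_unpack)]
    if not candidates:
        return None, "no on-premises backup older than the cloud backup is available"
    best = max(candidates, key=lambda b: b.created)   # closest in time, still older
    age = cloud_backup_time - best.created
    warning = None
    if age >= WARN_AGE:
        warning = (f"closest on-premises backup {best.name} is {age} older "
                   f"than the cloud backup; restored on-premises values may be stale")
    return best, warning

# Constructed sample: one cloud backup and four RMAD backups around it
UTC = timezone.utc
CLOUD_BACKUP_TIME = datetime(2024, 3, 10, 12, 0, tzinfo=UTC)
SAMPLE_BACKUPS = [
    OnPremBackup("A", datetime(2024, 3, 10, 10, 0, tzinfo=UTC), unpacked=True),
    OnPremBackup("B", datetime(2024, 3, 10, 11, 30, tzinfo=UTC), unpacked=False),
    OnPremBackup("C", datetime(2024, 3, 8, 9, 0, tzinfo=UTC), unpacked=True),
    OnPremBackup("D", datetime(2024, 3, 11, 8, 0, tzinfo=UTC), unpacked=True),  # newer
]

if __name__ == "__main__":
    for auto in (False, True):
        chosen, warn = select_onprem_backup(CLOUD_BACKUP_TIME, SAMPLE_BACKUPS, auto)
        print(f"auto_unpack={auto}: {chosen.name if chosen else None}, warning={warn}")
```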
To perform a restore operation in On Demand Recovery
- Unpack a backup.
- Go to the Objects screen and select on-premises objects to restore.
- Click Restore.
- In the Restore Objects dialog, if you select the Restore all attributes option, On Demand Recovery will restore all on-premises attributes and cloud-only attributes from the backup.
- You can perform the restore of on-premises objects from the Differences report as well.
Note: You can restore a hybrid user using only On Demand Recovery without configuring a hybrid connection. In this case, do not forget to clear the Show hybrid restore errors if hybrid connection is not configured check box in the Configure hybrid connection dialog. If the hybrid connection is not configured, On Demand Recovery restores a cloud user and their cloud attributes without an on-premises user. For more information, see How does On Demand Recovery Handle Object Attributes? This scenario does not work for Federated Domains. For details, see Working with Inactive Mailboxes.
Limitations When a Hybrid Connection is Not Configured
On Demand Recovery can restore cloud-only users and groups without a configured Recovery Manager for Active Directory hybrid connection. If a hybrid connection is intentionally not configured, or Recovery Manager for Active Directory is not installed yet, recovery features for hybrid users and groups are limited. As a result, the following errors will occur: "Cloud restore was interrupted due to failed restore of the on-premise object" and "A hybrid connection is required to complete the restore of the on-premises attributes with RMAD".
- If a hybrid user is permanently deleted, On Demand Recovery will create a cloud object with cloud properties, including on-premises values such as user surname, office, etc., but the actual values will be taken from the cloud backup. If the hybrid user is recreated in the on-premises Active Directory by Recovery Manager for Active Directory or by any other on-premises recovery solution, this user object will be automatically synchronized by Azure AD Connect, resulting in the full recovery of the hybrid user. If the hybrid user is not recreated, on-premises attributes will be missing, for example, on-premises group membership.
- If On Demand Recovery tries to restore a hybrid user that has not been deleted but has modified on-premises attributes, the task will fail with the following error: "Cannot restore attribute". This error occurs due to the "Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing a migration" error. In this case, On Demand Recovery will show changes in the Difference report correctly, but will not be able to restore them.
- For a non-deleted hybrid group (modified in the cloud), cloud attributes such as licenses or assigned Enterprise applications can be restored. On Demand Recovery cannot restore a permanently deleted hybrid group that was synchronized by Azure AD Connect, so when you restore a permanently deleted group, an error stating that Recovery Manager for Active Directory configuration is needed will be shown.