Country Named Location
The list below includes all supported Country Named Location attributes that can be restored by On Demand Recovery.
countriesAndRegions | List of countries and/or regions in two-letter format specified by ISO 3166-2. |
countryLookupMethod | Determines what method is used to decide which country the user is located in. |
displayName | Human-readable name of the location. |
includeUnknownCountriesAndRegions | true if IP addresses that do not map to a country or region should be included in the named location. |
IP Named Location
The list below includes all supported IP Named Location attributes that can be restored by On Demand Recovery.
displayName | Human-readable name of the location. |
ipRanges | List of IP address ranges in IPv4 CIDR format (for example, 1.2.3.4/32) or any allowable IPv6 format from IETF RFC5969. |
isTrusted | true if this location is explicitly trusted. |
Tenant Level Settings
The list below includes all supported tenant level setting attributes that can be restored by On Demand Recovery.
Directory Settings
values | Collection of name-value pairs corresponding to the name and defaultValue properties in the referenced directorySettingTemplates object. |
External Identities Settings
allowExternalIdentitiesToLeave | Defines whether external users can leave the guest tenant. If set to false, self-service controls are disabled, and the admin of the guest tenant must manually remove the external user from the guest tenant. When the external user leaves the tenant, their data in the guest tenant is first soft-deleted then permanently deleted in 30 days. |
allowDeletedIdentitiesDataRemoval | |
Group Lifecycle Policy
alternateNotificationEmails | List of email addresses to send notifications to for groups without owners. Multiple email addresses can be defined by separating them with a semicolon. |
groupLifetimeInDays | Number of days before a group expires and needs to be renewed. Once renewed, the group expiration is extended by the number of days defined. |
managedGroupTypes | The group type for which the expiration policy applies. Possible values are All, Selected or None. |
Group Lifecycle Policy Links
GroupLifecyclePolicyLinkChange |
User Authentication Settings
selfServiceSignUp | Contains selfServiceSignUpAuthenticationFlowConfiguration settings that convey whether self-service sign-up is enabled or disabled. |
User Authorization Settings
allowedToSignUpEmailBasedSubscriptions | Indicates whether users can sign up for email-based subscriptions. |
allowedToUseSSPR | Indicates whether administrators of the tenant can use the Self-Service Password Reset (SSPR). |
allowEmailVerifiedUsersToJoinOrganization | Indicates whether a user can join the tenant by email validation. |
allowInvitesFrom | Indicates who can invite guests to the organization. |
allowUserConsentForRiskyApps | Indicates whether user consent for risky apps is allowed. Default value is false. |
blockMsolPowerShell | To disable the use of the MSOnline PowerShell module, set this property to true. This also disables user-based access to the legacy service endpoint used by the MSOnline PowerShell module. This doesn't affect Microsoft Entra Connect or Microsoft Graph. |
defaultUserRolePermissions.allowedToCreateApps | Indicates whether the default user role can create applications. This setting corresponds to the Users can register applications setting in the User settings menu in the Microsoft Entra admin center. |
defaultUserRolePermissions.allowedToCreateSecurityGroups | Indicates whether the default user role can create security groups. |
defaultUserRolePermissions.allowedToCreateTenants | Indicates whether the default user role can create tenants. This setting corresponds to the Restrict non-admin users from creating tenants setting in the User settings menu in the Microsoft Entra admin center. |
defaultUserRolePermissions.allowedToReadBitlockerKeysForOwnedDevice | Indicates whether the registered owners of a device can read their own BitLocker recovery keys with default user role. |
defaultUserRolePermissions.allowedToReadOtherUsers | Indicates whether the default user role can read other users. |
description | Description of this policy. |
displayName | Display name for this policy. |
enabledPreviewFeatures | List of features enabled for private preview on the tenant. |
guestUserRoleId | Represents role templateId for the role that should be granted to guests. |
permissionGrantPolicyIdsAssignedToDefaultUserRole | Indicates if user consent to apps is allowed, and if it is, the app consent policy that governs the permission for users to grant consent. |
Administrative Units
The list below includes all supported administrative unit attributes that can be restored by On Demand Recovery.
description | An optional description for the administrative unit. |
displayName | Display name for the administrative unit. |
membershipRule | Dynamic membership rule for the administrative unit. |
membershipRuleProcessingState | Used to control whether the dynamic membership rule is actively processed. Set to On when you want the dynamic membership rule to be active and Paused if you want to stop updating membership dynamically. If not set, the default behavior is Paused. |
membershipType | Membership type for the administrative unit. Can be dynamic or assigned. If not set, the default behavior is assigned. |
visibility | Controls whether the administrative unit and its members are hidden or public. Can be set to HiddenMembership or Public. If not set, the default behavior is Public. When set to HiddenMembership, only members of the administrative unit can list other members of the administrative unit. |