지금 지원 담당자와 채팅
지원 담당자와 채팅

On Demand Recovery Current - User Guide

About On Demand Recovery On Demand Recovery Module Overview Before You Start Sign up for Quest On Demand Adding a Microsoft Entra Tenant Required Permissions Microsoft 365 Tenant Requirements (Mailbox Data Protection) Access Control Working with On Demand Recovery Backup Unpacking Restoring Objects Restoring Directory Roles and Application Roles Restoring Users Restoring Groups Restoring Service Principal Objects Restoring Applications Restoring Application Proxy Settings Restoring Multifactor Authentication Settings Restoring Group Licenses Restoring Devices Restoring Conditional Access Policies Backup and Restore of Tenant Level Settings Backup and Restore Administrative Units Integration with Recovery Manager for Active Directory Working with Inactive Mailboxes Hybrid Connection Port and Protocol Requirements Restoring Email Address or Phone for Self-Service Password Reset Reporting Advanced Search How does On Demand Recovery Handle Object Attributes? What is Not Protected by Microsoft Entra Connect but Can Be Restored by On Demand Recovery?

Reporting

On Demand Recovery includes the comparison report feature that is used to monitor and roll back changes occurred in live Microsoft Entra ID or Microsoft 365 since the backup was created. The report assists you with troubleshooting and resolving problems that may result from the deletion of critical objects or parameter changes.

The report shows the following changes:

  • Creation of new users or groups
  • Changes to Microsoft Entra B2C "local accounts", "guest accounts", and "social accounts"
  • Changes to object attributes, including licenses
  • Group membership and manager property changes (DirectoryLinkChange object type)
  • Changes to service principal objects: deletion of a service principal, add/remove roles (custom roles are not monitored), changes to the accountEnabled property
  • Objects moved to the Recycle Bin
  • Permanently deleted objects
  • When deleting a group, all links that were affected by this action are shown in the Differences report, such as Microsoft Entra group membership, Conditional Access policies, group owners, and application assignments.

Note: To restore 'member' or 'memberOf' attributes for an object, restore the group from the Unpacked Objects view. Restoring of group memberships from the Differences report is not supported in hybrid environments.

To view and roll back changes in Microsoft Entra ID or Microsoft 365

Note: Objects added to the directory after the backup was created cannot be deleted using the Restore option in the comparison report. This option removes only membership information for the selected object and logs an event.

  1. Create a backup of your directory.
  2. Change any object attributes in your live Microsoft Entra ID or Microsoft 365.
  3. Unpack the backup to compare with the current version of your directory. For that, click Unpack backup on the Dashboard view. In the Backup Unpacking dialog, click Browse and select the backup.
  4. After the backup is unpacked, go to the Differences view.
  5. To refine the data, use the Search field or facets on the left side of the screen.
    For more information about the search syntax, see Advanced Search.
  6. Select the changes you want to roll back and click Restore.
  7. To update the report data, use the Refresh option.
  8. The Export feature allows you to export the selected report data to the CSV format. Note that the CSV file contains internal column names, for example: the Attribute column in the Difference report has the "changedAttribute" internal name. You can use internal column names to create search queries. For more information, refer to Advanced Search.

Advanced Search

You can use words, symbols, and query strings in your search to make your search results more precise.

Consider the following:

  • It is recommended to add an asterisk to the end of your search term. The asterisk will replace a character in your search string to indicate that any number of characters can be substituted in place of the asterisk.
  • Do not put spaces between the symbol or word. For example, a search for changedAttribute:link* will work, but will not work for changedAttribute: link*
  • Press Enter to get the search results.
  • Keywords are not case-sensitive.
  • You can export selected search results to the CSV file.

Using Operators in Keyword Queries

You can use special punctuation marks to refine your search.

Table 5: Operators that can be used in keyword queries

To search for Operator Example Result
Specify part of a word * serv* Include terms beginning with "serv".
Exclude specified content - -mail* Excludes content with values that match the exclusion.
Exclude specified content NOT
(case-sensitive)
NOT mail* Excludes content with values that match the exclusion
Include specified content + +mail* Includes content with values that match the inclusion.
Multiple keywords space mail user Returns content that includes either 'mail' or 'user'.
Multiple keywords OR
(case-sensitive)
mail OR user Returns content that includes either 'mail' or 'user'.
Multiple keywords AND
(case-sensitive)
mail AND user Returns content that includes both these keywords.
Exact phrase Quotation marks "Object hard deleted" Finds items that contain the exact phrase "Object hard deleted".

Note: Asterisk matches zero or more non-space characters.

Search by Date Range

Table 6: Query examples to search by date range

Time stamp Query example

Search for the backup created on September 18, 2017 Eastern Time (UTC-5) in the Select backups to unpack dialog

when:[2017-09-18T00:00:00-05 TO 2017-09-19T00:00:00-05]
All events after June 27 timestamp:[2017-06-27 TO *]
All events up to June 27 9:03:27 timestamp:[* TO 2017-06-28T09:03:27]
January 27-28 interval timestamp:[2017-01-27 TO 2017-01-28]
53 second interval on January 27 9:13 UTC timestamp:[2017-01-27T09:13:00Z TO 2017-01-27T09:13:53Z]
The same time interval as previous but with time zone specified timestamp:[2017-01-27T12:13:00+03 TO 2017-01-27T12:13:53+03]
1 – 3 weeks of 2017 year timestamp:[2017-W1 TO 2017-W3]

First 50 days of 2017 year

timestamp:[2017-001 TO 2017-050]
관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택