
On Demand Recovery Current - User Guide

Hybrid Connection Security

A FIPS 140-2 compliant TLS protocol is used for traffic encryption. The HTTPS certificate is validated on the client side (Recovery Manager Portal).

The server side is an Azure WCF Relay that is created and configured in the Quest Azure subscription.

Shared Access Signature (SAS) is used for authentication. A SAS token is based on an access key generated by the On Demand Recovery cloud. This key is downloaded to the on-premises server with Recovery Manager Portal and used in the portal configuration to establish the Hybrid connection (from on-premises to the cloud). The SAS token is sent to the cloud and verified on each connection request. For details about the Shared Access Signature algorithm, see https://docs.microsoft.com/en-us/azure/service-bus-relay/relay-authentication-and-authorization.
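The following Python example is added here for illustration and is not code from On Demand Recovery or Quest. It builds a token in the SAS format described at the Microsoft link above (HMAC-SHA256 over the URL-encoded resource URI and the expiry time) and shows the check a service performs on each connection request. The relay URI, key name, and key are constructed sample values.

```python
import base64, hashlib, hmac, time
from urllib.parse import quote, unquote

PREFIX = "SharedAccessSignature "

def _sign(key, encoded_uri, expiry):
    # String to sign: URL-encoded resource URI, newline, expiry (Unix seconds).
    msg = f"{encoded_uri}\n{expiry}".encode()
    return base64.b64encode(hmac.new(key.encode(), msg, hashlib.sha256).digest())

def make_sas_token(resource_uri, key_name, key, ttl_seconds, now=None):
    """Client side: derive a short-lived token from the shared access key."""
    expiry = str(int((time.time() if now is None else now) + ttl_seconds))
    encoded_uri = quote(resource_uri, safe="")
    sig = quote(_sign(key, encoded_uri, expiry).decode(), safe="")
    return f"{PREFIX}sr={encoded_uri}&sig={sig}&se={expiry}&skn={key_name}"

def verify_sas_token(token, keys, now=None):
    """Service side: recompute the HMAC and check expiry. Returns (ok, reason)."""
    if not token.startswith(PREFIX):
        return False, "malformed"
    fields = dict(p.partition("=")[::2] for p in token[len(PREFIX):].split("&"))
    try:
        sr, sig = fields["sr"], unquote(fields["sig"])
        se, skn = fields["se"], fields["skn"]
        expires_at = int(se)
    except (KeyError, ValueError):
        return False, "malformed"
    key = keys.get(skn)
    if key is None:
        return False, "unknown key"
    # Constant-time comparison avoids leaking how many signature bytes matched.
    if not hmac.compare_digest(_sign(key, sr, se), sig.encode()):
        return False, "bad signature"
    # Expiry is covered by the signature, so it cannot be extended by editing se.
    if expires_at <= (time.time() if now is None else now):
        return False, "expired"
    return True, "ok"

# Constructed sample values, not real endpoints or keys.
URI = "https://contoso-relay.servicebus.windows.net/portal"
KEYS = {"PortalListen": "c2FtcGxlLWtleS1ub3QtcmVhbA=="}
```

Because the access key itself never travels with the request, protecting the downloaded key file on the on-premises server is what protects the connection; anyone holding the key can mint valid tokens until the key is regenerated.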

Restoring Email Address or Phone for Self-Service Password Reset

On Demand Recovery restores an email address or phone that was specified as an authentication method for the self-service password reset user option in the Azure portal, so users can reset their passwords without the help of the tenant administrator.

Supported scenarios

The following scenarios are supported by On Demand Recovery:

  • Restoring email, mobile phone number, and office phone number for the self-service password reset option.

Note: Because of Microsoft requirements, hard deleted objects will receive a new Object ID upon restore of these objects. Please consider the implications of having a new Object ID after restoring these objects.

Limitations

The following scenarios are not supported by On Demand Recovery:

  • Restoring user passwords. Password reset is the only option to log in to the Azure portal after the restore of a permanently deleted user.
  • The following authentication methods are not restored: security questions, mobile app notification, and mobile app code.

For details on how to enable self-service password reset in your Microsoft Entra tenant, click here.

To log in to the Azure portal after the user restore if an email address was specified as the authentication method for the password reset option

  1. Go to the Azure portal and enter the user name.
  2. On the Enter password screen, click Forgot my password.

  3. On the Get back into your account screen, type the user name and prove that you are not a robot by entering the characters you see on the screen, and then select Next.

  4. On the next screen, select Email my alternate email, and then select Email.

  5. Type the verification code from the email into the box, and then select Next.
  6. Type and confirm your new password, and then select Finish. Your password has been reset and can be used to log in to the Azure portal.

  7. Log in with the new password.
  8. Then you may see the screen where you will be asked to verify your email address if the Converged service is not enabled in your environment. You can click Cancel and verify the email address later.

  9. If the Converged service is enabled, you will get the screen like below. In this case, no further action is required.

Reporting

On Demand Recovery includes the comparison report feature, which is used to monitor and roll back changes that occurred in live Microsoft Entra ID or Microsoft 365 since the backup was created. The report assists you with troubleshooting and resolving problems that may result from the deletion of critical objects or parameter changes.

The report shows the following changes:

  • Creation of new users or groups
  • Changes to Microsoft Entra B2C "local accounts", "guest accounts", and "social accounts"
  • Changes to object attributes, including licenses
  • Group membership and manager property changes (DirectoryLinkChange object type)
  • Changes to service principal objects: deletion of a service principal, add/remove roles (custom roles are not monitored), changes to the accountEnabled property
  • Objects moved to the Recycle Bin
  • Permanently deleted objects
  • When deleting a group, all links that were affected by this action are shown in the Differences report, such as Microsoft Entra group membership, Conditional Access policies, group owners, and application assignments.

Note: To restore 'member' or 'memberOf' attributes for an object, restore the group from the Unpacked Objects view. Restoring group memberships from the Differences report is not supported in hybrid environments.

To view and roll back changes in Microsoft Entra ID or Microsoft 365

Note: Objects added to the directory after the backup was created cannot be deleted using the Restore option in the comparison report. This option removes only membership information for the selected object and logs an event.

  1. Create a backup of your directory.
  2. Change any object attributes in your live Microsoft Entra ID or Microsoft 365.
  3. Unpack the backup to compare with the current version of your directory. For that, click Unpack backup on the Dashboard view. In the Backup Unpacking dialog, click Browse and select the backup.
  4. After the backup is unpacked, go to the Differences view.
  5. To refine the data, use the Search field or facets on the left side of the screen.
    For more information about the search syntax, see Advanced Search.
  6. Select the changes you want to roll back and click Restore.
  7. To update the report data, use the Refresh option.
  8. The Export feature allows you to export the selected report data to the CSV format. Note that the CSV file contains internal column names, for example: the Attribute column in the Difference report has the "changedAttribute" internal name. You can use internal column names to create search queries. For more information, refer to Advanced Search.

Advanced Search

You can use words, symbols, and query strings in your search to make your search results more precise.

Consider the following:

  • It is recommended to add an asterisk to the end of your search term. The asterisk is a wildcard: any number of characters can be substituted in its place.
  • Do not put spaces between the symbol and the word. For example, a search for changedAttribute:link* will work, but a search for changedAttribute: link* will not.
  • Press Enter to get the search results.
  • Keywords are not case-sensitive.
  • You can export selected search results to the CSV file.
