
On Demand Recovery Current - User Guide


Restoring Group Licenses

On Demand Recovery restores group licenses, which means reassignment of a license to a group after its recreation or restore from the Recycle Bin. Granular restore of the assignedLicenses attribute is supported as well.

Supported scenarios

The following scenarios are supported by On Demand Recovery:

  • If a group is moved to the Recycle Bin, group licenses are restored simultaneously with the group object.
  • Direct and inherited licenses for users are now distinguished.
  • Inherited licenses are reassigned automatically by restoring membership.
  • If the licenseAssignmentStates attribute is not present in old backups, user object assignments in Microsoft Entra ID are used to distinguish inherited and direct licenses.
  • The same logic is applied to the Differences report to show only one change if a group which is giving licenses was changed or deleted. In this case, the report will contain only the "Group change" or "Group deletion" action.
NOTE: If you are restoring a permanently deleted user from an old backup, the user's license may be assigned twice: once through a group and once directly.
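As an added example (not On Demand Recovery code), the following Python classifies a user's license assignments from the Microsoft Graph licenseAssignmentStates attribute, distinguishing direct from group-inherited licenses, and flags SKUs assigned both by group and directly, which is the double-assignment case noted above. The user record, group ids and SKU ids are constructed sample values.

```python
"""Classify a user's license assignments as direct or group-inherited.

Added example, not On Demand Recovery code. Works on the
licenseAssignmentStates collection of a Microsoft Graph user object: an
entry whose assignedByGroup is null is a direct assignment, otherwise the
license is inherited from that group. The sample user is constructed.
"""
from collections import defaultdict

# Constructed sample in the shape of a Graph user's licenseAssignmentStates
SAMPLE_USER = {
    "userPrincipalName": "alice@contoso.example",
    "licenseAssignmentStates": [
        {"skuId": "sku-e3", "assignedByGroup": None, "state": "Active", "error": "None"},
        {"skuId": "sku-e3", "assignedByGroup": "group-lic-001", "state": "Active", "error": "None"},
        {"skuId": "sku-visio", "assignedByGroup": "group-lic-002", "state": "Active", "error": "None"},
        {"skuId": "sku-project", "assignedByGroup": None, "state": "Error", "error": "CountViolation"},
    ],
}

def classify_licenses(user):
    """Return {skuId: {"direct": bool, "groups": [group ids]}} for Active entries."""
    result = defaultdict(lambda: {"direct": False, "groups": []})
    for entry in user.get("licenseAssignmentStates", []):
        if entry.get("state") != "Active":
            continue  # errored or disabled assignments are not effective licenses
        sku = result[entry["skuId"]]
        group = entry.get("assignedByGroup")
        if group is None:
            sku["direct"] = True
        else:
            sku["groups"].append(group)
    return dict(result)

def find_double_assignments(user):
    """SKUs held both directly and via a group: the case a restore from an old backup can produce."""
    return sorted(s for s, v in classify_licenses(user).items() if v["direct"] and v["groups"])

def find_assignment_errors(user):
    """Entries whose state is not Active, e.g. CountViolation when no seats are left."""
    return [(e["skuId"], e.get("error")) for e in user.get("licenseAssignmentStates", [])
            if e.get("state") != "Active"]

if __name__ == "__main__":
    print("licenses:", classify_licenses(SAMPLE_USER))
    print("double-assigned:", find_double_assignments(SAMPLE_USER))
    print("errors:", find_assignment_errors(SAMPLE_USER))
```

Running the same functions over every restored user after a recovery gives a list of accounts whose direct assignment can be removed so that the group assignment alone remains.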

Restoring Devices

On Demand Recovery can restore Microsoft Entra device objects that were removed from the Azure Portal. For registered or joined devices, single sign-on (SSO) data (if any) is also restored.

Note: Because of Microsoft requirements, hard deleted objects will receive a new Object ID upon restore of these objects. Please consider the implications of having a new Object ID after restoring these objects.

Limitations

The following limitations exist when restoring devices in On Demand Recovery:

  • SSO data cannot be restored automatically for a device that was permanently deleted together with its owner. In this case, the device owner must join the device again.
  • If a device was unjoined by its owner, it is restored in the Azure Portal but SSO will not work.
Not supported

The following scenarios are not supported in On Demand Recovery:

  • Windows Hello for joined devices
  • Microsoft Intune
  • Restricted access for devices
  • Restoring of devices in hybrid configuration
Restored device attributes

For a list of device attributes restored by On Demand Recovery, visit the On Demand Recovery Supported Attributes guide.

Restoring Conditional Access Policies

On Demand Recovery supports backing up and restoring Conditional Access policies and Named Location policies in cloud-only environments.

Note: When policies are created using a predefined template in Azure and then restored after being hard deleted, the "templateId" attribute is not restored as it is read-only.

Prerequisites

Backing up Conditional Access Policies and Named Location Policies is not enabled by default. You must select this option when configuring backup options.

To back up Conditional Access policies and Named Location policies

  1. Click Manage backups on the Dashboard screen.
  2. Select the tenant from the list and click Edit.
    The Configure backup dialog opens.

  3. Select the Backup Conditional Access Policies and Service Principal Default Policies option and specify service account credentials for the tenant. The specified account must have at least one of the following roles in the Azure portal for backup operations: Global Reader or Global Administrator.
  4. Click Save.


To restore Conditional Access policies

For the restore procedure, see the Restoring Objects section. For the directory role required, see the Service Account Permissions section.


Supported Scenarios

If a backup contains Conditional Access policies or Named Location policies, the Objects view will show the type of policy.

The following policy types are supported by On Demand Recovery:

  • Conditional Access Policy
  • Country Named Location
  • IP Named Location

On Demand Recovery restores the whole policy object and what has changed is displayed in the Differences report. On Demand Recovery checks whether objects (users, groups, named locations) assigned to the policy exist in Microsoft Entra ID. If any objects are missing, the policy is restored but a warning is shown.

A user can select attributes to be restored for Conditional Access policies and Named Location policies. For the full list of policy attributes that are restored and not restored by On Demand Recovery, see How does On Demand Recovery Handle Object Attributes?

Note: Because of Microsoft requirements, hard deleted objects will receive a new Object ID upon restore of these objects. Please consider the implications of having a new Object ID after restoring these objects.


Limitations

Other policy types such as claims mapping policy, token issuance policy, token lifetime policy and many others are currently not supported by On Demand Recovery. See the Known issues list in the On Demand Recovery release notes.

  • If the "AuthenticationStrength" attribute in "grantControl" is not present in the tenant at restore time, the restore of the Conditional Access policy fails. "AuthenticationStrength" is a relational attribute and On Demand Recovery does not back it up, so if it has been deleted from the tenant, the Conditional Access policy is not restored and an error is shown.
  • The "TermsOfUse" attribute in "grantControl" is not restored. A warning is shown: "Terms of Use for the policy are not set."
  • Relational attributes cannot be selected individually in the user interface. Whenever a user, group, application or named location is restored, its relational attributes are restored as well, even if only the minimum set of attributes was selected.
  • If "All", "None" or "AllTrusted" is selected in the live policy, no relational attribute is restored and the policy in Microsoft Entra ID remains as it is.
  • If "All", "None" or "AllTrusted" is selected in the backup and a link to a user is subsequently added in the live policy, restoring that user removes the link. In this case, the policy is updated with the default value ("None", null or []).
  • Links that were removed or added are not visible in the Differences report.
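The reference check described under Supported Scenarios and the authentication-strength failure listed above, as an added example that is not On Demand Recovery code: the function reads the Microsoft Graph conditionalAccessPolicy shape, skips the tenant-wide selector values "All", "None" and "AllTrusted", and reports which referenced users, groups, named locations and authentication strengths are absent from the live tenant. The policy and the live id sets are constructed (real ids are GUIDs).

```python
"""Pre-restore reference check for a backed-up Conditional Access policy.

Added example, not On Demand Recovery code. Reads the Graph
conditionalAccessPolicy shape (conditions.users, conditions.locations,
grantControls.authenticationStrength) and lists referenced users, groups,
named locations and authentication strengths that are absent from the live
tenant. Policy and live id sets are constructed; real ids are GUIDs.
"""

# Tenant-wide selector values; they are not object ids and are never looked up
SPECIAL = {"All", "None", "AllTrusted"}

SAMPLE_POLICY = {
    "displayName": "Require MFA outside trusted locations",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": ["user-breakglass-1"],
                  "includeGroups": ["group-staff"], "excludeGroups": ["group-old-svc"]},
        "locations": {"includeLocations": ["All"],
                      "excludeLocations": ["loc-hq-ip", "loc-country-gone"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"],
                      "authenticationStrength": {"id": "strength-phish-resistant"}},
}

# Constructed view of what currently exists in the tenant
LIVE_IDS = {"users": {"user-breakglass-1"}, "groups": {"group-staff"},
            "namedLocations": {"loc-hq-ip"}, "authenticationStrengths": set()}

def _refs(values):
    return [v for v in values if v not in SPECIAL]

def check_policy_references(policy, live):
    """Return {"missing": {kind: [ids]}, "blocking": bool}.
    A missing authentication strength blocks the restore; other missing
    references only produce a warning, matching the behaviour described above."""
    cond = policy.get("conditions", {})
    users, locs = cond.get("users", {}), cond.get("locations", {})
    wanted = {
        "users": _refs(users.get("includeUsers", []) + users.get("excludeUsers", [])),
        "groups": _refs(users.get("includeGroups", []) + users.get("excludeGroups", [])),
        "namedLocations": _refs(locs.get("includeLocations", []) + locs.get("excludeLocations", [])),
    }
    strength = policy.get("grantControls", {}).get("authenticationStrength")
    if strength:
        wanted["authenticationStrengths"] = [strength["id"]]
    missing = {k: sorted(set(v) - live.get(k, set())) for k, v in wanted.items()}
    missing = {k: v for k, v in missing.items() if v}
    return {"missing": missing, "blocking": "authenticationStrengths" in missing}
```

Calling check_policy_references(SAMPLE_POLICY, LIVE_IDS) reports the deleted group and named location as warnings and the missing authentication strength as blocking, so the strength can be recreated before the policy is restored.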

Backup and Restore of Tenant Level Settings

On Demand Recovery can back up and restore many types of tenant level settings.

Object Types

The backup and restore of the following tenant level settings are supported by On Demand Recovery. The corresponding object type for each tenant level setting appears in the Unpacked Objects list view:

Tenant Level Setting                                     | Object Type
Backup and restore of user settings                      | User Authorization Settings, User Authentication Settings, External Identities Settings
Backup and restore of group settings (Naming policy)     | Directory Settings
Backup and restore of group settings (Expiration policy) | Group Lifecycle Policy

Limitations

The following tenant level settings cannot currently be restored by On Demand Recovery:

  • Security Defaults
  • Password reset
  • Organization Settings
  • Domains


Tenant level settings attributes

For a list of attributes restored by On Demand Recovery, visit the On Demand Recovery Supported Attributes guide. Each attribute can be restored individually. See To restore selected attributes in the Restoring Objects section to find out more.
