Quest® On Demand Recovery
October 20, 2022
On Demand Recovery allows you to backup and restore Microsoft Azure Active Directory and Office® 365 objects with their properties. These objects can be selected in a backup and then restored to Azure Active Directory or Office 365 without affecting other objects or attributes. Using the granular restore, objects that were inadvertently deleted or modified can be recovered in a few minutes.
Key features of On Demand Recovery
- Back up Azure Active Directory and Office 365 users, groups, contacts, service principals, conditional access policies, and device information
On Demand Recovery automatically backs up your directory on a regular basis.
- Granular, selective restore of Azure Active Directory and Office 365 users, groups, service principals, conditional access policies, devices, inactive mailboxes for permanently deleted users
Users, groups, service principals, and devices can be selected in a backup and then restored to Azure Active Directory or Office 365 without affecting other objects or attributes.
- Backup and restore Azure Active Directory B2C users and groups
On Demand Recovery supports Azure Active Directory B2C tenants.
- Restore users or Office 365 groups from the Recycle Bin
Restore users and Office 365 groups that were inadvertently moved to the Recycle Bin.
- Cloud solution: backup snapshots are stored in the cloud
On Demand Recovery does not require to install or maintain any additional software.
- Comparison reporting
This feature lets you view differences between the selected backup and live Azure Active Directory or Office 365 and revert unwanted changes.
- Integration with Recovery Manager for Active Directory
On Demand Recovery can be integrated with Recovery Manager for Active Directory 9.0 or higher to restore on-premises objects that were synchronized with cloud by Azure AD Connect.
These release notes provide information about the On Demand Recovery release.
The following is a list of issues, including those attributed to third-party products, known to exist at the time of this deployment.
General known issues
|If you restore two groups which are members of the third group which was deleted, the third group can be duplicated after the restore operation. This issue is applied only to non-Office Groups which support nesting. Workaround:To avoid this issue, the user needs either to restore groups one by one (order is not important) or restore all of them at once.
|On Demand Recovery displays contacts in the backup statistics but does not support the restore of Contact objects.
|Restore of changed user mail attributes such as mail, proxyAddress, targetAddress is not restored correctly if the object was hard deleted and not available in the Recycle Bin.
|On Demand Recovery does not restore an Office 365 mailbox (either for user or for Office group) if it was permanently deleted.
|On Demand Recovery does not restore Distribution List members and will display the error "Status: 400, Code: Request_BadRequest. Details: Unable to update the specified properties for objects that have originated within an external service."
|If two users perform the unpack operation simultaneously with the selected "Clear objects" option in the same On Demand organization, one of the processed backups will not be unpacked (or will be partly unpacked). Workaround: Do not select the "Clear objects" option. Also, the restore operation may fail if the user is trying to unpack the backup that is currently processed by another user.
|Old backups (backups that were created before you remove the tenant) are not shown in the On Demand Recovery user interface if the same tenant was removed and then added again. If you need to unpack, restore or delete old backups, please contact Quest Support.
|Backup task does not check the Admin consent status, but if the Admin consent is not granted for the tenant, the following error occurs: "The identity of the calling application could not be established."
|On Demand Recovery does not show the proxyAddresses attribute in the Differences view.
|The restore operation from the Differences view may fail if you run Refresh before the restore operation is completed.
|An incorrect (empty) object count may be displayed in the "details pane" of the Restore from Diff task.
|If you enable Azure Multi-Factor Authentication (MFA), you should regrant Admin Consent for the On Demand Recovery module. Otherwise, you will get the following error during the restore operation: "Failed to refresh access token. StatusCode: 400. ErrorCode: interaction_required. Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access".
|On Demand Recovery does not support backup and restore of Azure Active Directory tenants created in Azure Germany, or U.S. Government.
|Restore of more than 10000 objects using one task may result in poor performance.
|On Demand Recovery does not restore MFA authentication methods for a hard deleted user if the mobile application was assigned to this user. NOTE: If any of the following Voice Call/SMS/Office Phone was set up as an authentication method for a user, On Demand Recovery will restore all MFA data for this user.
|On Demand Recovery does not support MFA enabled accounts for backup creation. To set the account password to never expire, use the following PowerShell command: Set-MsolUser -UserPrincipalName <name of the account> -PasswordNeverExpires $true For more details, refer this article https://support.office.com/en-us/article/set-an-individual-user-s-password-to-never-expire-f493e3af-e1d8-4668-9211-230c245a0466
|If you restore a permanently deleted user with the enabled Self-Service Password Reset option, Multi-Factor Authentication methods will be displayed as not verified after restore.
|On Demand Recovery does not restore the conditional access policy "Baseline policy: Require MFA for admins".
|A tenant verification failed message appears when user adds tenant to On Demand Recovery (Core only).
Hybrid only known issues
|Granular restore of object membership from the Differences view is not supported. Workaround: Go to the Objects view, find the group that you want to restore and select the member attribute in the attribute list to restore links.
|Some attributes of on-premises objects (e.g. "ipPhone, "pager", "info", "homePhone") are mapped by Azure AD connect but are not shown in the Differences view and cannot be applied to cloud-only users. On Demand Recovery restores these attributes for on-premises objects only.
|Cannot download hybrid credentials with the Error 404 "Not found" may occur. This issue occurs if you try to get credentials right after the registration - it takes about one minute to create the Relay credentials.
|If the same on-premises object is selected in different unpacked backups on the Objects view, On Demand Recovery will perform the hybrid restore of the object on the first selected backup date.
|If multiple objects are selected for restore and there is Directory Synchronization Service Account among them, the restore operation will fail for all objects with the error "Failed on-premise restore. Error: Value cannot be null".
|Hybrid restore (from Objects or Differences view) uses attribute values from the on-premises backup. So, these values may be different from the corresponding values shown in the Differences or Objects view.
|Restore of the usageLocation cloud attribute does not work for the "Exchange Hybrid" scenario.
|A restore of a hybrid cloud user that was permanently deleted may fail, if Azure AD Connect cannot synchronize the newly created user from the on-premises Active Directory to the cloud. Workaround: Force Azure AD Connect initial synchronization to fix this issue, then restart the restore operation.
If a user does not have the service account for the tenant, On Demand Recovery cannot restore permanently deleted service principals provisioned from Azure Gallery. Workarounds:
- Install the corresponding application from Azure Gallery once again to re-create the service principal object.
- Install SSL certificates for the application.
- Configure single sign-on (SSO) options for the service principal (if any).
- After that, On Demand Recovery will be able to apply properties from the backup.
|Cannot restore cloud attributes for a permanently deleted user in hybrid scenario after the user was recreated by Azure AD Connect. The following error will arise: "Another object with the same value for property userPrincipalName already exists "
|On Demand Recovery cannot restore the onPremisesDistinguishedName property for permanently deleted users in hybrid scenario. In this case you will get the following error message: "Property 'onPremisesDistinguishedName' is read-only and cannot be set" error.
|Hybrid restore may fail with the following error: "The ChannelDispatcher at 'sb://backupaad-rmaz-hybrid-us.servicebus.windows.net/org-f555beae-38fa-4d0a-b502-08c4b93b01da' with contract(s) 'HybridRestoreServiceContract' is unable to open its IChannelListener". Workaround: Restart the Recovery Manager Hybrid Connect service.
Import-Module ADSync command may not work correctly on the Azure AD Connect host. Workarounds:
- Make sure that Import-Module is available globally on the Azure AD Connect host.
- Сopy the AADSync.psm1 file manually from the Recovery Manager Portal machine to the PowerShell default folder on the Azure AD Connect host.
|On Demand Recovery does not support backups dated before October 2019.
Quest Migration and Management Platform known issues
|You may see a "white screen" instead of spinning preloader when starting On Demand Recovery.
|The "Select all" option does not work properly in the "Select attributes" dialog that opens when you click Browse in the Restore Objects dialog. If you select the "Select all" check box, all attributes will be selected, but will not be restored.
|Invalid sorting of data by 'Task Name' and 'Object Name' fields in the Events view.
|Resizing issue: Shows gray overlay on small displays when the side bar was initially in the expanded state.
|Scrolling hangs if there are more than 10000 objects in a list. Workaround: Use sorting or filtering option to narrow your search scope.
|The timelines on the Events and Backups show incorrect results if you select an interval in the timeline and then click any date range link on the left side of the screen.
|If you work with Internet Explorer 11, dialogs launched from the Differences and Dashboard screens may show controls from the lower layer. Workaround: Resize the browser window.
|Details panel on the Objects view shows tasks in a random order.
|On the Dashboard view, if you click on any specific status in the objects widget, you will be redirected to the Objects view with this status as a filter. Then, if you go back to Dashboard and click on the widget title (total number of objects), you will be redirected to Objects with the previous status filter.
The following lists the new features and resolved issues by deployment.
Release 1.5.93 (October 20, 2022)
|Restoration of multiple users (more than 3) with a mailbox fails.
|Unpacking can be started when no backups has been created.
Release 1.5.92 (September 29, 2022)
|Support of Exchange Online modern authentication for difference restore operation.
|Support mailbox restore for Exchange Online and modern authentication - basic authentication deprecated.
|Validate connection hangs in Manage Tenant dialog.
Release 1.5.91 (September 20, 2022)
|Lost backup monitor runs for 20+ hours due to increased retry attempts.
|AU tenant not displaying under Manage Backups and backups fail.
Release 1.5.90 (September 16, 2022)
|SharePoint Online requests require longer timeout.
Release 1.5.89 (September 16, 2022)
|Backup failed with ''NoneType' object is not subscriptable' error.
Release 1.5.88 (September 15, 2022)
|Update from Azure AD Graph API to Microsoft Graph API.
|WhiteSource vulnerability: lxml 4.6.5 - upgrade to version lxml 4.9.1.
|WhiteSource vulnerability: azure.storage.blob 12.10.0 - upgrade required.
|Invalid notification process for expired subscriptions and handling of data.
|If objects from different tenants were selected, the restore button should not be visible. Select only objects from a single tenant to restore.
|Task fails when roles are assigned to a service account via a group.
|Unable to read default policy for service principal and backup fails.
Release 1.5.86 (July 12, 2022)
|Enhancement to hybrid connection settings.
Release 1.5.85 (June 30, 2022)
|Unpacking fails for 8e205ff5-4a4a-e38d-0925-70aecc8b6ffc.
Release 1.5.84 (June 07, 2022)
|Lost backups monitor is not handling exceptions properly.
Release 1.5.82 (May 17, 2022)
|Added option to perform differences operation during unpack.
|Enhanced the existing restore process to only read backup files that contain relevant data.
|Saving customer credentials may fail due to changes in Azure KeyVault behavior.
Release 1.5.80 (March 31, 2022)
|Added fix to unpack and restore group with contacts.
Release 1.5.75 (January 27, 2022)
|Hybrid user restore from Recycle Bin will programmatically set user GivenName into different value.
Release 1.5.72 (December 16, 2021)
|Error during restore of AppRoles due to service principal object. Error was not displayed in the UI.
Release 1.5.71 (November 30, 2021)
|Hybrid restore: Clearing up "ReadOnly" Hybrid Object attributes for soft deleted user.
|Backup failures related to changes in Graph API.
Release 1.5.69 (November 04, 2021)
|Restore on-premises objects source and directory synced displayed incorrect information.
Release 1.5.66 (September 28, 2021)
|An error displays that cannot update the default conditional access policy.
Release 1.5.65 (July 20, 2021)
|Hard deleted group/user did not reflect in Differences tab.
|Differences tab hangs when the user clicks refresh.
Release 1.5.63 (June 23, 2021)
|When deleting a group, all links that were affected by this action are shown in the Differences report, e.g. Azure AD group membership, SharePoint groups membership, conditional access policies, group owners, and application assignments.
Release 1.5.60 (June 01, 2021)
|The backup configuration dialog does not behave properly when incorrect credentials provided.
Release 1.5.59 (May 18, 2021)
|Issue with running backup when no tenant selected.
|Policies not always restored due to caching of objects.
Release 1.5.57 (May 04, 2021)
|A notification was not sent after a missed backup due to timeout of services.
|Hard deleted user failed to add owner to Service Principal due to insufficient privileges.
|Configure backup dialog was unable to open for B2C clients.
Release 1.5.56 (April 29, 2021)
|Restoration of a deleted user had failed.
|Multi-factor authentication status was incorrect when restoring multi-factor authentication settings.
|Service Principal restore did not reference a valid application object.
|Intermittent backup failures occurred for unknown reason.
Release 1.5.55 (March 23, 2021)
|SharePoint user is not created during the restore operation.
|On Demand Recovery displays timeout error.
Release 1.5.53 (March 16, 2021)
|Fixed the discrepancy between data reported from the Backup tab and the Unpacked tab.
Release 1.5.46 (January 25, 2021)
|Failed backup event and email notification.
|Changes in appRoles are not shown in Differences.
|Differences report did not show conditional access policy change.
|Role assignment is not restored for single sign-on applications.
Release 1.5.45 (January 12, 2021)
|Difference report: The deleted conditional access policy may fail to appear.
Object search functionality did not work correctly when partial criteria was entered.
|Linking hard deleted user to service principal owner or application owner gave insufficient permission error.
|Restoration of user failed due to invalid location.
Release 1.5.39 (December 01, 2020)
Backup failing due to the deletion of a tenant
Release 1.5.35 (November 03, 2020)
On the Unpacked Objects tab, there is now a Mail Enabled filter. This allows you to filter by users and groups who do or do not have a mailbox.
Changes made to appRoles attributes were not displayed in the Differences report.
Release 1.5.34 (October 05, 2020)
Made adjustments to the Application Proxy backup and restore feature to compensate for the modification that Microsoft made to an API endpoint.
Release 1.5.33 (October 01, 2020)
Second restore of hard deleted user unable to complete due to more than one user being found when matching.
Release 1.5.32 (September 24, 2020)
From this version, On Demand Recovery restores Azure AD Application Proxy applications.
|Application Proxy settings can be restored from the Differences report.
Release 1.5.31 (August 27, 2020)
|On Demand Recovery can restore/validate application role assignments that have invalid IDs.
Release 1.5.29 (August 13, 2020)
|From this version, On Demand Recovery restores gallery applications using Beta API.
Release 1.5.26 (July 28, 2020)
|On Demand Recovery may display wrong timestamps for hybrid objects on the Events screen.
Release 1.5.25 (July 23, 2020)
|The Hybrid restore operation does not randomly restore some hybrid attributes.
Release 1.5.22 (June 30, 2020)
|Backup creation can fail when getting a password from Azure Key Vault.
|Hybrid recovery from encrypted backups does not work.
Release 1.5.21 (June 18, 2020)
|Hybrid recovery stability has been improved.
Release 1.5.20 (June 16, 2020)
|Improved stability of On Demand Recovery backups.
Release 1.5.18 (June 09, 2020)
|The ssoSettings attribute of a service principal cannot be restored for the corresponding non-gallery Application.
Release 1.5.17 (June 02, 2020)
|Backup settings did not display correctly in the "Create backup" dialog due to a problem with the empty 'created' field.