
On Demand Recovery Current - User Guide


Restoring Group Licenses

On Demand Recovery restores group licenses, which means reassignment of a license to a group after its recreation or restore from the Recycle Bin. Granular restore of the assignedLicenses attribute is supported as well.

Supported scenarios

The following scenarios are supported by On Demand Recovery:

  • If a group is moved to the Recycle Bin, group licenses are restored simultaneously with the group object.
  • Direct and inherited licenses for users are now distinguished.
  • Inherited licenses are reassigned automatically by restoring membership.
  • If the licenseAssignmentStates attribute is not present in old backups, user object assignments in Microsoft Entra ID are used to distinguish inherited and direct licenses.
  • The same logic is applied to the Differences report to show only one change if a group which is giving licenses was changed or deleted. In this case, the report will contain only the "Group change" or "Group deletion" action.

NOTE: If you are restoring a permanently deleted user from an old backup, the user's license may be assigned twice: by group and directly.
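The distinction between direct and group-inherited licenses above rests on the user's licenseAssignmentStates attribute (each entry names a skuId and, for inherited licenses, the assigning group in assignedByGroup). The following Python is an added example, not On Demand Recovery code: it classifies a user's licenses from that attribute, falls back to assignedLicenses for an old backup that lacks it (using the live user's states to tell inherited SKUs apart, as the fallback described above), and flags the double-assignment case from the note. The user objects and GUIDs are constructed sample data, and skipping entries in the "Error" state is an assumption of this example.

```python
from collections import defaultdict

# Constructed sample user in the shape Microsoft Graph returns for a user's
# licensing attributes. skuId values are made-up, not real Microsoft SKUs.
SKU_A = "11111111-0000-0000-0000-000000000001"
SKU_B = "22222222-0000-0000-0000-000000000002"
SAMPLE_LIVE_USER = {
    "userPrincipalName": "alice@contoso.example",
    "assignedLicenses": [{"skuId": SKU_A, "disabledPlans": []},
                         {"skuId": SKU_B, "disabledPlans": []}],
    "licenseAssignmentStates": [
        # SKU_A assigned directly AND via a group: the double-assignment case
        {"skuId": SKU_A, "assignedByGroup": None, "state": "Active"},
        {"skuId": SKU_A, "assignedByGroup": "group-licensing-1", "state": "Active"},
        # SKU_B only via a group
        {"skuId": SKU_B, "assignedByGroup": "group-licensing-2", "state": "Active"},
    ],
}
# Constructed old backup of the same user: assignedLicenses only, no
# licenseAssignmentStates, so the backup alone cannot tell direct from inherited.
SAMPLE_OLD_BACKUP_USER = {
    "userPrincipalName": "alice@contoso.example",
    "assignedLicenses": [{"skuId": SKU_A}, {"skuId": SKU_B}],
}


def classify_licenses(user):
    """Split a user's licenses into direct SKUs, inherited SKUs (with the
    assigning groups) and SKUs that are assigned both ways."""
    direct = set()
    inherited = defaultdict(set)
    states = user.get("licenseAssignmentStates")
    if states is None:
        # No per-assignment states: only the SKU ids are known, treat as direct.
        for lic in user.get("assignedLicenses", []):
            direct.add(lic["skuId"])
    else:
        for st in states:
            if st.get("state") == "Error":
                continue  # assumption: failed assignments are not counted
            group = st.get("assignedByGroup")
            if group is None:
                direct.add(st["skuId"])
            else:
                inherited[st["skuId"]].add(group)
    return {
        "direct": direct,
        "inherited": dict(inherited),
        "duplicates": direct & set(inherited),
    }


def plan_direct_assignments(backup_user, live_user):
    """Return the SKUs from a backup that must be assigned directly.

    If the backup carries licenseAssignmentStates, use it. Otherwise fall back
    to the live user's states: SKUs the live user receives only through a group
    are left to membership restore instead of being assigned a second time."""
    if "licenseAssignmentStates" in backup_user:
        return classify_licenses(backup_user)["direct"]
    wanted = {lic["skuId"] for lic in backup_user.get("assignedLicenses", [])}
    live = classify_licenses(live_user)
    inherited_only = set(live["inherited"]) - live["direct"]
    return wanted - inherited_only


if __name__ == "__main__":
    report = classify_licenses(SAMPLE_LIVE_USER)
    print("direct:", sorted(report["direct"]))
    print("inherited:", report["inherited"])
    print("assigned twice:", sorted(report["duplicates"]))
    print("assign directly from old backup:",
          sorted(plan_direct_assignments(SAMPLE_OLD_BACKUP_USER, SAMPLE_LIVE_USER)))
```

Running classify_licenses over a tenant's users after a restore from an old backup is a quick way to find the double-assigned licenses the note warns about.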

Restoring Devices

On Demand Recovery can restore Microsoft Entra device objects that were removed from the Azure Portal. For registered or joined devices, single sign-on (SSO) data (if any) is also restored.

Note: Because of Microsoft requirements, hard deleted objects will receive a new Object ID upon restore of these objects. Please consider the implications of having a new Object ID after restoring these objects.

Limitations

The following limitations exist when restoring devices in On Demand Recovery:

  • SSO data is not restored automatically for a device that was permanently deleted together with the device owner. In this case, the device owner must join the device again.
  • If a device was unjoined by the device owner, it will be restored in the Azure Portal, but SSO will not work.

Not supported

The following scenarios are not supported in On Demand Recovery:

  • Windows Hello for joined devices
  • Microsoft Intune
  • Restricted access for devices
  • Restoring devices in a hybrid configuration

Restored device attributes

For a list of device attributes restored by On Demand Recovery, visit the On Demand Recovery Supported Attributes guide.

Restoring Conditional Access Policies

On Demand Recovery supports backing up and restoring Conditional Access policies and Named Location policies in cloud-only environments.

Note: When policies are created using a predefined template in Azure and then restored after being hard deleted, the "templateId" attribute is not restored as it is read-only.

To back up Conditional Access policies

Backing up Conditional Access policies and Named Location policies is enabled by default.


Supported Scenarios

If a backup contains Conditional Access policies or Named Location policies, the Objects view will show the type of policy.

The following policy types are supported by On Demand Recovery:

  • Conditional Access Policy
  • Country Named Location
  • IP Named Location

On Demand Recovery restores the whole policy object and what has changed is displayed in the Differences report. On Demand Recovery checks whether objects (users, groups, named locations) assigned to the policy exist in Microsoft Entra ID. If any objects are missing, the policy is restored but a warning is shown.

A user can select attributes to be restored for Conditional Access policies and Named Location policies. For the full list of policy attributes that are restored and not restored by On Demand Recovery, see How does On Demand Recovery Handle Object Attributes?

Note: Because of Microsoft requirements, hard deleted objects will receive a new Object ID upon restore of these objects. Please consider the implications of having a new Object ID after restoring these objects.


Limitations

Other policy types such as token issuance policy, token lifetime policy, and many others are currently not supported by On Demand Recovery. See the Known issues list in the On Demand Recovery release notes.

  • If the "AuthenticationStrength" attribute in "grantControl" is not present in the tenant while restoring, the restore of the Conditional Access policy will fail. "AuthenticationStrength" is a relational attribute and On Demand Recovery does not back up this attribute, so if it has been deleted from the tenant, the Conditional Access policy will not be restored and an error will be shown.
  • The "TermsOfUse" attribute in "grantControl" will not be restored. A warning will be shown: "Terms of Use for the policy are not set."
  • The restore of a relational attribute does not have any special attributes that can be selected from the user interface. In each instance that a user, group, application and/or named location is restored, the restore of the relational attribute is also run even if the minimum attributes to restore were selected.
  • If "All", "None" or "AllTrusted" is selected in the live policies, no relational attribute will be restored and the policy in Microsoft Entra ID will remain as is.
  • If "All", "None" or "AllTrusted" is selected in a backup, and a link is subsequently added to a user in the live policies, restoring that user will result in the link being removed. In this case, the policy will be updated with the default value ("None", null or []).
  • Links removed or added are not visible in the Differences report.
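The supported-scenario and limitation text above describes a pre-restore check: objects referenced by the policy that no longer exist produce a warning but do not block the restore, a missing "AuthenticationStrength" blocks it with an error, and "TermsOfUse" is skipped with the quoted warning. The Python below is an added example of such a check, not On Demand Recovery's own code. It walks a backed-up policy in the Microsoft Graph conditionalAccessPolicy shape (conditions.users, conditions.locations, grantControls) and compares the referenced ids against a constructed snapshot of what exists in the tenant; the keyword sets, the policy and the tenant snapshot are assumptions and sample data of this example. The same approach applies to the Claims Mapping Policy check against service principals described further down the page.

```python
# Keywords that Microsoft Graph accepts in place of object ids in a Conditional
# Access policy; they are not objects and never need an existence check.
USER_KEYWORDS = {"All", "None", "GuestsOrExternalUsers"}
LOCATION_KEYWORDS = {"All", "AllTrusted"}

# Constructed snapshot of the live tenant: ids of objects that currently exist.
# The authentication strength the policy refers to has been deleted.
LIVE_TENANT = {
    "users": {"user-1"},
    "groups": {"group-1"},
    "namedLocations": {"loc-1"},
    "authenticationStrengths": set(),
}

# Constructed backed-up policy (ids are placeholders, not real object ids).
SAMPLE_POLICY = {
    "displayName": "Require MFA for admins",
    "state": "enabled",
    "conditions": {
        "users": {
            "includeUsers": ["user-1", "user-gone"],
            "excludeUsers": [],
            "includeGroups": ["group-1"],
            "excludeGroups": ["group-gone"],
        },
        "locations": {
            "includeLocations": ["All"],
            "excludeLocations": ["loc-1", "loc-gone"],
        },
    },
    "grantControls": {
        "operator": "OR",
        "builtInControls": ["mfa"],
        "authenticationStrength": {"id": "strength-gone"},
        "termsOfUse": ["tou-1"],
    },
}


def _missing(refs, existing, keywords):
    """Ids in refs that are neither a keyword nor present in existing."""
    return [r for r in refs if r not in keywords and r not in existing]


def check_policy(policy, tenant):
    """Return warnings (restore proceeds) and errors (restore fails)."""
    warnings, errors = [], []
    cond = policy.get("conditions") or {}

    users = cond.get("users") or {}
    for key in ("includeUsers", "excludeUsers"):
        for ref in _missing(users.get(key, []), tenant["users"], USER_KEYWORDS):
            warnings.append(f"{key}: user {ref} does not exist in the tenant")
    for key in ("includeGroups", "excludeGroups"):
        for ref in _missing(users.get(key, []), tenant["groups"], set()):
            warnings.append(f"{key}: group {ref} does not exist in the tenant")

    locations = cond.get("locations") or {}
    for key in ("includeLocations", "excludeLocations"):
        for ref in _missing(locations.get(key, []), tenant["namedLocations"], LOCATION_KEYWORDS):
            warnings.append(f"{key}: named location {ref} does not exist in the tenant")

    grant = policy.get("grantControls") or {}
    strength = grant.get("authenticationStrength")
    if strength and strength.get("id") not in tenant["authenticationStrengths"]:
        # Relational attribute that is not backed up: nothing to recreate it from.
        errors.append(f"authenticationStrength {strength.get('id')} is not present in the tenant")
    if grant.get("termsOfUse"):
        warnings.append("Terms of Use for the policy are not set.")

    return {"warnings": warnings, "errors": errors, "restorable": not errors}


if __name__ == "__main__":
    result = check_policy(SAMPLE_POLICY, LIVE_TENANT)
    print("restorable:", result["restorable"])
    for line in result["errors"]:
        print("ERROR:", line)
    for line in result["warnings"]:
        print("WARNING:", line)
```

Run against a backup before the restore, a report like this tells you which policies will come back with dangling references, which is worth knowing because a policy that silently loses an exclusion or inclusion enforces something different from what was backed up.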

Restoring Claims Mapping Policy

On Demand Recovery supports backing up and restoring Claims Mapping Policy.

Claims Mapping Policy is used to customize the claims emitted in tokens for specific applications within a tenant. With claims-mapping policies, you can select which claims are included in tokens, create new claim types, and change the source of data emitted in specific claims.


Supported Scenarios

On Demand Recovery restores the entire Claims Mapping Policy object and displays any changes in the Differences report. The product checks whether the service principals to which the policy is applied exist in Microsoft Entra ID. If any service principals are missing, the policy is restored but a warning is displayed.


Restored Claims Mapping Policy attributes

For a list of Claims Mapping Policy attributes restored by On Demand Recovery, see the On Demand Recovery Supported Attributes guide.
