On Demand Recovery Current - Release Notes

Quest® On Demand Recovery

Release Notes

November 2020

These release notes provide information about the On Demand Recovery release.


About On Demand Recovery

On Demand Recovery allows you to back up and restore Microsoft Azure Active Directory and Office® 365 objects with their properties. These objects can be selected in a backup and then restored to Azure Active Directory or Office 365 without affecting other objects or attributes. Using the granular restore, objects that were inadvertently deleted or modified can be recovered in a few minutes.

Key features of On Demand Recovery

  • Back up Azure Active Directory and Office 365 users, groups, contacts, service principals, conditional access policies, and device information
    On Demand Recovery automatically backs up your directory on a regular basis.
  • Granular, selective restore of Azure Active Directory and Office 365 users, groups, service principals, conditional access policies, devices, inactive mailboxes for permanently deleted users
    Users, groups, service principals, and devices can be selected in a backup and then restored to Azure Active Directory or Office 365 without affecting other objects or attributes.
  • Back up and restore Azure Active Directory B2C users and groups
    On Demand Recovery supports Azure Active Directory B2C tenants.
  • Restore users or Office 365 groups from the Recycle Bin
    Restore users and Office 365 groups that were inadvertently moved to the Recycle Bin.
  • Cloud solution: backup snapshots are stored in the cloud
    On Demand Recovery does not require you to install or maintain any additional software.
  • Comparison reporting
    This feature lets you view differences between the selected backup and live Azure Active Directory or Office 365 and revert unwanted changes.
  • Integration with Recovery Manager for Active Directory
    On Demand Recovery can be integrated with Recovery Manager for Active Directory 9.0 or higher to restore on-premises objects that were synchronized with the cloud by Azure AD Connect.

New Features

Release 1.5.35 (2020/11/03)

Enhancement ID Description

On the Unpacked Objects tab, there is now a Mail Enabled filter. This allows you to filter by users and groups who do or do not have a mailbox.


Fix ID Description

Changes made to appRoles attributes were not displayed in the Differences report.

Previous releases

Release 1.5.34 (2020/10/05)


Fix ID Description

Made adjustments to the Application Proxy backup and restore feature to compensate for the modification that Microsoft made to an API endpoint.

Release 1.5.33 (2020/10/01)


Fix ID Description

Second restore of hard deleted user unable to complete due to more than one user being found when matching.

Release 1.5.32 (2020/09/24)

New Features

Enhancement ID Description

From this version, On Demand Recovery restores Azure AD Application Proxy applications.

RMAZ-1435 Application Proxy settings can be restored from the Differences report.

Release 1.5.31 (2020/08/27)


Issue ID Description
RMAZ-1436 On Demand Recovery can restore/validate application role assignments that have invalid IDs.

Release 1.5.29 (2020/08/13)

New Features

Enhancement ID Description
RMAZ-1559 From this version, On Demand Recovery restores gallery applications using Beta API.

Release 1.5.26 (2020/07/28)


Issue ID Description
RMAZ-1482 On Demand Recovery may display wrong timestamps for hybrid objects on the Events screen.

Release 1.5.25 (2020/07/23)


Issue ID Description
RMAZ-1443 The Hybrid restore operation randomly fails to restore some hybrid attributes.

Release 1.5.23 (2020/07/16)

New Features

Enhancement ID Description
RMAZ-1457 When deleting a group, all links that were affected by this action are shown in the Differences report, e.g. Azure AD group membership, SharePoint groups membership, conditional access policies, group owners, and application assignments.

Release 1.5.22 (2020/06/30)


Issue ID Description
RMAZ-1452 Backup creation can fail when getting a password from Azure Key Vault.
RMAZ-1448 Hybrid recovery from encrypted backups does not work.

Release 1.5.21 (2020/06/18)


Issue ID Description
RMAZ-1317 Hybrid recovery stability has been improved.

Release 1.5.20 (2020/06/16)


Issue ID Description
RMAZ-1442 Improved stability of On Demand Recovery backups.

Release 1.5.18 (2020/06/09)


Issue ID Description
RMAZ-1432 The ssoSettings attribute of a service principal cannot be restored for the corresponding non-gallery Application.

Release 1.5.17 (2020/06/02)


Issue ID Description
RMAZ-1428 Backup settings did not display correctly in the "Create backup" dialog due to a problem with the empty 'created' field.

Release 1.5.16 (2020/05/28)


Issue ID Description
RMAZ-1410 Unpacking may fail if the error report description is too long.
RMAZ-1425 The backup task can stop responding if no tenant is selected.

Release 1.5.15 (2020/05/21)


Issue ID Description
RMAZ-1394 Membership in SharePoint cannot be restored due to an insufficient number of retries after recreating the group.

Release 1.5.14 (2020/05/19)


Issue ID Description
RMAZ-1267 Improving stability when reattaching an inactive mailbox.

Release 1.5.13 (2020/05/07)


Issue ID Description
RMAZ-1402 Fixed problems with recovery of inactive mailboxes.

Release 1.5.12 (2020/04/30)


Issue ID Description
RMAZ-1370 The backup operation is faster due to reduced backup memory usage for the SharePoint target.

Release 1.5.11 (2020/04/23)


Issue ID Description
RMAZ-1156 On Demand Recovery shows an error when trying to restore the application assignment twice or restore the user from the Recycle Bin.

Release 1.5.9 (2020/04/07)


Issue ID Description
RMAZ-1343 Backup creation could fail due to exceeding the memory size limit. Now memory resources are consumed more efficiently.

Release 1.5.8 (2020/03/26)


Issue ID Description
RMAZ-1164 More reliable backups: On Demand Recovery uses a retry strategy for data required to restore SSO and Azure Gallery applications.

Release 1.5.7 (2020/03/24)


Issue ID Description
RMAZ-1210 From October 13, 2020, Microsoft will stop supporting Basic Authentication access to Exchange Online for Office 365 customers. Now On Demand Recovery is prepared for this change.

Release 1.5.6 (2020/03/12)


Issue ID Description
RMAZ-1320 Now On Demand Recovery does not restore attribute annotations without values.

Release 1.5.5 (2020/03/05)


Issue ID Description
RMAZ-1249 On Demand Recovery does not restore the membership of a user in a Distribution List group.
RMAZ-1307 Now On Demand Recovery uses the retry strategy if an error occurred while creating a group.
RMAZ-1321 The Object unpack operation could fail when processing large backups.

Release 1.5.4 (2020/02/27)

New Features

Enhancement ID Description
RMAZ-1285 On Demand Recovery supports restore of SharePoint links for guest users.
RMAZ-1295 Now hybrid groups are matched by SID to make restore more reliable.

Release 1.5.2 (2020/02/20)


Issue ID Description
RMAZ-1303 There are no backup statistics if the backup credentials are incorrect.

Release 1.5.1 (2020/02/18)

New Features

Enhancement ID Description
RMAZ-1208 Now the SharePoint consent is detected automatically for SharePoint backups.
RMAZ-1265 On Demand Recovery has made the switch to a brand new UI style.
RMAZ-1286 On Demand Recovery shows a number of non-empty SharePoint groups and a number of SharePoint links in the backup statistics.

Release 1.4.30 (2020/02/11)


Issue ID Description
RMAZ-1291 Now On Demand Recovery does not restore SharePoint data for Guest users to avoid any potential corruption of sharing features for such users.
RMAZ-1293 Tenant name data was missing in backups.

Release 1.4.29 (2020/01/28)

New Features

Enhancement ID Description
RMAZ-1268 Now the Type facet on the Unpacked objects view and the Difference view shows groups by types (Security Groups, Office 365 Group, Distribution Group, Mail-enabled Security Group).

Release 1.4.27 (2020/01/23)


Issue ID Description
RMAZ-1245 Recovery of service principal could fail when restoring the application from the Recycle Bin.

Release 1.4.26 (2020/01/16)

New Features

Enhancement ID Description
RMAZ-1243 On Demand Recovery supports restore of SharePoint Online resource access for Azure AD users and groups. For details, see the "Restoring SharePoint Online Resource Access" section in the User Guide.

Release 1.4.25 (2020/01/14)


Issue ID Description
RMAZ-1257 Error handling is improved.

Known Issues

Known issues and limitations

The following is a list of issues, including those attributed to third-party products, known to exist at the time of release.

Table 1: General known issues

Issue ID Known Issue
RMAZ-1614 On Demand Recovery does not support restoring devices to another tenant.
RMAZ-634 On Demand Recovery does not support restoring custom Azure Active Directory roles or custom Office 365 roles.
RMAZ-18 If you restore two groups that are members of a third group which was deleted, the third group can be duplicated after the restore operation. This issue applies only to non-Office Groups which support nesting. For possible workarounds, see the Workarounds section below.
RMAZ-128 On Demand Recovery converts distribution lists and Mail-enabled security groups to Office 365 groups during recovery. If you have nested distribution lists, they will not be restored.
RMAZ-129 On Demand Recovery does not back up and does not store user passwords.
RMAZ-130 On Demand Recovery does not support restore of Contact objects.
RMAZ-120 On Demand Recovery does not support restore of dynamic groups (the feature of Azure AD Premium). If a user tries to restore a dynamic group, the application will restore it as non-dynamic with all explicitly applied members.
RMAZ-127 Explicit (granted directly to a user, not inherited via group membership) permissions are lost after restore of permanently deleted users or groups.
RMAZ-464 On Demand Recovery does not restore Applications for users and groups.
RMAZ-136 Restore of changed user mail attributes such as mail, proxyAddress, targetAddress is not supported. These attributes are restored correctly if you restore the deleted object from Recycle Bin.
RMAZ-137 On Demand Recovery does not restore an Office 365 mailbox (either for user or for Office group) if it was permanently deleted.
RMAZ-138 On Demand Recovery does not restore user's Photo (thumbnailPhoto attribute).
RMAZ-139 On Demand Recovery does not restore Contact Authentication attributes: Authentication Email, Alternate Authentication Email, Authentication Phone, Alternate Authentication Phone.
RMAZ-141 On Demand Recovery does not restore multi-factor authentication settings for users.
RMAZ-174 On Demand Recovery does not restore Distribution List members with the error "Status: 400, Code: Request_BadRequest. Details: Unable to update the specified properties for objects that have originated within an external service".
RMAZ-252 Only for Hybrid restore: Granular restore of object membership from the Differences view is not supported. For possible workarounds, see the Workarounds section below.
RMAZ-262 On Demand Recovery supports one hybrid connection per On Demand organization. If you need to manage multiple hybrid tenants, create a separate On Demand organization for each Hybrid Azure AD tenant.
RMAZ-270 If two users perform the unpack operation simultaneously with the selected "Clear objects" option in the same On Demand organization, one of the processed backups will not be unpacked (or will be partly unpacked). For possible workarounds, see the Workarounds section below.
RMAZ-273 Old backups (backups that were created before you removed the tenant) are not shown in the On Demand Recovery user interface if the same tenant was removed and then added again. If you need to unpack, restore or delete old backups, please contact Quest Support.
RMAZ-279 InTune policies are not supported by On Demand Recovery.
RMAZ-308 Some attributes of on-premises objects (e.g. "ipPhone", "pager", "info", "homePhone") are mapped by Azure AD Connect but are not shown in the Differences view and cannot be applied to the cloud users. On Demand Recovery restores these attributes for on-premises objects.
RMAZ-309 On Demand Recovery shows expired backups that were deleted. If you select the expired backup to perform the restore operation, you will get the "Internal error in lambda restoreAttributes" error.
RMAZ-311 Cannot download hybrid credentials with the Error 404 "Not found". This issue may occur if you try to get credentials right after the registration - it takes about one minute to create the Relay credentials.
RMAZ-315 Backup task does not check the Admin consent status, but if the Admin consent is not granted for the tenant, the following error occurs: "The identity of the calling application could not be established."
RMAZ-335 The usageLocation attribute may not be restored if license attributes were not selected together with usageLocation for restore.
RMAZ-338 On Demand Recovery does not show the proxyAddresses attribute in the Differences view.
RMAZ-352 The restore operation from the Differences view may fail if you run Refresh before the restore operation is completed.
RMAZ-354 Incorrect (empty) object count in the "details panel" of the Restore from Diff task.
RMAZ-355 If the same on-premises object is selected in different unpacked backups on the Objects view, On Demand Recovery will perform the hybrid restore of the object on the first selected backup date.
RMAZ-358 If multiple objects are selected for restore and there is Directory Synchronization Service Account among them, the restore operation will fail for all objects with the error "Failed on-premise restore. Error: Value cannot be null".
RMAZ-359 On Demand Recovery does not back up and restore openTypeExtension attributes. For more details about openTypeExtension, see
RMAZ-360 On Demand Recovery does not back up and restore schemaExtension attributes.
RMAZ-373 Hybrid restore (from Objects or Differences view) uses attribute values from the on-premises backup. So, these values may be different from the corresponding values shown in the Differences or Objects view.
RMAZ-374 One instance of Recovery Manager Portal can be used with one Azure AD tenant and one Azure AD Connect server. Install multiple RMAD web portals if you need to work with multiple Azure AD tenants and Azure AD Connect servers.
RMAZ-405 If you enable Azure Multi-Factor Authentication (MFA), you should regrant Admin Consent for the On Demand Recovery module. Otherwise, you will get the following error during the restore operation: "Failed to refresh access token. StatusCode: 400. ErrorCode: interaction_required. Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access".
RMAZ-457 Restore of the usageLocation cloud attribute does not work for the "Exchange Hybrid" scenario.
RMAZ-471 A password is not restored for hard deleted users (work, school, local, guest accounts). In this case, the user needs to reset the password.
RMAZ-472 Object IDs are not preserved when you restore hard deleted users (work, school accounts, B2C local accounts, guest or B2B, B2C social accounts) or groups.
RMAZ-485 Failed to restore the hybrid cloud user that was permanently deleted if Azure AD Connect cannot synchronize the newly created user from the on-premises Active Directory to the cloud. For possible workarounds, see the Workarounds section below.
RMAZ-542 Applies to hybrid configuration only: After restore of permanently deleted objects, these objects are still shown as permanently deleted in the Differences report along with the recreated objects.
RMAZ-566 On Demand Recovery does not support backup and restore of Azure Active Directory tenants created in Azure Germany, China or U.S. Government.
RMAZ-576 Restore of more than 10000 objects using one task is not supported.
RMAZ-595 On Demand Recovery does not support backup of application certificate settings.
RMAZ-690 If a user does not have the service account for the tenant, On Demand Recovery cannot restore permanently deleted service principals provisioned from Azure Gallery. For possible workarounds, see the Workarounds section below.
RMAZ-720 Cannot restore cloud attributes for a permanently deleted user in hybrid scenario after the user was recreated by Azure AD Connect. The following error will arise: "Another object with the same value for property userPrincipalName already exists".
RMAZ-721 On Demand Recovery cannot restore the onPremisesDistinguishedName property for permanently deleted users in hybrid scenario. In this case you will get the following error message: "Property 'onPremisesDistinguishedName' is read-only and cannot be set".
RMAZ-726 On Demand Recovery does not restore owners for service principals.
RMAZ-777 On Demand Recovery does not restore MFA authentication methods for a hard deleted user if the mobile application was assigned to this user. NOTE: If any of the following Voice Call/SMS/Office Phone was set up as an authentication method for a user, On Demand Recovery will restore all MFA data for this user.
RMAZ-779 On Demand Recovery does not support MFA enabled accounts for backup creation. To set the account password to never expire, use the following PowerShell command: Set-MsolUser -UserPrincipalName <name of the account> -PasswordNeverExpires $true For more details, refer this article
RMAZ-798 If you restore a permanently deleted user with the enabled Self-Service Password Reset option, Multi-Factor Authentication methods will be displayed as not verified after restore.
RMAZ-819 On Demand Recovery cannot restore otherMail, mobile, telephoneNumber attributes with the following error: "Cannot restore attributes. Details: Insufficient permissions to complete the operation". For possible workarounds, see the Workarounds section below.
RMAZ-827 If you get the error "DeltaLink older than 30 days is not supported" during the unpack operation, create a new backup before you unpack the backup that is older than 30 days.
RMAZ-907 Hybrid restore may fail with the following error in Recovery Manager Portal: "The ChannelDispatcher at 'sb://' with contract(s) 'HybridRestoreServiceContract' is unable to open its IChannelListener". For possible workarounds, see the Workarounds section below.
RMAZ-931 If you get the error "[Hybrid Module] Failed on-premise restore. Error: Remote connection to AAD Connect: The specified module 'ADSync' was not loaded because no valid module file was found in any module directory.", the Import-Module ADSync command may not work correctly on the Azure AD Connect host. For possible workarounds, see the Workarounds section below.
RMAZ-998 On Demand Recovery does not restore the conditional access policy "Baseline policy: Require MFA for admins".

Workarounds

Workaround for RMAZ-18: To avoid this issue, the user needs either to restore groups one by one (order is not important) or restore all of them at once.


Workaround for RMAZ-252: Go to the Objects view, find the group that you want to restore and select the member attribute in the attribute list to restore links.


Workaround for RMAZ-270: Do not select the "Clear objects" option. Also, the restore operation may fail if the user is trying to unpack the backup that is currently processed by another user.


Workaround for RMAZ-485: Force Azure AD Connect initial synchronization to fix this issue, then restart the restore operation.

Workaround for RMAZ-690:
  1. Install the corresponding application from Azure Gallery once again to re-create the service principal object.
  2. Install SSL certificates for the application.
  3. Configure single sign-on (SSO) options for the service principal (if any).
  4. After that, On Demand Recovery will be able to apply properties from the backup.

Workaround for RMAZ-819: You should explicitly grant one of the following roles to the service principal object: Helpdesk Administrator, User Administrator or Global Administrator. To do that, use the following PowerShell commands:

# Get the service principal for which Admin Consent was granted in On Demand Core
$principal = Get-AzureADServicePrincipal -SearchString "Quest On Demand - Recovery"

# Get the required role from Azure AD
$role = Get-AzureADDirectoryRole | Where-Object {$_.DisplayName -eq 'Helpdesk Administrator'}

# Assign the role to the service principal
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $principal.ObjectId

# Ensure that the role is assigned
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId

For more details, refer


Workaround for RMAZ-907: Restart the Recovery Manager Portal service.

Workaround for RMAZ-931:
  • Make sure that Import-Module is available globally on the Azure AD Connect host.
  • Copy the AADSync.psm1 file manually from the Recovery Manager Portal machine to the PowerShell default folder on the Azure AD Connect host.

Table 2: Quest Migration and Management Platform known issues

Issue ID Known Issue
QMMP-74 You may see a "white screen" instead of spinning preloader when starting On Demand Recovery.
QMMP-130 The "Select all" option does not work properly in the "Select attributes" dialog that opens when you click Browse in the Restore Objects dialog. If you select the "Select all" check box, all attributes will be selected, but will not be restored.
QMMP-142 Invalid sorting of data by 'Task Name' and 'Object Name' fields in the Events view.
QMMP-159 Resizing issue: Shows gray overlay on small displays when the side bar was initially in the expanded state.
QMMP-177, QMMP-182 Scrolling hangs if there are more than 10000 objects in a list. Workaround: Use the sorting or filtering options to narrow your search scope.
QMMP-184 The timelines on the Events and Backups show incorrect results if you select an interval in the timeline and then click any date range link on the left side of the screen.
QMMP-201 If you work with Internet Explorer 11, dialogs launched from the Differences and Dashboard screens may show controls from the lower layer. Workaround: Resize the browser window.
QMMP-221 Details panel on the Objects view shows tasks in a random order.
QMMP-228 On the Dashboard view, if you click on any specific status in the objects widget, you will be redirected to the Objects view with this status as a filter. Then, if you go back to Dashboard and click on the widget title (total number of objects), you will be redirected to Objects with the previous status filter.
