Chat now with support
Chat with Support

On Demand Recovery Current - Release Notes

Release Notes

Quest® On Demand Recovery

Release Notes

February 2021

These release notes provide information about the On Demand Recovery release.

Topics:

About On Demand Recovery

On Demand Recovery allows you to backup and restore Microsoft Azure Active Directory and Office® 365 objects with their properties. These objects can be selected in a backup and then restored to Azure Active Directory or Office 365 without affecting other objects or attributes. Using the granular restore, objects that were inadvertently deleted or modified can be recovered in a few minutes.

Key features of On Demand Recovery

  • Back up Azure Active Directory and Office 365 users, groups, contacts, service principals, conditional access policies, and device information
    On Demand Recovery automatically backs up your directory on a regular basis.
  • Granular, selective restore of Azure Active Directory and Office 365 users, groups, service principals, conditional access policies, devices, inactive mailboxes for permanently deleted users
    Users, groups, service principals, and devices can be selected in a backup and then restored to Azure Active Directory or Office 365 without affecting other objects or attributes.
  • Backup and restore Azure Active Directory B2C users and groups
    On Demand Recovery supports Azure Active Directory B2C tenants.
  • Restore users or Office 365 groups from the Recycle Bin
    Restore users and Office 365 groups that were inadvertently moved to the Recycle Bin.
  • Cloud solution: backup snapshots are stored in the cloud
    On Demand Recovery does not require to install or maintain any additional software.
  • Comparison reporting
    This feature lets you view differences between the selected backup and live Azure Active Directory or Office 365 and revert unwanted changes.
  • Integration with Recovery Manager for Active Directory
    On Demand Recovery can be integrated with Recovery Manager for Active Directory 9.0 or higher to restore on-premises objects that were synchronized with cloud by Azure AD Connect.

New Features

Release 1.5.35 (2020/11/03)

New features in On Demand Recovery1.5.35:

  • On the Unpacked Objects tab, there is now a Mail Enabled filter. This allows you to filter by users and groups who do or do not have a mailbox.

See also:

Resolved Issues

The following is a list of issues resolved in this hotfix.

Table 1: Resolved issues

Resolved issue Issue ID
RMAZ-1084

Changes made to appRoles attributes were not displayed in the Differences report.

Known Issues

Known issues and limitations

The following is a list of issues, including those attributed to third-party products, known to exist at the time of release.

Table 2: General known issues

Issue ID Known Issue
RMAZ-634 On Demand Recovery does not support restoring custom Azure Active Directory roles or custom Office 365 roles.
RMAZ-18 If you restore two groups which are members of the third group which was deleted, the third group can be duplicated after the restore operation. This issue is applied only to non-Office Groups which support nesting. For possible workarounds, see the Workarounds section below.
RMAZ-128 On Demand Recovery converts distribution lists and Mail-enabled security groups to Office 365 groups during recovery. If you have nested distribution lists, they will not be restored.
RMAZ-129 On Demand Recovery does not back up and does not store user passwords.
RMAZ-130 On Demand Recovery does not support restore of Contact objects.
RMAZ-120 On Demand Recovery does not support restore of dynamic groups (the feature of Azure AD Premium). If a user tries to restore dynamic group, the application will restore it as non-dynamic with all explicitly applied members.
RMAZ-127 Explicit (granted directly to a user, not inherited via group membership) permissions are lost after restore of permanently deleted users or groups.
RMAZ-464 On Demand Recovery does not restore Applications for users and groups.
RMAZ-136 Restore of changed user mail attributes such as mail, proxyAddress, targetAddress is not supported. These attributes are restored correctly if you restore the deleted object from Recycle Bin.
RMAZ-137 On Demand Recovery does not restore an Office 365 mailbox (either for user or for Office group) if it was permanently deleted.
RMAZ-138 On Demand Recovery does not restore user's Photo (thumbnailPhoto attribute).
RMAZ-139 On Demand Recovery does not restore Contact Authentication attributes: Authentication Email, Alternate Authentication Email, Authentication Phone, Alternate Authentication Phone.
RMAZ-141 On Demand Recovery does not restore multi-factor authentication settings for users.
RMAZ-174 On Demand Recovery does not restore Distribution List members with the error "Status: 400, Code: Request_BadRequest. Details: Unable to update the specified properties for objects that have originated within an external service".
RMAZ-252 Only for Hybrid restore: Granular restore of object membership from the Differences view is not supported. For possible workarounds, see the Workarounds section below.
RMAZ-262 On Demand Recovery supports one hybrid connection per the On Demand organization. If you need to manage multiple hybrid tenants, create a separate On Demand organization for each Hybrid Azure AD tenant.
RMAZ-270 If two users perform the unpack operation simultaneously with the selected "Clear objects" option in the same On Demand organization, one of the processed backups will not be unpacked (or will be partly unpacked). For possible workarounds, see the Workarounds section below.
RMAZ-273 Old backups (backups that were created before you remove the tenant) are not shown in the On Demand Recovery user interface if the same tenant was removed and then added again. If you need to unpack, restore or delete old backups, please contact Quest Support.
RMAZ-279 InTune policies are not supported by On Demand Recovery.
RMAZ-308 Some attributes of on-premises objects (e.g. "ipPhone","pager","info","homePhone") are mapped by Azure AD connect but are not shown in the Differences view and cannot be applied to the cloud users. On Demand Recovery restores these attributes for on-premises objects.
RMAZ-309 On Demand Recovery shows expired backups that were deleted. If you select the expired backup to perform the restore operation, you will get the "Internal error in lambda restoreAttributes" error.
RMAZ-311 Cannot download hybrid credentials with the Error 404 "Not found". This issue may occur if you try to get credentials right after the registration - it takes about one minute to create the Relay credentials.
RMAZ-315 Backup task does not check the Admin consent status, but if the Admin consent is not granted for the tenant, the following error occurs: "The identity of the calling application could not be established."
RMAZ-335 The usageLocation attribute may not be restored if license attributes were not selected together with usageLocation for restore.
RMAZ-338 On Demand Recovery does not show the proxyAddresses attribute in the Differences view.
RMAZ-352 The restore operation from the Differences view may fail if you run Refresh before the restore operation is completed.
RMAZ-354 Incorrect (empty) object count in the "details panel" of the Restore from Diff task.
RMAZ-355 If the same on-premises object is selected in different unpacked backups on the Objects view, On Demand Recovery will perform the hybrid restore of the object on the first selected backup date.
RMAZ-358 If multiple objects are selected for restore and there is Directory Synchronization Service Account among them, the restore operation will fail for all objects with the error "Failed on-premise restore. Error: Value cannot be null".
RMAZ-359 On Demand Recovery does not backup and restore openTypeExtension attributes. For more details about openTypeExtension, see https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/resources/opentypeextension.
RMAZ-360 On Demand Recovery does not backup and restore schemaExtension attributes.
RMAZ-373 Hybrid restore (from Objects or Differences view) uses attribute values from the on-premises backup. So, these values may be different from the corresponding values shown in the Differences or Objects view.
RMAZ-374 One instance of Recovery Manager Portal can be used with one Azure AD tenant and one Azure AD Connect server. Install multiple RMAD web portals if you need to work with multiple Azure AD tenants and Azure AD connect servers.
RMAZ-405 If you enable Azure Multi-Factor Authentication (MFA), you should regrant Admin Consent for the On Demand Recovery module. Otherwise, you will get the following error during the restore operation: "Failed to refresh access token. StatusCode: 400. ErrorCode: interaction_required. Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access".
RMAZ-457 Restore of the usageLocation cloud attribute does not work for the "Exchange Hybrid" scenario.
RMAZ-471 A password is not restored for hard deleted users (work, school, local, guest accounts). In this case, the user needs to reset the password.
RMAZ-472 Object IDs are not preserved when you restore hard deleted users (work, school accounts, B2C local accounts, guest or B2B, B2C social accounts) or groups.
RMAZ-485 Failed to restore the hybrid cloud user that was permanently deleted if Azure AD Connect cannot synchronize the newly created user from the on-premises Active Directory to the cloud. For possible workarounds, see the Workarounds section below.
RMAZ-542 Actual for hybrid configuration only: After restore of permanently deleted objects, these objects are still shown as permanently deleted in the Differences report along with the recreated objects.
RMAZ-566 On Demand Recovery does not support backup and restore of Azure Active Directory tenants created in Azure Germany, China or U.S. Government.
RMAZ-576 Restore of more than 10000 objects using one task is not supported.
RMAZ-595 On Demand Recovery does not support backup of application certificate settings.
RMAZ-690 If a user does not have the service account for the tenant, On Demand Recovery cannot restore permanently deleted service principals provisioned from Azure Gallery. For possible workarounds, see the Workarounds section below.
RMAZ-720 Cannot restore cloud attributes for a permanently deleted user in hybrid scenario after the user was recreated by Azure AD Connect. The following error will arise: "Another object with the same value for property userPrincipalName already exists "
RMAZ-721 On Demand Recovery cannot restore the onPremisesDistinguishedNam property for permanently deleted users in hybrid scenario. In this case you will get the following error message: "Property 'onPremisesDistinguishedName' is read-only and cannot be set" error.
RMAZ-777 On Demand Recovery does not restore MFA authentication methods for a hard deleted user if the mobile application was assigned to this user. NOTE: If any of the following Voice Call/SMS/Office Phone was set up as an authentication method for a user, On Demand Recovery will restore all MFA data for this user.
RMAZ-779 On Demand Recovery does not support MFA enabled accounts for backup creation. To set the account password to never expire, use the following PowerShell command: Set-MsolUser -UserPrincipalName <name of the account> -PasswordNeverExpires $true For more details, refer this article https://support.office.com/en-us/article/set-an-individual-user-s-password-to-never-expire-f493e3af-e1d8-4668-9211-230c245a0466
RMAZ-798 If you restore a permanently deleted user with the enabled Self-Service Password Reset option, Multi-Factor Authentication methods will be displayed as not verified after restore.
RMAZ-819 On Demand Recovery cannot restore otherMail, mobile, telephoneNumber attributes with the following error: "Cannot restore attributes. Details: Insufficient permissions to complete the operation". For possible workarounds, see the Workarounds section below.
RMAZ-827 If you get the error "DeltaLink older than 30 days is not supported" during the unpack operation, create a new backup before you unpack the backup that is older then 30 days.
RMAZ-907 Hubryd restore may fail with the following error in Recovery Manager Portal: "The ChannelDispatcher at 'sb://backupaad-rmaz-hybrid-us.servicebus.windows.net/org-f555beae-38fa-4d0a-b502-08c4b93b01da' with contract(s) 'HybridRestoreServiceContract' is unable to open its IChannelListener". For possible workarounds, see the Workarounds section below.
RMAZ-931 If you get the error "[Hybrid Module] Failed on-premise restore. Error: Remote connection to AAD Connect: The specified module 'ADSync' was not loaded because no valid module file was found in any module directory.", the Import-Module ADSync command may not work correctly on the Azure AD Connect host. For possible workarounds, see the Workarounds section below.
RMAZ-998 On Demand Recovery does not restore the conditional access policy "Baseline policy: Require MFA for admins".
Workarounds
RMAZ-18

To avoid this issue, the user needs either to restore groups one by one (order is not important) or restore all of them at once.

RMAZ-252

Go to the Objects view, find the group that you want to restore and select the member attribute in the attribute list to restore links.

RMAZ-270

Do not select the "Clear objects" option. Also, the restore operation may fail if the user is trying to unpack the backup that is currently processed by another user.

RMAZ-485

Force Azure AD Connect initial synchronization to fix this issue, then restart the restore operation.

RMAZ-690
  1. Install the corresponding application from Azure Gallery once again to re-create the service principal object.
  2. Install SSL certificates for the application.
  3. Configure single sign-on (SSO) options for the service principal (if any).
  4. After that, On Demand Recovery will be able to apply properties from the backup.
RMAZ-819

You should explicitly grant one of the following role to the service principal object: Helpdesk Administrator, User Administrator or Global Administrator. For that, use the following PowerShell commands:

Get the service principal for which Admin Consent was granted in On Demand Core
$principal = Get-AzureADServicePrincipal -SearchString "Quest On Demand - Recovery"

Get the required role from Azure AD
$role = Get-AzureADDirectoryRole | Where-Object {$_.DisplayName -eq 'Helpdesk Administrator'}
$role

Assign the role to the service principal
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $principal.objectId

Ensure that the role is assigned
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId

For more details, refer https://blogs.msdn.microsoft.com/aaddevsup/2018/08/29/how-to-add-an-azure-ad-role-to-a-enterprise-application-service-principal/.

RMAZ-907

Restart the Recovery Manager Portal service.

RMAZ-931
  • Make sure that Import-Module is available globally on the Azure AD Connect host.
    -OR-
  • Сopy the AADSync.psm1 file manually from the Recovery Manager Portal machine to the PowerShell default folder on the Azure AD Connect host.

Table 3: Quest Migration and Management Platform known issues

Issue ID Known Issue
QMMP-74 You may see a "white screen" instead of spinning preloader when starting On Demand Recovery.
QMMP-130 The "Select all" option does not work properly in the "Select attributes" dialog that opens when you click Browse in the Restore Objects dialog. If you select the "Select all" check box, all attributes will be selected, but will not be restored.
QMMP-142 Invalid sorting of data by 'Task Name' and 'Object Name' fields in the Events view.
QMMP-159 Resizing issue: Shows gray overlay on small displays when the side bar was initially in the expanded state.
QMMP-177, QMMP-182 Scrolling hangs if there are more than 10000 objects in a list. Workaround: Use sorting or filtering option to narrow your search scope.
QMMP-184 The timelines on the Events and Backups show incorrect results if you select an interval in the timeline and then click any date range link on the left side of the screen.
QMMP-201 If you work with Internet Explorer 11, dialogs launched from the Differences and Dashboard screens may show controls from the lower layer. Workaround: Resize the browser window.
QMMP-221 Details panel on the Objects view shows tasks in a random order.
QMMP-228 On the Dashboard view, if you click on any specific status in the objects widget, you will be redirected to the Objects view with this status as a filter. Then, if you go back to Dashboard and click on the widget title (total number of objects), you will be redirected to Objects with the previous status filter.
Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
RSS Feed
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating