On Demand Recovery does not back up passwords. During the restore of permanently deleted users, the application sets a random password that can be changed by the administrator at the next login.
On Demand Recovery does not back up passwords. During the restore of permanently deleted users, the application sets a random password that can be changed by the administrator at the next login.
These attributes are backed up but are not restored by On Demand Recovery.
Table 17: Attributes backed up but not restored by On Demand Recovery
| Attribute Name | Description |
|---|---|
| createdDateTime | The time at which the directory object was created. |
| deletionTimestamp | The time at which the directory object was deleted. |
| dirSyncEnabled | True if this object is synced from an on-premises directory; False if this object was originally synced from an on-premises directory but is no longer synced. |
| immutableId | This attribute is used to associate an on-premises Active Directory user account to their Azure AD user object. This attribute is applied when creating a user object and cannot be changed after the restore of permanently deleted user. |
| lastDirSyncTime | Indicates the last time at which the object was synced with the on-premises directory. |
| legalAgeGroupClassification | Age group classification based on user's interest. |
| The SMTP address for the user. | |
| objectId | The unique identifier for the object. |
| onPremisesSecurityIdentifier | Contains the on-premises security identifier (SID) for the user that was synchronized from on-premises to the cloud. |
| onPremisesDomainName | Contains the on-premises domainFQDN, also called dnsDomainName synchronized from the on-premises directory. |
| onPremisesNetBiosName | Contains the on-premises NetBiosName synchronized from the on-premises directory. |
| onPremisesSamAccountName | Contains the on-premises sAMAccountName synchronized from the on-premises directory. |
| onPremisesDistinguishedName | Contains the on-premises DistinguishedName synchronized from the on-premises directory. |
| passwordProfile | Specifies the password for the user. |
| provisionedPlans | The plans that are provisioned for the user. |
| provisioningErrors | A collection of error details that are preventing this group from being provisioned successfully. |
| proxyAddresses | Contains various known address entries. |
| refreshTokensValidFromDateTime | Any refresh tokens or sessions tokens (session cookies) issued before this time are invalid. |
| sipProxyAddress | Specifies the voice over IP (VOIP) session initiation protocol (SIP) address for the object. |
| thumbnailPhoto | A thumbnail photo to be displayed for the user. |
| UserState | Indicates whether the invitation is PendingAcceptance or Accepted. |
| UserStateChangedOn | Shows the timestamp for the latest change to the UserState property. |
Table 18: Skipped attributes for service principal objects
| Attribute Name | Description |
|---|---|
| addIns | Defines custom behavior that a consuming service can use to call an app in specific contexts. |
| appDisplayName | The display name exposed by the associated application. |
| appId | The unique identifier for the application. This attribute is skipped only when the service principal object already exists. |
| appOwnerTenantId | The tenantId of the tenant where the application object resides. This application object was used as a blueprint for creating the service principal. |
| authenticationPolicy | Defines the authentication policy of a service principal. |
| applicationTemplateId | Application ID from which this application was inherited. |
| displayName | The display name for the service principal. This attribute is skipped only when the service principal object already exists. |
| deletionTimestamp | The time at which the application was deleted from the tenant. |
| errorUrl | The error URL. |
| informationalUrls | Basic profile information of the application. |
| homepage | The URL to the application's homepage. |
| keyCredentials | The collection of key credentials associated with the service principal. |
| logoutUrl | The URL to logout of the application. This attribute is skipped only for applications that are not added from the Gallery. |
| oauth2Permissions | The collection of OAuth 2.0 permission scopes that the web API (resource) application exposes to client applications. |
| objectId | The unique identifier for the application role assignment. |
| passwordCredentials | The collection of password credentials associated with the application. |
| preferredTokenSigningKeyThumbprint | This property is reserved for internal use only. |
| publisherName | The display name of the tenant in which the associated application is specified. |
| preferredTokenSigningKeyEndDateTime | The end date/time of the signing token. |
| replyUrls | Specifies the URLs that user tokens are sent to for sign in, or the redirect URIs that OAuth 2.0 authorization codes and access tokens are sent to. |
| samlMetadataUrl | The URL to the SAML metadata for the application. |
| servicePrincipalNames | Based on the collection of identifierURIs collection, plus the application's appId property, these URIs are used to reference an application's service principal. This attribute is skipped if the service principal object already exists or there is already a service principal object with the same value of this attribute in the directory. |
| servicePrincipalType | Identifies the service principal type. This attribute is skipped only when the services principal object already exists. |
| signInAudience | Specifies the sign in audience. |
| ssoSettings | This attribute is skipped only for applications which are not added from the Gallery or if a user does not use the service account. |
Azure Active Directory Connect synchronizes many attributes for users and groups from on-premises Active Directory but there are also cloud objects, properties, and links to Office 365 resources which are not protected by Azure AD Connect and restored only with On Demand Recovery.
Table 19: Types of cloud-only objects restored by On Demand Recovery
| Object Type | Description | Azure Recycle Bin |
|---|---|---|
| Guest users | An Azure AD business-to-business (B2B) collaboration user that typically resides in a partner organization and has limited privileges in the inviting directory. | 30 days |
| Office 365 Groups | Groups that are used for collaboration between users, both inside and outside the company. | 30 days |
| Cloud only Security Groups | Groups that are used for granting access to SharePoint and other Office and Azure resources. | No |
| Dynamic Security Groups | Groups with dynamic rule-based membership. | No |
| Dynamic Office 365 Groups | Office 365 Groups with dynamic rule-based membership. | 30 days |
| Service Principals | Gallery and non-gallery enterprise applications or accounts created for the role-based access control. | No |
| Devices | Device registration records in Azure Active Directory. | No |
| Application Registration | Stores application manifest (non-Gallery application manifests are not supported), logo, sign in, up URLS and other information. | 30 days |
| Conditional Access Policies | Azure Active Directory policies that are used to control user access to cloud applications and resources. | No |
| Named Locations | Named lists of IP addresses that are used in Conditional Access Policies. | No |
Table 20: User attributes
| Attribute | Description |
|---|---|
| Office 365 Mailbox Link | Contains a link to the inactive mailbox that is protected by Office 365 retention policies. |
| assignedLicenses | Contains Azure and Office 365 licenses that are assigned to the user (examples: Azure Active Directory Premium P2 or Office 365 E3) and license options (examples: Exchange Online (Plan 2), Microsoft Teams, Microsoft Planner, Power BI). |
| memberOf | Specifies membership in cloud groups such as Office 365 Groups, Teams, Security Groups. |
| Roles | Specifies Azure roles that are assigned to a user. |
| appRoleAssignments | Application roles assignments; control access to applications like Salesforce, zScaler, Box, and other gallery or non-gallery applications. |
| usageLocation | A two letter country code (ISO standard 3166) which can be either cloud-only or synchronized from on-premises. |
| StrongAuthenticationUserDetails | Stores phone, email, and alternate phone for multi-factor authentication. |
| StronAuthenticationMethods | Specifies the authentication method that was configued for multi-factor authentication. |
| conditionalAccessPolicyMemberOf | Membership in conditional policies: include and exclude lists. |
| Custom | Custom properties that are created by Azure AD applications. |
Table 21: Group attributes
| Attribute | Description |
|---|---|
| memberOf | Membership in cloud-only Security Groups. |
| appRoleAssignments | Application role assignments: control access to applications like Salesforce, zScaler, Box, and other gallery or non-gallery applications. |
| conditionalAccessPolicyMemberOf | Membership in conditional policies: include and exclude lists. |
© 2021 Quest Software Inc. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy