
On Demand Recovery Current - User Guide


Skipped attributes

These attributes are backed up but are not restored by On Demand Recovery.

Table 17: Attributes backed up but not restored by On Demand Recovery

| Attribute Name | Description |
|---|---|
| createdDateTime | The time at which the directory object was created. |
| deletionTimestamp | The time at which the directory object was deleted. |
| dirSyncEnabled | True if this object is synced from an on-premises directory; False if this object was originally synced from an on-premises directory but is no longer synced. |
| immutableId | This attribute is used to associate an on-premises Active Directory user account with its Azure AD user object. It is set when the user object is created and cannot be changed after the restore of a permanently deleted user. |
| lastDirSyncTime | Indicates the last time at which the object was synced with the on-premises directory. |
| legalAgeGroupClassification | Age group classification based on the user's interest. |
| mail | The SMTP address for the user. |
| objectId | The unique identifier for the object. |
| onPremisesSecurityIdentifier | Contains the on-premises security identifier (SID) for the user that was synchronized from on-premises to the cloud. |
| onPremisesDomainName | Contains the on-premises domain FQDN, also called dnsDomainName, synchronized from the on-premises directory. |
| onPremisesNetBiosName | Contains the on-premises NetBiosName synchronized from the on-premises directory. |
| onPremisesSamAccountName | Contains the on-premises sAMAccountName synchronized from the on-premises directory. |
| onPremisesDistinguishedName | Contains the on-premises DistinguishedName synchronized from the on-premises directory. |
| passwordProfile | Specifies the password for the user. |
| provisionedPlans | The plans that are provisioned for the user. |
| provisioningErrors | A collection of error details that are preventing this group from being provisioned successfully. |
| proxyAddresses | Contains various known address entries. |
| refreshTokensValidFromDateTime | Any refresh tokens or session tokens (session cookies) issued before this time are invalid. |
| sipProxyAddress | Specifies the voice over IP (VoIP) session initiation protocol (SIP) address for the object. |
| thumbnailPhoto | A thumbnail photo to be displayed for the user. |
| UserState | Indicates whether the invitation is PendingAcceptance or Accepted. |
| UserStateChangedOn | Shows the timestamp for the latest change to the UserState property. |

Table 18: Skipped attributes for service principal objects

| Attribute Name | Description |
|---|---|
| addIns | Defines custom behavior that a consuming service can use to call an app in specific contexts. |
| appDisplayName | The display name exposed by the associated application. |
| appId | The unique identifier for the application. This attribute is skipped only when the service principal object already exists. |
| appOwnerTenantId | The tenantId of the tenant where the application object resides. This application object was used as a blueprint for creating the service principal. |
| authenticationPolicy | Defines the authentication policy of a service principal. |
| applicationTemplateId | Application ID from which this application was inherited. |
| displayName | The display name for the service principal. This attribute is skipped only when the service principal object already exists. |
| deletionTimestamp | The time at which the application was deleted from the tenant. |
| errorUrl | The error URL. |
| informationalUrls | Basic profile information of the application. |
| homepage | The URL to the application's homepage. |
| keyCredentials | The collection of key credentials associated with the service principal. |
| logoutUrl | The URL to log out of the application. This attribute is skipped only for applications that are not added from the Gallery. |
| oauth2Permissions | The collection of OAuth 2.0 permission scopes that the web API (resource) application exposes to client applications. |
| objectId | The unique identifier for the application role assignment. |
| passwordCredentials | The collection of password credentials associated with the application. |
| preferredTokenSigningKeyThumbprint | This property is reserved for internal use only. |
| publisherName | The display name of the tenant in which the associated application is specified. |
| preferredTokenSigningKeyEndDateTime | The end date/time of the signing token. |
| replyUrls | Specifies the URLs that user tokens are sent to for sign-in, or the redirect URIs that OAuth 2.0 authorization codes and access tokens are sent to. |
| samlMetadataUrl | The URL to the SAML metadata for the application. |
| servicePrincipalNames | Based on the identifierUris collection plus the application's appId property, these URIs are used to reference an application's service principal. This attribute is skipped if the service principal object already exists or if there is already a service principal object with the same value of this attribute in the directory. |
| servicePrincipalType | Identifies the service principal type. This attribute is skipped only when the service principal object already exists. |
| signInAudience | Specifies the sign-in audience. |
| ssoSettings | This attribute is skipped only for applications which are not added from the Gallery or if a user does not use the service account. |
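Because the attributes in Tables 17 and 18 are backed up but never written back, a restore can succeed while the live object still differs from the backup. The following post-restore reconciliation check is an added example, not Quest's code or API: it takes a backed-up object and the live object as plain dictionaries (for example, from exported Graph JSON; the sample values are constructed), applies the skip rules from the two tables, and separates differences an administrator must re-apply by hand from differences that point to an actual restore problem. The conditional rules for `servicePrincipalNames` and `ssoSettings` are simplified to the "already exists" and "from Gallery" conditions.

```python
"""Post-restore reconciliation against the skip lists in Tables 17 and 18.

Added example; object shapes and sample values are constructed, not
On Demand Recovery's own data format.
"""

# Table 17: user attributes that are backed up but never restored.
USER_SKIPPED = {
    "createdDateTime", "deletionTimestamp", "dirSyncEnabled", "immutableId",
    "lastDirSyncTime", "legalAgeGroupClassification", "mail", "objectId",
    "onPremisesSecurityIdentifier", "onPremisesDomainName",
    "onPremisesNetBiosName", "onPremisesSamAccountName",
    "onPremisesDistinguishedName", "passwordProfile", "provisionedPlans",
    "provisioningErrors", "proxyAddresses", "refreshTokensValidFromDateTime",
    "sipProxyAddress", "thumbnailPhoto", "UserState", "UserStateChangedOn",
}

# Table 18: service principal attributes that are always skipped.
SP_ALWAYS_SKIPPED = {
    "addIns", "appDisplayName", "appOwnerTenantId", "authenticationPolicy",
    "applicationTemplateId", "deletionTimestamp", "errorUrl",
    "informationalUrls", "homepage", "keyCredentials", "oauth2Permissions",
    "objectId", "passwordCredentials", "preferredTokenSigningKeyThumbprint",
    "publisherName", "preferredTokenSigningKeyEndDateTime", "replyUrls",
    "samlMetadataUrl", "signInAudience",
}


def sp_skipped(existed: bool, from_gallery: bool) -> set[str]:
    """Skip set for one service principal, applying Table 18's conditions."""
    skipped = set(SP_ALWAYS_SKIPPED)
    if existed:  # skipped only when the service principal already exists
        skipped |= {"appId", "displayName", "servicePrincipalNames",
                    "servicePrincipalType"}
    if not from_gallery:  # skipped only for non-Gallery applications
        skipped |= {"logoutUrl", "ssoSettings"}
    return skipped


def reconcile(backup: dict, live: dict, skipped: set[str]) -> dict:
    """Classify every attribute that differs between backup and live object.

    'manual_followup' lists differences the documentation says to expect
    (the attribute is in the skip set); 'unexpected' lists the rest.
    """
    result = {"manual_followup": [], "unexpected": []}
    for attr in sorted(set(backup) | set(live)):
        if backup.get(attr) == live.get(attr):
            continue
        bucket = "manual_followup" if attr in skipped else "unexpected"
        result[bucket].append(attr)
    return result
```

Run `reconcile(backup_user, live_user, USER_SKIPPED)` on a user restored after permanent deletion and `mail` and `proxyAddresses` land in `manual_followup`, while a changed `jobTitle` is reported as unexpected.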

What is not protected by Azure AD Connect in a hybrid environment but can be restored by On Demand Recovery?

Azure Active Directory Connect synchronizes many attributes for users and groups from on-premises Active Directory, but there are also cloud objects, properties, and links to Office 365 resources that are not protected by Azure AD Connect and can be restored only with On Demand Recovery.

Table 19: Types of cloud-only objects restored by On Demand Recovery

| Object Type | Description | Azure Recycle Bin |
|---|---|---|
| Guest users | An Azure AD business-to-business (B2B) collaboration user that typically resides in a partner organization and has limited privileges in the inviting directory. | 30 days |
| Office 365 Groups | Groups that are used for collaboration between users, both inside and outside the company. | 30 days |
| Cloud-only Security Groups | Groups that are used for granting access to Office and Azure resources. | No |
| Dynamic Security Groups | Groups with dynamic rule-based membership. | No |
| Dynamic Office 365 Groups | Office 365 Groups with dynamic rule-based membership. | 30 days |
| Devices | Device registration records in Azure Active Directory. | No |
| Application Registration | Stores the application manifest (non-Gallery application manifests are not supported), logo, sign-in and sign-up URLs, and other information. | 30 days |
| Conditional Access Policies | Azure Active Directory policies that are used to control user access to cloud applications and resources. | No |
| Named Locations | Named lists of IP prefixes that are used in Conditional Access Policies. | No |

Cloud attributes restored for on-premises users and groups by On Demand Recovery

Table 20: User attributes

| Attribute | Description |
|---|---|
| Office 365 Mailbox Link | Contains a link to the inactive mailbox that is protected by Office 365 retention policies. |
| assignedLicenses | Contains Azure and Office 365 licenses that are assigned to the user (examples: Azure Active Directory Premium P2 or Office 365 E3) and license options (examples: Exchange Online (Plan 2), Microsoft Teams, Microsoft Planner, Power BI). |
| memberOf | Specifies membership in cloud groups such as Office 365 Groups, Teams, and Security Groups. |
| Roles | Specifies Azure roles that are assigned to a user. |
| appRoleAssignments | Application role assignments; control access to applications like Salesforce, zScaler, Box, and other gallery or non-gallery applications. |
| usageLocation | A two-letter country code (ISO standard 3166) which can be either cloud-only or synchronized from on-premises. |
| StrongAuthenticationUserDetails | Stores phone, email, and alternate phone for multi-factor authentication. |
| StrongAuthenticationMethods | Specifies the authentication method that was configured for multi-factor authentication. |
| conditionalAccessPolicyMemberOf | Membership in conditional policies: include and exclude lists. |
| Custom | Custom properties that are created by Azure AD applications. |

Table 21: Group attributes

| Attribute | Description |
|---|---|
| memberOf | Membership in cloud-only Security Groups. |
| appRoleAssignments | Application role assignments: control access to applications like Salesforce, zScaler, Box, and other gallery or non-gallery applications. |
| conditionalAccessPolicyMemberOf | Membership in conditional policies: include and exclude lists. |
