On Demand Recovery Current - User Guide

Required Permissions

This section lists the minimum user account permissions required to perform specific On Demand Recovery tasks.

Azure account used for adding tenants to On Demand

  • To add a tenant and grant admin consent for the On Demand Recovery module, the Azure Global administrator directory role is required. For more details, see Add an Azure AD tenant.
    On Demand Recovery requires Basic consent in the Recovery section.
  • After the tenant is added, you can change the permissions to the User administrator role. Basic backup and restore operations will work.
    To use the whole product functionality, you must specify a service account in backup settings.

Service account permissions

The service account that is used to back up and restore Multi-Factor Authentication (MFA) settings, inactive mailboxes, conditional access policies, and Application Proxy settings must have the following permissions:

  • For backup operations, this account must be a member of the Exchange administrator or User administrator Azure AD role.
  • To back up Application Proxy settings, the account must be a member of the Application administrator role.

The service account is used to back up and restore the following data:

  • Conditional access policies
  • Multi-Factor Authentication (MFA) settings
  • Identifiers of inactive mailboxes
  • Gallery applications and SSO settings data
  • Application Proxy settings and connector groups

Table 1: Required permissions for the service account by feature

On Demand Recovery feature                                   Required directory role
-----------------------------------------------------------  -------------------------------------------------------------
Restoring conditional access policies                        Conditional access administrator
Restoring MFA settings                                       User administrator
Restoring inactive mailboxes and backup required data        Exchange administrator
Restoring Gallery applications and SSO settings              Application administrator or Cloud application administrator
Restoring Application Proxy settings and connector groups    Application administrator

NOTE: The Application administrator role is required to restore the Application Proxy settings. The Global reader role is sufficient for the backup operation.
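The following script is an added example and is not part of the Quest guide or product. It turns the backup roles listed above and the rows of Table 1 into a check that a tenant administrator can run against the service account: it reads the account's direct directory role memberships through the Microsoft Graph PowerShell SDK, reports which documented feature is satisfied by which held role, and warns about any role the account holds beyond the documented set. It assumes the Microsoft.Graph module is installed, that the caller can consent to the two read scopes used, and that the $ServiceAccountUpn parameter is a placeholder for the real account.

```powershell
<#
  Added example, not part of the On Demand Recovery guide.
  Verifies that a service account directly holds the directory roles the
  guide lists for backup and restore, and flags roles beyond that set.
  Assumptions: Microsoft.Graph PowerShell SDK installed; caller can consent
  to the read scopes below; $ServiceAccountUpn is a placeholder.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$ServiceAccountUpn
)

# Feature -> built-in role display names that satisfy it (any one is enough).
$RequiredRoles = [ordered]@{
    'Back up MFA settings, inactive mailboxes, conditional access' = @('Exchange Administrator', 'User Administrator')
    'Back up Application Proxy settings'                            = @('Global Reader', 'Application Administrator')
    'Restore conditional access policies'                           = @('Conditional Access Administrator')
    'Restore MFA settings'                                          = @('User Administrator')
    'Restore inactive mailboxes and backup required data'           = @('Exchange Administrator')
    'Restore Gallery applications and SSO settings'                 = @('Application Administrator', 'Cloud Application Administrator')
    'Restore Application Proxy settings and connector groups'       = @('Application Administrator')
}

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All' | Out-Null

$account = Get-MgUser -UserId $ServiceAccountUpn -Property Id, UserPrincipalName

# Display names of every activated directory role the account is a direct member of.
# Get-MgDirectoryRole lists only roles already activated in the tenant; roles held
# through a role-assignable group or still only eligible in PIM are not seen here.
$heldRoles = foreach ($role in Get-MgDirectoryRole -All) {
    $memberIds = (Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All).Id
    if ($memberIds -contains $account.Id) { $role.DisplayName }
}

# One row per documented feature: which acceptable role (if any) the account holds.
$report = foreach ($feature in $RequiredRoles.Keys) {
    $acceptable = $RequiredRoles[$feature]
    $matched    = @($acceptable | Where-Object { $heldRoles -contains $_ })
    [pscustomobject]@{
        Feature   = $feature
        Requires  = ($acceptable -join ' or ')
        Satisfied = ($matched.Count -gt 0)
        HeldRole  = ($matched -join ', ')
    }
}
$report | Format-Table -AutoSize

# Least privilege: any role outside the documented set deserves a review,
# Global Administrator in particular.
$allowed = $RequiredRoles.Values | ForEach-Object { $_ }
$excess  = @($heldRoles | Where-Object { $allowed -notcontains $_ })
if ($excess.Count -gt 0) {
    Write-Warning ("{0} holds roles not needed by On Demand Recovery: {1}" -f `
        $account.UserPrincipalName, ($excess -join ', '))
}
```

Run it as `.\Check-RecoveryServiceAccount.ps1 -ServiceAccountUpn svc-recovery@contoso.example` (both the file name and the UPN are placeholders). Because the check reads direct memberships only, an account that receives a role through a role-assignable group or through a PIM eligible assignment will show as not satisfied; treat that as a prompt to inspect the assignment path rather than as a definitive failure.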

Adding an Azure Active Directory Tenant

For instructions on how to add or remove an Azure AD tenant, see the Tenant Management section in the On Demand Global Settings User Guide.

NOTE: Although GCC High tenants can be added on the Tenants page for use in other On Demand modules, On Demand Recovery does not support restoring objects from GCC High tenants. This type of tenant will not be available for selection in On Demand Recovery.

When a tenant is added, the creation of backups is disabled by default. You must enable the backup creation as described in Step 6 in Working with On Demand Recovery.
