On Demand Recovery Current

On Demand Recovery Current - User Guide

About On Demand Recovery Before You Start On Demand Recovery Console Overview Sign up for Quest On Demand Required Permissions Adding an Azure Active Directory Tenant Office 365 Tenant Requirements (Mailbox Data Protection) Access Control Working with On Demand Recovery Backup Unpacking Which Objects Can Be Restored from Recycle Bin? Backup and Restore of Service Principal Objects Backup and Restore of Application Proxy Backup and Restore of MFA Settings Restoring Group Licenses Restoring SharePoint Online File Access Backup and Restore of Devices Backup and Restore of Conditional Access Policies Integration with Recovery Manager for Active Directory Hybrid Connection Widget Working with Inactive Mailboxes Hybrid Connection Port and Protocol Requirements Restore Email Address/Phone for Self-Service Password Reset Reporting Advanced Search How does On Demand Recovery Handle Object Attributes? What is not protected by Azure Active Directory Connect in a hybrid environment but can be restored by On Demand Recovery?

Required Permissions

This section lists the minimum user account permissions required to perform specific On Demand Recovery tasks.

Azure Account used for adding Azure tenant to the On Demand

To add a tenant and grant admin consent for the On Demand Recovery module, the Azure Global administrator directory role is required. For more details, see Add an Azure AD tenant.
On Demand Recovery needs Basic consent at the Recovery section. If you plan to use SharePoint functionality, On Demand Recovery requires the Resource Processing for SharePoint Online consent. For more details about SharePoint Online restore, see Restoring SharePoint Online File Access.
After the tenant is added, you can change the permissions to the User administrator role. Basic backup and restore operations will work.
To use the whole product functionality, you need to specify a service account in backup settings.

About the service account

Resources/Images/configure_backup.png

The service account is used to backup and restore the following data:

Conditional access policies
Multi-Factor Authentication (MFA) settings
Identifiers of Inactive mailboxes
Gallery applications and SSO settings data
Application Proxy settings and connector groups

Required permissions for the service account depending on the feature

On Demand Recovery Feature	Required Directory role
Restoring conditional access policies	Conditional access administrator
Restoring MFA settings	User administrator
Restoring inactive mailboxes and backup required data	Exchange administrator
Restoring Gallery applications and SSO settings	Application administrator or Cloud application administrator
Restoring Application Proxy settings and connector groups	Application administrator

Note	The Application administrator role is required to restore the Application Proxy settings; the Global reader role is sufficient for the backup operation.

Adding an Azure Active Directory Tenant

For instructions on how to add or remove an Azure AD tenant, please see the Tenant Management section in On Demand Global Settings User Guide.

Note	Creation of backups is disabled by default. After the tenant is added, you must enable the backup creation as described in Step 6 on the Working with On Demand Recovery page.

Office 365 Tenant Requirements (Mailbox Data Protection)

Office 365 and on-premises Exchange offer some means of protection against losing valuable data. To prevent the permanent deletion of mailbox data and to be able to restore a mailbox when it is deleted from Recycle Bin, we strongly recommend that you use Office 365 retention policy or Litigation Hold (for hybrid configuration).

Office 365 retention policy

Retention policies do two basic things: they either protect data from deletion and delete unnecessary items.

Retain content - content cannot be permanently deleted before the end of the retention period.
Delete content - unnecessary content is permanently deleted at the end of the retention period.

You can create and manage retention policies on the:

Policies page in the Microsoft 365 compliance center.
Retention page under Data governance in the Office 365 Security & Compliance Center.

For details, see https://docs.microsoft.com/en-us/office365/securitycompliance/retention-policies.

Litigation Hold

As an alternative to retention policies, you can place a mailbox on Litigation Hold to preserve all mailbox content, including deleted items and original versions of modified items.

For more information, see https://docs.microsoft.com/en-us/exchange/policy-and-compliance/holds/litigation-holds?view=exchserver-2019.

Access Control

Quest On Demand provides permission-based roles to determine what permission level a user has and what tasks the user can perform.

For more details, see Adding users to an organization section in On Demand Global Settings User Guide.

List of permissions that can be assigned to Recovery Users

Can manage backup settings
Can download hybrid credentials
Can run backup manually
Can unpack backups
Can run difference report
Can restore from objects
Can restore from differences
Can read backup history
Can read unpacked objects
Can read differences
Can read task history
Can read events
Can read restore attributes
Can read UI projects
Can read UI collections
Can manage events

Note	On Demand administrators have full access to global settings and all module permissions.

Please select your product:

To serve you better, please complete the Purpose of your Chat:

Recommended Solutions for Your Problem