
On Demand Recovery Current - User Guide


Adding a Microsoft Entra Tenant

For instructions on how to add or remove a Microsoft Entra tenant, see the Tenant Management section in the On Demand Global Settings User Guide.


NOTE: Although GCC High tenants can be added on the Tenants page for use in other On Demand modules, On Demand Recovery does not support restoring objects from GCC High tenants. This type of tenant will not be available for selection in On Demand Recovery. GCC tenants are also not supported.


When a tenant is added, backup creation is disabled by default. You must enable backup creation as described in Step 6 in Working with On Demand Recovery.

Required Permissions

This section lists the minimum user account permissions required to perform specific On Demand Recovery tasks.

Azure Account Used to Grant Consents

On Demand service principals require explicit permissions before they can access and operate on tenant assets. The Tenant Administrator grants these permissions through consents.

Each tenant that is added has granted consent to the initial Core – Basic permission set to the On Demand service principal. Additional consents are required to work with different features of On Demand Recovery. There are two service principals for On Demand Recovery: On Demand Recovery Basic and On Demand Recovery Restore. For the explicit permissions granted to each service principal, see Basic Consent Permissions and Restore Consent Permissions.

  • On Demand Recovery requires Basic consent in the Recovery section. Basic consent is used for all read operations including backups.
    • For backup operations, the Global Reader role can be used.
  • On Demand Recovery requires Restore consent in the Recovery section. Restore consent is used for all write operations including restore.
    • For restore operations, the Authentication Administrator, User Administrator, Windows 365 Administrator and Conditional Access Administrator roles must be used. In addition, if any Conditional Access policies use a custom security attribute, the Attribute Definition Reader role will also be required.

For some advanced features, a separate service account is required and you must specify this service account in the backup settings.

Role definitions for On Demand Recovery

  • User Administrator: The User Administrator role is required to check whether a user is soft-deleted, that is, whether the user is in the Recycle Bin.
  • Authentication Administrator: The Authentication Administrator role is required to set a user's MFA setting to the enforced state from either the enabled or the disabled state.
  • Windows 365 Administrator: The Windows 365 Administrator role is required to restore devices and their owner or owned links.
  • Conditional Access Administrator: The Conditional Access Administrator role is required to restore Conditional Access policies.
  • Attribute Definition Reader: The Attribute Definition Reader role is required only if a Conditional Access policy uses application filters on custom security attributes. If the filters are on default schema attributes, this role is not required when restoring or updating Conditional Access policies.

Basic Consent Permissions

In addition to the base consents required by On Demand, On Demand Recovery requires the following consents and permissions.

To view the list of Basic consent permissions in On Demand Recovery:

  1. Click Tenants in the navigation panel on the left and click Edit Consents for the required tenant.
  2. Go to the Basic tile, under Recovery.
  3. Under Status and Actions, click View Details.

Application permissions are used in the app-only access scenario, without a signed-in user present. The application can access any data that the permission covers. Only an administrator or an owner of the service principal can consent to application permissions.

Delegated permissions allow the application to act on a user's behalf. The application can never access anything that the signed-in user could not access themselves.

For more information on application and delegated permissions, see the Microsoft Graph permissions documentation.

Consent Version 2.2

| Type | Permission | Description | API Name |
|------|------------|-------------|----------|
| Application | Application.Read.All | Allows the app to read all applications and service principals without a signed-in user. | Microsoft Graph |
| Application | DelegatedPermissionGrant.Read.All | Allows the app to read all delegated permission grants, without a signed-in user. | Microsoft Graph |
| Application | Device.Read.All | Allows the app to read your organization's devices' configuration information without a signed-in user. | Microsoft Graph |
| Application | Directory.Read.All | Allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user. | Microsoft Graph |
| Application | Group.Read.All | Allows the app to read group properties and memberships, and read the calendar and conversations for all groups, without a signed-in user. | Microsoft Graph |
| Application | Member.Read.Hidden | Read all hidden memberships. | Microsoft Graph |
| Application | Policy.Read.All | Allows the app to read all your organization's policies without a signed-in user. | Microsoft Graph |
| Application | RoleManagement.Read.Directory | Allows the app to read the role-based access control (RBAC) settings for your company's directory, without a signed-in user. This includes reading directory role templates, directory roles and memberships. | Microsoft Graph |
| Application | User.Read.All | Allows the app to read the full set of profile properties, group membership, reports and managers of other users in your organization, without a signed-in user. | Microsoft Graph |
| Application | UserAuthenticationMethod.Read.All | Allows the app to read authentication methods of all users in your organization, without a signed-in user. Authentication methods include things like a user's phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign in or otherwise use the authentication methods. | Microsoft Graph |
| Delegated | email | Allows the app to read your users' primary email address. | Microsoft Graph |
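The Basic consent is meant to be read-only, so a tenant administrator will want to confirm that the On Demand Recovery Basic service principal holds exactly the permissions in the table above and nothing more. The following script is an added example (not Quest or Microsoft code) that performs that check against a constructed, simplified copy of what Microsoft Graph returns for a service principal's appRoleAssignments and oauth2PermissionGrants; it assumes the GUID appRoleId of each assignment has already been resolved to its permission string.

```python
"""Least-privilege audit of the On Demand Recovery Basic consent (version 2.2).
Added example (not Quest or Microsoft code): compares permissions granted to a
service principal, constructed inline in a simplified Graph shape, with the table above."""
from dataclasses import dataclass

# Basic consent permissions from the table above; all are Microsoft Graph.
REQUIRED_APPLICATION = frozenset({
    "Application.Read.All", "DelegatedPermissionGrant.Read.All", "Device.Read.All",
    "Directory.Read.All", "Group.Read.All", "Member.Read.Hidden", "Policy.Read.All",
    "RoleManagement.Read.Directory", "User.Read.All", "UserAuthenticationMethod.Read.All",
})
REQUIRED_DELEGATED = frozenset({"email"})

@dataclass
class ConsentReport:
    missing_application: set
    extra_application: set
    missing_delegated: set
    extra_delegated: set

    def is_least_privilege(self) -> bool:
        """True only when the granted permissions equal the documented Basic set."""
        return not (self.missing_application or self.extra_application
                    or self.missing_delegated or self.extra_delegated)

def audit_consent(app_role_assignments, oauth2_grants) -> ConsentReport:
    # Assumption: each appRoleAssignment's GUID appRoleId has already been resolved
    # to its string value (e.g. "Directory.Read.All") and stored under "permission".
    granted_app = {a["permission"] for a in app_role_assignments
                   if a.get("resourceDisplayName") == "Microsoft Graph"}
    # An oauth2PermissionGrant carries its delegated scopes as one space-separated string.
    granted_del = {s for g in oauth2_grants for s in g.get("scope", "").split()}
    return ConsentReport(
        missing_application=set(REQUIRED_APPLICATION - granted_app),
        extra_application=set(granted_app - REQUIRED_APPLICATION),
        missing_delegated=set(REQUIRED_DELEGATED - granted_del),
        extra_delegated=set(granted_del - REQUIRED_DELEGATED),
    )

# Constructed sample: one read permission missing, one write permission over-granted.
SAMPLE_APP_ROLE_ASSIGNMENTS = [
    {"resourceDisplayName": "Microsoft Graph", "permission": p}
    for p in sorted(REQUIRED_APPLICATION - {"UserAuthenticationMethod.Read.All"})
] + [{"resourceDisplayName": "Microsoft Graph", "permission": "User.ReadWrite.All"}]
SAMPLE_OAUTH2_GRANTS = [{"scope": "email"}]

if __name__ == "__main__":
    report = audit_consent(SAMPLE_APP_ROLE_ASSIGNMENTS, SAMPLE_OAUTH2_GRANTS)
    print(report, "\nleast privilege:", report.is_least_privilege())
```

An over-granted write permission on the Basic principal is the finding to act on, since the table documents only read permissions for this consent.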