- To add a tenant and grant admin consent for the On Demand Recovery module, the Azure Global administrator directory role is required. For more details, see Add an Azure AD tenant.
On Demand Recovery requires Basic consent in the Recovery section. If you plan to use SharePoint functionality, the Resource Processing for SharePoint Online consent is also required. For more details on restoring SharePoint Online, see Restoring SharePoint Online resource access. - After the tenant is added, you can change the permissions to the User administrator role. Basic backup and restore operations will work.
To use the whole product functionality, you must specify a service account in backup settings.
About On Demand Recovery
Before You Start
Sign up for Quest On Demand
Required Permissions
Adding an Azure Active Directory Tenant
Office 365 Tenant Requirements (Mailbox Data Protection)
Access Control
On Demand Recovery Console Overview
Working with On Demand Recovery
Backup Unpacking
Restoring objects
Which Objects Can Be Restored from Recycle Bin?
Restoring users
Restoring groups
Restoring roles
Backup and Restore of Service Principal Objects
Restoring Application Proxy settings
Backup and Restore of MFA Settings
Restoring group licenses
Restoring SharePoint Online resource access
Backup and Restore of Devices
Backup and Restore of Conditional Access Policies
Restore Email Address/Phone for Self-Service Password Reset
Integration with Recovery Manager for Active Directory
Limitations when a hybrid connection is not configured
Hybrid connection widget
Working with Inactive Mailboxes
Hybrid Connection Port and Protocol Requirements
Reporting
Advanced Search
How does On Demand Recovery Handle Object Attributes?
What is not protected by Auzure AD Connect in a hybrid environment but can be restored by On Demand Recovery?
Azure account used for adding tenants to On Demand
Service account permissions
The service account that is used to backup and restore Multi-Factor Authentication (MFA) settings, inactive mailboxes, conditional access polices, and Application Proxy settings must have the following permissions:
- For backup operations, this account must be a member of Exchange administrator or User administrator Azure AD role.
- To back up Application Proxy, the account must be a member of Application administrator role.
The service account is used to backup and restore the following data:
- Conditional access policies
- Multi-Factor Authentication (MFA) settings
- Identifiers of inactive mailboxes
- Gallery applications and SSO settings data
- Application Proxy settings and connector groups
Table 1: Required permissions for the service account by feature
| On Demand Recovery feature | Required Directory role |
|---|---|
| Restoring conditional access policies | Conditional access administrator |
| Restoring MFA settings | User administrator |
| Restoring inactive mailboxes and backup required data | Exchange administrator |
| Restoring Gallery applications and SSO settings | Application administrator or Cloud application administrator |
| Restoring Application Proxy settings and connector | Application administrator |
 |
NOTE: The Application administrator role is required to restore the Application Proxy settings. The Global reader role is sufficient for the backup operation. |
Adding an Azure Active Directory Tenant
For instructions on how to add or remove an Azure AD tenant, see the Tenant Management section in the On Demand Global Settings User Guide.
|
|
Note: Creation of backups is disabled by default. After the tenant is added, you must enable the backup creation as described in Step 6 in Working with On Demand Recovery. |
Office 365 Tenant Requirements (Mailbox Data Protection)
Office 365 and on-premises Exchange offer some native means of protection against losing valuable data. To prevent the permanent deletion of mailbox data and to be able to restore a mailbox when it is deleted from the Recycle Bin, it is strongly recommend that you use Office 365 retention policy or Litigation Hold (for hybrid configuration).