Chat now with support
Chat with Support

On Demand Recovery Current - User Guide

About On Demand Recovery Before You Start On Demand Recovery Console Overview Working with On Demand Recovery Backup Unpacking Restoring objects Integration with Recovery Manager for Active Directory Reporting Advanced Search How does On Demand Recovery Handle Object Attributes? What is not protected by Auzure AD Connect in a hybrid environment but can be restored by On Demand Recovery?

Working with On Demand Recovery

This section provides step-by-step instructions on how to use On Demand Recovery.

Note:

  • For Office 365 tenants: On Demand Recovery can backup and restore Office 365 users, Office 365 groups and Security groups. Group membership and ownership is restored for both types of groups. The product does not restore any resources associated with Office 365 groups and Microsoft Teams, such as conversations, links to SharePoint sites, Planner tasks and plans.
  • Email notifications about failed backups can be enabled by request. For assistance, contact Quest Support.
  1. Go to Quest On Demand and sign up for Quest On Demand. For more details, refer to Signing up for Quest On Demand.
  2. Add your Azure Active Directory tenant as described in the Tenant Management section in the On Demand Global Settings User Guide.
  3. After the tenant is added, make sure that the permissions required to work with Azure Active Directory tenant are granted. To grant the required permissions, click Go on the tenant tile and check that the Recovery module has the Granted status. For details, please see the Admin Consent Status section in the On Demand Global Settings User Guide.

    Note: Microsoft admin consent status is "expired" after 90 days and the Recovery module status is changed to "Not Granted". Once expired, you must grant admin consent again to continue using the module.

  4. To launch On Demand Recovery, click Recovery on the left pane. The Dashboard screen opens.
  5. To configure a hybrid connection with on-premises Active Directory, see Integration with Recovery Manager for Active Directory.
  6. To configure the backup settings, perform the following steps:
    1. Click Manage Backups on the Dashboard screen.
    2. Select the tenant from the list and click Edit. The Configure backup dialog opens.

      • To enable the backup creation, select Enabled next to the Schedule option.
      • Specify the backup retention period using the Retention policy option. The backup retention policy is also applied to backups that are started manually.
      • To back up multi-factor authentication settings, inactive mailboxes, and conditional access policies, select the Back up MFA settings, conditional access policies and data related to inactive mailboxes option.
      • To back up Application proxy settings, select the Back up Application proxy settings and connector groups option.
      • Specify service account credentials for the tenant. For details about required permissions, see Required permissions.
    3. Check the status of the module admin consent.
    4. If you need to run the backup creation manually, go to the Tasks screen, select the Backup task and click Start.
  7. To start the backup creation manually, you can use the Create Backup option on the Dashboard screen.
  8. To unpack a backup:
    1. Go to the Backups screen.
    2. From the Tenant drop-down list, select the tenant, then select the backup you want.
    3. You can specify predefined or custom date ranges to narrow the search results.


    4. Click Unpack in the actions menu.
    5. If the option Unpack service principals and devices is not selected, the unpack operation will work faster and the Differences report will contain only changes related to users and groups. For more details about this option, see Backup unpacking.
    6. In the Backup Unpacking dialog, click Unpack.
  9. When the Unpack backup task is completed, go to the Unpacked Objects screen and select the users and groups that you want to restore and click Restore.

    Note: If you do not unpack a backup, the Unpacked Objects screen will contain no objects or show a list of objects that were extracted from the previously unpacked backup.

  10. In the Restore Objects dialog, you can select the following options:
    • Restore deleted users and groups from Recycle Bin - Restores accidentally deleted users and Office 365 groups from the Recycle Bin. On Demand Recovery preserves original object identifiers (GUID).
    • If a user or group is not found in Recycle Bin, create a new one - Recreates permanently deleted users, groups, and subgroups. This option recreates users and groups with attributes that are required for object identification. If you need to restore all attributes for the object including membership information (links), use this option together with the Restore all attributes option.
    • If a hybrid user already exists in Azure Active Directory, delete it before the restore operation - This action lets you preserve the original cloud mailbox of a hybrid user after restore in the following scenario:
      1. There is a hybrid user. This user is deactivated by the administrator for some reason.
      2. Then the user returns, and the account is enabled again by the administrator. After the activation, the user is recreated in the cloud with the new mailbox.
      3. We want to use the original cloud mailbox for the user. The only one way to do this is to restore the user from a backup. But before the restore, the newly created cloud user must be removed from Azure AD using this option.
    • Restore all attributes - Restores all object attributes including membership information (links). If this option is not selected, you can specify specific attributes that you want to restore by clicking Browse.

  11. Also, you can view differences between the selected backup and live Azure Active Directory or Office 365 and revert the selected changes using the Differences report tool. For more details, see the Reporting section. You can export the selected report data to the CSV file.
  12. You can view the status of your Restore objects task on the Tasks screen.

  13. Open the Events screen to view errors or warnings, if they occur during the restore operation.
    • Use the Export option to export the selected log data to the CSV format.
    • Use the Acknowledge option to hide events that are not actual anymore. The status of acknowledged events is changed from 'Current' to 'Obsolete'. To view the list of obsolete events, click Obsolete on the left side of the screen.

Backup Unpacking

In the Backup Unpacking dialog, you have the option to Unpack service principals, devices, and conditional access policies. If this option is not selected, the unpack operation will work faster and the Differences report will contain only changes related to users and groups. Otherwise, you will see changes related to users, groups, service principals, devices, and conditional access policies. The table below provides the full list of objects and changes that will be shown on the corresponding screens.

If the Unpack service principals, devices, and conditional access policies option is NOT selected, the following items will be shown:

Unpacked Objects view

  • User
  • Group

Differences view

  • User
  • Group
  • DirectoryLinkChange
  • DirectoryRoleLinkChange

If the Unpack service principals, devices, and conditional access policies option is selected, the following items will be shown:

Unpacked Objects view

  • User
  • Group
  • Service Principal
  • Device

Differences view

  • User
  • Group
  • Service Principal
  • Device
  • OAuth2PermissionGrant
  • AppRoleAssignment
  • OwnerLinkChange
  • GroupOwnerLinkChange
  • DirectoryRoleLinkChange
  • RegisteredOwnerDeviceLinkChange
  • RegisteredUserDeviceLinkChange

Restoring objects

After you complete an Unpack backup task, go to the Unpacked Objects tab to select the objects that you want to restore.

Note: If you do not unpack a backup, the Unpacked Objects tab does not display any objects or shows a list of objects that were extracted from the previously unpacked backup.

You can choose one of the following views to see the unpacked objects:

  • List View - This view lists the unpacked objects from your backup. You can select objects to export to a CSV file or select objects to restore.
  • Objects - This view displays the number of unpacked objects by category in graph form. You can use the filters to display specific types of objects.

To restore objects

  1. On the Unpacked Objects tab, in List View, click the check boxes next to the objects that you want to restore.
    1. You can use the Search field to search for specific objects to restore.
    2. You can use the filters to display specific objects that you want to restore. The following filters are available:
      • Tenant - allows you to filter objects by a specified tenant.
      • Backup - allows you to filter objects by a specified backup.
      • Type - allows you to filter objects by type.
      • User Type - allows you to filter objects by type of user.
      • AAD Connect - allows you to filter by objects synced from a hybrid environment.
      • MFA - allows you to filter objects by MFA setting.
      • Mail Enabled - allows you to filter by objects that have a mailbox (enabled) or do not have a mailbox (disabled).
  2. Click Restore.
  3. In the Restore Objects dialog, you can select the following options:
    • Restore deleted users and groups from Recycle Bin - This restores accidentally deleted users and Office 365 groups from the Recycle Bin. On Demand Recovery preserves original object identifiers (GUID).
    • If a user or group is not found in Recycle Bin, create a new one - This recreates permanently deleted users, groups, and subgroups. This option recreates users and groups with attributes that are required for object identification. If you need to restore all attributes for the object including membership information (links), use this option together with the Restore all attributes option.
    • If a hybrid user already exists in Azure Active Directory, delete it before the restore operation - This action lets you preserve the original cloud mailbox of a hybrid user after restore in the following scenario:
      1. There is a hybrid user. This user is deactivated by the administrator for some reason.
      2. Then the user returns, and the account is enabled again by the administrator. After the activation, the user is recreated in the cloud with the new mailbox.
      3. We want to use the original cloud mailbox for the user. The only one way to do this is to restore the user from a backup. But before the restore, the newly created cloud user must be removed from Azure AD using this option.
    • Restore all attributes - This restores all object attributes including membership information (links). If this option is not selected, you can specify specific attributes that you want to restore by clicking Browse.
    • Specify password for the encrypted backup (hybrid configuration only) - This allows you to type a password that is used to decrypt the encrypted backup. This is only available in a hybrid configuration.


  4. Click OK.

Which Objects Can Be Restored from Recycle Bin?

On Demand Recovery can restore the following objects from the Recycle Bin:

  • Users (all types of users including B2B guests, B2C, hybrid)
  • Office 365 Groups
  • Applications

Note: Links, permissions, and roles cannot be restored from the Recycle Bin. But if an object from the above list is soft deleted and then recovered from the Recycle Bin, all attributes and links including group membership and app role assignments are preserved by Microsoft.

Objects that cannot be restored from the Recycle Bin:

  • Distribution lists
  • Security groups
  • Mail-enabled security groups
  • All groups synchronized by Azure AD Connect from on-premises Exchange server (hybrid configuration)
  • Service principals
  • Devices
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating