On Demand Recovery does not backup passwords. During the restore of permanently deleted users, the application sets a random password that can be changed by the administrator at the next login.
About On Demand Recovery
On Demand Recovery Module Overview
Before You Start
Sign up for Quest On Demand
Adding a Microsoft Entra Tenant
Required Permissions
Azure Account Used to Grant Consents
Basic Consent Permissions
Restore Consent Permissions
Exchange Online PowerShell Consent
Service Credential Permissions
Trusted IP Settings
Microsoft 365 Tenant Requirements (Mailbox Data Protection)
Access Control
Working with On Demand Recovery
Backup Unpacking
Restoring Objects
Restoring Directory Roles and Application Roles
Restoring Users
Restoring Groups
Restoring Service Principal Objects
Restoring Applications
Restoring Application Proxy Settings
Restoring Multifactor Authentication Settings
Restoring Group Licenses
Restoring Devices
Restoring Conditional Access Policies
Backup and Restore of Tenant Level Settings
Backup and Restore Administrative Units
Integration with Recovery Manager for Active Directory
Working with Inactive Mailboxes
Hybrid Connection Port and Protocol Requirements
Restoring Email Address or Phone for Self-Service Password Reset
Reporting
Advanced Search
How does On Demand Recovery Handle Object Attributes?
What is Not Protected by Microsoft Entra Connect but Can Be Restored by On Demand Recovery?
Restoring Passwords
Restoring Directory Roles and Application Roles
Restoring Directory Roles and Application Roles
On Demand Recovery backs up and restores the assigned roles in Microsoft Entra ID.
Supported scenarios
The following scenarios are supported in On Demand Recovery:
- Restoring eligible/active assigned roles that are associated with applications integrated with Microsoft Entra ID. For more information, see Restoring Service Principal Objects.
- Restoring directory roles and their members including users and group members.
- Restoring role assignments for users, groups and service principals.
Limitations
The following roles are not restored by On Demand Recovery:
- Custom Microsoft Entra roles are not restored.
- Custom Microsoft 365 roles are not restored.
Restoring Users
Restoring Users
Users that were accidentally deleted can be restored using On Demand Recovery. Users who have been moved to the Deleted users page (soft deleted) can be restored along with users who have been permanently deleted (hard deleted) from Microsoft Entra ID.
Supported scenarios
The following scenarios are supported by On Demand Recovery:
- Restoring a soft or hard deleted user as a group owner if they were previously an owner of a security group or Microsoft 365 group.
|
|
Note: Because of Microsoft requirements, hard deleted objects will receive a new Object ID upon restore of these objects. Please consider the implications of having a new Object ID after restoring these objects. |
Restored user attributes
For a list of user attributes restored by On Demand Recovery, visit the On Demand Recovery Supported Attributes guide.
Restoring Groups
Restoring Groups
In Microsoft Entra ID, there are two types of groups; Security and Microsoft 365. When a Microsoft 365 group is deleted in Microsoft Entra ID, it is soft deleted. That is, the Microsoft 365 group is moved to the Deleted groups page where it can be restored or permanently deleted. When a security group is deleted in Microsoft Entra ID, it is hard deleted. That is, the security group is permanently deleted and not moved to the Deleted groups page. The Differences report in On Demand Recovery identifies groups as being either hard deleted or soft deleted in Microsoft Entra ID. Both types of groups can be restored from the Differences report.
Supported scenarios
The following scenarios are supported in On Demand Recovery:
- Restoring security groups and group membership
- Restoring Microsoft 365 groups and group membership
- Restoring dynamic groups
- Restoring group owners associated with a security group
- Restoring group owners associated with a Microsoft 365 group
|
|
Note: Because of Microsoft requirements, hard deleted objects will receive a new Object ID upon restore of these objects. Please consider the implications of having a new Object ID after restoring these objects. |
Restored group attributes
For a list of group attributes restored by On Demand Recovery, visit the On Demand Recovery Supported Attributes guide.
Limitations
The following groups are not restored by On Demand Recovery:
- Distribution groups