Chat now with support
Chat with Support

On Demand Recovery Current - User Guide

About On Demand Recovery Before You Start On Demand Recovery Console Overview Sign up for Quest On Demand Required Permissions Adding an Azure Active Directory Tenant Office 365 Tenant Requirements (Mailbox Data Protection) Access Control Working with On Demand Recovery Backup Unpacking Restoring objects Restoring roles Backup and Restore of Service Principal Objects Restoring Application Proxy settings Backup and Restore of MFA Settings Backup and restore group licenses Backup and restore SharePoint Online resource access Backup and Restore of Devices Backup and Restore of Conditional Access Policies Integration with Recovery Manager for Active Directory Working with Inactive Mailboxes Hybrid Connection Port and Protocol Requirements Restore Email Address/Phone for Self-Service Password Reset Reporting Advanced Search How does On Demand Recovery Handle Object Attributes? What is not protected by Auzure AD Connect in a hybrid environment but can be restored by On Demand Recovery?

Limitations

All of the Application Proxy settings can only be restored at once, granular restore of Application Proxy settings is not supported.

Configuration data restored for an Application Proxy item

On Demand Recovery restores the following configuration data for an Application Proxy item:

Connector Groups

For deleted connector groups, On Demand Recovery restores the following attributes:

  • name
  • region

Other connector group data is currently backed up but cannot be restored.

OnPremisesPublishing Settings

An onPremisesPublishing object represents the set of properties for configuring Application Proxy for an on-premises application.

  • externalUrl
  • internalUrl
  • externalAuthenticationType
  • isTranslateHostHeaderEnabled
  • isTranslateLinksInBodyEnabled
  • isOnPremPublishingEnabled
  • isHttpOnlyCookieEnabled
  • isSecureCookieEnabled
  • isPersistentCookieEnabled
  • applicationServerTimeout
  • useAlternateUrlForTranslationAndRedirect

For details, see https://docs.microsoft.com/en-us/graph/api/resources/onpremisespublishing?view=graph-rest-beta.

Connectors

Connector data is currently backed up but cannot be restored.

  • id
  • machineName
  • externalIp
  • status
  • connectorGroupId

To backup Application Proxy settings and connector groups

  1. Click Manage Backups on the Dashboard screen.
  2. Select the tenant from the list and click Edit.
    The Configure backup dialog opens.
  3. Select the Back up Application Proxy settings and connector groups option and specify the service account credentials for the tenant. The specified account must be a member of the Application Administrator Azure AD or Global Reader role.
  4. Click Save.

For details, see How does On Demand Recovery handle object attributes.

Backup and Restore of MFA Settings

On Demand Recovery supports backing up and restoring the following multifactor authentication (MFA) settings:

  • Authentication Requirement State
  • Authentication Methods. Possible values:
    • One Way SMS
    • Two Way Voice Mobile
    • Two Way Voice Office
    • Phone App Notification
    • Phone App One Time Password
  • Default Authentication Method
  • Authentication Phone
  • Authentication Email
  • Alternate Authentication Phone
  • Alternate Authentication Email

For more details, see the How does On Demand Recovery handle object attributes? section.

Note:

  • If a user that uses Microsoft Authenticator as an additional authentication method is permanently deleted, then all authentication methods for this user cannot be restored. On Demand Recovery does not restore binding of the application to the user.
  • On Demand Recovery does not restore user passwords.
Prerequisites

Backing up MFA settings is not enabled by default. You must select this option when configuring backup options.

To backup MFA settings

  1. Click Manage Backups on the Dashboard screen.
  2. Select the tenant from the list and click Edit.
    The Configure backup dialog opens.
  3. Select the Back up MFA settings, conditional access policies and data related to inactive mailboxes option and specify service account credentials for the tenant. The specified account must have at least one of the following roles in Azure portal; Exchange administrator or User administrator.
  4. Click Save.

Note:

  • It is possible to determine the scope of customer IP Prefixes that can access the customer Azure AD tenant using Azure Active Directory (Azure AD) conditional access. This option significantly reduces security risks and can be recommended for customers who want to backup MFA settings. For further information, contact Quest Support.
  • Multifactor authentication must be disabled for the On Demand Recovery service account or you should add On Demand Recovery IP prefixes to the list of 'Trusted IPs'.

To configure Trusted IP settings

  1. Sign in to Azure portal.
  2. Go to Azure Active Directory > Security > MFA > Getting started.
  3. Click Additional cloud-based MFA settings under Configure.
  4. On the multi-factor authentication page, click service settings.
  5. In the trusted ips section, complete the following steps, under the Skip multi-factor authentication for requests from following range of IP address subnets heading, type the following IP addresses that correspond to your region:
    Region IP Address IP Prefixes
    US

    52.149.28.17,

    52.149.27.185

    52.233.76.96/29


    EU

    20.191.53.111,

    20.191.48.105

    13.69.216.192/29

    Canada

    52.228.119.56,

    52.228.112.16

    20.104.81.8/29

    UK

    20.49.211.37,

    20.49.213.24

    51.145.35.32/29

  6. Click save.

For more details, see Configure Azure Multi-Factor Authentication settings.

Backup and restore group licenses

On Demand Recovery restores group licenses, which means reassignment of a license to a group after its recreation or restore from the Recycle Bin. Granular restore of the assignedLicenses attribute is supported as well.

Supported scenarios

The following scenarios are supported by On Demand Recovery:

  • If a group is moved to the Recycle Bin, group licenses are restored simultaneously with the group object.
  • Direct and inherited licenses for users are now distinguished.
  • Inherited licenses are reassigned automatically by restoring membership.
  • If the licenseAssignmentStates attribute is not present in old backups, user object assignments in Azure AD are used to distinguish inherited and direct licenses.
  • The same logic is applied to the Differences report to show only one change if a group which is giving licenses was changed or deleted. In this case, the report will contain only the "Group change" or "Group deletion" action.
NOTE: If you are restoring a permanently deleted user from an old backup, the user license may be assigned twice; by group and directly.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating