Restoring Service Principal Objects
Restoring Service Principal Objects
On Demand Recovery supports backing up and restoring service principal objects with the following properties:
- oAuth2PermissionGrants - the OAuth 2.0 scopes (delegated permissions) that have been granted to an application (represented by a service principal) as part of the user or admin consent process.
- appRoleAssignments - link between a service principal and a directory object.
- roles - administrator roles in Azure Active Directory. Refer to this article for details.
- appRoles - the collection of application roles that an application may declare.
- Service principal owners - the owners are a set of users who are allowed to modify service principal objects.
For the full list of service principal attributes that are restored and not restored by On Demand Recovery, see How does On Demand Recovery Handle Object Attributes?
What is the difference between a service principal object and an application object?
When you register an Azure AD application in the Azure portal, two objects are created in your Azure AD tenant; an application object and a service principal object.
- Application object
An Azure AD application is defined by its one and only application object, which resides in the Azure AD tenant where the application was registered, known as the application's "home" tenant. The Azure AD Graph Application entity defines the schema for an application object's properties.
- Service principal object
In order to access resources that are secured by an Azure AD tenant, the entity that requires access must be represented by a security principal. This is true for both users (user principal) and applications (service principal). The security principal defines the access policy and permissions for the user/application in that tenant. This enables core features such as authentication of the user/application during sign-in, and authorization during resource access.
When an application is given permission to access resources in a tenant (upon registration or consent), a service principal object is created. The Azure AD Graph ServicePrincipal entity defines the schema for a service principal object's properties.
For more details, see https://www.microsoftpressstore.com/articles/article.aspx?p=2473127.
Service principals provisioned from Azure Gallery
On Demand Recovery supports restoring service principals provisioned from Azure Gallery for users that have the service account for the tenant. This account must have at least the User Administrator role in the Azure portal.
Limitations: On Demand Recovery does not backup certificate settings for applications.
To make SAML SSO work after the restore of a service principal provisioned from Azure Gallery, you must install the new certificate for the corresponding application. For details on how to provide the certificate for a particular application, refer to the application configuration guide.
To access the application configuration guide
- In Azure Management Portal, navigate to the Azure Active Directory section in the left pane and click Enterprise applications.
- Choose the application for which you want to configure single sign-on.
- Under the Manage section, select Single sign-on.
- Click the configuration guide link.
Which actions are shown in the Differences report for a service principal?
- Deletion of a service principal object
- Changes to the accountEnabled attribute
- Add/remove roles assigned to service principals (custom roles are not monitored)
- Add/remove owners from service principals
- Add/remove owners from application
Names of administrator roles in the Azure portal are slightly different from the names of the corresponding roles that are shown in the Differences report. For information, see the following comparison table:
Table 2: Names of administrator roles in the Azure portal and the corresponding role in the Differences report
| Global Administrator |
Company Administrator |
| Billing Administrator |
Billing Administrator |
|
Compliance Administrator |
Compliance Administrator |
| Conditional Access Administrator |
Conditional Access Administrator |
| Dynamics 365 Administrator |
CRM Service Administrator |
| Exchange Administrator |
Exchange Service Administrator |
| Guest Inviter |
Guest Inviter |
| Password Administrator |
Helpdesk Administrator |
| Azure Information Protection administrator |
Information Protection Administrator |
| Intune Administrator |
Intune Service Administrator |
| Skype for Business Administrator |
Lync Service Administrator |
| Power BI Administrator |
Power BI Service Administrator |
| Privileged role Administrator |
Privileged Role Administrator |
| Reports Reader |
Reports Reader |
| Security Administrator |
Security Administrator |
| Security Reader |
Security Reader |
| Service Administrator |
Service Support Administrator |
| User Administrator |
User Account Administrator |
Restoring Application Proxy Settings
Restoring Application Proxy Settings
On Demand Recovery supports the recovery of Application Proxy settings, Connector groups, and Connector group membership.
Supported scenarios
The following scenarios are supported in On Demand Recovery:
- Restoring changes to Application Proxy configuration.
- Restoring connector group membership if an Application Proxy is moved into another connector group.
- If an Application Proxy is moved into another connector group and the previous connector group was deleted, On Demand Recovery puts the Application Proxy back to the connector group with the same name.
- If an Application Proxy is put into another connector group and the previous connector group is deleted and there is no connector group with the same name, the new connector group with this name will be automatically recreated and the Application Proxy will be put into it.
Limitations
All of the Application Proxy settings can only be restored at once, granular restore of Application Proxy settings is not supported.
Configuration data restored for an Application Proxy item
On Demand Recovery restores the following configuration data for an Application Proxy item:
Connector Groups
For deleted connector groups, On Demand Recovery restores the following attributes:
Other connector group data is currently backed up but cannot be restored.
OnPremisesPublishing Settings
An onPremisesPublishing object represents the set of properties for configuring Application Proxy for an on-premises application.
- externalUrl
- internalUrl
- externalAuthenticationType
- isTranslateHostHeaderEnabled
- isTranslateLinksInBodyEnabled
- isOnPremPublishingEnabled
- isHttpOnlyCookieEnabled
- isSecureCookieEnabled
- isPersistentCookieEnabled
- applicationServerTimeout
- useAlternateUrlForTranslationAndRedirect
For details, see https://docs.microsoft.com/en-us/graph/api/resources/onpremisespublishing?view=graph-rest-beta.
Connectors
Connector data is currently backed up but cannot be restored.
- id
- machineName
- externalIp
- status
- connectorGroupId
Prerequisites
Backing up Application Proxy settings is not enabled by default. You must select this option when configuring backup options.
To backup Application Proxy settings and connector groups
- Click Manage backups on the Dashboard screen.
- Select the tenant from the list and click Edit.
The Configure backup dialog opens.
- Select the Backup Application Proxy settings and connector groups option.
- Click Save.
For details, see How does On Demand Recovery Handle Object Attributes?
Restoring Multifactor Authentication Settings
Restoring Multifactor Authentication Settings
On Demand Recovery supports backing up and restoring the following multifactor authentication (MFA) settings:
- Authentication Requirement State
- Authentication Methods. Possible values:
- One Way SMS
- Two Way Voice Mobile
- Two Way Voice Office
- Phone App Notification
- Phone App One Time Password
- Default Authentication Method
- Authentication Phone
- Authentication Email
- Alternate Authentication Phone
- Alternate Authentication Email
For more details, see the How does On Demand Recovery Handle Object Attributes? section.
|
|
Note:
- If a user that uses Microsoft Authenticator as an additional authentication method is permanently deleted, then all authentication methods for this user cannot be restored. On Demand Recovery does not restore binding of the application to the user.
- On Demand Recovery does not restore user passwords.
|
Prerequisites
Backing up multifactor authentication settings is not enabled by default. You must select this option when configuring backup options.
To backup multifactor authentication settings
- Click Manage backups on the Dashboard screen.
- Select the tenant from the list and click Edit.
The Configure backup dialog opens.
- Select the Backup MFA settings option.
- Click Save.
|
|
Note:
- It is possible to determine the scope of customer IP Prefixes that can access the customer Azure AD tenant using Azure Active Directory (Azure AD) Conditional Access. This option significantly reduces security risks and can be recommended for customers who want to backup multifactor authentication settings. For further information, contact Quest Support.
- Multifactor authentication must be disabled for the On Demand Recovery service account or you should add On Demand Recovery IP prefixes to the list of 'Trusted IPs'.
|
To configure Trusted IP settings, use this table to allow the following subnets for relevant region:
| US |
52.233.76.96/29
|
| EU |
13.69.216.192/29 |
| Canada |
20.104.81.8/29 |
| UK |
51.145.35.32/29 |
| Australia |
20.191.252.152/29 |
For more details, see Configure Azure Multi-Factor Authentication settings.
Restoring Group Licenses
On Demand Recovery restores group licenses, which means reassignment of a license to a group after its recreation or restore from the Recycle Bin. Granular restore of the assignedLicenses attribute is supported as well.
Supported scenarios
The following scenarios are supported by On Demand Recovery:
- If a group is moved to the Recycle Bin, group licenses are restored simultaneously with the group object.
- Direct and inherited licenses for users are now distinguished.
- Inherited licenses are reassigned automatically by restoring membership.
- If the licenseAssignmentStates attribute is not present in old backups, user object assignments in Azure AD are used to distinguish inherited and direct licenses.
- The same logic is applied to the Differences report to show only one change if a group which is giving licenses was changed or deleted. In this case, the report will contain only the "Group change" or "Group deletion" action.
| |
NOTE: If you are restoring a permanently deleted user from an old backup, the user license may be assigned twice; by group and directly. |
