Chat now with support
Chat with Support

On Demand Recovery Current - User Guide

Working with Inactive Mailboxes

On Demand Recovery supports restore of inactive mailboxes of hard-deleted users. Federated Domain scenario is also supported. This feature requires Recovery Manager for Active Directory 9.0 or higher.

To preserve the original cloud mailbox of a hybrid user after restore, you have to select the If a hybrid user already exists in Azure Active Directory, delete it before the restore operation option in the Restore Object dialog.

User scenario:

  1. There is a hybrid user. This user is deactivated by the administrator for some reason. This means that the user account goes to Recycle Bin. After 30 days, Azure AD cleans this account from Recycle Bin.

  2. Then, the user returns and the account is enabled again by the administrator. After the activation, the user is recreated in the cloud with the new mailbox.

  3. We want to use the original cloud mailbox for the user. The only one way to do this is to restore the user from backup. But before the restore, the newly created cloud user must be removed from Azure AD using this new option.


If you restore a hybrid user and its mailbox with On Demand Recovery

  • For Non-Federated Domain, On Demand Recovery restores a cloud user and its mailbox without an on-premises user.

  • For Federated Domain, restore of hybrid users requires Recovery Manager for Active Directory. In this scenario, On Demand Recovery restores a hybrid user and its mailbox in the cloud. Recovery Manager for Active Directory restores this hybrid user on-premises, then it calls Azure AD Connect to synchronize the user back to the cloud and make the cloud user previously restored by On Demand Recovery be in the Federated Domain. Without Recovery Manager for Active Directory, the cloud user will be non-federated after restore and you will not log in with this user.


Hybrid Connection Port and Protocol Requirements

Protocol Ports Direction
HTTPS 443 (TCP/UDP) Outbound

Hybrid configuration with Recovery Manager for Active Directory requires only outbound TCP/UDP port 443 to be opened on the Recovery Manager Portal server to access the Internet. If the Recovery Manager Portal server already has access to the Internet, you do not need to change the Firewall configuration.


If you do not want to open all outbound IP addresses and your firewall or proxy lets you specify DNS allow list, you can add connections to <your name space> to your allow list.

Hybrid Restore Components Diagram


Hybrid Connection Security

FIPS 140-2 compliant TLS protocol is used for traffic encryption. HTTPS certificate is validated on our client side (Recovery Manager Portal).

Server side is Azure WCF Relay that is created and configured in Quest Azure Subscription.

Shared Access Signature (SAS) is used for authentication. A SAS token is based on an access key generated by On Demand Recovery cloud. This key is downloaded to the on-prememises server with Recovery Manager Portal and used in the portal configuration to establish the Hybrid connection (from on-premises to the cloud). The SAS token is sent to the cloud and verified on each connection request. For details about Shared Access Signature algorithm, see here:


Restore Email Address/Phone for Self-Service Password Reset

On Demand Recovery restores an email address/phone that was specified as an authentication method for the self-service password reset user option in the Azure portal. So the user can reset his or her password without help of the tenant Administrator.

  • On Demand Recovery does not restore user passwords and the password reset is the only option to log in to the Azure portal after the restore of the permanently deleted user.

  • On Demand Recovery restores Email, Mobile phone and Office phone for the self-service password reset option.

  • The following authentication methods are not restored: Security questions, Mobile app notification, Mobile app code.

For details on how to enable self-service password reset in your Azure AD tenant, see here.

How to log in to the Azure portal after the user restore if an email address was specified as authentication method for the password reset option:
  1. Go to the Azure portal and enter the user name.

  2. On the Enter password screen, click Forgot my password.


  3. On the Get back into your account screen, type the user name and prove that you are not a robot by entering the characters you see on the screen, and then select Next.


  4. On the next screen, select Email my alternate email, and then select Email.


  5. Type the verification code from the email into the box, and then select Next.

  6. Type and confirm your new password, and then select Finish. Your password has been reset and can be used to log in to the Azure portal.


  7. Log in with the new password.

  8. Then you may see the screen where you will be asked to verify your email address if the Converged service is not enabled in your environment. You can click Cancel and verify the email address later.


  9. If the Converged service is enabled, you will get the screen like below. In this case, no further action is required.




On Demand Recovery includes the comparison report feature that is used to monitor and roll back changes occurred in live Azure Active Directory or Office 365 since the backup was created. The report assists you with troubleshooting and resolving problems that may result from the deletion of critical objects or parameter changes.

The report shows the following changes:

  • Creation of new users or groups

  • Changes to Azure AD B2C "local accounts", "guest accounts", "social accounts"

  • Changes to object attributes, including licenses

  • Group membership and manager property changes (DirectoryLinkChange object type)

  • Changes to service principal objects: deletion of a service principal, add/remove roles (custom roles are not monitored), changes to the accountEnabled property.

  • Objects moved to Recycle Bin

  • Permanently deleted objects

  • When deleting a group, all links that were affected by this action are shown in the Differences report, e.g. Azure AD group membership, SharePoint groups membership, conditional access policies, group owners, and application assignments.


Restore of group membership from the Difference report is not supported for hybrid environments. Please use the Objects view, to restore 'member' or 'memberOf' attribute of an object.

To view and roll back changes in Azure Active Directory or Office 365

Objects added to the directory after the backup was created cannot be deleted using the Restore option in the comparison report. This option removes only membership information for the selected object and logs an event.

  1. Create a backup of your directory.

  2. Change any object attributes in your live Azure Active Directory or Office 365.

  3. Unpack the backup to compare with the current version of your directory. For that, click Unpack backup on the Dashboard view. In the Backup Unpacking dialog, click Browse and select the backup.

  4. After the backup is unpacked, go to the Differences view.

  5. To refine the data, use the Search field or facets on the left side of the screen.

    For more information about the search syntax, see Advanced Search.

  6. Select the changes you want to roll back and click Restore.

  7. To update the report data, use the Refresh option.

  8. The Export feature allows you to export the selected report data to the CSV format. Note that the CSV file contains internal column names, for example: the Attribute column in the Difference greed has the "changedAttribute" internal name. You can use internal column names to create search queries. For more information, refer to Advanced Search.


Related Documents