Backup and Restore of Devices
On Demand Recovery can restore Azure AD device objects that were removed from the Azure Portal. For registered or joined devices, single sign-on (SSO) data (if any) is also restored.
The following limitations exist when restoring devices in On Demand Recovery:
- SSO data is not restored automatically for a device that was permanently deleted together with its owner. In this case, the device owner must join the device again.
- If a device was unjoined by its owner, the device object is restored in the Azure Portal, but SSO does not work for it.
The following scenarios are not supported in On Demand Recovery:
- Windows Hello for joined devices
- Microsoft Intune
- Restricted access for devices
- Restoring devices in a hybrid configuration
- Restoring devices to another tenant
Restored device attributes
For a list of device attributes restored by On Demand Recovery, see Table 17 in the Attributes restored by On Demand Recovery section.
Backup and Restore of Conditional Access Policies
On Demand Recovery supports backing up and restoring conditional access policies in cloud-only and hybrid environments.
Note: On Demand Recovery does not restore the conditional access policy "Baseline policy: Require MFA for admins".
Backing up conditional access policies is not enabled by default. You must select this option when configuring backup options.
To back up conditional access policies
- Click Manage backups on the Dashboard screen.
- Select the tenant from the list and click Edit.
The Configure backup dialog opens.
- Select the Backup MFA settings, conditional access policies and data related to inactive mailboxes option and specify service account credentials for the tenant. The specified account must have the following permissions:
- For backup operations, the account must hold at least one of the following Azure AD roles: Exchange administrator or User administrator.
- To restore conditional access policies, the account must be a member of the Company administrator (Global administrator) or Conditional access administrator Azure AD role.
- Click Save.
If a backup contains conditional access policies, the Objects view shows the following object types:
- Conditional Access Policy
- Named Locations
On Demand Recovery restores the whole policy object; the Differences report does not detail which attribute was restored. When permanently deleted objects that are assigned to a conditional access policy are restored, the policy settings are updated as well.
On Demand Recovery checks whether the objects (users, groups, named locations) assigned to the policy exist in Azure Active Directory. If any of them are missing, the policy is still restored, but an error is shown.
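The reference check described in the paragraph above is something you can run yourself before a restore, for example against a policy exported from Microsoft Graph, so that the missing users, groups or named locations are recreated first and the restore does not end with an error. The following Python is an added example written for this page; it is not On Demand Recovery's code. It uses the field names of the Graph conditionalAccessPolicy object, a constructed directory snapshot in place of a live tenant, and treats All, None, GuestsOrExternalUsers and AllTrusted as Graph's placeholder tokens rather than object IDs.

```python
"""Pre-flight check before restoring a Conditional Access policy: which referenced
directory objects (users, groups, named locations) no longer exist?"""

# Tokens Graph uses in place of object IDs; they never need to be resolved.
SPECIAL_USER_TOKENS = {"All", "None", "GuestsOrExternalUsers"}
SPECIAL_LOCATION_TOKENS = {"All", "AllTrusted"}

# Constructed directory snapshot (not real tenant data): object ID -> object type.
DIRECTORY = {
    "11111111-1111-1111-1111-111111111111": "user",
    "22222222-2222-2222-2222-222222222222": "group",
    "33333333-3333-3333-3333-333333333333": "namedLocation",
}

# Constructed policy in the shape of a Graph conditionalAccessPolicy object.
# 4444... stands for a permanently deleted user, 5555... for a deleted named location.
POLICY = {
    "displayName": "Require MFA outside trusted locations",
    "conditions": {
        "users": {
            "includeUsers": ["11111111-1111-1111-1111-111111111111"],
            "excludeUsers": ["44444444-4444-4444-4444-444444444444"],
            "includeGroups": ["22222222-2222-2222-2222-222222222222"],
            "excludeGroups": [],
        },
        "locations": {
            "includeLocations": ["All"],
            "excludeLocations": [
                "33333333-3333-3333-3333-333333333333",
                "55555555-5555-5555-5555-555555555555",
            ],
        },
    },
}


def referenced_objects(policy):
    """Yield (kind, object_id) for every directory object the policy points at."""
    conditions = policy.get("conditions") or {}
    users = conditions.get("users") or {}
    locations = conditions.get("locations") or {}   # Graph returns null when unset
    for key in ("includeUsers", "excludeUsers"):
        for oid in users.get(key) or []:
            if oid not in SPECIAL_USER_TOKENS:
                yield "user", oid
    for key in ("includeGroups", "excludeGroups"):
        for oid in users.get(key) or []:
            yield "group", oid
    for key in ("includeLocations", "excludeLocations"):
        for oid in locations.get(key) or []:
            if oid not in SPECIAL_LOCATION_TOKENS:
                yield "namedLocation", oid


def missing_references(policy, directory):
    """Return [(kind, object_id)] for references whose object is absent or of another type."""
    return [(kind, oid) for kind, oid in referenced_objects(policy)
            if directory.get(oid) != kind]


if __name__ == "__main__":
    for kind, oid in missing_references(POLICY, DIRECTORY):
        print(f"missing {kind}: {oid}")
```

With a live tenant you would fill DIRECTORY from the Graph users, groups and identity/conditionalAccess/namedLocations collections; a reference reported here is exactly what the restore will flag as an error.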
Restore Email Address/Phone for Self-Service Password Reset
On Demand Recovery restores an email address or phone number that was specified as an authentication method for the self-service password reset (SSPR) option in the Azure portal, so that users can reset their own passwords without help from a tenant administrator.
The following scenarios are supported by On Demand Recovery:
- Restoring email, mobile phone number, and office phone number for the self-service password reset option.
The following scenarios are not supported by On Demand Recovery:
- Restoring user passwords. After a permanently deleted user is restored, a password reset is the only way for that user to log in to the Azure portal.
- The following authentication methods are not restored: security questions, mobile app notification, and mobile app code.
For details on how to enable self-service password reset in your Azure AD tenant, see the Microsoft Azure AD documentation.
To log in to the Azure portal after a user restore when an email address was specified as the authentication method for the password reset option
- Go to the Azure portal and enter the user name.
- On the Enter password screen, click Forgot my password.
- On the Get back into your account screen, type the user name and prove that you are not a robot by entering the characters you see on the screen, and then select Next.
- On the next screen, select Email my alternate email, and then select Email.
- Type the verification code from the email into the box, and then select Next.
- Type and confirm your new password, and then select Finish. Your password has been reset and can be used to log in to the Azure portal.
- Log in with the new password.
- If the Converged service is not enabled in your environment, you may then be asked to verify your email address. You can click Cancel and verify the email address later.
- If the Converged service is enabled, no further action is required.
Integration with Recovery Manager for Active Directory
On Demand Recovery can be integrated with Recovery Manager for Active Directory 9.0 or higher to restore and undelete on-premises objects that are synchronized with the cloud by Azure AD Connect. The following figure illustrates the hybrid restore process.
Figure 1: Hybrid Restore Operation Flow Diagram
- All attributes that can be modified through the Azure AD Graph API are treated as cloud attributes and are restored in the first step, for example assignedLicense, usageLocation, and membership in cloud groups.
- Before the on-premises restore, On Demand Recovery also restores users from the Recycle Bin or, with the Undelete option, recreates them. After the cloud restore, Azure AD Connect matches these objects by the immutableID attribute, which is restored from the On Demand Recovery backup.
- The on-premises restore is always performed for the member, memberOf, accountEnabled, manager and directReports attributes.
- If the Restore all attributes option is selected in the Restore Objects dialog, the on-premises restore is always performed, even if the cloud restore was successful.
- Groups are always restored after the on-premises restore because, in the case of permanent deletion, On Demand Recovery must wait until Azure AD Connect recreates the group.
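Because the whole hybrid flow hinges on Azure AD Connect matching the restored cloud object to the on-premises account by immutableID, it is worth verifying that mapping before the restore. The following Python is an added example written for this page, not On Demand Recovery's or Quest's code. It relies on the documented Azure AD Connect behaviour that immutableId is the Base64 encoding of the on-premises source anchor (objectGUID, or ms-DS-ConsistencyGuid, which Azure AD Connect seeds from objectGUID) in .NET Guid byte order; the user records and the on-premises GUID table are constructed sample data.

```python
"""Verify that restored cloud users will hard-match their on-premises accounts.

Azure AD Connect sets a synchronized user's immutableId to the Base64 encoding of the
on-premises source anchor (objectGUID, or ms-DS-ConsistencyGuid seeded from objectGUID),
using the .NET Guid byte order: the first three GUID fields are little-endian.
"""
import base64
import uuid


def immutable_id_from_object_guid(object_guid: str) -> str:
    """objectGUID in its text form -> the immutableId Azure AD Connect would write."""
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode("ascii")


def object_guid_from_immutable_id(immutable_id: str) -> str:
    """Reverse mapping; raises ValueError if the value is not a Base64-encoded GUID."""
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError("immutableId does not decode to 16 GUID bytes")
    return str(uuid.UUID(bytes_le=raw))


# Constructed sample data, not taken from any tenant or backup.
CLOUD_USERS_FROM_BACKUP = [
    {"userPrincipalName": "alice@example.com", "immutableId": "Z0UjAauJ780BI0VniavN7w=="},
    {"userPrincipalName": "bob@example.com", "immutableId": "AAAAAAAAAAAAAAAAAAAAAA=="},
    {"userPrincipalName": "carol@example.com", "immutableId": "not-base64!"},
    {"userPrincipalName": "cloudonly@example.com", "immutableId": None},
]
ONPREM_USERS_BY_GUID = {
    "01234567-89ab-cdef-0123-456789abcdef": "CN=Alice,OU=Users,DC=example,DC=com",
}


def match_restored_users(cloud_users, onprem_users_by_guid):
    """Map each UPN to 'matched', 'no-onprem-object', 'invalid-immutableid' or 'cloud-only'."""
    result = {}
    for user in cloud_users:
        upn = user["userPrincipalName"]
        immutable_id = user.get("immutableId")
        if not immutable_id:
            result[upn] = "cloud-only"           # nothing for Azure AD Connect to match
            continue
        try:
            guid = object_guid_from_immutable_id(immutable_id)
        except (ValueError, TypeError):
            result[upn] = "invalid-immutableid"  # would never hard-match; fix before restore
            continue
        result[upn] = "matched" if guid in onprem_users_by_guid else "no-onprem-object"
    return result


if __name__ == "__main__":
    for upn, state in match_restored_users(CLOUD_USERS_FROM_BACKUP, ONPREM_USERS_BY_GUID).items():
        print(f"{upn}: {state}")
```

A "no-onprem-object" result for a synchronized user means the on-premises account is still missing and the on-premises restore (or Undelete) must happen before Azure AD Connect can join the two objects; a "cloud-only" result is the case the note at the end of this section describes.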
- Azure AD tenant that is synchronized with on-premises Active Directory by Azure AD Connect
- Recovery Manager Portal 9.0. If you have Azure AD Connect version 22.214.171.124 or higher, the Recovery Manager Portal 10.1 is required.
The portal can run on any machine in your environment; it is not required to install all Recovery Manager for Active Directory components. To get the latest version of Recovery Manager Portal, go to https://www.quest.com/products/recovery-manager-for-active-directory-forest-edition/.
To configure Recovery Manager Portal to enable integration with cloud
- Connect to the Recovery Manager Portal with your Web browser.
- In the Recovery Manager Portal, open the Configuration tab.
- Expand Portal Settings
- Recommended: Select the Automatically unpack backups for restore operations option to automatically unpack the required backup. If the option is not selected, the restore operation may fail because the backup was not unpacked or was removed due to retention policies for the unpack operation. For more details, see the Recovery Manager for Active Directory User Guide.
- Click On Demand integration. In the On Demand integration dialog, select the Enable integration check box and specify the Relay URL and credentials. To get these parameters, go to On Demand Recovery and perform the following steps:
- On the Dashboard screen, click Configure hybrid connection.
- In the Configure hybrid connection dialog, click Download hybrid credentials to download a configuration file with Relay credentials.
- When a customer does not want to configure a hybrid connection with Quest Recovery Manager for Active Directory, the corresponding connection error events can be deactivated by changing their severity from Error to Info. To do this, clear the Show hybrid restore errors if hybrid connection is not configured check box.
- Save the file to the folder of your choice.
- Go back to the On Demand integration dialog, click Choose file and select the configuration file. For security reasons, delete this file from your computer once the credentials have been entered in the Recovery Manager Portal, because it contains the Relay credentials.
Note: Azure AD Connect synchronization runs automatically after the restore operation, but On Demand Recovery can also force synchronization cycles; for this it requires credentials for the machine where Azure AD Connect is installed.
- Specify Azure AD Connect host name and credentials. If Azure AD Connect and Recovery Manager Portal are installed on the same machine, leave the fields blank.
Note: You may get an error related to the proxy settings while configuring integration with On Demand Recovery. To resolve this issue, perform the following actions:
- Open the Recovery Manager Portal configuration file %ProgramFiles%\Quest\Recovery Manager Portal\EnterprisePortalSettings.xml.
- Set the UseDefaultSystemProxy parameter to False and check that ProxyAddress has the correct value.
- If UseDefaultSystemProxy is set to False and ProxyAddress is specified, the value of ProxyAddress will be used as a proxy server address.
- If UseDefaultSystemProxy is set to False and ProxyAddress is not specified, the direct connection will be used.
- If UseDefaultSystemProxy is set to True and ProxyAddress is specified or has no value, the proxy server specified for your browser will be used.
- Make sure that the URI contains the protocol prefix and the port number, for example http://localhost:8080/.
- Restart the Recovery Manager Portal service.
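The resolution rules and the URI check in the steps above are easy to get wrong by hand (a single slash after http: is the classic mistake, and it silently yields an empty host). The following Python is an added example written for this page, not part of the Recovery Manager Portal; it takes the two setting values as arguments rather than parsing EnterprisePortalSettings.xml, whose exact layout is not shown here, and the proxy addresses used are constructed.

```python
"""Work out which proxy the Recovery Manager Portal will use from UseDefaultSystemProxy
and ProxyAddress, and sanity-check a ProxyAddress value before restarting the service."""
from urllib.parse import urlparse


def validate_proxy_uri(uri):
    """Return None if the URI is usable, otherwise the reason it is not.
    A usable value has a protocol prefix, a host and an explicit port."""
    parsed = urlparse(uri or "")
    if parsed.scheme not in ("http", "https"):
        return "missing or unsupported protocol prefix"
    if not parsed.hostname:
        # 'http:/host:8080/' (one slash) parses with an empty host: a common typo.
        return "missing host (check for 'http:/' instead of 'http://')"
    try:
        port = parsed.port          # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return "port is not a valid number"
    if port is None:
        return "missing port number"
    return None


def effective_proxy(use_default_system_proxy, proxy_address, system_proxy):
    """Apply the resolution rules: return the proxy URI, or None for a direct connection."""
    if use_default_system_proxy:
        return system_proxy or None      # browser/system proxy wins, whatever ProxyAddress says
    return proxy_address or None         # explicit ProxyAddress, otherwise a direct connection


if __name__ == "__main__":
    for candidate in ("http://localhost:8080/", "http:/localhost:8080/", "http://proxy.example.com/"):
        print(candidate, "->", validate_proxy_uri(candidate) or "ok")
    print(effective_proxy(False, "http://localhost:8080/", "http://sysproxy.example.com:3128/"))
```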
For more information about integration with Recovery Manager for Active Directory, see Integration with On Demand Recovery.
What can be restored in hybrid configuration
- On-premises groups
- User licenses (e.g. Office 365 licenses and assignedLicenses property for cloud users) and cloud group membership
- Deleted on-premises users and groups
- Service principals' appRoleAssignments to on-premises users
- appRoleAssignments to non-Office groups (used for SSO and App Roles)
- Directory roles: Global administrator, Exchange administrator, Compliance administrator
- Other cloud-only properties: such as Block sign in, Authentication contact information, Minors and Consent
- Multi-factor authentication (MFA) settings if a customer uses cloud MFA
- Azure application custom attributes (schema extension attributes)
- Conditional access policies
- Inactive mailboxes of permanently deleted users; the Federated Domain scenario is also supported.
- To restore on-premises objects, On Demand Recovery uses attribute values from the RMAD backup that is closest in time to, but older than, the cloud backup unpacked in the On Demand Recovery user interface. If the closest on-premises backup is more than 24 hours older than the cloud backup, a warning message is shown.
By default, the search of the closest in time on-premises backup is performed among the backups that were unpacked in Recovery Manager Portal. You can use the Automatically unpack backups for restore operations option on Portal Settings of the Configuration tab in the Recovery Manager Portal – in this case, the on-premises backup will be unpacked automatically during the restore operation.
- On Demand Recovery shows only on-premises attributes synchronized with the cloud and cloud-only attributes for the selected object when you click Browse in the Restore Objects dialog. On-premises only attributes are not included in this list. To restore on-premises only attributes, you must select the Restore all attributes option in the Restore Objects dialog.
- After the hybrid restore operation, On Demand Recovery forces Azure AD Connect synchronization to push on-premises changes to the cloud and waits until the synchronization completes. Restore events can be used to track the steps of Azure AD Connect synchronization, such as export and import.
- To restore 'member' or 'memberOf' attributes for an object, restore the group from the Unpacked Objects view. Restoring of group memberships from the Differences report is not supported in hybrid environments.
- Hybrid restore from the Differences report uses attribute values from the on-premises backup. These values may be different from the corresponding values shown in the Differences report.
- On Demand Recovery supports one hybrid connection per On Demand organization. If you need to manage multiple hybrid tenants, create a separate On Demand organization for each Hybrid Azure AD tenant.
- One instance of Recovery Manager Portal can be used with one Azure AD tenant and one Azure AD Connect server. Install multiple RMAD web portals if you need to work with multiple Azure AD tenants and Azure AD connect servers.
- On Demand Recovery restores Back Link attributes: 'memberOf' (the back link for the 'member' attribute) and 'directReports' (the back link for the 'manager' attribute). These attributes can be selected along with all other attributes when you click Browse in the Restore Objects dialog.
- A separate Microsoft Azure Relay is used for each hybrid connection (one per On Demand organization): On Demand Recovery creates one WCF Relay per On Demand organization. No changes to on-premises firewall settings are required.
- Delegation settings specified in Recovery Manager Portal are not applied in the hybrid configuration, so On Demand Recovery users can restore objects from all on-premises domains and forests that are synchronized with the Azure AD tenant. Also, in Recovery Manager Portal, you need to add domain controllers for every domain that will be restored and specify the account under which the restore operation will be performed. For more details, see the Administering Recovery Manager Portal section of the Recovery Manager for Active Directory User Guide.
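The backup-selection rule in the list above (closest on-premises backup that is still older than the cloud backup, chosen only among unpacked backups unless automatic unpacking is enabled, with a warning beyond 24 hours) determines which attribute values a hybrid restore will write, so it is useful to be able to predict it from your backup catalogue. The following Python is an added example written for this page, not Quest code; the backup catalogue is constructed, and the behaviour when no older on-premises backup exists is this example's assumption, not something the page specifies.

```python
"""Pick the on-premises (RMAD) backup a hybrid restore would use for a given cloud backup:
the newest one that is still older than the cloud backup, considering only unpacked backups
unless automatic unpacking is enabled, and warn when it is more than 24 hours older."""
from datetime import datetime, timedelta, timezone

WARN_IF_OLDER_THAN = timedelta(hours=24)


def utc(year, month, day, hour):
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


# Constructed catalogue of on-premises backups, not real data.
ONPREM_BACKUPS = [
    {"name": "rmad-2024-05-08", "time": utc(2024, 5, 8, 11), "unpacked": True},
    {"name": "rmad-2024-05-09", "time": utc(2024, 5, 9, 13), "unpacked": False},
    {"name": "rmad-2024-05-10", "time": utc(2024, 5, 10, 13), "unpacked": True},  # newer than cloud
]
CLOUD_BACKUP_TIME = utc(2024, 5, 10, 12)


def pick_onprem_backup(cloud_backup_time, backups, auto_unpack=False):
    """Return (backup or None, warning or None)."""
    candidates = [
        b for b in backups
        if b["time"] < cloud_backup_time and (auto_unpack or b["unpacked"])
    ]
    if not candidates:
        # Assumption of this example: nothing usable means the restore cannot proceed.
        return None, "no on-premises backup older than the cloud backup is available"
    chosen = max(candidates, key=lambda b: b["time"])
    gap = cloud_backup_time - chosen["time"]
    warning = None
    if gap > WARN_IF_OLDER_THAN:
        warning = f"closest on-premises backup is {gap} older than the cloud backup"
    return chosen, warning


if __name__ == "__main__":
    for auto_unpack in (False, True):
        backup, warning = pick_onprem_backup(CLOUD_BACKUP_TIME, ONPREM_BACKUPS, auto_unpack)
        print(f"auto_unpack={auto_unpack}: {backup and backup['name']} ({warning or 'ok'})")
```

In the constructed catalogue the only unpacked backup older than the cloud backup is 49 hours old, so without automatic unpacking the restore would use it and warn; with Automatically unpack backups for restore operations enabled the 23-hour-old packed backup is chosen instead and no warning is raised.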
To perform a restore operation in On Demand Recovery
- Unpack a backup.
- Go to the Objects screen and select on-premises objects to restore.
- Click Restore.
- In the Restore Objects dialog, if you select the Restore all attributes option, On Demand Recovery will restore all on-premises attributes and cloud-only attributes from the backup.
- You can perform the restore of on-premises objects from the Differences report as well.
Note: You can restore a hybrid user using only On Demand Recovery, without configuring a hybrid connection. In this case, do not forget to clear the Show hybrid restore errors if hybrid connection is not configured check box in the Configure hybrid connection dialog. If the hybrid connection is not configured, On Demand Recovery restores a cloud user and their cloud attributes without an on-premises user. For more information, see How does On Demand Recovery handle object attributes? This scenario does not work for Federated Domains. For details, see Working with inactive mailboxes.