Backup and Restore of Conditional Access Policies
Backup and Restore of Conditional Access Policies
On Demand Recovery supports backing up and restoring conditional access policies in cloud-only and hybrid environments.
Note: On Demand Recovery does not restore the conditional access policy "Baseline policy: Require MFA for admins".
Backing up conditional access policies is not enabled by default. You must select this option when configuring backup options.
To backup conditional access policies
- Click Manage backups on the Dashboard screen.
- Select the tenant from the list and click Edit.
The Configure backup dialog opens.
- Select the Backup MFA settings, conditional access policies and data related to inactive mailboxes option and specify service account credentials for the tenant. The specified account must have the following permissions:
- The specified account must have at least one of the following roles in the Azure portal for backup operations; Exchange administrator or User administrator.
- To restore conditional access polices, the account must be a member of Company administrator or Conditional access administrator Azure AD role.
- Click Save.
If a backup contains conditional policies, the Objects view will show the following types of objects:
- Conditional Access Policy
- Named Locations
On Demand Recovery restores the whole policy object and does not detail which attribute has been restored in the Differences report. When restoring permanently deleted objects that are assigned to the conditional access policy, the policy settings are updated as well.
On Demand Recovery checks whether objects (users, groups, named locations) assigned to the policy exist in Azure Active Directory. If any objects are missing, the policy is restored but an error is shown.
Integration with Recovery Manager for Active Directory
Integration with Recovery Manager for Active Directory
On Demand Recovery can be integrated with Recovery Manager for Active Directory 9.0 or higher to restore and undelete on-premises objects that are synchronized with cloud by Azure AD Connect. The following figure illustrates the hybrid restore process.
Figure 1: Hybrid Restore Operation Flow Diagram
- All attributes that can be modified by Azure AD Graph API are considered as cloud attributes and restored on the first step. For example: assignedLicense, usageLocation, membership in cloud groups.
- On Demand Recovery also restores users from the Recycle Bin or recreates them before the on-premises restore with the Undelete option. Azure AD Connect matches these objects after the cloud restore by the immutableID attribute which is restored from the On Demand Recovery backup.
- On-premises restore is always performed for member, memberOf, accountEnabled, manager and directReports attributes.
- If the Restore all attributes option is selected in the Restore Objects dialog, we always perform the on-pemises restore even if the cloud restore was successful.
- Groups are restored always after the on-premises restore, because in case of permanent deletion, On Demand Recovery needs to wait until a group is recreated by Azure AD Connect.
- Azure AD tenant that is synchronized with on-premises Active Directory by Azure AD Connect
- Recovery Manager Portal 9.0. If you have Azure AD Connect version 126.96.36.199 or higher, the Recovery Manager Portal 10.1 is required.
The portal can be run in any machine in your environment. It is not required to install all Recovery Manager for Active Directory components. To get the latest version of Recovery Manager Portal, go to https://www.quest.com/products/recovery-manager-for-active-directory-forest-edition/.
To configure Recovery Manager Portal to enable integration with cloud
- Connect to the Recovery Manager Portal with your Web browser.
- In the Recovery Manager Portal, open the Configuration tab.
- Expand Portal Settings
- Recommended: Select the Automatically unpack backups for restore operations option to automatically unpack the required backup. If the option is not selected, the restore operation may fail because the backup was not unpacked or was removed due to retention policies for the unpack operation. For more details, see the Recovery Manager for Active Directory User Guide.
- Click On Demand integration. In the On Demand integration dialog, select the Enable integration check box and specify the Relay URL and credentials. To get these parameters, go to On Demand Recovery and perform the following steps:
- On the Dashboard screen, click Configure hybrid connection.
- In the Configure hybrid connection dialog, click Download hybrid credentials to download a configuration file with Relay credentials.
- When a customer does not want to configure a hybrid connection with Quest Recovery Manager for Active Directory, the corresponding connection error events can be deactivated by changing their severity from Error to Info. To do this, clear the Show hybrid restore errors if hybrid connection is not configured check box.
- Save the file to the folder of your choice.
- Go back to the On Demand integration dialog, click Choose file and select the configuration file. For security reasons, you should remove this file from your computer after the credentials will be specified in the Recovery Manager Portal.
Note: Azure AD Connect synchronization occurs automatically after the restore operation. But On Demand Recovery has the ability to force synchronization cycles and requires credentials for the machine where Azure AD Connect is installed.
- Specify Azure AD Connect host name and credentials. If Azure AD Connect and Recovery Manager Portal are installed on the same machine, leave the fields blank.
Note: You may get an error related to the proxy settings while configuring integration with On Demand Recovery. To resolve this issue, perform the following actions:
- Open the Recovery Manager Portal configuration file %Program Files%\Quest\Recovery Manager Portal\EnterprisePortalSettings.xml.
- Set the UseDefaultSystemProxy parameter to False and check that ProxyAddress has the correct value.
- If UseDefaultSystemProxy is set to False and ProxyAddress is specified, the value of ProxyAddress will be used as a proxy server address.
- If UseDefaultSystemProxy is set to False and ProxyAddress is not specified, the direct connection will be used.
- If UseDefaultSystemProxy is set to True and ProxyAddress is specified or has no value, the proxy server specified for your browser will be used.
- Make sure that URI contains the protocol prefix and the port number, e.g. http:/localhost:8080/.
- Restart the Recovery Manager Portal service.
For more information about integration with Recovery Manager for Active Directory, see Integration with On Demand Recovery.
What can be restored in hybrid configuration
- On-premises groups
- User licenses (e.g. Office 365 licenses and assignedLicenses property for cloud users) and cloud group membership
- Deleted on-premises users and groups
- Service principals' appRoleAssignments to on-premises users
- appRoleAssignments to non-Office groups (used for SSO and App Roles)
- Directory roles: Global administrator, Exchange administrator, Compliance administrator
- Other cloud-only properties: such as Block sign in, Authentication contact information, Minors and Consent
- Multi-factor authentication (MFA) settings if a customer uses cloud MFA
- Azure application custom attributes (schema extension attributes)
- Conditional access policies
- Inactive mailboxes of permanently deleted users; the Federated Domain scenario is also supported.
- To restore on-premises objects, On Demand Recovery uses attribute values from the RMAD backup that is closest in time but older than the cloud backup unpacked in the On Demand Recovery user interface. If the closest on-premises backup is 24 hours older than the cloud backup, you will receive the warning message.
By default, the search of the closest in time on-premises backup is performed among the backups that were unpacked in Recovery Manager Portal. You can use the Automatically unpack backups for restore operations option on Portal Settings of the Configuration tab in the Recovery Manager Portal – in this case, the on-premises backup will be unpacked automatically during the restore operation.
- On Demand Recovery shows only on-premises attributes synchronized with the cloud and cloud-only attributes for the selected object when you click Browse in the Restore Objects dialog. On-premises only attributes are not included in this list. To restore on-premises only attributes, you must select the Restore all attributes option in the Restore Objects dialog.
- After the hybrid restore operation, On Demand Recovery forces Azure AD Connect synchronization to push on-premises changes to the cloud and wait until it completes the synchronization. Restore events can be used to track steps of Azure AD Connect synchronization, such as export and import.
- To restore 'member' or 'memberOf' attributes for an object, restore the group from the Unpacked Objects view. Restoring of group memberships from the Differences report is not supported in hybrid environments.
- Hybrid restore from the Differences report uses attribute values from the on-premises backup. These values may be different from the corresponding values shown in the Differences report.
- On Demand Recovery supports one hybrid connection per On Demand organization. If you need to manage multiple hybrid tenants, create a separate On Demand organization for each Hybrid Azure AD tenant.
- One instance of Recovery Manager Portal can be used with one Azure AD tenant and one Azure AD Connect server. Install multiple RMAD web portals if you need to work with multiple Azure AD tenants and Azure AD connect servers.
- On Demand Recovery restores Back Link attributes: 'memberOf' (the back link for the 'member' attribute) and 'directReports' (the back link for the 'manager' attribute). These attributes can be selected along with all other attributes when you click Browse in the Restore Objects dialog.
- Separate Microsoft Azure Relay service is used for each hybrid connection (one per On Demand organization). On Demand Recovery creates WCF Relay per On Demand organization. No changes to On-Premises Firewall settings are required.
- Delegation settings specified in Recovery Manager Portal are not applied in the hybrid configuration, so On Demand Recovery users can restore objects from all on-premises domains and forests that are synchronized with the Azure AD tenant. Also, in Recovery Manager Portal, you need to add domain controllers for every domain that will be restored and specify the account under which the restore operation will be performed. For more details, see the Administering Recovery Manager Portal section of the Recovery Manager for Active Directory User Guide.
To perform a restore operation in On Demand Recovery
- Unpack a backup.
- Go to the Objects screen and select on-premises objects to restore.
- Click Restore.
- In the Restore Objects dialog, if you select the Restore all attributes option, On Demand Recovery will restore all on-premises attributes and cloud-only attributes from the backup.
- You can perform the restore of on-premises objects from the Differences report as well.
||NOTE: You can restore a hybrid user using only On Demand Recovery without configuring a hybrid connection. In this case, do not forget to clear the Show hybrid restore errors if hybrid connection is not configured check box in the Configure hybrid connection dialog. If the hybrid connection is not configured, On Demand Recovery restores a cloud user and their cloud attributes without an on-premises user. For more information, see How does On Demand Recoveryhandle object attributes? This scenario does not work for Federated Domains. For details, see Working with inactive mailboxes.|
Limitations when a hybrid connection is not configured
On Demand Recovery can restore cloud-only users and groups without a configured Recovery Manager for Active Directory hybrid connection. If a hybrid connection is not configured intentionally or Recovery Manager for Active Directory is not installed yet, recovery features for hybrid users and groups are limited. As a result, the following errors will occur: "Cloud restore was interrupted due to failed restore of the on-premise object" and "A hybrid connection is required to complete the restore of the on-premises attributes with RMAD".
- If a hybrid user is permanently deleted, On Demand Recovery will create a cloud object with cloud properties, including on-premises values, but actual values will be taken from the cloud backup, such as user surname, office, etc. If a hybrid user is recreated in the on-premises Active Directory by Recovery Manager for Active Directory or by any other on-premises recovery solution, this user object will be automatically synchronized by Azure AD Connect resulting in the full recovery of the hybrid user. If a hybrid user is not recreated, on-premises attributes will be missing, for example, on-premises groups membership, etc.
- If On Demand Recovery tries to restore a hybrid user that has not been deleted but has modified on-premises attributes, the task will fail with the following error: "Cannot restore attribute". This error occurs due to the "Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing a migration" error. In this case, On Demand Recovery will show changes in the Difference report correctly, but will not be able to restore them.
- For a non-deleted hybrid group (modified in the cloud), cloud attributes such as licenses or assigned Enterprise applications can be restored. On Demand Recovery cannot restore a permanently deleted hybrid group that was synchronized by Azure AD Connect, so the error that Recovery Manager for Active Directory configuration is needed will be shown in the case of restoring of the permanently deleted group.
Hybrid connection widget
The Hybrid connection widget on the Dashboard screen shows issues with the hybrid connection. The widget state is synchronized automatically every time the page is updated.
When a customer does not want to configure a hybrid connection with Quest Recovery Manager for Active Directory, the corresponding connection error events can be deactivated by changing their severity from Error to Info. To do this, clear the Show hybrid restore errors if hybrid connection is not configured check box in the Configure hybrid connection dialog. For details, see Integration with Recovery Manager for Active Directory.
The widget has the following three states:
- If the hybrid connection is properly configured and works fine, the widget is green.
- If the hybrid connection is not configured because you do not need it, the widget is grey and advises you to configure the connection. In this case, the Show hybrid restore errors if hybrid connection is not configured check box is not selected in the Configure hybrid connection dialog.
- If the hybrid connection is not configured and the Show hybrid restore errors if hybrid connection is not configured check box is selected in the Configure hybrid connection dialog, the widget is yellow and has a warning sign.