Introduction
Managing information system security is a priority for every organization. In fact, the level of security provided by software vendors has become a differentiating factor for IT purchase decisions. Quest Software strives to meet standards designed to provide its customers with their desired level of security, whether it relates to privacy, authenticity and integrity of data, availability, or protection against malicious users and attacks.
This document describes the security features of On Demand Recovery. This includes access control, protection of customer data, secure network communication, and more.
About On Demand Recovery
The On Demand Recovery cloud application automatically backs up Microsoft Entra ID and Microsoft 365 users, groups, service principals, device information, conditional access policies, and navigation properties, and lets you selectively restore deleted or damaged data.
Figure 1: On Demand Recovery overview
On Demand Recovery offers:
- Back up Microsoft Entra ID and Microsoft 365 users, groups, service principals, device information, conditional access policies, and navigation properties - On Demand Recovery automatically backs up a directory on a regular basis.
- Granular, selective restore – Objects can be selected in a backup and then restored to Microsoft Entra ID or Microsoft 365 without affecting other objects or attributes.
- Restore users from the Recycle Bin - Restore or recreate users that were inadvertently moved to the Recycle Bin.
- Cloud solution - On Demand Recovery does not require that you install or maintain any additional software. Backup snapshots are stored in the cloud.
Architecture overview
The following diagram shows the key components of the On Demand Recovery configuration.
Figure 2: Main architecture diagram
Figure 3: Hybrid restore components diagram
Table 1: On Demand Recovery and Recovery Manager for Active Directory ports and protocols
HTTPS | 443 (TCP/UDP) | Outbound
Hybrid configuration with Recovery Manager for Active Directory requires only outbound TCP/UDP port 443 to be opened on the Recovery Manager Portal server to access the internet. If the Recovery Manager Portal server already has access to the internet, you do not need to change the firewall configuration.
If you do not want to open all outbound IP addresses and your firewall or proxy lets you specify a DNS allow list, you can add connections to <your name space>.servicebus.windows.net to your allow list.
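One way to check a proxy or firewall log against that allow list, shown as an added example that is not part of the original guide or of Quest's software. It assumes a constructed `CONNECT host:port` log format and a hypothetical namespace `contoso-rmad`, and treats the namespace host on port 443 as the only expected destination for the hybrid connection.

```python
# Added example: audit proxy CONNECT logs against a one-namespace allow list.
# The log format, the namespace "contoso-rmad" and all hosts are constructed.
SERVICE_BUS_SUFFIX = "servicebus.windows.net"
ALLOWED_PORT = 443  # the only outbound port the hybrid configuration needs


def normalize_host(host):
    """DNS names are case-insensitive; a trailing dot only marks an FQDN."""
    return host.strip().rstrip(".").lower()


def classify(host, port, namespace):
    """Return 'allowed' or the reason a destination falls outside the list."""
    expected = f"{normalize_host(namespace)}.{SERVICE_BUS_SUFFIX}"
    name = normalize_host(host)
    if name == expected:
        return "allowed" if port == ALLOWED_PORT else "unexpected port"
    if name.endswith("." + SERVICE_BUS_SUFFIX):
        return "other Service Bus namespace"
    return "host not on allow list"


def audit(log_text, namespace):
    """Return (destination, reason) for every line that is not allowed."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        try:
            host, port_text = fields[-1].rsplit(":", 1)
            reason = classify(host, int(port_text), namespace)
        except ValueError:
            findings.append((line.strip(), "unparseable line"))
            continue
        if reason != "allowed":
            findings.append((fields[-1], reason))
    return findings


SAMPLE_LOG = """\
2024-05-01T08:00:01Z CONNECT contoso-rmad.servicebus.windows.net:443
2024-05-01T08:00:02Z CONNECT Contoso-RMAD.ServiceBus.Windows.Net.:443
2024-05-01T08:00:03Z CONNECT other-ns.servicebus.windows.net:443
2024-05-01T08:00:04Z CONNECT contoso-rmad.servicebus.windows.net.example.test:443
2024-05-01T08:00:05Z CONNECT contoso-rmad.servicebus.windows.net:5671
"""

if __name__ == "__main__":
    for destination, reason in audit(SAMPLE_LOG, "contoso-rmad"):
        print(f"{reason}: {destination}")
```

The match is on the full normalized host name rather than on a substring or prefix, so a name that merely begins with the allowed host is reported instead of passing.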
Figure 4: Hybrid restore operation flow diagram
- All attributes that can be modified by Microsoft Graph API are considered cloud attributes and are restored in the first step. For example, assignedLicense, usageLicense, and membership in cloud groups.
- On Demand Recovery also restores users from the Recycle Bin or recreates them before the on-premises restore with the Undelete option. Microsoft Entra Connect matches these objects after the cloud restore using the immutableID attribute, which is restored from the On Demand Recovery backup.
- On-premises restore is always performed for member, memberOf, accountEnabled, manager, and directReports attributes.
- If the Restore all attributes option is selected in the Restore Objects dialog, we always perform the on-premises restore even if the cloud restore was successful.
- Groups are always restored after the on-premises restore, because in case of permanent deletion, On Demand Recovery needs to wait until a group is recreated by Microsoft Entra Connect.
Azure datacenter security
Microsoft Azure datacenters have the highest possible physical security and are considered among the most secure and well protected datacenters in the world. They are subject to regular audits and certifications including Service Organization Controls (SOC) 1, SOC 2 and ISO/IEC 27001:2005.
Relevant references with additional information about the Windows Azure datacenter security can be found here: