You can refine your search for the report data by using search expressions. To perform a keyword search in a specified column, use the internal name of the column instead of the column display name, in the form <internal column name>:<search term or expression>. For a list of internal column names and string examples, see the tables below.
Table 6: Unpacked Objects screen
Name | displayName | An object by object name | displayName:SamJones
Type | objectType | An object by object type | objectType:user
Backup Date | backupDate | An object by the specified backup date/time | backupDate:[2017-06-27]
Directory | tenant | An object by directory name | tenant:demo365
Principal Name | userPrincipalName | An object by principal name | userPrincipalName:Sam.Jones@mycompany.com
Mail | mail | An object by mail address | mail:Sam.Jones@mycompany.com
City | city | An object by city | city:London
Department | department | An object by department | department:Sales
Job Title | jobTitle | An object by job title | jobTitle:manager
Description | description | An object using keywords in the object descriptions | description:Sales
User Type | userType | An object by user type | userType:new
Telephone Number | telephoneNumber | An object by telephone number | telephoneNumber:44658
Table 7: Differences screen
Name | objectName | Changes related to a specified object name | objectName:SamThomas*
Change | changeType | Objects by change type | changeType:"Object hard deleted"
Object Type | objectType | Objects by object type | objectType:User
Attribute | changedAttribute | Changes related to a specific attribute | changedAttribute:link
Difference | oldValue | Search by old attribute value (value before the change) | oldValue:User1@mycompany.com
Difference | newValue | Search by new attribute value (value after the change) | newValue:User1@gmail.com
Backup time | backupDate | Search by the specified backup date/time | backupDate:[2017-06-27]
Table 8: Events screen
Time | timestamp | Specified timestamp | timestamp:NormanThomas*
Description | message | Keywords in event descriptions | message:"Object attributes were restored"
Object Name | object.name | Objects by an object name | object.name:User
Task Name | task.name | Specified task | task.name:"Restore objects"
Table 9: Tasks screen
Title | name | A task by task name | name:"restore objects"
State | status | A task by task status | status:completed
Type | type | A task by task type | type:restore
Modified | modified | A task by the date when the task was modified | modified:[2017-06-26]
Created | created | A task by the date when the task was created | created:[2017-06-27]
Operation | lastResultDescription | Keywords in the operation description | lastResultDescription:unpack*
How does On Demand Recovery handle object attributes?
The following tables detail attributes that are restored by On Demand Recovery.
Table 10: Azure Users general attributes
Users are the representation of an Azure Active Directory (Azure AD) work or school user account.
The lists below include all supported Azure user attributes that can be restored by On Demand Recovery.
accountEnabled | True if the account is enabled; otherwise, False.
ageGroup | The age group of the user.
appRoleAssignment | Used to record when a user is assigned an app role for an app.
assignedLicenses | The licenses that are assigned to the user. NOTE: See the Assigned Licenses and Plans list below for detailed information on this complex attribute.
businessPhones | The telephone numbers for the user.
city | The city in which the user is located.
companyName | The company name with which the user is associated.
consentProvidedForMinor | Sets whether consent has been obtained for minors.
country | The country/region in which the user is located.
department | The name of the department in which the user works.
directReports | This attribute contains the list of users that directly report to the user.
displayName | The name displayed in the address book for the user.
employeeId | The employee identifier assigned to the user by the organization.
faxNumber | The fax number of the user.
First Name | The given name (first name) of the user.
identities | Represents the identities that can be used to sign in to this user account.
jobTitle | The user's job title.
Last Name | The user's surname (family name or last name).
mail | The SMTP address for the user.
mailNickname | The mail alias for the user.
memberOf (Directory Role) | The directory roles that the user is a member of.
memberOf (Groups) | The groups that the user is a member of.
MFAState | Identifies multifactor authentication state for the user. NOTE: See the Multifactor Authentication list below for detailed information on this complex attribute.
mobilePhone | The primary cellular telephone number for the user.
officeLocation | The office location in the user's place of business.
otherMails | A list of additional email addresses for the user.
ownedDevices | Devices that are owned by the user.
ownedObjects | Get the list of directory objects that are owned by the user.
passwordPolicies | Specifies password policies for the user.
postalCode | The postal code for the user's postal address.
registeredDevices | Devices that are registered for the user.
roles | Specifies administrator roles assigned to a user.
signInNames (B2C only) | The list of sign in names for the user.
state | The state or province in the user's address.
streetAddress | The street address of the user's place of business.
usageLocation | A two letter country code (ISO standard 3166).
userPrincipalName | The user principal name (UPN) of the user.
userType | A string value that can be used to classify user types in your directory, such as “Member” and “Guest”.
Table 11: Assigned Licenses and Plans (Azure Users) attributes
In Azure AD, licenses and plans are assigned to users to give them access. Licenses and plans can be assigned and unassigned.
When the complex attribute 'assignedLicenses' is selected for restore, the following attributes will also be restored. Individual attributes cannot be selected and are all restored together.
assignedDateTime (Assigned Plans) | The date and time at which the plan was assigned.
capabilityStatus (Assigned Plans) | Condition of the capability assignment.
disabledPlans | A collection of the unique identifiers for plans that have been disabled.
licenseAssignmentStates | State of license assignments for this user.
service (Assigned Plans) | The name of the service to activate.
servicePlanId (Assigned Plans) | The plan identifier of the service plan to activate.
skuId | The unique identifier for the SKU.
state | Indicates the current state of this assignment.
Table 12: Multifactor Authentication (Azure Users) attributes
To secure user sign-in events in Azure AD, multifactor authentication can be enabled on user accounts.
When the complex attribute 'MFAState' is selected for restore, the following attributes will also be restored. Individual attributes cannot be selected and are all restored together.
AlternateEmailAddresses | This attribute is used to get Alternate Authentication Email.
mobilePhone | This attribute is used to get Mobile Phone.
phoneNumber | This attribute is used to get Office Phone.
StrongAuthenticationMethods | This attribute is used to get Authentication Methods and Default Authentication Method.
StrongAuthenticationPhoneAppDetails | This attribute is used to get Authentication Phone Details.
StrongAuthenticationRequirements | This attribute is used to get Authentication Requirement State.
StrongAuthenticationUserDetails | This attribute is used to get Authentication Phone, Authentication Email, and Alternate Authentication Phone.
Table 13: Hybrid User (Azure Users) attributes
onPremisesDistinguishedName | Contains the on-premises Active Directory distinguished name or DN.
onPremisesDomainName | Contains the on-premises domainFQDN, also called dnsDomainName synchronized from the on-premises directory.
onPremisesExtensionAttributes | Contains extensionAttributes 1-15 for the user.
onPremisesSamAccountName | Contains the on-premises samAccountName synchronized from the on-premises directory.
Table 14: Azure Groups general attributes
The lists below include all supported Azure group attributes that can be restored by On Demand Recovery.
appRoleAssignments | Applications that the service principal is assigned to.
assignedLicenses | The licenses that are assigned to the group. NOTE: See the Assigned Licenses and Plans list below for detailed information on this complex attribute.
description | An optional description for the group.
displayName | The display name for the group.
expirationDateTime | Timestamp of when the group is set to expire.
groupTypes | Specifies the group type and its membership.
mail | The SMTP address for the group.
mailEnabled | Specifies whether the group is mail-enabled.
mailNickname | The mail alias for the group.
members (Enterprise Applications/Service Principals) | Enterprise Applications/Service Principals members of this group.
members (Groups and Directory Roles) | Groups and Directory Role members of this group.
members (Users) | Users of this group.
membershipRule | The rule that determines members for this group if the group is a dynamic group.
membershipRuleProcessingState | Indicates whether the dynamic membership processing is on or paused.
membersOf | Members of the group.
owners | The owners of the group.
preferredDataLocation | The preferred data location for the group.
securityEnabled | Specifies whether the group is a security group.
theme | Specifies a Microsoft 365 group's color theme.
visibility | Specifies the visibility of a Microsoft 365 group.
Table 15: Assigned Licenses and Plans (Azure Groups) attributes
Groups can be used in Azure AD to assign licenses and plans to large numbers of users or to assign user access to deployed enterprise applications. When a user becomes a member of a group, they are automatically assigned the appropriate licenses.
When the complex attribute 'assignedLicenses' is selected to be restored, the following attributes will also be restored. Individual attributes cannot be selected and are all restored together.
disabledPlans | A collection of the unique identifiers for plans that have been disabled.
skuId | The unique identifier for the SKU.
Table 16: Service Principals (Enterprise Applications) general attributes
The lists below include all supported Enterprise application attributes that can be restored by On Demand Recovery.
accountEnabled | True if the service principal account is enabled; otherwise, False.
alternativeNames | Alternative names of the service principal.
appDisplayName | The display name exposed by the associated application.
displayName | The display name of the service principal.
info | Information on the service principal.
loginUrl | Specifies the URL where the service provider redirects the user to Azure AD to authenticate.
logoUrl | URL to the application's logo.
marketingUrl | Link to the application's marketing page.
owners | The owners are a set of non-admin users or service principals who are allowed to modify this object.
privacyStatementUrl | Link to the application's privacy statement.
supportUrl | Link to the application's support page.
tags | A list of tags associated with the service principal object.
userAttributesAndClaims | The attribute value shows how many attributes/claims were changed. This attribute can be restored if the User Attributes & Claims section was changed or a service principal was permanently deleted.
Table 17: SAML Single Sign-On (SSO) (Service Principals) attributes
SAML Single Sign-On is a mechanism that uses SAML to let users log on to multiple applications after logging in to the identity provider. Because the user must log in only once, SAML SSO provides a faster, seamless user experience.
notificationEmailAddresses | Specifies the list of email addresses where Azure AD sends a notification when the active certificate is near the expiration date.
preferredSingleSignOnMode | Specifies the single sign-on mode configured for this application.
relayState | The relative URI the service provider would redirect to after completion of the single sign-on flow.
samlSingleSignOnSettings | Represents a container for settings related to SAML single sign-on.
Table 18: App Role Assignments (Service Principals) attributes
Azure App Role assignments are used to assign application permissions to users. After a customer signs up to an application, an admin for the Azure AD directory assigns users to the roles, thus giving the user permission to the application. When a user signs in, the user's assigned roles are sent as claims.
appRoleAssignmentRequired | Specifies whether users or other service principals need to be granted an app role assignment for this service principal before users can sign in or apps can get tokens.
displayName (App Role) | Display name for the permission that appears in the app role assignment and consent experiences.
memberOf (Directory Role) | The directory roles that the user is a member of.
memberOf (Groups) | The groups that the user is a member of.
Table 19: Devices general attributes
The list below includes all supported device attributes that can be restored by On Demand Recovery.
accountEnabled | True if the account is enabled; otherwise, False.
approximateLastSignInDateTime | The approximate date and time of the previous sign in of the device.
complianceExpirationDateTime | The timestamp when the device is no longer deemed compliant.
deviceMetadata | Metadata information of the device.
deviceVersion | Version of the device.
displayName | The display name for the device.
isManaged | True if the device is managed by a Mobile Device Management (MDM) app; otherwise, false.
operatingSystem | The type of operating system on the device.
operatingSystemVersion | The version of the operating system on the device.
physicalIds | Physical IDs for the device.
registeredOwners | The user that cloud joined the device or registered their personal device.
registeredUsers | Collection of registered users of the device.
systemLabels | List of labels applied to the device by the system.
Table 20: Applications (Application Registrations) general attributes
The lists below include all supported application registration attributes that can be restored by On Demand Recovery.
acceptMappedClaims | When true, allows an application to use claims mapping without specifying a custom signing key.
api | The API of the application.
displayName | The display name of the application.
groupMembershipClaims | Configures the groups claim issued in a user or OAuth 2.0 access token that the application expects.
identifierUris | The URIs that identify the application within its Azure AD tenant, or within a verified custom domain if the application is multi-tenant.
isFallbackPublicClient | Specifies the fallback application type as public client, such as an installed application running on a mobile device.
knownClientApplications | Used for bundling consent if you have a solution that contains two parts: a client app and a custom web API app.
logoUrl | URL to the application's logo.
marketingUrl | Link to the application's marketing page.
oauth2PermissionsScopes | The definition of the delegated permissions exposed by the web API represented by this application registration.
optionalClaims | Declares the optional claims requested by an application.
preAuthorizedApplications | Lists the client applications that are pre-authorized with the specified delegated permissions to access this application's APIs.
privacyStatementURL | Link to the application's privacy statement.
signInAudience | Specifies the Microsoft accounts that are supported for the current application.
supportUrl | Link to the application's support page.
termsOfServiceUrl | Link to the application's terms of service statement.
Table 21: App Roles (Application Registrations) attributes
Azure Application Roles are used to assign application permissions to users. Application roles are defined by adding them to the application manifest. After a customer signs up to an application, an admin for the Azure AD directory assigns users to the roles, thus giving the user permission to the application. When a user signs in, the user's assigned roles are sent as claims.
allowedMemberTypes | Specifies whether this app role can be assigned to users and groups, to other applications, or both.
appRoles | The collection of roles the application declares.
description | The description for the app role.
displayName | Display name for the permission that appears in the app role assignment and consent experiences.
id | Unique role identifier inside the appRoles collection.
isEnabled | When creating or updating an app role, this must be set to true (which is the default).
value | Specifies the value to include in the roles claim in ID tokens and access tokens authenticating an assigned user or service principal.
Table 22: Conditional Access Policy general attributes
The list below includes all supported Conditional Access Policy attributes that can be restored by On Demand Recovery.
displayName | The display name for the Conditional Access policy.
excludeGroups | Group IDs excluded from scope of policy.
excludeLocations | Locations excluded from scope of policy.
excludePlatforms | Platforms excluded from scope of policy.
excludeRoles | Role IDs excluded from scope of policy.
excludeUsers | User IDs excluded from scope of policy.
grantControls | Specifies the grant controls that must be fulfilled to pass the policy.
includeGroups | Group IDs in scope of policy unless explicitly excluded.
includeLocations | Locations in scope of policy unless explicitly excluded.
includePlatforms | Platforms in scope of policy unless explicitly excluded.
includeRoles | Role IDs in scope of policy unless explicitly excluded.
includeUsers | User IDs in scope of policy unless explicitly excluded.
isEnabled (Application Enforced) | Specifies whether the session control is enabled.
isEnabled (Cloud App Security Session) | Specifies whether the session control is enabled.
isEnabled (Persistent Browser Session) | Specifies whether the session control is enabled.
modifiedDateTime | The date and time the Conditional Access policy was last modified.
policyDetail* | Contains general information about the Conditional Access policy.
policyType | Identifies the policy type. The value for the Conditional Access policy is 18.
state | Specifies the state of the conditionalAccessPolicy object.
Table 23: Application Proxy general attributes
The list below includes all supported Application Proxy attributes that can be restored by On Demand Recovery.
alternateUrl | A user-friendly URL that will point to the traffic manager.
applicationServerTimeout | The duration the connector will wait for a response from the backend application before closing the connection. Possible values are default or long. When set to default, the backend application timeout has a length of 85 seconds. When set to long, the backend timeout is increased to 180 seconds. Use long if your server takes more than 85 seconds to respond to requests or if you are unable to access the application and the error status is "Backend Timeout".
externalAuthenticationType | Details the pre-authentication setting for the application. Pre-authentication enforces that users must authenticate before accessing the app.
externalUrl | The address your users will go to in order to access the app from outside your network.
internalUrl | The URL that you use to access the application from inside your private network.
isBackendCertificateValidationEnabled | Indicates whether backend SSL certificate validation is enabled for the application.
isHttpOnlyCookieEnabled | Indicates if the HTTPOnly cookie flag should be set in the HTTP response headers. Set this value to true to have Application Proxy cookies include the HTTPOnly flag in the HTTP response headers. If using Remote Desktop Services, set this value to False. Default value is False.
isOnPremPublishingEnabled | Indicates if the application is currently being published via Application Proxy or not.
isPersistentCookieEnabled | Indicates if the Persistent cookie flag should be set in the HTTP response headers.
isSecureCookieEnabled | Indicates if the Secure cookie flag should be set in the HTTP response headers. Set this value to true to transmit cookies over a secure channel such as an encrypted HTTP request. Default value is True.
isTranslatedLinksInBodyEnabled | If set to true, translates URLs in body. Keep this value as No unless you have hardcoded HTML links to other on-premises applications and don't use custom domains.
isTranslateHostHeaderEnabled | If set to true, translates URLs in headers. Keep this value as true unless your application requires the original host header in the authentication request.
singleSignOnSettings | Represents the single sign-on configuration for the on-premises application.
useAlternateUrlForTranslationAndRedirect |
Table 24: Connector Group (Application Proxy) attributes
name | Name of the connector group.
region | Region where the connector group is located.
(*) General policy information
State: Enabled or Disabled
Assignments:
- Users and groups for which the policy is applied
- Cloud applications for which the policy is enabled
- Included/excluded locations
- Device platforms
Access controls:
- Block access
- Grant access (require multifactor authentication, compliant device or domain joined device)
On Demand Recovery does not back up passwords. During the restore of permanently deleted users, the application sets a random password that can be changed by the administrator at the next login.