What is not protected by Azure AD Connect in a hybrid environment but can be restored by On Demand Recovery?
Azure AD Connect synchronizes many user and group attributes from on-premises Active Directory to Azure Active Directory, so anything it synchronizes can be repaired from the on-premises side and resynchronized. Cloud-only objects, cloud-only properties, and links to Office 365 resources are never written back to on-premises Active Directory, so Azure AD Connect gives them no protection; they can be restored only with On Demand Recovery. The tables below list these objects and attributes, together with whether Azure AD's own recycle bin (soft delete) keeps a copy of the deleted object and for how long.
Table 25: Types of cloud-only objects restored by On Demand Recovery

| Object type | Description | Azure AD recycle bin (soft-delete retention) |
| --- | --- | --- |
| Guest users | Azure AD business-to-business (B2B) collaboration users, who typically reside in a partner organization and have limited privileges in the inviting directory. | 30 days |
| Office 365 Groups | Groups used for collaboration between users, both inside and outside the company. | 30 days |
| Cloud-only Security Groups | Groups used for granting access to Office and Azure resources. | No |
| Dynamic Security Groups | Security groups with dynamic, rule-based membership. | No |
| Dynamic Office 365 Groups | Office 365 Groups with dynamic, rule-based membership. | 30 days |
| Devices | Device registration records in Azure Active Directory. | No |
| Application Registrations | The application manifest (non-Gallery application manifests are not supported), logo, sign-in and sign-up URLs, and other application information. | 30 days |
| Conditional Access Policies | Azure Active Directory policies used to control user access to cloud applications and resources. | No |
| Named Locations | Named lists of IP prefixes used in Conditional Access Policies. | No |

A value of "No" in the last column means Azure AD hard-deletes the object: there is no recycle bin copy to restore from, so a deleted security group, device, Conditional Access policy, or named location can be recovered only from an external backup. A value of "30 days" means the object is soft-deleted and can be restored from the Azure AD recycle bin within that window; after 30 days it is permanently deleted.
Table 26: User attributes

| Attribute | Description |
| --- | --- |
| Office 365 Mailbox Link | Link to the inactive mailbox that is preserved by Office 365 retention policies. |
| assignedLicenses | Azure and Office 365 licenses assigned to the user (examples: Azure Active Directory Premium P2, Office 365 E3) and the selected license options (examples: Exchange Online (Plan 2), Microsoft Teams, Microsoft Planner, Power BI). |
| memberOf | Membership in cloud groups such as Office 365 Groups, Teams, and Security Groups. |
| Roles | Azure roles assigned to the user. |
| appRoleAssignments | Application role assignments; these control access to applications such as Salesforce, zScaler, Box, and other gallery or non-gallery applications. |
| usageLocation | A two-letter ISO 3166 country code; it can be either cloud-only or synchronized from on-premises. |
| StrongAuthenticationUserDetails | The phone number, email address, and alternate phone number registered for multifactor authentication. |
| StrongAuthenticationMethods | The authentication methods configured for multifactor authentication. |
| conditionalAccessPolicyMemberOf | Membership in the include and exclude lists of Conditional Access policies. |
| Custom | Custom properties created by Azure AD applications. |
Table 27: Group attributes

| Attribute | Description |
| --- | --- |
| memberOf | Membership in cloud-only Security Groups. |
| appRoleAssignments | Application role assignments; these control access to applications such as Salesforce, zScaler, Box, and other gallery or non-gallery applications. |
| conditionalAccessPolicyMemberOf | Membership in the include and exclude lists of Conditional Access policies. |