On Demand Recovery Current - User Guide

Required Permissions

This section lists the minimum user account permissions required to perform specific On Demand Recovery tasks.

Azure account used for adding tenants to On Demand

  • To add a tenant and grant admin consent for the On Demand Recovery module, the Azure AD account used must hold the Global Administrator directory role. For more details, see Add an Azure AD tenant.
    On Demand Recovery requires Basic consent in the Recovery section.
  • Global Administrator is needed only for that one-time step. After the tenant is added and admin consent has been granted, reduce the Azure AD account to the role the product features actually need:
    • For backup operations, the Global Reader role is sufficient.
    • For restore operations, assign the User Administrator role.
    Changing the account's role does not change the application permissions consented to On Demand itself; those are held by the On Demand service principal and are listed under Consent permissions below.
  • For some advanced features, a separate service account is required, and you must specify this service account in backup settings. The permissions required depend on the feature. See Service account permissions for details.

Consent permissions

In addition to the base consents required by On Demand, On Demand Recovery requires the following consents and permissions.

To view the list of Basic consent permissions in On Demand Recovery:

  1. Click Tenants in the navigation panel on the left.
  2. Go to the Basic tile, under Recovery.
  3. Under Status and Actions, click View Details.
Type        | Permission                          | API                            | Description
------------|-------------------------------------|--------------------------------|------------
Application | Directory.ReadWrite.All             | Microsoft Graph                | Allows the app to read and write data in your organization's directory, such as users and groups, without a signed-in user. Does not allow user or group deletion.
Application | Group.Read.All                      | Microsoft Graph                | Allows the app to read group properties and memberships, and read conversations for all groups, without a signed-in user.
Application | Group.ReadWrite.All                 | Microsoft Graph                | Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write group calendar and conversations. All of these operations can be performed by the app without a signed-in user.
Application | Directory.Read.All                  | Microsoft Graph                | Allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user.
Application | RoleManagement.ReadWrite.Directory  | Microsoft Graph                | Allows the app to read and manage the role-based access control (RBAC) settings for your company's directory, without a signed-in user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships.
Application | AppRoleAssignment.ReadWrite.All     | Microsoft Graph                | Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, without a signed-in user.
Application | Directory.Read.All                  | Windows Azure Active Directory | Allows the app to read data in your company or school directory, such as users, groups and apps.
Application | Directory.ReadWrite.All             | Windows Azure Active Directory | Allows the app to read and write data in your company or school directory, such as users and groups. Does not allow user or group deletion.
Delegated   | Directory.ReadWrite.All             | Microsoft Graph                | Allows the app to read and write data in your organization's directory, such as users and groups. It does not allow the app to delete users or groups, or reset user passwords.
Delegated   | Directory.AccessAsUser.All          | Microsoft Graph                | Allows the app to have the same access to information in the directory as the signed-in user.
Delegated   | Group.Read.All                      | Microsoft Graph                | Allows the app to list groups, and to read their properties and all group memberships on behalf of the signed-in user. Also allows the app to read calendar, conversations, files, and other group content for all groups the signed-in user can access.
Delegated   | Group.ReadWrite.All                 | Microsoft Graph                | Allows the app to create groups and read all group properties and memberships on behalf of the signed-in user. Additionally allows group owners to manage their groups and allows group members to update group content.
Delegated   | Directory.Read.All                  | Microsoft Graph                | Allows the app to read data in your organization's directory, such as users, groups and apps.
Delegated   | RoleManagement.ReadWrite.Directory  | Microsoft Graph                | Allows the app to read and manage the role-based access control (RBAC) settings for your company's directory, on behalf of the signed-in user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships.
Delegated   | AppRoleAssignment.ReadWrite.All     | Microsoft Graph                | Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, on behalf of the signed-in user.
Delegated   | User.Read                           | Windows Azure Active Directory | Allows users to sign in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.
Delegated   | Group.Read.All                      | Windows Azure Active Directory | Allows the app to read basic group properties and memberships on behalf of the signed-in user.
Delegated   | Group.ReadWrite.All                 | Windows Azure Active Directory | Allows the app to create groups on behalf of the signed-in user and read all group properties and memberships. Additionally, this allows the app to update group properties and memberships for the groups the signed-in user owns.
Delegated   | Directory.ReadWrite.All             | Windows Azure Active Directory | Allows the app to read and write data in your company or school directory, such as users and groups. Does not allow user or group deletion.
Delegated   | Directory.Read.All                  | Windows Azure Active Directory | Allows the app to read data in your company or school directory, such as users, groups, and apps.
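The table above is what the Basic consent asks for; what matters operationally is what the On Demand service principal actually holds in your tenant, since application permissions such as RoleManagement.ReadWrite.Directory and AppRoleAssignment.ReadWrite.All are standing, tenant-wide grants that do not depend on any user's role. The following Microsoft Graph PowerShell script is an added example, not Quest's code and not part of the original page: it reads the service principal's app role assignments (application permissions) and OAuth2 permission grants (delegated permissions) and compares them with the table. The display name used to locate the service principal is an assumption; take the real one from Enterprise applications in the Microsoft Entra admin center.

```powershell
# Added example, not part of the Quest documentation: compare the permissions the
# On Demand service principal actually holds in this tenant with the consent table above.
# The display name used to locate the service principal is an assumption; confirm it
# under Enterprise applications in the Microsoft Entra admin center.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications, Microsoft.Graph.Identity.SignIns
param([string]$AppDisplayName = 'Quest On Demand')   # assumed display name, replace with yours

Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

# Resource APIs are identified by their well-known appId, not by display name.
$graphAppId = '00000003-0000-0000-c000-000000000000'   # Microsoft Graph
$aadAppId   = '00000002-0000-0000-c000-000000000000'   # Windows Azure Active Directory (Azure AD Graph)

# Permissions documented on this page, flattened to "appId|Type|Permission" keys.
$expected = @(
    @{ Api = $graphAppId; Type = 'Application'; Perms = 'Directory.ReadWrite.All','Group.Read.All','Group.ReadWrite.All','Directory.Read.All','RoleManagement.ReadWrite.Directory','AppRoleAssignment.ReadWrite.All' }
    @{ Api = $graphAppId; Type = 'Delegated';   Perms = 'Directory.ReadWrite.All','Directory.AccessAsUser.All','Group.Read.All','Group.ReadWrite.All','Directory.Read.All','RoleManagement.ReadWrite.Directory','AppRoleAssignment.ReadWrite.All' }
    @{ Api = $aadAppId;   Type = 'Application'; Perms = 'Directory.Read.All','Directory.ReadWrite.All' }
    @{ Api = $aadAppId;   Type = 'Delegated';   Perms = 'User.Read','Group.Read.All','Group.ReadWrite.All','Directory.ReadWrite.All','Directory.Read.All' }
) | ForEach-Object { $e = $_; $e.Perms | ForEach-Object { "$($e.Api)|$($e.Type)|$_" } }

$sp = @(Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'")
if ($sp.Count -ne 1) { throw "Expected exactly one service principal named '$AppDisplayName', found $($sp.Count)" }
$sp = $sp[0]

# Cache resource service principals so each API's manifest is fetched once.
$resources = @{}
function Get-Resource([string]$Id) {
    if (-not $resources.ContainsKey($Id)) { $resources[$Id] = Get-MgServicePrincipal -ServicePrincipalId $Id }
    $resources[$Id]
}

$granted = @{}
# Application permissions are app role assignments on the client service principal;
# the assignment carries only the role id, the readable value comes from the resource's AppRoles.
foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
    $res   = Get-Resource $a.ResourceId
    $value = ($res.AppRoles | Where-Object Id -eq $a.AppRoleId).Value
    $granted["$($res.AppId)|Application|$value"] = $a.Id
}
# Delegated permissions are OAuth2 permission grants with this service principal as client.
# ConsentType AllPrincipals is the tenant-wide admin consent; Principal is a per-user consent.
foreach ($g in Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All) {
    $res = Get-Resource $g.ResourceId
    foreach ($scope in ($g.Scope -split '\s+' | Where-Object { $_ })) {
        $granted["$($res.AppId)|Delegated|$scope"] = $g.ConsentType
    }
}

$missing = @($expected     | Where-Object { -not $granted.ContainsKey($_) })
$extra   = @($granted.Keys | Where-Object { $_ -notin $expected })

"Service principal: $($sp.DisplayName) ($($sp.Id))"
"Granted: $($granted.Count)  Documented: $($expected.Count)"
if ($missing) { Write-Warning "Documented but not granted (consent incomplete):`n  $($missing -join "`n  ")" }
if ($extra)   { Write-Warning "Granted but not documented here (review before keeping):`n  $($extra -join "`n  ")" }
if (-not $missing -and -not $extra) { 'Granted permissions match the consent table.' }
```

Run it after granting Basic consent and again after any "regrant" from the Tenants page. A non-empty "missing" list means consent did not complete; a non-empty "extra" list means the service principal holds grants this page does not account for and should be reviewed. The two RoleManagement.ReadWrite.Directory and AppRoleAssignment.ReadWrite.All application grants deserve particular attention in that review: an identity holding them can assign any directory role and any application permission in the tenant, so the On Demand service principal, and whoever controls its credentials, sits squarely inside your tenant's administrative trust boundary.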

Exchange Online PowerShell

To perform Exchange tasks, you must also grant consent to Exchange Online PowerShell and assign the Exchange Administrator role. For details, see the About admin consent status and Granting and regranting admin consent sections in the On Demand Global Settings User Guide.

Service account permissions

For advanced features, a service account must be specified in the backup settings. The service account is used to back up and restore the following advanced features:

  • Multifactor authentication (MFA) settings
  • Identifiers of inactive mailboxes
  • Conditional Access policies
  • Application Proxy settings
  • Legacy Gallery applications
  • Single sign-on (SSO) application settings

Table 1: Required permissions for the service account by feature

On Demand Recovery feature                              | Required directory role
--------------------------------------------------------|----------------------------------
Backup of MFA settings                                  | Global Reader
Backup of inactive mailboxes                            | Global Reader
Backup of Conditional Access policies                   | Global Reader
Backup of Application Proxy settings                    | Global Reader
Backup of Legacy Gallery applications and SSO settings  | Global Reader
Restoring MFA settings                                  | User Administrator
Restoring inactive mailboxes                            | User Administrator
Restoring Conditional Access policies                   | Conditional Access Administrator
Restoring Legacy Gallery applications and SSO settings  | Application Administrator
Restoring Application Proxy settings and connector      | Application Administrator

Global Reader covers every backup operation. If one service account is used for several restore features, it needs the union of the restore roles listed for those features; it does not need Global Administrator for any of them.
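Both the Azure account section above (Global Administrator only while adding the tenant, then Global Reader for backup or User Administrator for restore) and Table 1 reduce to the same check: does each account hold exactly the directory roles its purpose needs, and has Global Administrator been removed once consent was granted? The following Microsoft Graph PowerShell script is an added example, not Quest's code and not part of the original page. It audits the roles each account holds against a mapping taken from this page and, with -Remediate, adds missing roles and removes Global Administrator. The account names are placeholders; the role names are the ones used on this page, and 'Exchange Administrator' can be added to an account's list if Exchange tasks are in scope. Running with -Remediate requires the signed-in account to be able to manage role membership (Privileged Role Administrator or Global Administrator).

```powershell
# Added example, not part of the Quest documentation: audit (and with -Remediate, fix)
# the directory roles held by the accounts On Demand Recovery uses, following the role
# mapping on this page. Account names are placeholders; replace them with your own.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement
param(
    # Roles each account should hold, per this page. Keys are assumed UPNs.
    [hashtable]$Accounts = @{
        'odr-backup@contoso.onmicrosoft.com'  = @('Global Reader')          # backup operations only
        'odr-restore@contoso.onmicrosoft.com' = @('User Administrator')     # restore operations
        'odr-service@contoso.onmicrosoft.com' = @('Global Reader',          # service account covering every
                                                  'User Administrator',     # advanced feature in Table 1
                                                  'Conditional Access Administrator',
                                                  'Application Administrator')
    },
    # Add missing roles and remove Global Administrator instead of only reporting.
    [switch]$Remediate
)

Connect-MgGraph -Scopes 'Directory.Read.All','RoleManagement.ReadWrite.Directory' -NoWelcome
$signedIn = (Get-MgContext).Account

# Get-MgDirectoryRole only returns roles that have been activated in the tenant;
# a role never assigned before must first be activated from its template.
function Get-OrActivateRole([string]$DisplayName) {
    $role = Get-MgDirectoryRole -All | Where-Object DisplayName -eq $DisplayName
    if (-not $role) {
        $template = Get-MgDirectoryRoleTemplate -All | Where-Object DisplayName -eq $DisplayName
        if (-not $template) { throw "No directory role template named '$DisplayName'" }
        $role = New-MgDirectoryRole -RoleTemplateId $template.Id
    }
    $role
}

foreach ($upn in $Accounts.Keys) {
    $user = Get-MgUser -UserId $upn -Property Id,UserPrincipalName
    # Directory roles the account holds directly (group memberships are filtered out).
    $held = @(Get-MgUserMemberOf -UserId $user.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
        ForEach-Object { $_.AdditionalProperties['displayName'] })

    $wanted  = $Accounts[$upn]
    $missing = @($wanted | Where-Object { $_ -notin $held })
    $extra   = @($held   | Where-Object { $_ -notin $wanted })

    "== $upn"
    "   holds:   $($held -join ', ')"
    if ($missing) { Write-Warning "   missing: $($missing -join ', ')" }
    if ($extra)   { Write-Warning "   extra:   $($extra -join ', ')" }
    if ('Global Administrator' -in $held) {
        Write-Warning '   Global Administrator is only needed to add the tenant and grant consent; remove it afterwards.'
    }

    if (-not $Remediate) { continue }
    foreach ($name in $missing) {
        $role = Get-OrActivateRole $name
        New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter @{
            '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)"
        }
        "   added $name"
    }
    if ('Global Administrator' -in $held) {
        if ($upn -eq $signedIn) {
            # Never strip the role from the session doing the work; do it from another admin session.
            Write-Warning '   not removing Global Administrator from the signed-in account.'
        } else {
            $ga = Get-OrActivateRole 'Global Administrator'
            Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $ga.Id -DirectoryObjectId $user.Id
            '   removed Global Administrator'
        }
    }
}
```

Run it without -Remediate first and read the "extra" lines: anything beyond the mapped roles, Global Administrator in particular, is standing privilege On Demand Recovery does not need. The script only looks at direct directory role membership; if your tenant assigns roles through role-assignable groups or PIM eligible assignments, check those separately, since Get-MgUserMemberOf will not show them as active roles.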