立即与支持人员聊天
与支持团队交流

On Demand Recovery Current - User Guide

Access Control

Quest On Demand provides permission-based roles to determine what permission level a user has and what tasks the user can perform.

For more details, see Adding users to an organization section in the On Demand Global Settings User Guide.

List of permissions that can be assigned to Recovery module users
  • Can manage backup settings
  • Can download hybrid credentials
  • Can run backup manually
  • Can unpack backups
  • Can run difference report
  • Can restore from objects
  • Can restore from differences
  • Can read backup history
  • Can read unpacked objects
  • Can read differences
  • Can read task history
  • Can read events
  • Can read restore attributes
  • Can read UI projects
  • Can read UI collections
  • Can manage events

Note: On Demand administrators have full access to global settings and all module permissions.

Working with On Demand Recovery

This section provides step-by-step instructions on how to use On Demand Recovery.

Note:

  • For Office 365 tenants: On Demand Recovery can backup and restore Office 365 users, Office 365 groups and Security groups. Group membership and ownership is restored for both types of groups. The product does not restore any resources associated with Office 365 groups and Microsoft Teams, such as conversations, Planner tasks and plans.
  • Email notifications about failed backups can be enabled by request. For assistance, contact Quest Support.
  1. Go to Quest On Demand and sign up for Quest On Demand. For more details, refer to Signing up for Quest On Demand.
  2. Add your Azure Active Directory tenant as described in the Tenant Management section in the On Demand Global Settings User Guide.
  3. After the tenant is added, make sure that the permissions required to work with Azure Active Directory tenant are granted. To grant the required permissions, click Go on the tenant tile and check that the Recovery module has the Granted status. For details, please see the Admin Consent Status section in the On Demand Global Settings User Guide. For a list of permissions that need to be granted consent for On Demand Recovery, refer to Consent permissions.

    Note: Microsoft admin consent status is "expired" after 90 days and the Recovery module status is changed to "Not Granted". Once expired, you must grant admin consent again to continue using the module.

  4. To perform Exchange tasks, you will need to grant consent to Exchange Online PowerShell, and assign the Exchange Admin Role. For details, please see the About admin consent status and the Granting and regranting admin consent sections in the On Demand Global Settings User Guide.
  5. To launch On Demand Recovery, click Recovery on the left pane. The Dashboard screen opens.
  6. To configure a hybrid connection with on-premises Active Directory, see Integration with Recovery Manager for Active Directory.
  7. To configure the backup settings, perform the following steps:
    1. Click Manage Backups on the Dashboard screen.
    2. Select the tenant from the list and click Edit. The Configure backup dialog opens.

      • To enable the backup creation, select Enabled next to the Schedule option. On Demand Recovery will attempt up to 4 backups per day. Depending on the completion time required for each, the number of backups may be less.
      • Choose to immediately run the backup by selecting the Run backup immediately option. Deselecting this option will allow backups to only run when scheduled.
      • Specify the backup retention period using the Retention policy option. The backup retention policy is also applied to backups that are started manually.
      • To backup multifactor authentication settings, inactive mailboxes, and Conditional Access policies, select the Back up MFA settings, conditional access policies and data related to inactive mailboxes option.
      • To backup Application proxy settings, select the Back up Application proxy settings and connector groups option.
      • Specify service account credentials for the tenant. For details about required permissions, see Required permissions.
    3. Check the status of the module admin consent.
    4. If you need to run the backup creation manually, go to the Tasks screen, select the Backup task and click Start.
  8. To start the backup creation manually, you can use the Create Backup option on the Dashboard screen.
  9. To unpack a backup:
    1. Go to the Backups screen. Here, you will find each packed backup, and the properties associated with that backup.

      Note:The Users column reflects the total number of users including guest accounts. The Guest column reflects only guest accounts.

    2. From the Tenant drop-down list, select the tenant, then select the backup you want.
    3. You can specify predefined or custom date ranges to narrow the search results by selecting Custom range.
    4. Click Unpack in the actions menu.
    5. If the option Unpack service principals and devices is not selected, the unpack operation will work faster and the Differences report will contain only changes related to users and groups. For more details about this option, see Backup unpacking.
    6. In the Backup Unpacking dialog, click Unpack.
  10. When the Unpack backup task is completed, go to the Unpacked Objects screen and select the users and groups that you want to restore and click Restore.

    Note: If you do not unpack a backup, the Unpacked Objects screen will contain no objects or show a list of objects that were extracted from the previously unpacked backup.

  11. In the Restore Objects dialog, you can select the options listed in point 3 here.
  12. Also, you can view differences between the selected backup and live Azure Active Directory or Office 365 and revert the selected changes using the Differences report tool. For more details, see the Reporting section. You can export the selected report data to the CSV file.
  13. You can view the status of your Restore objects task on the Tasks screen.

  14. Open the Events screen to view errors or warnings, if they occur during the restore operation.
    • Use the Export option to export the selected log data to the CSV format.
    • Use the Acknowledge option to hide events that are not actual anymore. The status of acknowledged events is changed from 'Current' to 'Obsolete'. To view the list of obsolete events, click Obsolete on the left side of the screen.

Backup Unpacking

In the Backup Unpacking dialog, you have the option to Unpack service principals, devices, and conditional access policies. If this option is not selected, the unpack operation will work faster and the Differences report will contain only changes related to users and groups. Otherwise, you will see changes related to users, groups, service principals, devices, and Conditional Access policies. The table below provides the full list of objects and changes that will be shown on the corresponding screens.

If the Unpack service principals, devices, and conditional access policies option is NOT selected, the following items will be shown:

Unpacked Objects view

  • User
  • Group

Differences view

  • User
  • Group
  • DirectoryLinkChange
  • DirectoryRoleLinkChange

If the Unpack service principals, devices, and conditional access policies option is selected, the following items will be shown:

Unpacked Objects view

  • User
  • Group
  • Service Principal
  • Device

Differences view

  • User
  • Group
  • Service Principal
  • Device
  • OAuth2PermissionGrant
  • AppRoleAssignment
  • OwnerLinkChange
  • GroupOwnerLinkChange
  • DirectoryRoleLinkChange
  • RegisteredOwnerDeviceLinkChange
  • RegisteredUserDeviceLinkChange

If Perform differences during the unpack is selected, then the differences operation will automatically begin. If this is not selected, then only the unpack operation will be performed.

Restoring objects

After you complete an Unpack backup task, go to the Unpacked Objects tab to select the objects that you want to restore.

Note: If you do not unpack a backup, the Unpacked Objects tab does not display any objects or shows a list of objects that were extracted from the previously unpacked backup.

You can choose one of the following views to see the unpacked objects:

  • List View - This view lists the unpacked objects from your backup. You can select objects to export to a CSV file or select objects to restore.
  • Objects - This view displays the number of unpacked objects by category in graph form. You can use the filters to display specific types of objects.

To restore objects

  1. On the Unpacked Objects tab, in List View, click the check boxes next to the objects that you want to restore.
    1. You can use the Search field to search for specific objects to restore.
    2. You can use the filters to display specific objects that you want to restore. The following filters are available:
      • Tenant - allows you to filter objects by a specified tenant.
      • Backup - allows you to filter objects by a specified backup.
      • Type - allows you to filter objects by type.
      • User Type - allows you to filter objects by type of user.
      • AAD Connect - allows you to filter by objects synced from a hybrid environment.
      • MFA - allows you to filter objects by multifactor authentication setting.
      • Mail Enabled - allows you to filter by objects that have a mailbox (enabled) or do not have a mailbox (disabled).

Caution:Restore of objects from multiple tenants is not supported by On Demand Recovery. The Restore button will be disabled when objects from multiple tenants are selected or no tenant is selected. To display the Restore button, please select a tenant.

  1. Click Restore.
  2.  In the Restore Objects dialog, you can select the following options:
    • Restore deleted users and groups from Recycle Bin - This restores accidentally deleted users and Office 365 groups from the Recycle Bin. On Demand Recovery preserves original object identifiers (GUID).
    • If a user or group is not found in Recycle Bin, create a new one - This recreates permanently deleted users, groups, and subgroups. This option recreates users and groups with attributes that are required for object identification. If you need to restore all attributes for the object including membership information (links), use this option together with the Restore all attributes option.
    • If a hybrid user already exists in Azure Active Directory, delete it before the restore operation - This action lets you preserve the original cloud mailbox of a hybrid user after restore in the following scenario:
      1. There is a hybrid user. This user is deactivated by the administrator for some reason.
      2. Then the user returns, and the account is enabled again by the administrator. After the activation, the user is recreated in the cloud with the new mailbox.
      3. We want to use the original cloud mailbox for the user. The only one way to do this is to restore the user from a backup. But before the restore, the newly created cloud user must be removed from Azure AD using this option.
    • Restore all attributes - This restores all object attributes including membership information (links). If this option is not selected, you can specify specific attributes that you want to restore by clicking Browse.
    • Specify password for the encrypted backup - This allows you to type a password that is used to decrypt the encrypted backup. This is strongly recommended only for hybrid users.


  3. Click OK.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级