On Demand Recovery can restore the following objects from the Recycle Bin:
- Users (all types of users including B2B, B2C, guests, hybrid)
- Office 365 Groups
Note: Links, permissions, and roles cannot be restored from the Recycle Bin. But if an object from the above list is soft deleted and then recovered from the Recycle Bin, all attributes and links including group membership and app role assignments are preserved by Microsoft.
Objects that cannot be restored from the Recycle Bin:
- Distribution groups
- Security groups
- Mail-enabled security groups
- All groups synchronized by Azure AD Connect from on-premises Exchange server (hybrid configuration)
- Service principals
On Demand Recovery backs up and restores the assigned roles in Azure AD.
The following scenarios are supported in On Demand Recovery:
The following roles are not restored by On Demand Recovery:
- Custom Azure AD roles are not restored.
- Custom Office 365 roles are not restored.
In Azure AD, there are two types of groups; Security and Microsoft 365. When a Microsoft 365 group is deleted in Azure AD, it is soft deleted. That is, the Microsoft 365 group is moved to the Deleted groups page where it can be restored or permanently deleted. When a Security group is deleted in Azure AD, it is hard deleted. That is, the security group is permanently deleted and not moved to the Deleted groups page. The Differences report in On Demand Recovery identifies groups as being either hard deleted or soft deleted in Azure AD. Both types of groups can be restored from the Differences report.
The following scenarios are supported in On Demand Recovery:
- Restoring group owners associated with a Security Group.
- Restoring group owners associated with a Microsoft 365 Group.
Restored group attributes
For a list of group attributes restored by On Demand Recovery, see Table 14 in the Attributes restored by On Demand Recovery section.
The following groups are not restored by On Demand Recovery:
Backup and Restore of Service Principal Objects
On Demand Recovery supports backing up and restoring service principal objects with the following properties:
- oAuth2PermissionGrants - the OAuth 2.0 scopes (delegated permissions) that have been granted to an application (represented by a service principal) as part of the user or admin consent process.
- appRoleAssignments - link between a service principal and a directory object.
- roles - administrator roles in Azure Active Directory. Refer to this article for details.
- appRoles - the collection of application roles that an application may declare.
- Service principal owners - the owners are a set of users who are allowed to modify service principal objects.
For the full list of service principal attributes that are restored and not restored by On Demand Recovery, see How does On Demand Recovery handle object attributes?
What is the difference between a service principal object and an application object?
When you register an Azure AD application in the Azure portal, two objects are created in your Azure AD tenant; an application object and a service principal object.
- Application object
An Azure AD application is defined by its one and only application object, which resides in the Azure AD tenant where the application was registered, known as the application's "home" tenant. The Azure AD Graph Application entity defines the schema for an application object's properties.
- Service principal object
In order to access resources that are secured by an Azure AD tenant, the entity that requires access must be represented by a security principal. This is true for both users (user principal) and applications (service principal). The security principal defines the access policy and permissions for the user/application in that tenant. This enables core features such as authentication of the user/application during sign-in, and authorization during resource access.
When an application is given permission to access resources in a tenant (upon registration or consent), a service principal object is created. The Azure AD Graph ServicePrincipal entity defines the schema for a service principal object's properties.
For more details, see https://www.microsoftpressstore.com/articles/article.aspx?p=2473127.
Service principals provisioned from Azure Gallery
On Demand Recovery supports restoring service principals provisioned from Azure Gallery for users that have the service account for the tenant. This account must have at least the User Administrator role in the Azure portal.
Limitations: On Demand Recovery does not backup certificate settings for applications.
To make SAML SSO work after the restore of a service principal provisioned from Azure Gallery, you must install the new certificate for the corresponding application. For details on how to provide the certificate for a particular application, refer to the application configuration guide.
To access the application configuration guide
- In Azure Management Portal, navigate to the Azure Active Directory section in the left pane and click Enterprise applications.
- Choose the application for which you want to configure single sign-on.
- Under the Manage section, select Single sign-on.
- Click the configuration guide link.
Which actions are shown in the Differences report for a service principal?
- Deletion of a service principal object
- Changes to the accountEnabled attribute
- Add/remove roles assigned to service principals (custom roles are not monitored)
- Add/remove owners from service principals
- Add/remove owners from application
Names of administrator roles in the Azure portal are slightly different from the names of the corresponding roles that are shown in the Differences report. For information, see the following comparison table:
Table 2: Names of administrator roles in the Azure portal and the corresponding role in the Differences report
|Conditional Access administrator
||Conditional Access Administrator|
|Dynamic 365 administrator
||CRM Service Administrator|
||Exchange Service Administrator|
|Information Protection administrator
||Information Protection Administrator|
||Intune Service Administrator|
|Skype for Business administrator
||Lync Service Administrator|
|Power BI administrator
||Power BI Service Administrator|
|Privileged role administrator
||Privileged Role Administrator|
||Service Support Administrator|
||User Account Administrator|