Restore Behavior in Azure Active Directory

Restoring object relationships

Roles and group membership behavior

When restoring an object that owns relationships, such as a role (which has role members), any existing relationships are overwritten with the relationships from the selected backup.

For example, suppose you select an Azure AD role to restore from backup.

  • During backup, the role members were Sally, Michael, and Phil.

  • Currently, in Azure AD, the same role has Sally, Phil, Steve, and Cindy as the members.

  • After restoring the role from backup, the members will be Sally, Michael, and Phil. Steve and Cindy will be removed as they were not members when the backup was created.

Restore behavior for relationships

When restoring Azure AD objects, associated relationships (such as group memberships, role assignments, and application access) are also restored in most cases. However, certain types of relationships are not backed up and therefore cannot be recovered. The ability to restore relationships depends on whether the object still exists and is being rolled back to a previous state, has been soft deleted, or has been permanently deleted.

  • Rollback (object still exists): Most core relationships are restored (for example, group memberships, role assignments, application access).

  • Soft-deleted objects (via recycle bin): If no changes were made to relationships between the time of backup and deletion, all relationships are restored.

  • Hard-deleted objects: When an object is permanently deleted, most core relationships are restored.

The following configuration elements are not restored:

Object type                 Relationships not supported

App registrations
  • Certificates
  • Client secrets

Enterprise applications
  • Attributes & claims - SSO
  • Custom security attributes

Groups*
  • Azure role assignments
  • Roles - expired assignments

Intune policies
  • Android Device Administrator configuration policy (MX Profile – Zebra Only)
  • Windows 10/11 Properties Catalog (Settings Catalog) configuration policy

Roles
  • Roles - expired assignments

Users
  • Authentication methods (passwords, temporary access keys, QR codes)
  • Roles - expired assignments

*Security and Microsoft 365 groups are supported, except for the above-mentioned relationships. Mail-enabled security groups are not supported.
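A pre-restore impact check for the overwrite behaviour described under "Roles and group membership behavior", combined with the table of relationships that are not backed up. This is an added example, not the product's own code; the object-type keys, relationship labels and snapshot format are assumptions, and the sample data is constructed from the role scenario above.

```python
from dataclasses import dataclass, field

# Relationship types the table above lists as not backed up, per object type.
# Keys and labels are this example's own naming (assumed), not the product's.
NOT_RESTORED = {
    "role": {"expired role assignments"},
    "group": {"Azure role assignments", "expired role assignments"},
    "app_registration": {"certificates", "client secrets"},
    "enterprise_application": {"SSO attributes & claims", "custom security attributes"},
    "user": {"authentication methods", "expired role assignments"},
}


@dataclass
class RestorePlan:
    kept: dict = field(default_factory=dict)          # in both backup and current state
    added: dict = field(default_factory=dict)         # in backup only: restore re-adds these
    removed: dict = field(default_factory=dict)       # in current only: restore drops these
    not_restored: dict = field(default_factory=dict)  # types the backup never captured


def plan_restore(object_type, backup, current):
    """Predict the effect of restoring one object from a backup snapshot.

    backup and current map relationship type -> set of member/assignment ids.
    Every backed-up relationship type is overwritten with the backup's set;
    types listed in NOT_RESTORED are reported separately for manual review.
    """
    plan = RestorePlan()
    unsupported = NOT_RESTORED.get(object_type, set())
    for rel_type in sorted(set(backup) | set(current)):
        cur = set(current.get(rel_type, ()))
        if rel_type in unsupported:
            plan.not_restored[rel_type] = cur
            continue
        bak = set(backup.get(rel_type, ()))
        plan.kept[rel_type] = bak & cur
        plan.added[rel_type] = bak - cur
        plan.removed[rel_type] = cur - bak
    return plan


def role_example():
    """The page's role scenario as constructed sample data (plus one expired assignment)."""
    backup = {"members": {"Sally", "Michael", "Phil"}}
    current = {"members": {"Sally", "Phil", "Steve", "Cindy"},
               "expired role assignments": {"Phil"}}
    return plan_restore("role", backup, current)


if __name__ == "__main__":
    p = role_example()
    for label, data in (("kept", p.kept), ("re-added", p.added),
                        ("removed", p.removed), ("not restored", p.not_restored)):
        print(f"{label}: {data}")
```

Run before committing a restore: the "removed" set is what the restore will silently strip (Steve and Cindy in the page's scenario), and "not restored" is what you must re-create by hand afterwards.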

Restore behavior for attributes

Most common object attributes (for example, display name, description, membership type) are restored when an Azure AD object is recovered. However, certain attributes are not backed up and cannot be restored.

The following attributes are not restored:

Object type                                   Attributes not supported

App registrations, Enterprise applications
  • Logo
  • Conditions

Groups
  • Sensitivity label

Applications

The Application Object (found under App registrations) is the template for the application definition within an Azure AD tenant. Every Application Object has a corresponding Service Principal Object (found under Enterprise applications). The relationship between the two is described in this Microsoft article. When restoring applications, the App registration must be restored before the corresponding Enterprise application.
