Restore Behavior in Azure Active Directory

Restoring object relationships

Roles and group membership behavior

When restoring an object that owns relationships, such as a role (which has role members), the object's existing relationships are overwritten with the relationships recorded in the selected backup.

For example, suppose you select an Azure AD role to restore from backup:

  • During backup, the role members were Sally, Michael, and Phil.

  • Currently, in Azure AD, the same role has Sally, Phil, Steve, and Cindy as the members.

  • After restoring the role from backup, the members will be Sally, Michael, and Phil. Steve and Cindy will be removed as they were not members when the backup was created.
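The overwrite rule above is worth previewing before a restore is committed: the resulting membership equals the backup's membership, so every member added since the backup is dropped and every member removed since the backup comes back. The following Python script is an added illustration, not code from the backup product or from Microsoft; the function names and the sample member lists are constructed for this example, and it generalizes the role example to any relationship set (roles, group memberships, application access) that the restore overwrites in the same way.

```python
"""Preview the relationship changes a restore-from-backup would cause.

Illustrates the documented overwrite semantics: after the restore the
relationship set equals the set recorded in the backup. Function names
and sample data are constructed for this example (assumption).
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable


@dataclass(frozen=True)
class RestorePreview:
    object_name: str
    resulting: FrozenSet[str]   # what the relationship set looks like after restore
    removed: FrozenSet[str]     # present now, absent in backup -> dropped by the restore
    readded: FrozenSet[str]     # present in backup, absent now -> re-created by the restore
    unchanged: FrozenSet[str]   # present in both


def preview_restore(object_name: str,
                    backup_members: Iterable[str],
                    current_members: Iterable[str]) -> RestorePreview:
    """Compute the effect of restoring `object_name` from backup.

    The backup set wins outright; current-only entries are not merged in.
    """
    backup = frozenset(backup_members)
    current = frozenset(current_members)
    return RestorePreview(
        object_name=object_name,
        resulting=backup,
        removed=current - backup,
        readded=backup - current,
        unchanged=backup & current,
    )


def needs_review(preview: RestorePreview) -> bool:
    """True when the restore would strip access that exists today.

    Members added after the backup may hold legitimately granted access, so
    a non-empty `removed` set is the case an operator should confirm first.
    """
    return len(preview.removed) > 0


def format_preview(preview: RestorePreview) -> str:
    """Render the preview as a short, sorted report."""
    lines = [f"Restore preview for '{preview.object_name}':"]
    lines.append(f"  members after restore : {sorted(preview.resulting)}")
    lines.append(f"  removed by restore    : {sorted(preview.removed)}")
    lines.append(f"  re-added by restore   : {sorted(preview.readded)}")
    lines.append(f"  unchanged             : {sorted(preview.unchanged)}")
    if needs_review(preview):
        lines.append("  NOTE: restore removes current members; confirm before proceeding")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample mirroring the role example in the text.
    p = preview_restore(
        "Example Azure AD role",
        backup_members=["Sally", "Michael", "Phil"],
        current_members=["Sally", "Phil", "Steve", "Cindy"],
    )
    print(format_preview(p))
```

Running the script with the sample data reports Steve and Cindy as removed and Michael as re-added, matching the walkthrough above; feeding it the exported member lists of a real object gives the same preview for that object.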

Restore behavior for relationships

When restoring Azure AD objects, associated relationships (such as group memberships, role assignments, and application access) are also restored in most cases. However, certain types of relationships are not backed up and therefore cannot be recovered. The ability to restore relationships depends on whether the object still exists and is being rolled back to a previous state, has been soft deleted, or has been permanently deleted.

  • Rollback (object still exists): Most core relationships are restored (for example, group memberships, role assignments, and application access).

  • Soft-deleted objects (via recycle bin): If no changes were made to relationships between the time of backup and deletion, all relationships are restored.

  • Hard-deleted objects: When an object is permanently deleted, most core relationships are restored.

The following configuration elements are not restored, listed by object type (Object type: Relationships not supported):

App registrations:
  • Certificates
  • Client secrets
  • Federated credentials

Enterprise applications:
  • Access reviews
  • Attributes & claims - SSO
  • Custom security attributes
  • Permissions

Groups*:
  • Access reviews
  • Azure role assignments
  • Roles - expired assignments

Protected actions:
  • Permissions

Roles:
  • Role settings
  • Roles - expired assignments

Users:
  • Authentication methods
  • Custom security attributes
  • Roles - expired assignments

*Security and Microsoft 365 groups are supported, except for the above-mentioned relationships. Mail-enabled security groups are not supported.

Restore behavior for attributes

Most common object attributes (for example, display name, description, membership type) are restored when an Azure AD object is recovered. However, certain attributes are not backed up and cannot be restored.

The following attributes are not restored, listed by object type (Object type: Attributes not supported):

App registrations, Enterprise applications:
  • Logo
  • Conditions

Groups:
  • Role start & end dates
  • Sensitivity label

Roles:
  • Role settings

Users:
  • Email
  • Manager
  • Role start & end dates
  • Sponsors

Applications

The Application Object (found under App registrations) is the template for the application definition within an Azure AD tenant. Every Application Object has a corresponding Service Principal Object (found under Enterprise applications). The relationship between the two is described in this Microsoft article. When restoring applications, restore the App registration before its corresponding Enterprise application.

Note

For information on the behavior for restoring objects that own relationships in Active Directory, see Restore Options and Behavior in Active Directory.
