Backing up and Restoring Entra ID objects and their attributes in 2023 : Sander Berkouwer

Below post content copied from The DirTeam.com / ActiveDir.org Weblogs

In recent years, if you wanted to make backups of objects in Microsoft Entra ID (Azure AD) and be able to restore them reliably, there was only one vendor that fit the bill. Now, at the end of 2023, I'm seeing other companies offering help with backing up and restoring objects in Microsoft Entra ID. In this blog post, I'm sharing my views on the solutions that are now available.

Why Entra ID backup and restore matters

Hybrid Identity scenario

When organizations operate Hybrid Identity environments, consisting in most cases of Active Directory, Entra ID (Azure AD) and Entra Connect (Azure AD Connect), it's critical for security and compliance purposes that they can ensure the availability and integrity of both on-premises Active Directory and Entra ID (Azure AD).

Regardless of the Hybrid Identity configuration, some attributes and some objects are not synchronized or synced back. For user objects, these attributes typically include strong authentication settings. For groups, they typically include memberships and dynamic group definitions. Entra-joined devices live in Entra ID only. Conditional Access policy definitions live in Entra ID only. When a user account is disabled in Active Directory on-premises, all the Teams memberships for the corresponding user object in Entra ID are irrevocably removed at that time.

Without the ability to back up and restore objects and attributes in Microsoft Entra ID, this information is lost forever when removed, inadvertently changed or improperly managed. As Entra ID provides authentication and authorization to all Microsoft 365, Dynamics 365 and Azure resources, this is increasingly seen as an unacceptable risk.
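To see how much of a tenant falls into the Entra-only categories listed above, the following added example (not code from the original post or from any of the vendors discussed) exports that data to JSON with read-only permissions. It assumes the Microsoft Graph PowerShell SDK is installed; `$OutDir`, the file names and the `Save-Json` helper are hypothetical.

```powershell
# Added example, not from the original post. Assumes the Microsoft Graph
# PowerShell SDK is installed (Install-Module Microsoft.Graph).
# $OutDir is a hypothetical output folder created under the current directory.
$OutDir = Join-Path $PWD ('entra-export-{0:yyyyMMdd-HHmmss}' -f (Get-Date))
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Read-only delegated scopes are sufficient for an export.
Connect-MgGraph -Scopes 'User.Read.All','Group.Read.All','Device.Read.All','Policy.Read.All'

function Save-Json {
    param([string]$Name, [object[]]$Data)
    # Passing the array via -InputObject keeps the file a JSON array
    # even when there are zero or one objects.
    ConvertTo-Json -InputObject $Data -Depth 20 |
        Set-Content -Path (Join-Path $OutDir "$Name.json") -Encoding UTF8
    '{0,-30} {1,6} object(s)' -f $Name, $Data.Count
}

# Users: OnPremisesSyncEnabled is $true only for accounts synced from AD.
$users = @(Get-MgUser -All -Property Id,UserPrincipalName,AccountEnabled,OnPremisesSyncEnabled |
    Select-Object Id, UserPrincipalName, AccountEnabled, OnPremisesSyncEnabled)
Save-Json 'users' $users
Save-Json 'users-cloud-only' @($users | Where-Object { -not $_.OnPremisesSyncEnabled })

# Groups: memberships and dynamic group definitions (one member query per group).
$groups = @(foreach ($g in (Get-MgGroup -All -Property Id,DisplayName,GroupTypes,MembershipRule,OnPremisesSyncEnabled)) {
    [pscustomobject]@{
        Id             = $g.Id
        DisplayName    = $g.DisplayName
        SyncedFromAD   = [bool]$g.OnPremisesSyncEnabled
        IsDynamic      = $g.GroupTypes -contains 'DynamicMembership'
        MembershipRule = $g.MembershipRule   # only populated for dynamic groups
        MemberIds      = @(Get-MgGroupMember -GroupId $g.Id -All | ForEach-Object Id)
    }
})
Save-Json 'groups' $groups

# Entra-joined devices exist in Entra ID only (trustType 'AzureAd').
Save-Json 'devices-entra-joined' @(Get-MgDevice -All | Where-Object TrustType -eq 'AzureAd')

# Conditional Access policy definitions exist in Entra ID only.
Save-Json 'conditional-access-policies' @(Get-MgIdentityConditionalAccessPolicy -All)
```

The resulting files record the state at export time for comparison or manual re-creation; they are not a restore mechanism. Store them with the same care as the directory itself, since they describe group memberships and access policies.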

Cloud-only scenario

For organizations that merely have cloud-only objects and attributes that aren't synchronized to an on-premises Identity store, the availability and integrity of objects and attributes in Entra ID are even more critical. When Entra ID is unavailable, all sign-ins stop and thus all access stops.

Products and Services

Today, in the last month of 2023, I'm aware of the following companies offering help with backing up and restoring objects in Microsoft Entra ID:


Quest

Quest Software Inc. is a privately owned company with its headquarters in Aliso Viejo, California. It was founded in 1987.

Quest On Demand Recovery for Azure Active Directory has been the solution for organizations wanting to make backups of objects in Entra ID (Azure AD). It provides restores of entire objects and roll-back of changes to objects. This functionality has been available since 2019 and offers backups and restores of user objects, group objects and Conditional Access policies. Quest On Demand is a Software-as-a-Service (SaaS) solution.


Keepit

Keepit A/S is a Danish company, founded in 2007 and headquartered in Copenhagen, Denmark.

Keepit specializes in cloud-to-cloud backup and recovery services. They talked about their upcoming Azure AD Backup and Recovery solution at the 2022 European SharePoint Conference in Copenhagen in late November 2022. They launched their solution as Backup and Recovery for Azure AD (now Entra ID), a Software-as-a-Service (SaaS) solution that provides resilience in the face of Entra ID (Azure AD) outages, compromises, and misconfigurations, as your organization needs access to data.

Keepit's solution offers backups and restores of user objects, groups, roles, administrative units (AUs), audit logs and sign-in logs. Along with backup and restore capabilities for other cloud services, like Microsoft 365, Dynamics 365, Power Platform, Azure DevOps, Zendesk, Google Workspace, and Salesforce, Keepit provides a wide range of capabilities for most cloud services in use.

Their data locations are in Australia (for customers in the Asia-Pacific region), in Copenhagen, Frankfurt and London (for EU customers) and in Ashburn and Toronto (for customers in the Americas). This way, for their EU customers, Keepit promises data sovereignty.

Semperis

Semperis Inc. is a US company, founded in 2014, headquartered in New Jersey and operating internationally. Its research and development teams are distributed between San Francisco and Tel Aviv. The company may also be known from Purple Knight, a free cybersecurity assessment tool downloaded by 10,000+ users, and Forest Druid, a first-of-its-kind Tier 0 attack path discovery tool.

Semperis offers Active Directory Security and Recovery solutions. Their new Recovery for Azure AD Software-as-a-Service (SaaS) solution provides backups and restores of user objects, groups and roles.

The Recovery for Azure AD solution adds Entra ID backup and restore capabilities to their award-winning Directory Services Protector (DSP) and Active Directory Forest Recovery (ADFR) products.

AvePoint

AvePoint Inc is a publicly traded US company, founded in 2001 and headquartered in New Jersey. On July 2, 2021, AvePoint went public (AVPT).

AvePoint's Azure Backup service includes Azure Entra ID (formerly Azure AD), Azure Virtual Machines, Azure Storage, AWS VMs and much more, as a Software-as-a-Service (SaaS) solution. However, its Microsoft 365 Backup Express service does not include it.

Rubrik

Rubrik Inc is a private US company, founded in 2014 and headquartered in Palo Alto, California.

In May 2023, Rubrik unveiled its plans to build support for Entra ID user objects, groups, enterprise apps, and application registrations directly into Rubrik Security Cloud as a Software-as-a-Service (SaaS) solution. Its Rubrik Security Cloud now supports Entra ID, with caveats.

Concluding

Currently, five SaaS solutions are readily available to back up and restore objects and their attributes in Microsoft Entra ID.

Further reading

Why Azure AD Backup is Needed | Practical365
How to Back Up and Restore Azure Active Directory
EntraExporter: PowerShell module to export a local copy of an Entra (Azure AD)
Recoverability best practices in Microsoft Entra ID

The post Backing up and Restoring Entra ID objects and their attributes in 2023 appeared first on The DirTeam.com / ActiveDir.org Weblogs.


December 12, 2023 at 07:56PM