Recovery for Azure AD
Morgan Holm
Jan 25, 2022
Azure Active Directory (Azure AD or AAD) is Microsoft’s identity and access management (IAM) solution for the cloud. It provides sign-in and access control for external resources such as Microsoft 365, the Azure portal and other SaaS applications. Many organizations have gone through, or are currently going through, digital transformations that make Azure AD their primary IAM. Problems or mistakes with Azure AD can have a costly impact on user productivity or even put your data at risk of exposure, especially now, with the substantial increase in work from home.
Microsoft does provide SLAs around uptime of resources in Azure, but it does not back up your directory data or provide any guarantees for it; managing that is your responsibility. A common approach to identities in hybrid environments is to sync users from on-premises Active Directory (AD) to Azure AD using Azure AD Connect. This can give a false sense of security: since the identity information originates in AD, it is tempting to assume that your on-premises enterprise backup software and tools have you covered. The issue is that Azure AD also holds cloud-only objects such as users, groups and roles that those solutions never see and therefore cannot back up or recover.
Another common misconception is that the Azure AD recycle bin has you covered. It does work in some cases but has substantial drawbacks. The recycle bin only retains deleted objects for 30 days, and that value currently cannot be extended. An object can also be hard deleted, meaning it is never placed in the recycle bin or has been purged from it, and it can then no longer be restored. The first of the two biggest issues, one the recycle bin shares with its on-premises counterpart, is that it only contains objects that have been deleted. It protects against accidental deletions but does nothing for unwanted changes to objects, such as a scripting error that updates many objects with incorrect values. The other big issue is that not all object types are protected by the recycle bin, leaving significant gaps in your enterprise data recovery. There is no coverage for:
- MFA settings
- security groups
- service principals
- conditional access policies
- devices
Cygna Recovery for Azure AD allows you to quickly and easily back up your Azure Active Directory data to help eliminate costly downtime. It integrates with Cygna Auditor for Azure AD, so you can roll back unwanted or malicious changes right from the details of an audit event. You can also compare backups down to the attribute level, both between backups and against the live environment, which lets you search granularly and restore anything from an individual attribute to bulk restorations of users, groups and so on, mitigating the risk of data loss and impacts to productivity.
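To make concrete why a recycle bin is not a backup (the scripting-error and unsupported-object-type gaps described above) and what an attribute-level comparison between two backups actually yields, here is an added example in Python. It is not code from the original post or from Cygna's product: it diffs two constructed directory snapshots (object IDs, attribute names and values are made up, not exported from a real tenant), reports which deleted objects the native recycle bin could not bring back, and builds the list of attribute writes needed to roll back unwanted modifications from the earlier snapshot. The set of soft-deletable types (users, Microsoft 365 groups, application registrations) reflects the recycle bin as of this writing; the snapshot format is an assumption for illustration.

```python
# Added example (not from the original post or Cygna's product): attribute-level
# diff of two directory snapshots. All data below is constructed sample input.
from dataclasses import dataclass, field

# Object types the Azure AD recycle bin can restore within its 30-day window.
# Security groups, service principals, devices and conditional access policies
# are hard deleted and never reach it.
SOFT_DELETE_TYPES = {"user", "m365Group", "application"}

# Constructed "before" snapshot, keyed by objectId.
BEFORE = {
    "u1": {"type": "user", "displayName": "Ana Lopez",
           "department": "Finance", "usageLocation": "US"},
    "u2": {"type": "user", "displayName": "Ben Okafor",
           "department": "Legal", "usageLocation": "GB"},
    "u3": {"type": "user", "displayName": "Chen Wei",
           "department": "Sales", "usageLocation": "SG"},
    "g1": {"type": "securityGroup", "displayName": "Finance-Approvers",
           "members": ["u1"]},
    "sp1": {"type": "servicePrincipal", "displayName": "payroll-sync",
            "appRoles": ["Directory.Read.All"]},
    "ca1": {"type": "conditionalAccessPolicy", "displayName": "Require MFA",
            "state": "enabled"},
}

# Constructed "after" snapshot: a faulty bulk script blanked every department,
# one user, a security group and a service principal were deleted, and a
# conditional access policy was switched off.
AFTER = {
    "u1": {"type": "user", "displayName": "Ana Lopez",
           "department": "", "usageLocation": "US"},
    "u2": {"type": "user", "displayName": "Ben Okafor",
           "department": "", "usageLocation": "GB"},
    "ca1": {"type": "conditionalAccessPolicy", "displayName": "Require MFA",
            "state": "disabled"},
}


@dataclass
class SnapshotDiff:
    deleted: dict = field(default_factory=dict)   # objectId -> type
    added: dict = field(default_factory=dict)     # objectId -> type
    modified: dict = field(default_factory=dict)  # objectId -> {attr: (old, new)}


def diff_snapshots(before, after):
    """Compare two snapshots object by object and attribute by attribute."""
    d = SnapshotDiff()
    for oid, obj in before.items():
        if oid not in after:
            d.deleted[oid] = obj["type"]
            continue
        changes = {}
        for attr in set(obj) | set(after[oid]):
            old, new = obj.get(attr), after[oid].get(attr)
            if old != new:
                changes[attr] = (old, new)
        if changes:
            d.modified[oid] = changes
    for oid, obj in after.items():
        if oid not in before:
            d.added[oid] = obj["type"]
    return d


def recycle_bin_gaps(d):
    """Deleted objects the native recycle bin cannot restore (hard-deleted types)."""
    return sorted(oid for oid, t in d.deleted.items() if t not in SOFT_DELETE_TYPES)


def rollback_plan(before, d):
    """Attribute writes that would undo every modification using the backup value."""
    plan = [(oid, attr, old)
            for oid, changes in d.modified.items()
            for attr, (old, _new) in changes.items()]
    return sorted(plan, key=lambda t: (t[0], t[1]))


if __name__ == "__main__":
    d = diff_snapshots(BEFORE, AFTER)
    print("deleted:", d.deleted)
    print("hard-deleted, not in recycle bin:", recycle_bin_gaps(d))
    print("modified (recycle bin cannot help):", d.modified)
    print("rollback from backup:", rollback_plan(BEFORE, d))
```

Running it shows the two failure modes side by side: `u3` is the only deletion the recycle bin could reverse, `g1` and `sp1` are gone for good without a backup, and the blanked departments and disabled policy are not deletions at all, so the only way back is the attribute values held in the earlier snapshot.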