In recent years, if you wanted to make backups of objects in Microsoft Entra ID (Azure AD) and be able to restore them reliably, there was only one vendor that fit the bill. Now, at the end of 2023, I'm seeing other companies offering help with backing up and restoring objects in Microsoft Entra ID. In this blog post, I'm sharing my views on the solutions that are now available.
Why Entra ID backup and restore matters
Hybrid Identity scenario
When organizations operate Hybrid Identity environments, consisting in most cases of Active Directory, Entra ID (Azure AD) and Entra Connect (Azure AD Connect), it's critical for security and compliance purposes that they can ensure the availability and integrity of both on-premises Active Directory and Entra ID (Azure AD).
Regardless of the Hybrid Identity configuration, some attributes and some objects are not synchronized or synced back. Typical user attributes in this category include strong authentication settings. Typical group attributes include memberships and dynamic group definitions. Entra-joined devices live in Entra ID only. Conditional Access policy definitions live in Entra ID only. When a user account is disabled in Active Directory on-premises, all the Teams memberships for the corresponding user object in Entra ID are irrevocably removed at that time.
Without the ability to back up and restore objects and attributes in Microsoft Entra ID, this information is lost forever when removed, inadvertently changed or improperly managed. As Entra ID provides authentication and authorization to all Microsoft 365, Dynamics 365 and Azure resources, this is increasingly seen as an unacceptable risk.
Cloud-only scenario
For organizations that merely have cloud-only objects and attributes that aren’t synchronized to an on-premises Identity store, the availability and integrity of objects and attributes in Entra ID is even more critical. When Entra ID is unavailable, all sign-ins stop and thus all access stops.
Products and Services
Today, in the last month of 2023, I'm aware of the following companies offering help with backing up and restoring objects in Microsoft Entra ID (sorted by founding date):
Quest
Quest Software Inc. is a privately owned company with its headquarters in Aliso Viejo, California. It was founded in 1987.
Quest On Demand Recovery for Azure Active Directory has been the solution for organizations wanting to make backups of objects in Entra ID (Azure AD). It provides restores of entire objects and roll-back of changes to objects. This functionality has been available since 2019 and offers backups and restores of user objects, group objects and Conditional Access policies. Quest On Demand is a Software-as-a-Service (SaaS) solution.
Commvault
Commvault is a public US company, founded in 1996 and headquartered in New Jersey.
Commvault is the only company in this overview that offers both an on-premises and a Software-as-a-Service (SaaS) solution for backing up and restoring objects in Entra ID (Azure AD):
- Commvault Backup & Recovery
Commvault's software solution, to be run by organizations in their own datacenters and on their own storage, supports backing up and restoring Entra ID (Azure AD) user objects, groups, enterprise applications and application registrations. This feature has been part of Commvault v11.20, dated June 15, 2020.
- Commvault Cloud
After introducing Metallic as a data protection solution for businesses of all sizes in 2019, in November 2023, Commvault folded Metallic back in under the Commvault Cloud moniker. In June 2021, Metallic introduced their backup-as-a-service of Azure AD users and groups as part of their Software-as-a-Service solution. In December 2023, backup and recovery for Conditional Access policies and privileged roles was added to the solution.
ManageEngine
ManageEngine is a division of ZOHO, focusing on enterprise management software. ZOHO Corporation Pvt. Ltd. is a private company that was founded in 1996 and is headquartered in Pleasanton, California.
RecoveryManager Plus by ManageEngine is a backup and recovery solution for Microsoft Entra ID (Azure AD). It offers automated full and incremental backups for all Microsoft Entra ID objects like Users, Groups, Devices, Applications, Service Principals, Directory Roles, Subscribed SKUs, Policies, Administrative Units, and Domains. With support for object- and attribute-level restoration, it provides customizable retention periods for compliance. Organizations can store backups within their premises, in NAS, or cloud repositories.
AvePoint
AvePoint Inc is a public US company, founded in 2001 and headquartered in New Jersey. On July 2, 2021, AvePoint went public (AVPT).
AvePoint's Azure Backup service includes Azure Entra ID (formerly Azure AD), Azure Virtual Machines, Azure Storage, AWS VMs and much more, as a Software-as-a-Service (SaaS) solution. However, its Microsoft 365 Backup Express service does not include it.
Keepit
Keepit A/S is a Danish company, founded in 2007 and headquartered in Copenhagen, Denmark.
Keepit specializes in cloud-to-cloud backup and recovery services. They talked about their upcoming Azure AD Backup and Recovery solution at the 2022 European SharePoint Conference in Copenhagen in late November 2022. They launched their solution as Backup and Recovery for Azure AD (now Entra ID), a Software-as-a-Service (SaaS) solution that provides resilience in the face of Entra ID (Azure AD) outages, compromises, and misconfigurations, as your organization needs access to data.
Keepit's solution offers backups and restores of user objects, groups, roles, administrative units (AUs), audit logs and sign-in logs. Along with backup and restore capabilities for other cloud services, like Microsoft 365, Dynamics 365, Power Platform, Azure DevOps, Zendesk, Google Workspace, and Salesforce, Keepit provides a wide range of capabilities for most cloud services in use.
Their data locations are in Australia (for customers in the Asia-Pacific region), in Copenhagen, Frankfurt and London (for EU customers) and in Ashburn and Toronto (for customers in the Americas). This way, for their EU customers, Keepit promises data sovereignty.
Semperis
Semperis Inc. is a US company, founded in 2014 and headquartered in New Jersey, that operates internationally. Their research and development teams are distributed between San Francisco and Tel Aviv. Semperis may also be known from Purple Knight, a free cybersecurity assessment tool downloaded by 10,000+ users, and Forest Druid, a first-of-its-kind Tier 0 attack path discovery tool.
Semperis offers Active Directory Security and Recovery solutions. Their new Recovery for Azure AD Software-as-a-Service (SaaS) solution provides backups and restores of user objects, groups and roles.
The Recovery for Azure AD solution adds Entra ID backup and restore capabilities as an addition to their award-winning Directory Services Protector (DSP) and Active Directory Forest Recovery (ADFR) products.
Rubrik
Rubrik Inc is a private US company, founded in 2014 and headquartered in Palo Alto, California.
In May 2023, Rubrik unveiled its plans to build support for Entra ID user objects, groups, enterprise apps, and application registrations directly into Rubrik Security Cloud as a Software-as-a-Service (SaaS) solution. Its Rubrik Security Cloud now supports Entra ID, with caveats.
Concluding
Currently, six SaaS solutions and two on-premises solutions are readily available to back up and restore objects and their attributes in Microsoft Entra ID.
Further reading
Why Azure AD Backup is Needed | Practical365
How to Back Up and Restore Azure Active Directory
EntraExporter: PowerShell module to export a local copy of an Entra (Azure AD)
Recoverability best practices in Microsoft Entra ID
SEMPERIS is a very good solution; the strongest point is the ease of use.