No more data loss? How secure backup & recovery works in Microsoft Entra ID

Imagine for a moment that parts of your Microsoft Tenant have been deleted. Such data loss presents numerous risks: the two most significant are operational and security related. One major scenario in this context would be the loss of a large number of security groups, for example. This can have serious consequences. Problems with access and non-functioning applications can severely impact operations. If security groups that were stored in conditional access rules were also deleted, users would only be able to log on to applications and resources using less secure methods. For instance, where multi-factor authentication was previously required, this feature would now be missing. This reduced security situation can make ransomware attacks more likely.

But this need not always directly impact a large number of objects like groups. Sometimes all it takes is a loss of data of individual attributes such as application settings – the resulting loss of data has significant ramifications, e.g. when it comes to the application’s authorizations. Too few authorizations will generally lead to operational problems, while too many will lead to unwanted access possibilities.

Looking for Microsoft experts?

As a Microsoft Solutions Partner, we are always informed about the latest developments at Microsoft and can offer you fast, competent support for your projects. Microsoft has certified us as a Solutions Partner in the areas of Data & AI, Modern Work and Security.

Learn more

Depending on the scale of the data loss, entire departments, production facilities or even the whole company may no longer be able to work. In addition, there is a risk of severe reputational harm in the eyes of the public if, for example, data loss or paralyzed business processes result in payment delays or data protection regulations such as the EU GDPR are violated. The financial implications of an entire company being unable to operate for an extended period of time are also extremely serious. If no recovery plan is in place, companies also face severe fines, especially if, like banks and insurance companies, they are subject to special regulatory requirements.

The BAIT and VAIT guidelines (“BAIT” standing as the German acronym for “Bankaufsichtliche Anforderungen an die IT” [“Banking Supervisory Requirements for IT”] and “VAIT” for “Versicherungsaufsichtliche Anforderungen an die IT” [“Insurance Supervisory Requirements for IT”]) set out regulations for the provision of infrastructure. At federal level, the requirements of “KRITIS” (short for “critical infrastructure”) must be taken into account in the financial sector and other areas of critical infrastructure, where the restoration of operations is also an important factor.

A way to counteract this is to have a documented backup and recovery strategy and corresponding measures that take into account the special features of Microsoft Entra ID.

Side note

In order to find suitable solutions, it is first worth taking a look at the possible causes of data loss. It often occurs as a result of the following:

Random deletions/changes

Incorrect sync settings from on-premises systems

Intentional deletions or manipulations by attackers

Data loss can affect single or multiple attributes (properties of the object, e.g. the affiliation of users to a department), an entire object (e.g. a user, user groups or apps) or the entire tenant.

Companies should take appropriate IT and cyber security precautions to prevent this. In addition to preventive measures, this also includes a backup and recovery strategy for when the loss has actually occurred. However, if a company uses Microsoft Entra ID, different strategies and solutions are required than those used on-premises.
Microsoft Azure is a complex service centered around Microsoft Entra ID (formerly Microsoft Azure AD). The administration of identities, devices, groups and applications takes place centrally here. Microsoft Azure itself consists of a large number of other connected services, e.g. Azure DevOps, and works closely with Microsoft 365 – and in a hybrid scenario with the on-premises Microsoft Active Directory system. This complexity must be taken into account when it comes to backup & recovery.

The dependencies between the objects are particularly noteworthy. Each object has a unique identification number, the so-called object ID. The challenge here lies in the accurate restoration of permanently deleted objects, as a new object ID is created and the previous dependencies are lost.

Data loss in the Microsoft Entra ID environment can then affect entire security and user groups and access rules (conditional access), entire applications or even the entire tenant.

How do you spot a good backup & recovery solution for Microsoft Entra ID?

Companies should ensure that the following criteria are met when making a selection:

Completeness

The backup & recovery solution should be able to back up objects completely. Many providers only ensure a smaller selection of attributes. This can lead to gaps in the backup, something that must be counteracted.

Attribute recovery

Furthermore, the solution should also be able to restore individual attributes. This is particularly important when hybrid objects are restored from on-premises environments and then need to be supplemented with the cloud attributes.

Restoration of complex dependencies

It is also important especially for Entra ID to be able to restore complex dependencies if an object has to be completely recreated.

Where existing solutions fall short

Of course, there are solutions that are already available in Entra ID or solutions from third-party providers. But these have open flanks and are therefore not sufficient:

The Microsoft Entra ID recycle bin

If you are familiar with Entra ID, you might think that there is already an out-of-the-box solution – the recycle bin. This can be used to restore users, applications, Microsoft 365 groups and service principals. Regrettably, this is only true at first glance, as the recycle bin has several weak points. It is true that it can restore the objects, even with all attributes and relationships, but this only applies as long as the object has not been permanently deleted. Other weak points include:

No recovery in tenant loss scenario
No recovery if all admin accounts have been deleted
Backup of only a few object types
No recovery of tenant settings
No recovery of security groups

Especially when hybrid security groups have been permanently deleted, the recycle bin does not offer a sufficient solution.

Commercial and open-source solutions

In our experience, there are only a few providers on the market that can completely backup and restore Entra ID objects. They do have gaps though, particularly in the restoration of dependencies and with regard to the completeness of objects and attributes. This applies to commercial solutions as well as open-source solutions.

With open-source solutions, no manufacturer is responsible for the further development of the solution, as there is a community working on it. Here, companies must ensure operation and further development themselves.

Blog

Expert Talk: “Modern IT infrastructure is like a saw: it needs regular sharpening”

Modernizing an IT landscape is a major challenge for many companies and is often something difficult to accommodate in day-to-day business. In his role as […]

Cyber Security & IT Infrastructure Implementation +1

Strategy comes before the selection of a solution

One thing that all solutions have in common is that there is no single solution that covers all use cases. This is particularly important if tenant settings are also to be saved. Therefore, depending on the application, individual solutions may not be sufficient. If you want to be on the safe side, you may require a combination of different solutions and, if necessary, customized retrofitting.

In order to develop a suitable backup and recovery strategy, a few preliminary considerations need to be made. The most important ones are:

Clarify the tenant’s objects and settings to be backed up:
Companies must first be clear about which objects and settings are to be backed up. Should, for example, only objects from the Entra ID area be taken into account? Who is responsible for backing up Exchange and other Microsoft 365 workloads?
Include and consider existing (hybrid) systems:
What does the current IT landscape look like? Are there hybrid systems, for example the Active Directory? Are there already backup and recovery solutions for this and what exactly do they cover?
Conduct a market analysis and identify current gaps:
Companies ought to know which solutions are currently available and where these solutions have gaps in order to be able to make an informed decision.
Clarify governance requirements:
Where may company data be stored? In which country does a service provider process the data?

The options can then be weighed up and a strategy drawn up for the various scenarios:

The next steps must be decided on the basis of the existing solutions in the company, solutions on the market and open-source solutions. Here it may make sense to expand existing solutions developed in-house.
Different data loss scenarios must be tailored to the various backup and recovery solutions.
A short-term solution may need to be implemented, e.g. a backup solution with manual recovery, until the definitive solution is in place.

Does all of this sound complex? We are happy to support you in developing a clear strategy and introducing solutions based on it. If you would like to discuss this topic, please contact Tobias Wurm and Christian Holtschneider: You can contact us here.