No more data loss? How secure backup & recovery works in Microsoft Entra ID

The spread of the cloud has led to significant changes in data backup and recovery. While it is still possible to back up servers, for example for Microsoft Active Directory, in their entirety and restore them in full, the same cannot be done as simply for objects in Microsoft Entra ID. When it comes to backing up users, groups, applications or tenant settings, you need appropriate backup and recovery solutions and a strategy that suits your company.

Imagine for a moment that parts of your Microsoft Tenant have been deleted. Such data loss presents numerous risks: the two most significant are operational and security related. One major scenario in this context would be the loss of a large number of security groups, for example. This can have serious consequences. Problems with access and non-functioning applications can severely impact operations. If security groups that were stored in conditional access rules were also deleted, users would only be able to log on to applications and resources using less secure methods. For instance, where multi-factor authentication was previously required, this feature would now be missing. This reduced security situation can make ransomware attacks more likely.

But this need not always directly impact a large number of objects like groups. Sometimes all it takes is a loss of data of individual attributes such as application settings – the resulting loss of data has significant ramifications, e.g. when it comes to the application’s authorizations. Too few authorizations will generally lead to operational problems, while too many will lead to unwanted access possibilities.

Looking for Microsoft experts?

As a Microsoft Solutions Partner, we are always informed about the latest developments at Microsoft and can offer you fast, competent support for your projects. Microsoft has certified us as a Solutions Partner in the areas of Data & AI, Modern Work and Security.

Depending on the scale of the data loss, entire departments, production facilities or even the whole company may no longer be able to work. In addition, there is a risk of severe reputational harm in the eyes of the public if, for example, data loss or paralyzed business processes result in payment delays or data protection regulations such as the EU GDPR are violated. The financial implications of an entire company being unable to operate for an extended period of time are also extremely serious. If no recovery plan is in place, companies also face severe fines, especially if, like banks and insurance companies, they are subject to special regulatory requirements.

The BAIT and VAIT guidelines (“BAIT” standing as the German acronym for “Bankaufsichtliche Anforderungen an die IT” [“Banking Supervisory Requirements for IT”] and “VAIT” for “Versicherungsaufsichtliche Anforderungen an die IT” [“Insurance Supervisory Requirements for IT”]) set out regulations for the provision of infrastructure. At federal level, the requirements of “KRITIS” (short for “critical infrastructure”) must be taken into account in the financial sector and other areas of critical infrastructure, where the restoration of operations is also an important factor.

A way to counteract this is to have a documented backup and recovery strategy and corresponding measures that take into account the special features of Microsoft Entra ID.

Side note

How do you spot a good backup & recovery solution for Microsoft Entra ID?

Companies should ensure that the following criteria are met when making a selection:


The backup & recovery solution should be able to back up objects completely. Many providers only ensure a smaller selection of attributes. This can lead to gaps in the backup, something that must be counteracted.

Attribute recovery

Furthermore, the solution should also be able to restore individual attributes. This is particularly important when hybrid objects are restored from on-premises environments and then need to be supplemented with the cloud attributes.

Restoration of complex dependencies

It is also important especially for Entra ID to be able to restore complex dependencies if an object has to be completely recreated.

Where existing solutions fall short

Of course, there are solutions that are already available in Entra ID or solutions from third-party providers. But these have open flanks and are therefore not sufficient:

The Microsoft Entra ID recycle bin

If you are familiar with Entra ID, you might think that there is already an out-of-the-box solution – the recycle bin. This can be used to restore users, applications, Microsoft 365 groups and service principals. Regrettably, this is only true at first glance, as the recycle bin has several weak points. It is true that it can restore the objects, even with all attributes and relationships, but this only applies as long as the object has not been permanently deleted. Other weak points include:

  • No recovery in tenant loss scenario
  • No recovery if all admin accounts have been deleted
  • Backup of only a few object types
  • No recovery of tenant settings
  • No recovery of security groups

Especially when hybrid security groups have been permanently deleted, the recycle bin does not offer a sufficient solution.

Commercial and open-source solutions

In our experience, there are only a few providers on the market that can completely backup and restore Entra ID objects. They do have gaps though, particularly in the restoration of dependencies and with regard to the completeness of objects and attributes. This applies to commercial solutions as well as open-source solutions.

With open-source solutions, no manufacturer is responsible for the further development of the solution, as there is a community working on it. Here, companies must ensure operation and further development themselves.


Expert Talk: “Modern IT infrastructure is like a saw: it needs regular sharpening”

Modernizing an IT landscape is a major challenge for many companies and is often something difficult to accommodate in day-to-day business. In his role as […]

Strategy comes before the selection of a solution

One thing that all solutions have in common is that there is no single solution that covers all use cases. This is particularly important if tenant settings are also to be saved. Therefore, depending on the application, individual solutions may not be sufficient. If you want to be on the safe side, you may require a combination of different solutions and, if necessary, customized retrofitting.

In order to develop a suitable backup and recovery strategy, a few preliminary considerations need to be made. The most important ones are:

  • Clarify the tenant’s objects and settings to be backed up:
    Companies must first be clear about which objects and settings are to be backed up. Should, for example, only objects from the Entra ID area be taken into account? Who is responsible for backing up Exchange and other Microsoft 365 workloads?
  • Include and consider existing (hybrid) systems:
    What does the current IT landscape look like? Are there hybrid systems, for example the Active Directory? Are there already backup and recovery solutions for this and what exactly do they cover?
  • Conduct a market analysis and identify current gaps:
    Companies ought to know which solutions are currently available and where these solutions have gaps in order to be able to make an informed decision.
  • Clarify governance requirements:
    Where may company data be stored? In which country does a service provider process the data?

 The options can then be weighed up and a strategy drawn up for the various scenarios:

  • The next steps must be decided on the basis of the existing solutions in the company, solutions on the market and open-source solutions. Here it may make sense to expand existing solutions developed in-house.
  • Different data loss scenarios must be tailored to the various backup and recovery solutions.
  • A short-term solution may need to be implemented, e.g. a backup solution with manual recovery, until the definitive solution is in place.

Does all of this sound complex? We are happy to support you in developing a clear strategy and introducing solutions based on it. If you would like to discuss this topic, please contact Tobias Wurm and Christian Holtschneider: You can contact us here.