Microsoft Entra Backup and Recovery is a new built-in solution (currently in public preview) that automatically backs up critical Microsoft Entra ID (Azure Active Directory) objects and allows administrators to restore them to a previous good state after accidental changes or security incidents. It captures daily snapshots (retaining the last 5 days of backups) of key directory components – such as user accounts, groups, application registrations, service principals, and security policies – and stores them securely in your tenant’s region.
By using difference reports, admins can compare the current state of the tenant with a prior backup to see what changed, then selectively recover any or all objects back to their earlier values. This capability provides a safety net for identity management, complementing other Microsoft backup and recovery tools.
Key Features and How It Works
Microsoft Entra Backup and Recovery is designed to protect your organization’s identity configuration and provide quick fixes if something goes wrong. Below are its core capabilities and how they function:
- Automated Backups: The system automatically backs up supported directory objects once every 24 hours, with up to five daily restore points available at any time. Backups are taken without manual intervention and are retained for 5 days on a rolling basis. Notably, administrators (even global admins) cannot disable or delete these backups, ensuring an attacker or accidental action can’t wipe out the safety net. The backup data is stored in the same geographic location as your tenant for compliance.
- Supported Objects: Entra Backup & Recovery covers key Azure AD objects and settings, including users and their attributes, security groups, application registrations (and service principals), Conditional Access policies, named location definitions, authentication method policies, and even the tenant’s organization settings. (It also supports backup of “Agent ID” objects, a special category of service identities.) In essence, most core identity-related configurations in Entra ID are within scope. (For a detailed list of exactly which object attributes are backed up, Microsoft provides a “supported attributes” reference.)
- Difference Reports: Before performing a recovery, administrators can generate a difference report to see exactly what has changed between a selected backup snapshot and the current tenant state. These reports list only the objects that have been added, modified, or deleted since that backup. You can filter the report by object type or a specific object ID to focus on particular changes if needed. This feature is extremely useful for change auditing – for example, if a critical Conditional Access policy was accidentally altered, the difference report will highlight that change. For hybrid environments, even changes to on-premises-synchronized objects will appear in the report, though those objects must ultimately be restored on-premises rather than via Entra (cloud) recovery.
- Granular or Full Recovery: When ready to revert changes, you can initiate a recovery job choosing which objects to restore. Entra Backup & Recovery lets you recover all changes in the backup or apply filters – e.g. recover only a certain object type (such as just users, or just groups) or even a specific object by its ID. This flexibility means you don’t always have to do an all-or-nothing rollback; you can precisely target the items that need fixing. During recovery, the service handles each change according to its type: if an object was deleted since the backup, the tool will undelete (restore) the object; if an object was added after the backup, the tool will soft-delete that new object to remove it (it won’t hard-delete anything); and if an object was changed, it will revert the attributes to the backup state. This model returns the tenant to the prior state as closely as possible without permanently deleting data. Recovery time will depend on how many changes are being applied (e.g. a large number of objects might take several hours), and only one recovery or report job can run at a time to avoid conflicts.
- Recovery History and Audit: The portal provides a Recovery History page to review completed or in-progress recovery operations. Each operation is logged, which helps with auditing and understanding when and what was restored. Additionally, administrators should use Azure AD’s existing audit logs for detailed events (e.g., who deleted a user account) to supplement this history when investigating incidents.
Important limitations:
Microsoft Entra Backup & Recovery cannot recreate objects that were “hard-deleted” (permanently deleted) from the directory. In other words, if an object was deleted and is now beyond the soft-delete retention window (e.g., a user account purged after the standard 30-day Azure AD recycle bin window, or one that was explicitly permanently deleted), the backup service will not be able to bring that object back. It also will not create entirely new objects if something was missing in the backup; it only restores or reverts existing entries. For this reason, Microsoft strongly recommends enabling “protected actions” in Entra ID – a feature that restricts who can permanently delete objects – to prevent accidental hard deletions of users, applications, etc.
Also note that organizations using hybrid identity (AD DS synchronization) should be aware that while changes to synced objects show up in reports, those objects must be recovered in the on-premises AD – the cloud backup tool can’t override on-prem directory authority. Entra Backup & Recovery currently supports only “workforce” (internal) tenants; Azure AD B2C or External ID tenants are not supported in the preview.
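To make the difference-report and recovery rules above concrete, here is an added model of the decision logic in Python. It is example code written for this article, not Microsoft's implementation and not the Graph API behind the feature; the object identifiers, attribute names and the three snapshots (backup, current tenant, recycle bin) are all constructed. It computes the report (added / modified / deleted, filterable by object type or object ID), maps each change to the recovery action the article describes (soft-delete, undelete, revert attributes), and flags the two cases the service cannot fix itself: a hard-deleted object with no recycle-bin copy, and an on-premises-synchronized object that must be recovered in AD DS.

```python
"""Model of Entra Backup and Recovery's difference report and recovery plan.

Added example, not Microsoft's code or API: it encodes the behaviour the
article describes over constructed sample snapshots.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class DirectoryObject:
    object_id: str
    object_type: str            # e.g. "user", "group", "conditionalAccessPolicy"
    attributes: Dict[str, str]
    on_prem_synced: bool = False  # authoritative copy lives in on-premises AD DS


@dataclass(frozen=True)
class Change:
    object_id: str
    object_type: str
    kind: str                   # "added" | "modified" | "deleted"
    on_prem_synced: bool
    before: Optional[Dict[str, str]] = None  # attributes in the backup
    after: Optional[Dict[str, str]] = None   # attributes in the current tenant


Snapshot = Dict[str, DirectoryObject]

# Constructed backup snapshot (state five days ago).
BACKUP: Snapshot = {
    "u-001": DirectoryObject("u-001", "user", {"displayName": "Alice", "accountEnabled": "true"}),
    "u-002": DirectoryObject("u-002", "user", {"displayName": "Bob", "department": "Finance"}, on_prem_synced=True),
    "u-003": DirectoryObject("u-003", "user", {"displayName": "Carol", "accountEnabled": "true"}),
    "g-001": DirectoryObject("g-001", "group", {"displayName": "Finance-Admins"}),
    "ca-001": DirectoryObject("ca-001", "conditionalAccessPolicy", {"displayName": "Require MFA for admins", "state": "enabled"}),
}

# Constructed current tenant: u-002 edited (synced), g-001 soft-deleted, ca-001 disabled,
# u-003 hard-deleted (absent everywhere), app-001 newly registered.
CURRENT: Snapshot = {
    "u-001": BACKUP["u-001"],
    "u-002": replace(BACKUP["u-002"], attributes={"displayName": "Bob", "department": "Sales"}),
    "ca-001": replace(BACKUP["ca-001"], attributes={"displayName": "Require MFA for admins", "state": "disabled"}),
    "app-001": DirectoryObject("app-001", "application", {"displayName": "Unreviewed app"}),
}

# Constructed recycle bin: soft-deleted objects still within the retention window.
RECYCLE_BIN: Snapshot = {"g-001": BACKUP["g-001"]}


def difference_report(backup: Snapshot, current: Snapshot,
                      object_type: Optional[str] = None,
                      object_id: Optional[str] = None) -> List[Change]:
    """List objects added, modified or deleted since the backup, with optional filters."""
    changes: List[Change] = []
    for oid in sorted(set(backup) | set(current)):
        b, c = backup.get(oid), current.get(oid)
        if b is not None and c is None:
            changes.append(Change(oid, b.object_type, "deleted", b.on_prem_synced, before=b.attributes))
        elif b is None and c is not None:
            changes.append(Change(oid, c.object_type, "added", c.on_prem_synced, after=c.attributes))
        elif b.attributes != c.attributes:
            changes.append(Change(oid, c.object_type, "modified", c.on_prem_synced,
                                  before=b.attributes, after=c.attributes))
    if object_type is not None:
        changes = [ch for ch in changes if ch.object_type == object_type]
    if object_id is not None:
        changes = [ch for ch in changes if ch.object_id == object_id]
    return changes


def plan_recovery(changes: List[Change], recycle_bin: Snapshot) -> List[Tuple[str, str]]:
    """Map each change to the action the article describes, or flag it as out of scope."""
    plan: List[Tuple[str, str]] = []
    for ch in changes:
        if ch.on_prem_synced:
            plan.append((ch.object_id, "recover_on_premises"))   # cloud cannot override AD DS
        elif ch.kind == "added":
            plan.append((ch.object_id, "soft_delete"))           # never a hard delete
        elif ch.kind == "deleted":
            restorable = ch.object_id in recycle_bin
            plan.append((ch.object_id, "undelete" if restorable else "not_recoverable"))
        else:
            plan.append((ch.object_id, "revert_attributes"))
    return plan


def apply_recovery(plan: List[Tuple[str, str]], backup: Snapshot,
                   current: Snapshot, recycle_bin: Snapshot) -> Tuple[Snapshot, Snapshot]:
    """Simulate the recovery job; returns the new (tenant, recycle_bin) pair."""
    tenant, bin_ = dict(current), dict(recycle_bin)
    for oid, action in plan:
        if action == "soft_delete":
            bin_[oid] = tenant.pop(oid)
        elif action == "undelete":
            tenant[oid] = bin_.pop(oid)
        elif action == "revert_attributes":
            tenant[oid] = replace(tenant[oid], attributes=dict(backup[oid].attributes))
        # "recover_on_premises" and "not_recoverable": left for the admin to handle
    return tenant, bin_


if __name__ == "__main__":
    report = difference_report(BACKUP, CURRENT)
    for ch in report:
        print(f"{ch.kind:9} {ch.object_type:25} {ch.object_id}")
    plan = plan_recovery(report, RECYCLE_BIN)
    print(plan)
    after, _ = apply_recovery(plan, BACKUP, CURRENT, RECYCLE_BIN)
    print("remaining:", [(c.object_id, c.kind) for c in difference_report(BACKUP, after)])
```

Running the simulation leaves exactly two residual differences: the synced user (to be fixed in on-premises AD) and the hard-deleted user (gone for good), which is the gap the article's advice about protected actions is meant to close.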
The image above shows a summary of what Microsoft Entra Backup and Recovery can do.
Overall, Microsoft Entra Backup and Recovery is a significant step toward protecting the often-overlooked identity layer of the cloud. It provides peace of mind that if someone misconfigures a Conditional Access policy or accidentally deletes a batch of users, those changes are not irreversible. Administrators of all experience levels can benefit from this safety net, knowing that with a few clicks, they can rewind the state of Azure AD to undo a mistake or mitigate an attack. As the feature progresses from preview to general availability, we can expect support for even more object types and attributes to make it an even more robust guardian of your organization’s identity configuration. By implementing the best practices above and combining this tool with other backup solutions, you can achieve a strong, multi-layered defense against data loss and configuration errors in the Microsoft cloud ecosystem.
How Advania Can Help
Microsoft Entra Backup and Recovery is a strong foundation for protecting identity configurations, but it works best when supported by the right governance and operational processes. Advania helps organisations assess their Entra ID environment, identify high‑risk identity configurations, and align backup and recovery with best‑practice security controls such as protected actions, privileged access, and change management.
We also support secure configuration, recovery readiness, and incident response, helping teams interpret difference reports, scope recovery safely, and coordinate cloud and hybrid recovery activities when needed. Through practical guidance and administrator training, Advania ensures recovery processes are understood and tested before an incident occurs.
If you’d like help validating your Entra ID resilience or implementing Entra Backup and Recovery as part of a wider identity security strategy, contact Advania to speak with our Microsoft security specialists.