I feel compelled to create this blog post from a tweet thread that I read this morning. This means that what you’re about to read here are not my original thoughts for the most part but have come from the brain of Merill Fernando, project manager for Azure AD.
Understanding what we can recover from deletion and what cannot be recovered is important. Especially, the not recoverable part. That means we have to rely on documentation and knowing what was a deleted and maybe ever what else was dependent on that deleted item and repairing that too. As Azure AD has become such an important daily management tool, this tweet thread is a critical read.
Where I have comments, the are in italic
Soft delete or hard delete?
You might have started noticing recycle bin type of tabs in the Azure AD portal. Eg: Deleted Groups in the Groups blade. These give you a 30 day window to undelete accidental deletions. Go past the 30 day window and it’s going to be hard to recover.
Once hard deleted, objects cannot be recovered. Instead you need to recreate and reconfigure. E.g. If you accidentally delete a device object, there is no option to recover it.
Important: in the picture below we learn that ONLY users and Microsoft 365 groups and applications are soft deleted. This means that for everything else when you hit delete, its gone-gone. Devices – gone. Conditional access policies – gone. Security groups – gone.
The Scream Test
To avoid getting into this scenario always make sure your clean up scripts perform a “scream test”. How do you do one? Always do a logical delete first (set Enabled = false) and wait for a few weeks/months. If no one screams you can safely delete.
“I thought the cloud was magical and I didn’t have to deal with any of this?” While we are continually working on improving Azure ADs recoverability story it is always a shared responsibility between Microsoft and you the customer.
Arguably the most important piece of documentation that the Microsoft lawyers have ever produced. This is the messaging that I use for my clients when discussing backup. Microsoft backs up for their purposes, which it to make sure that the service is available. You have to backup for your own purposes, which is to recover your data and in the case of the cloud, that includes data that we typically don’t think about like policies. However, there’s no backup service that is going to capture this type of data for you.
Document, document, document
Let’s say someone deleted all your conditional access policies in one go. How do you recover quickly? If you didn’t plan for this, you will need to trawl through the audit logs and recreate each CA policy by hand. This is where forward planning can help.
Resources and links
A quick plug for the Azure AD Exporter tool http://aka.ms/azureadexporter that I co-authored which allows you to run a daily export of your AAD Config. Chuck it in source control and you have a version history.
To learn more see this excellent new section in the docs https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/recoverability-overview… This is an area we are investing in so watch out for greater support out of the box..
Recover from deletions Recover from deletions in Azure Active Directory | Microsoft Docs
The Microsoft 365 desired state configuration tool What is Microsoft365DSC · microsoft/Microsoft365DSC Wiki · GitHub
Microsoft Graph API’s Overview of Microsoft Graph – Microsoft Graph | Microsoft Docs
Can’t we just import our exported Azure AD stuff?
I asked Merill whether or not there’s an Azure AD Importer tool, since there exists an Azure AD Exporter. His reply:
Merill Fernando@merillReplying to @thirdtierBuilding an importer is a bit more complex, but it can be done 😉
All we do is support IT professionals.Microsoft 365 technical assistance, Super Secret News, Security community, MSP Legislation community, EndPoint, Defender and Lighthouse community, Peer groups, Kits, papers, Business consulting and more.https://www.thirdtier.net
