Different people have different needs, and different organizations operate differently, but some needs are common to all of them. In security, availability is the primary one: without it there is nothing left to secure.
Some organizations run a hybrid setup, straddling on-premises Active Directory and Azure Active Directory (Azure AD) in order to use Office 365; others live in a pure Azure AD environment. The one certainty is that changes WILL happen in both environments, so it is vital to understand the recovery limitations BEFORE you have an incident in Active Directory, whether on-premises or in Azure.
Hybrid Scenario
Syncing on-prem and Azure AD
In the hybrid scenario your users and groups are synchronized from your on-premises Active Directory to Azure AD. If you delete an OU containing a thousand user objects, directory synchronization deletes those same thousand users from Azure AD. If you restore that OU on-premises, Azure AD Connect re-synchronizes it and those same thousand users are restored in Azure AD, provided the restore happens within 30 days: that is how long Azure AD keeps a soft-deleted object, and the recycle bin is the only native "backup" Azure AD offers. Whether the on-premises restore comes from the AD Recycle Bin or from a backup does not matter; once the objects are back on-prem, Azure AD Connect re-syncs them and the matching Azure AD objects come back.
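The following is an added example, not code from the original post, showing the on-premises side of the scenario above: restoring a deleted OU and everything beneath it from the AD Recycle Bin (parent first, then children, recursing into nested OUs) and then triggering a delta sync so Azure AD Connect re-creates the matching Azure AD objects. It assumes the AD Recycle Bin is enabled, the ActiveDirectory module is loaded, and that Start-ADSyncSyncCycle is run on the Azure AD Connect server; the OU name 'Sales' is illustrative.

```powershell
# Added example (not from the original post). Assumptions: AD Recycle Bin
# enabled, ActiveDirectory module available, and the final sync-cycle call
# executed on the Azure AD Connect server (ADSync module). 'Sales' is illustrative.

function Get-DeletedChildren {
    # Deleted objects remember the DN of their former parent in lastKnownParent.
    param([Parameter(Mandatory)][string]$ParentDN)
    Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects `
        -Properties lastKnownParent |
        Where-Object { $_.lastKnownParent -eq $ParentDN }
}

function Restore-DeletedTree {
    # Restore a deleted container and, recursively, the objects that were under it.
    # The parent must come back first: Restore-ADObject refuses an object whose
    # lastKnownParent does not currently exist. Returns the number of objects restored.
    param([Parameter(Mandatory)]$DeletedObject)
    $DeletedObject | Restore-ADObject
    # A restored object keeps its objectGUID, so look it up to learn its live DN.
    $live  = Get-ADObject -Identity $DeletedObject.ObjectGUID
    $count = 1
    foreach ($child in Get-DeletedChildren -ParentDN $live.DistinguishedName) {
        if ($child.ObjectClass -in @('organizationalUnit', 'container')) {
            $count += Restore-DeletedTree -DeletedObject $child
        } else {
            $child | Restore-ADObject
            $count++
        }
    }
    return $count
}

function Restore-DeletedOU {
    param([Parameter(Mandatory)][string]$OUName)
    # A deleted object's name becomes "<name>\0ADEL:<guid>", so match on the
    # prefix; if the OU was deleted more than once, take the most recent deletion.
    $ou = Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "organizationalUnit"' `
            -IncludeDeletedObjects -Properties whenChanged |
          Where-Object { $_.Name -like "$OUName*ADEL:*" } |
          Sort-Object whenChanged -Descending | Select-Object -First 1
    if (-not $ou) { throw "No deleted OU named '$OUName' found in the Recycle Bin" }

    $restored = Restore-DeletedTree -DeletedObject $ou
    Write-Host "Restored $restored object(s) under OU '$OUName'"

    # Delta sync: Azure AD Connect sees the restored objects and Azure AD
    # restores its soft-deleted copies, as long as they are inside the 30-day window.
    Start-ADSyncSyncCycle -PolicyType Delta
}

Restore-DeletedOU -OUName 'Sales'
```

Restoring the parent before its children is the step people most often get wrong when scripting this; restoring a thousand users before their OU exists fails for every one of them.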
Pitfall #1 – Incomplete recycle bin restores
One glaring limitation of the recycle bin is that it only returns an object to the state it was in when it was deleted. Most attributes in the hybrid scenario are controlled by directory synchronization; license allocation is NOT. Someone could change users' licenses in Azure AD via PowerShell (or through the Admin Center), and there is no easy way to put those users back to their previous state. Suddenly a user cannot perform the tasks their job requires, and licenses have to be reassigned by hand.
The on-premises recycle bin has the same limitation: it restores an AD account in its entirety rather than restoring individual modifications to that account. In hybrid scenarios, when a user is restored on-prem, the restored account is synchronized to Azure AD, but some attributes, such as license type, are not held in Active Directory at all. If those attributes are deleted or modified, accidentally or maliciously, they have to be added back manually after the restore.
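The following is an added example, not code from the original post, showing one way to close this gap: snapshot the per-user license assignments that live only in Azure AD on a schedule, and after a restore has re-synced the users, diff the snapshot against what is currently assigned and re-apply whatever is missing. It assumes the AzureAD PowerShell module with Connect-AzureAD already run; Microsoft has since retired that module in favour of Microsoft Graph PowerShell, but the pattern (snapshot, diff, re-assign) is the same. The snapshot path is illustrative.

```powershell
# Added example (not from the original post). Assumptions: AzureAD module,
# Connect-AzureAD already run, snapshot path is illustrative.

$SnapshotPath = 'C:\Backups\AzureAD-Licenses.xml'

function Export-LicenseSnapshot {
    param([string]$Path = $SnapshotPath)
    # One record per (user, SKU). DisabledPlans is captured because
    # Set-AzureADUserLicense needs it to reproduce the assignment exactly.
    $snapshot = foreach ($u in Get-AzureADUser -All $true) {
        foreach ($l in Get-AzureADUserLicenseDetail -ObjectId $u.ObjectId) {
            [pscustomobject]@{
                UserPrincipalName = $u.UserPrincipalName
                UsageLocation     = $u.UsageLocation
                SkuId             = $l.SkuId
                SkuPartNumber     = $l.SkuPartNumber
                DisabledPlans     = @($l.ServicePlans |
                    Where-Object { $_.ProvisioningStatus -eq 'Disabled' } |
                    Select-Object -ExpandProperty ServicePlanId)
            }
        }
    }
    $snapshot | Export-Clixml -Path $Path
    return $snapshot
}

function Restore-LicenseSnapshot {
    param([string]$Path = $SnapshotPath)
    $snapshot = Import-Clixml -Path $Path
    foreach ($perUser in $snapshot | Group-Object UserPrincipalName) {
        $upn  = $perUser.Name
        $user = Get-AzureADUser -ObjectId $upn -ErrorAction SilentlyContinue
        if (-not $user) { Write-Warning "$upn is not in Azure AD; restore the user first"; continue }

        # A license cannot be assigned to a user without a UsageLocation, and a
        # re-synced user may come back without one if it is not set on-prem.
        $wanted = $perUser.Group[0]
        if (-not $user.UsageLocation -and $wanted.UsageLocation) {
            Set-AzureADUser -ObjectId $user.ObjectId -UsageLocation $wanted.UsageLocation
        }

        # Only add what is missing; never strip licenses while you are recovering.
        $current = @((Get-AzureADUserLicenseDetail -ObjectId $user.ObjectId).SkuId)
        $missing = @($perUser.Group | Where-Object { $_.SkuId -notin $current })
        if ($missing.Count -eq 0) { continue }

        $toAdd = New-Object 'System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.AssignedLicense]'
        foreach ($m in $missing) {
            $lic = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
            $lic.SkuId         = $m.SkuId
            $lic.DisabledPlans = $m.DisabledPlans
            $toAdd.Add($lic)
        }
        $assignment = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
        $assignment.AddLicenses = $toAdd
        Set-AzureADUserLicense -ObjectId $user.ObjectId -AssignedLicenses $assignment
        Write-Host "$upn : re-assigned $($missing.SkuPartNumber -join ', ')"
    }
}

# Usage: run Export-LicenseSnapshot on a schedule (before the incident);
# run Restore-LicenseSnapshot once the users are back in Azure AD.
```

Two details matter in practice: a re-synced user with no UsageLocation cannot receive a license at all, and disabled service plans are part of the assignment, so a snapshot that records only SKU IDs would re-enable plans that had deliberately been switched off.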
Pitfall #2 - Don’t forget about your pure cloud resources
Office 365 groups may include members that are synchronized from on-prem in the hybrid scenario, but the groups themselves (used for Yammer, SharePoint, OneDrive, and so on) live in Azure AD, NOT in your on-premises Active Directory. Your users may start relying on these groups without you knowing, right up until a membership change happens and you are asked to revert it to the previous state. Adoption of these group types is growing, so while this may not be a problem for you today, it may become one faster than you expect.
Cloud Only Identities
Some organizations begin with the hybrid scenario and later add cloud-only identities; others start out with ONLY cloud identities. There are things you need to be aware of in this scenario as well.
Pitfall #3 - Recycle bin timeout is not configurable
First is the length of time an object is kept in the recycle bin. A deleted user account in Azure AD can be restored for thirty days, and that window cannot be changed. Items that were hard-deleted (permanently removed from the recycle bin) cannot be restored with the recycle bin at all. As with the on-premises Active Directory recycle bin, you cannot restore specific attributes either.
Pitfall #4 – Tracking changes that occurred
Identifying WHAT changed between a backup and a restore can be challenging as well. Suppose a script was running that would delete all users, and you noticed and killed it before it ran to completion. You have no easy way to check which changes it had already made.
Pitfall #5 – Inability to do a simple restore of groups or attributes from a point in time
Office 365 groups and Azure AD groups are used to boost productivity, so if these groups suddenly go missing there will be consequences. Unfortunately the recycle bin does not let you easily restore groups or attributes. The ability to restore deleted groups via PowerShell has recently been added, but you cannot restore them to a targeted point in time.
Fortunately Quest is working on closing these gaps and giving you options to manage Azure AD and Office 365 more securely … watch this space!
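The following is an added example, not code from the original post, covering Pitfalls #4 and #5 together: take dated snapshots of Azure AD and Office 365 groups with their members, diff two snapshots to see exactly WHAT changed (groups deleted, groups added, members removed or added), and push one group's membership back to what a chosen snapshot recorded, restoring the group from the Azure AD recycle bin first if it is soft-deleted. It assumes the AzureAD PowerShell module with Connect-AzureAD already run (Microsoft has since retired that module in favour of Microsoft Graph PowerShell; the pattern is unchanged). Folder, group and user names are illustrative, and the sample data at the bottom is constructed so that the diff can be exercised offline.

```powershell
# Added example (not from the original post). Assumptions: AzureAD module,
# Connect-AzureAD already run; folder, group and user names are illustrative.

function Export-GroupSnapshot {
    param([string]$Folder = 'C:\Backups\AzureAD-Groups')
    $snapshot = foreach ($g in Get-AzureADGroup -All $true) {
        [pscustomobject]@{
            ObjectId    = $g.ObjectId
            DisplayName = $g.DisplayName
            # Record user members by UPN: UPNs survive a delete/restore cycle,
            # object IDs of re-created users do not. Nested groups are skipped here.
            Members     = @(Get-AzureADGroupMember -ObjectId $g.ObjectId -All $true |
                            Where-Object { $_.ObjectType -eq 'User' } |
                            Select-Object -ExpandProperty UserPrincipalName)
        }
    }
    $path = Join-Path $Folder ("groups-{0:yyyyMMdd-HHmm}.xml" -f (Get-Date))
    $snapshot | Export-Clixml -Path $path
    return $snapshot
}

function Compare-GroupSnapshot {
    # Pure function: what changed between two snapshots (arrays of the objects above).
    param([Parameter(Mandatory)]$Before, [Parameter(Mandatory)]$After)
    $beforeById = @{}; foreach ($g in $Before) { $beforeById[$g.ObjectId] = $g }
    $afterById  = @{}; foreach ($g in $After)  { $afterById[$g.ObjectId]  = $g }
    $changes = foreach ($id in $beforeById.Keys) {
        $b = $beforeById[$id]
        if (-not $afterById.ContainsKey($id)) {
            [pscustomobject]@{ Group = $b.DisplayName; Change = 'GroupDeleted'; Detail = ($b.Members -join ', ') }
            continue
        }
        $a = $afterById[$id]
        foreach ($m in $b.Members | Where-Object { $_ -notin $a.Members }) {
            [pscustomobject]@{ Group = $b.DisplayName; Change = 'MemberRemoved'; Detail = $m }
        }
        foreach ($m in $a.Members | Where-Object { $_ -notin $b.Members }) {
            [pscustomobject]@{ Group = $b.DisplayName; Change = 'MemberAdded'; Detail = $m }
        }
    }
    $added = foreach ($id in $afterById.Keys | Where-Object { -not $beforeById.ContainsKey($_) }) {
        [pscustomobject]@{ Group = $afterById[$id].DisplayName; Change = 'GroupAdded'; Detail = '' }
    }
    @($changes) + @($added)
}

function Restore-GroupMembership {
    # Put one group's membership back to what $Snapshot recorded. A soft-deleted
    # group is restored first (the PowerShell restore the text refers to); members
    # missing from the group are added back, extra members are only reported.
    param([Parameter(Mandatory)]$Snapshot, [Parameter(Mandatory)][string]$DisplayName)
    $wanted = $Snapshot | Where-Object DisplayName -eq $DisplayName | Select-Object -First 1
    if (-not $wanted) { throw "Group '$DisplayName' is not in the snapshot" }
    $group = Get-AzureADGroup -ObjectId $wanted.ObjectId -ErrorAction SilentlyContinue
    if (-not $group) {
        $deleted = Get-AzureADMSDeletedGroup -Id $wanted.ObjectId -ErrorAction SilentlyContinue
        if (-not $deleted) { throw "Group '$DisplayName' is hard-deleted or past the 30-day window" }
        Restore-AzureADMSDeletedDirectoryObject -Id $wanted.ObjectId | Out-Null
        $group = Get-AzureADGroup -ObjectId $wanted.ObjectId
    }
    $current = @(Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
                 Where-Object { $_.ObjectType -eq 'User' } |
                 Select-Object -ExpandProperty UserPrincipalName)
    foreach ($upn in $wanted.Members | Where-Object { $_ -notin $current }) {
        $user = Get-AzureADUser -ObjectId $upn -ErrorAction SilentlyContinue
        if (-not $user) { Write-Warning "$upn no longer exists; restore the user first"; continue }
        Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $user.ObjectId
    }
    $extra = @($current | Where-Object { $_ -notin $wanted.Members })
    if ($extra.Count) { Write-Warning "Members not in snapshot, left in place: $($extra -join ', ')" }
}

# Constructed sample data (not a real tenant) to exercise the diff offline:
$before = @(
    [pscustomobject]@{ ObjectId = 'g1'; DisplayName = 'Sales';   Members = @('ann@contoso.com', 'bob@contoso.com') },
    [pscustomobject]@{ ObjectId = 'g2'; DisplayName = 'Finance'; Members = @('cid@contoso.com') }
)
$after = @(
    [pscustomobject]@{ ObjectId = 'g1'; DisplayName = 'Sales';   Members = @('ann@contoso.com', 'dan@contoso.com') }
)
Compare-GroupSnapshot -Before $before -After $after | Format-Table -AutoSize
```

The point-in-time capability the recycle bin lacks comes entirely from the snapshot cadence: restore from the file taken just before the bad change, and the diff tells you what that restore is about to undo before you run it.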
Time
Today we help you with your on-premises Active Directory recovery. If you want more information about our capabilities, please go here: https://www.quest.com/products/recovery-manager-for-active-directory/
As your needs evolve and you need to extend your backup and recovery capabilities to the cloud, please talk to your Quest representative about how we can best help. And if you want to check out an early adopter program, get in touch: ondemand@quest.com