Do you remember when Microsoft introduced the Active Directory Recycle Bin, way back in Windows Server 2008 R2? It was a huge advance, eliminating the need to perform an authoritative restore to recover deleted users, groups, OUs or other objects.
But IT pros quickly realized that the AD Recycle Bin is not a comprehensive backup and recovery solution by any stretch of the imagination. Indeed, it was never intended to be; it's designed merely to be a convenience in a small set of situations. There are plenty of recovery situations where the AD Recycle Bin won't help at all, such as when an object gets improperly modified by a careless or malicious user, attributes get overwritten by a faulty script, a hard drive fails, a database becomes corrupted, or a natural disaster strikes. That's why you have a true enterprise backup, recovery and disaster recovery solution for your on-premises environment.
Now everyone is moving to the cloud, which is often hyped as a paradise where everything is done for you, and all you have to do is pick and choose your applications and supply your own data. While it’s true that Microsoft will do quite a lot of the heavy lifting in the cloud — ensuring platform availability and automatically patching and updating applications, for instance — there are still important tasks that you’re responsible for. And one of the most important is cloud recovery and disaster recovery.
If you work at a smaller organization, you might be pursuing a cloud-only strategy, with no on-premises infrastructure at all. In that case, you need to know that the Azure AD Recycle Bin is no more a comprehensive backup and recovery solution than its on-premises counterpart. If you count on it to be one, you’ll be putting security, compliance and business continuity — in other words, your business — at serious risk.
Larger organizations tend to adopt a hybrid approach, syncing their on-premises AD up to Azure AD. If you're in that boat, you might be expecting your on-prem backup and recovery solution to cover the whole environment, and therefore think that any limitations of the Azure AD Recycle Bin are of no concern to you. But the truth is, it's practically impossible to consume Office 365 or Azure services without creating some cloud-only objects and attributes (cloud-only users and groups, application and service principal settings, conditional access policies, licence assignments), and they are very much at risk because they are invisible to your on-prem solution.
What exactly do these risks look like? Here are just five real-world use cases in which you’ll be out of luck if you don’t have an enterprise backup and recovery solution for your cloud or hybrid environment:
1. An attacker or malware deletes one of your Azure AD groups.
Certain objects are not moved to the Recycle Bin when they are deleted, and therefore they cannot be recovered with native tools. Most notably, this list includes Azure AD security groups and distribution groups, which are at the center of access control in your cloud environment. (Only Microsoft 365 groups, formerly Office 365 groups, are soft-deleted and can be restored within 30 days.) These groups manage access not only to your online applications and Microsoft online services like Office 365, but to all the non-Microsoft SaaS applications your business depends on every day. If one of your Azure AD security groups gets axed for whatever reason, your users won't be able to do their jobs until you somehow piece together what it used to look like and rebuild it from scratch, and because the rebuilt group gets a new object ID, anything that referenced the old one (app role assignments, conditional access policies, SaaS provisioning) has to be re-linked by hand.
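Since a deleted security group cannot be pulled back out of the Recycle Bin, the only native-tooling option is to have recorded what it looked like beforehand. The following PowerShell is an added example, not code from the original post or from any vendor product: it snapshots every non-Microsoft 365 group and its direct members to JSON, and rebuilds one group from that snapshot. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph module) and an account holding Group.ReadWrite.All and GroupMember.ReadWrite.All; the file paths and group name in the usage lines are placeholders.

```powershell
# Added example (not from the original post): snapshot Azure AD security/distribution groups and their
# direct members to JSON so a hard-deleted group can be rebuilt. Assumes the Microsoft.Graph module and
# an account with Group.ReadWrite.All and GroupMember.ReadWrite.All. Paths and names are placeholders.

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'GroupMember.ReadWrite.All' -NoWelcome

function Export-GroupSnapshot {
    param([Parameter(Mandatory)][string]$Path)

    $groups = Get-MgGroup -All -Property Id, DisplayName, MailNickname, Description, SecurityEnabled, MailEnabled, GroupTypes
    $snapshot = foreach ($g in $groups) {
        # Microsoft 365 groups (GroupTypes contains 'Unified') are soft-deleted and restorable; skip them.
        if ($g.GroupTypes -contains 'Unified') { continue }

        # Get-MgGroupMember returns generic directory objects; the concrete type lives in AdditionalProperties.
        $members = Get-MgGroupMember -GroupId $g.Id -All | ForEach-Object {
            [pscustomobject]@{
                Id   = $_.Id
                Type = $_.AdditionalProperties['@odata.type']
            }
        }
        [pscustomobject]@{
            Id              = $g.Id
            DisplayName     = $g.DisplayName
            MailNickname    = $g.MailNickname
            Description     = $g.Description
            SecurityEnabled = $g.SecurityEnabled
            MailEnabled     = $g.MailEnabled
            Members         = @($members)
        }
    }
    $snapshot | ConvertTo-Json -Depth 5 | Set-Content -Path $Path -Encoding UTF8
    return @($snapshot).Count
}

function Restore-GroupFromSnapshot {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$DisplayName
    )

    $entry = (Get-Content -Path $Path -Raw | ConvertFrom-Json) | Where-Object DisplayName -eq $DisplayName
    if (-not $entry) { throw "No group named '$DisplayName' in snapshot $Path" }
    if ($entry.MailEnabled) {
        # Mail-enabled security groups and distribution groups are mastered in Exchange Online;
        # New-MgGroup cannot create them, so rebuild those in Exchange and then re-add members.
        throw "Group '$DisplayName' is mail-enabled; recreate it in Exchange Online first"
    }

    $body = @{
        DisplayName     = $entry.DisplayName
        MailNickname    = $entry.MailNickname
        SecurityEnabled = $true
        MailEnabled     = $false
    }
    if ($entry.Description) { $body.Description = $entry.Description }

    # The rebuilt group gets a NEW object ID: app role assignments, conditional access policies and
    # SaaS provisioning that referenced the old ID still have to be re-linked by hand.
    $new = New-MgGroup -BodyParameter $body
    foreach ($m in $entry.Members) {
        # Members deleted since the snapshot was taken will fail to add; warn and keep going.
        try { New-MgGroupMember -GroupId $new.Id -DirectoryObjectId $m.Id }
        catch { Write-Warning "Could not add member $($m.Id) ($($m.Type)): $_" }
    }
    return $new
}

# Usage (placeholders):
# Export-GroupSnapshot -Path 'C:\Backup\aad-groups.json'
# Restore-GroupFromSnapshot -Path 'C:\Backup\aad-groups.json' -DisplayName 'SG-Finance-Readers'
```

Schedule the export and keep the JSON somewhere the same admin credentials cannot delete; a snapshot that an attacker with Group.ReadWrite.All can also wipe is not much of a safety net. Nested groups are recorded only as member IDs, so restore parent groups after their children.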
2. An attacker or malware hard-deletes one of your Azure AD users.
Even objects that normally would go into the Azure AD Recycle Bin when they are deleted can be hard-deleted, which means they bypass the Recycle Bin entirely and simply disappear. A hard delete is a deliberate second step (permanently deleting the object from the Recycle Bin in the portal, with PowerShell or through the Microsoft Graph API), so anyone with enough privilege to delete a user can also make that user unrecoverable. There's no way to restore a hard-deleted object with native tools, so again you're looking at serious business disruption until you can manually create the user anew, and the recreated user is a new object with a new object ID, not the old one.
3. A newbie admin accidentally modifies the properties of an Azure AD user incorrectly.
Or maybe there was a miscommunication from HR or the business (not that that ever happens, right?). The Azure AD Recycle Bin helps with deleted objects only; there’s no way to restore specific attributes that have been modified in a user object. If you have a hybrid environment, in some cases, you’ll be able to restore the user object from your on-prem directory. But you might well have hundreds or even thousands of Azure AD users that are cloud-only, such as B2B (business-to-business) and B2C (business-to-consumer) accounts that your partners, consultants and customers depend upon; if one of them is altered improperly, you have no way to restore the user to its former state.
4. An errant script deletes hundreds of Azure AD objects.
There's no simple way to restore multiple deleted objects at one time in the portal; you'll either have to pluck them out of the Azure AD Recycle Bin one at a time, or hope your PowerShell skills are up to snuff. The Azure AD audit log will tell you who deleted what and when, which helps you scope the damage, but there are no before-and-after comparison reports to show exactly which objects and which attributes need restoring, so be sure to leave plenty of time for this task.
5. A business relationship with a partner ends, so you delete their Azure AD user accounts. But then the relationship comes back to life, and the C-suite needs those accounts back ASAP.
The Azure AD Recycle Bin keeps deleted objects for a maximum of 30 days, after which they are permanently purged; if it has been longer than that, you won't be able to restore the users. Similarly, if an object is accidentally or maliciously deleted by a user or a script and it takes you longer than a month to discover it, you'll have no way to get the object back.
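For use cases 4 and 5 above, the practical native-tooling answer is PowerShell. The following is an added example, not code from the original post or from any vendor product: it lists the soft-deleted users removed inside a given time window (say, the minutes during which an errant script ran), restores them in bulk, and reports which deleted users are about to fall out of the 30-day window for good. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph module) and an account holding User.ReadWrite.All and Directory.Read.All; the timestamps in the usage lines are placeholders.

```powershell
# Added example (not from the original post): bulk-restore soft-deleted users by deletion time window,
# and report users nearing the 30-day purge. Assumes the Microsoft.Graph module and an account with
# User.ReadWrite.All and Directory.Read.All. Timestamps in the usage lines are placeholders.

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.Read.All' -NoWelcome

function Get-DeletedUsersInWindow {
    param(
        [Parameter(Mandatory)][datetime]$Start,   # pass UTC: DeletedDateTime from Graph is UTC
        [Parameter(Mandatory)][datetime]$End
    )
    # Only soft-deleted users are listed here; hard-deleted users are gone and never appear.
    Get-MgDirectoryDeletedItemAsUser -All -Property Id, DisplayName, UserPrincipalName, DeletedDateTime |
        Where-Object { $_.DeletedDateTime -ge $Start -and $_.DeletedDateTime -le $End }
}

function Restore-DeletedUsersInWindow {
    param(
        [Parameter(Mandatory)][datetime]$Start,
        [Parameter(Mandatory)][datetime]$End,
        [switch]$DryRun
    )
    $result = @{ Restored = @(); Failed = @() }
    foreach ($u in Get-DeletedUsersInWindow -Start $Start -End $End) {
        if ($DryRun) {
            Write-Host "Would restore $($u.DisplayName) ($($u.Id)) deleted $($u.DeletedDateTime)"
            continue
        }
        try {
            # A restore keeps the original object ID, so licences, group memberships and
            # app assignments come back with the user (unlike recreating it from scratch).
            Restore-MgDirectoryDeletedItem -DirectoryObjectId $u.Id | Out-Null
            $result.Restored += $u.Id
        }
        catch {
            # Typical cause: the UPN or proxy address has been reused by an account created since the deletion.
            Write-Warning "Restore of $($u.DisplayName) ($($u.Id)) failed: $_"
            $result.Failed += $u.Id
        }
    }
    return $result
}

function Get-ExpiringDeletedUsers {
    param([int]$WithinDays = 7)
    $now = (Get-Date).ToUniversalTime()
    Get-MgDirectoryDeletedItemAsUser -All -Property Id, DisplayName, DeletedDateTime | ForEach-Object {
        # Soft-deleted objects are purged 30 days after DeletedDateTime; after that nothing native can recover them.
        $purgeAt = $_.DeletedDateTime.ToUniversalTime().AddDays(30)
        [pscustomobject]@{
            DisplayName     = $_.DisplayName
            Id              = $_.Id
            DeletedDateTime = $_.DeletedDateTime
            DaysLeft        = [math]::Floor(($purgeAt - $now).TotalDays)
        }
    } | Where-Object DaysLeft -le $WithinDays | Sort-Object DaysLeft
}

# Usage (placeholders): rehearse first, then restore everything the script deleted in that window.
# Restore-DeletedUsersInWindow -Start '2024-03-04T09:00:00Z' -End '2024-03-04T09:15:00Z' -DryRun
# Restore-DeletedUsersInWindow -Start '2024-03-04T09:00:00Z' -End '2024-03-04T09:15:00Z'
# Get-ExpiringDeletedUsers -WithinDays 5 | Format-Table
```

Run the dry run against the audit log's list of "Delete user" events before restoring: the time window is a blunt filter and will also catch legitimate deletions (a departing employee processed the same morning). Nothing here helps with use case 3, a modified rather than deleted user, because there is no prior state to restore from.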
These five use cases illustrate some of the risks in a cloud or hybrid environment, but there’s a lot more to know. Check out our white paper, “Active Directory Recovery in a Cloud or Hybrid World" to learn more about:
Download the White Paper