How to restore access to enterprise applications if a user account is hard deleted — cloud or on premises

If your enterprise application uses SSO, restoring broken access may not be as easy as you think.

Microsoft Azure Active Directory (AD) has a great feature to provide single sign-on (SSO) access to enterprise applications for either cloud or on-premises users. There are a lot of applications available for integration in the Azure AD Application Gallery, such as Salesforce, Box, Google, and Amazon Web Services. You can also use this Azure AD SSO feature for non-gallery applications and for any cloud service that supports SAML SSO or OpenID Connect. It is also possible to configure cloud access for on-premises web applications. This is a great way to leverage secure logon access to many business-critical applications, either on premises or in the cloud. Good news, right?

Of course it is, but what happens when your actual Azure AD account gets deleted? 

Robert's problem

As an on-premises user, Robert has access to the Salesforce application as a Marketing User. He uses his on-premises AD password to authenticate to Salesforce. SSO does its job, and Robert doesn’t need to know or care about how he gets into the app; he just logs in with the same credentials that he uses to log in to his desktop. Except one day, he tries to open Salesforce and gets an authentication error. Now he can’t get to an important report he needs for a big campaign. Frustrated, he opens an IT help desk ticket and has to wait for help.

Over to support

The IT administrator found the root cause: Malware permanently deleted Azure AD users. You’re probably thinking, how can this happen? Surely, the Azure Portal should prevent this?

And you’re right, but even though the Azure Portal has some level of protection from accidental deletion (the delete operation is grayed out), it is still possible to delete users with a PowerShell cmdlet (Remove-AzureADUser) or with the Graph API. So a simple script and the right access can harm the directory.

The on-premises user is live in our scenario, so we can force Azure AD Connect to synchronize from the on-premises AD instance to the cloud and restore the user. However, application access is still not restored. Azure AD Connect doesn't know anything about cloud properties, including application role assignments.  

If thousands of users are deleted and they were assigned to hundreds of applications, then it will be really hard to get these restored quickly. 
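The gap described above can be illustrated with an added example (not Quest's code and not part of the original post) that compares a backed-up snapshot of users and app role assignments with the directory after re-sync and plans the assignments to re-create. It assumes a re-synced user comes back with a new object id but the same `onPremisesImmutableId`; the function name, snapshot layout and all ids are hypothetical placeholders, while the field names follow Microsoft Graph.

```python
# Added example: plan app role assignment restores after users are re-synced.
# Input dicts use Microsoft Graph field names; all sample values are constructed.

def plan_restores(backup_users, backup_assignments, current_users, current_assignments):
    """Return (requests, unresolved).

    requests:   bodies for Graph POST /users/{principalId}/appRoleAssignments
    unresolved: backed-up assignments whose user has no match in the directory
    """
    # Old object id -> on-premises anchor (assumed stable across delete/re-sync).
    anchor_of = {u["id"]: u.get("onPremisesImmutableId") for u in backup_users}
    # Anchor -> object id the user has today.
    new_id = {u["onPremisesImmutableId"]: u["id"]
              for u in current_users if u.get("onPremisesImmutableId")}
    existing = {(a["principalId"], a["resourceId"], a["appRoleId"])
                for a in current_assignments}
    requests, unresolved = [], []
    for a in backup_assignments:
        target = new_id.get(anchor_of.get(a["principalId"]))
        if target is None:  # cloud-only user, or not re-synced yet
            unresolved.append(a)
            continue
        key = (target, a["resourceId"], a["appRoleId"])
        if key not in existing:  # skip assignments that survived or repeat
            existing.add(key)
            requests.append(dict(zip(("principalId", "resourceId", "appRoleId"), key)))
    return requests, unresolved

# Constructed snapshots: Robert was hard deleted and re-synced, Alice was untouched,
# Carol is a deleted cloud-only account with no on-premises anchor.
BACKUP_USERS = [
    {"id": "old-robert", "onPremisesImmutableId": "Um9iZXJ0"},
    {"id": "alice", "onPremisesImmutableId": "QWxpY2U="},
    {"id": "carol", "onPremisesImmutableId": None},
]
BACKUP_ASSIGNMENTS = [
    {"principalId": "old-robert", "resourceId": "sp-salesforce", "appRoleId": "marketing-user"},
    {"principalId": "alice", "resourceId": "sp-salesforce", "appRoleId": "marketing-user"},
    {"principalId": "carol", "resourceId": "sp-box", "appRoleId": "default-access"},
]
CURRENT_USERS = [
    {"id": "new-robert", "onPremisesImmutableId": "Um9iZXJ0"},
    {"id": "alice", "onPremisesImmutableId": "QWxpY2U="},
]
CURRENT_ASSIGNMENTS = [BACKUP_ASSIGNMENTS[1]]

if __name__ == "__main__":
    todo, skipped = plan_restores(BACKUP_USERS, BACKUP_ASSIGNMENTS, CURRENT_USERS, CURRENT_ASSIGNMENTS)
    print("re-create:", todo)
    print("needs manual recovery:", [a["principalId"] for a in skipped])
```

Assignments left in the unresolved list belong to accounts that a re-sync cannot bring back, so they need the user object restored first.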

The solution

Quest® On Demand Recovery backs up application role assignments and can quickly restore them with the following steps.

1. Find the deleted users. This is easy to do with the difference report.

2. Just click to restore. On Demand Recovery will take care of complex things, such as restoring cloud-only attributes including application role assignments, then, if necessary, restoring on-premises objects with Quest Recovery Manager for AD and forcing Azure AD Connect to sync these changes.

As a result, role assignments are restored, and Robert is now able to access the Salesforce application. 

Using On Demand Recovery, you can fully recover Robert’s account, as well as his application access.  

More details about applications and service principal restore are in the On Demand Recovery documentation.
