It’s no secret that more and more organizations have moved to the cloud — for example, RightScale’s January 2018 State of the Cloud Survey found that a whopping 96 percent of respondents already use at least one public or private cloud. Moreover, many of those organizations are adopting a cloud-first approach, following the lead of U.S. federal government agencies, whose cloud-first policy dates all the way back to 2010.
But it’s critical to understand that a cloud strategy, and even a cloud-first strategy, does not necessarily mean a cloud-only strategy. Although small businesses might do everything in the cloud, most medium and large organizations rely on on-premises IT systems as well as cloud services. In fact, Microsoft says that three quarters of customers with more than 500 users have a hybrid Active Directory environment.
It’s a great approach — but you have to realize that your on-premises Active Directory backup and recovery solution won’t cover all of your data in the cloud, and native Recycle Bin recovery can’t pick up the slack. Unless you take steps to address this issue, you’ll be left with a gaping hole in your enterprise data recovery strategy.
These 5 quick facts explain why:
1. Most hybrid AD environments rely on a one-way sync using Azure AD Connect.
In most organizations, the on-premises Active Directory remains the primary source of authentication and authorization, and they synchronize that on-premises AD to Azure AD using Azure AD Connect. That way, users can use a single identity to access both on-premises applications and cloud services, such as Office 365.
However, it’s critical to understand that this sync is normally one way, from on-premises AD to Azure AD. As a result, any cloud-only objects and attributes you have are not covered by your on-premises backup and recovery solution.
2. Yes, you have cloud-only objects.
It’s practically impossible to run Office 365 or Azure without creating some cloud-only objects. Here are just the three top examples:
- Office 365 groups — Organizations often create Office 365 groups to establish sets of people who need to collaborate and specify resources (like an Exchange Online mailbox and SharePoint Online site) for them to share.
- Azure AD groups — Organizations also create Azure AD groups to manage access to resources efficiently and in keeping with best practices.
- Azure AD business-to-business (B2B) and business-to-consumer (B2C) accounts — Organizations often have thousands or even millions of B2B and B2C accounts, which help them support external customers and partners. For instance, many companies use B2C accounts to allow customers to use their Facebook or LinkedIn credentials to log in to their Azure AD. But by design, B2B and B2C accounts are not Azure Enterprise accounts, and therefore they are not part of the Azure AD Connect synchronization.
3. Plus, some of your other objects have cloud-only attributes.
Most Azure AD objects have attributes that exist only in the cloud. In particular, every Azure AD user has an Office 365 license type that determines the features to which the user is entitled, and Azure AD allows you to create new attributes for certain objects — for example, you might build an application in Azure and create an extension attribute that controls access to it.
4. Native Azure AD tools will not save you.
You might be thinking, well, even if my on-premises solution won’t enable me to back up and recover these cloud-only objects and attributes, it’s no big deal; if any of them gets deleted or modified when it shouldn’t, I’ll just restore it from the Azure AD Recycle Bin. But that’s not a viable strategy, for several reasons:
- It’s hard to figure out what you need to restore — There is no native change log or comparison report to help you determine exactly which Azure AD objects have been changed or deleted.
- You can recover only recently deleted objects — The Azure AD Recycle Bin keeps deleted objects for a maximum of 30 days. If it has been longer than that since the user was deleted, you’re out of luck.
- Some objects can’t be recovered at all — Some types of objects, including Azure AD groups and group membership, are never put in the Recycle Bin when they are deleted. And even objects that normally do go in the Recycle Bin can be hard-deleted, which means they don’t get put in it. You can’t restore any of those objects using native tools no matter how recently they were deleted.
- You can’t restore in bulk without PowerShell — An outside attacker, an errant script or a malicious insider can easily cause a massive number of incorrect changes or deletions in your Azure AD. But there’s no native way to restore multiple objects at one time without using PowerShell.
- There is no way to restore specific attributes that have been changed in a user object — The Azure AD Recycle Bin is useful only for deleted objects; it can’t help you at all if an object’s properties are changed. And if the changes are to cloud-only attributes like Office 365 license type or extension attributes, which are never recorded in your on-premises AD, you’ll have no way to restore them.
5. The gap in your enterprise disaster recovery strategy really does matter — to security, business continuity and compliance.
Suppose a bunch of users are deleted by a runaway script. If you restore them from your on-premises backup, their Office 365 license type and extension attributes will be gone, and they won’t be able to access any Office 365 applications until you manually go in and fix their accounts. What if those users need to finalize a contract or deliver a document to the CEO?
It’s even worse if an Azure AD group or its membership is deleted. Since Azure AD groups and group membership are not moved to the Recycle Bin when they are deleted, they can’t be recovered with native tools. You’ll have to recreate the group manually from scratch, which means the business disruption will be even longer.
Finally, consider what will happen if a malicious user were to add an account to several of your important Azure groups. Without any change log or comparison report to help you determine which Azure AD objects were affected, you’ll be hard-pressed to know exactly what changed, and the Azure AD Recycle Bin won’t be of any help in remediating the issue, since nothing was deleted. While you try to figure it all out, not only will you be fielding calls from users who can’t get their work done, you’ll also be at risk for data breaches and compliance failures.
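Because Azure AD offers no native change log or comparison report (fact 4), the unexpected group-membership change described above is hard to even detect. The following PowerShell script is an added example, not Quest’s or Microsoft’s code: it snapshots every Azure AD group’s membership and diffs it against the previous snapshot, so deleted groups and added or removed members show up in a report. It assumes the AzureAD PowerShell module with an existing Connect-AzureAD session; the snapshot folder path is a hypothetical value.

```powershell
# Added example: snapshot Azure AD group membership and diff it against the
# previous snapshot. Assumes the AzureAD module and an active Connect-AzureAD
# session. $SnapshotDir is a hypothetical path chosen for this example.
param(
    [string]$SnapshotDir = 'C:\AADSnapshots'
)

function Get-AadGroupMembershipSnapshot {
    # Returns a hashtable: group ObjectId -> @{ DisplayName; Members (ObjectIds) }
    $snapshot = @{}
    foreach ($group in Get-AzureADGroup -All $true) {
        $members = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
                   ForEach-Object { $_.ObjectId } | Sort-Object
        $snapshot[$group.ObjectId] = @{ DisplayName = $group.DisplayName; Members = @($members) }
    }
    return $snapshot
}

function Compare-AadGroupSnapshots {
    param([hashtable]$Old, [hashtable]$New)
    # Groups that vanished since the last run: deleted Azure AD groups never reach
    # the Recycle Bin, so this diff may be the only record that they existed.
    foreach ($id in $Old.Keys | Where-Object { -not $New.ContainsKey($_) }) {
        [pscustomobject]@{ Change = 'GroupDeleted'; Group = $Old[$id].DisplayName; Member = $null }
    }
    foreach ($id in $New.Keys | Where-Object { -not $Old.ContainsKey($_) }) {
        [pscustomobject]@{ Change = 'GroupCreated'; Group = $New[$id].DisplayName; Member = $null }
    }
    # Membership changes in groups present in both snapshots (e.g. an account
    # quietly added to a privileged group).
    foreach ($id in $New.Keys | Where-Object { $Old.ContainsKey($_) }) {
        $oldMembers = @($Old[$id].Members); $newMembers = @($New[$id].Members)
        foreach ($m in $newMembers | Where-Object { $_ -notin $oldMembers }) {
            [pscustomobject]@{ Change = 'MemberAdded'; Group = $New[$id].DisplayName; Member = $m }
        }
        foreach ($m in $oldMembers | Where-Object { $_ -notin $newMembers }) {
            [pscustomobject]@{ Change = 'MemberRemoved'; Group = $New[$id].DisplayName; Member = $m }
        }
    }
}

# Take the current snapshot, report changes against the newest stored one, then store it.
New-Item -ItemType Directory -Path $SnapshotDir -Force | Out-Null
$current  = Get-AadGroupMembershipSnapshot
$previous = Get-ChildItem $SnapshotDir -Filter '*.xml' | Sort-Object LastWriteTime | Select-Object -Last 1
if ($previous) {
    Compare-AadGroupSnapshots -Old (Import-Clixml $previous.FullName) -New $current | Format-Table -AutoSize
}
$current | Export-Clixml (Join-Path $SnapshotDir ("groups-{0:yyyyMMdd-HHmm}.xml" -f (Get-Date)))
```

Run it on a schedule so each snapshot becomes the baseline for the next; the report tells you what changed, but restoring a deleted group or its membership still has to be done by hand, as the text notes.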
But don’t put your cloud adoption plans on hold! You can get the comprehensive backup, recovery and disaster recovery you need for your hybrid AD environment with Quest solutions. Read our white paper, “Plugging the Gaps Azure AD Connect Leaves in Your Cloud Disaster Recovery Strategy,” to learn more about:
- How a hybrid AD environment works
- The types of cloud-only objects and attributes you’ll have
- The limitations of native tools for backup and recovery in the cloud