It’s no secret that more and more organizations have moved to the cloud — for example, RightScale’s January 2018 State of the Cloud Survey found that a whopping 96 percent of respondents already use at least one public or private cloud. Moreover, many of those organizations are adopting a cloud-first approach, following the lead of U.S. federal government agencies, whose cloud-first policy dates all the way back to 2010.
But it’s critical to understand that a cloud strategy, and even a cloud-first strategy, does not necessarily mean a cloud-only strategy. Although small businesses might do everything in the cloud, most medium and large organizations rely on on-premises IT systems as well as cloud services. In fact, Microsoft says that three quarters of customers with more than 500 users have a hybrid Active Directory environment.
It’s a great approach — but you have to realize that your on-premises Active Directory backup and recovery solution won’t cover all of your data in the cloud, and native Recycle Bin recovery can’t pick up the slack. Unless you take steps to address this issue, you’ll be left with a gaping hole in your enterprise data recovery strategy.
These 5 quick facts explain why:
1. Most hybrid AD environments rely on a one-way sync using Azure AD Connect.
In most organizations, the on-premises Active Directory remains the primary source of authentication and authorization, and they synchronize that on-premises AD to Azure AD using Azure AD Connect. That way, users can use a single identity to access both on-premises applications and cloud services, such as Office 365.
However, it’s critical to understand that this sync is normally one way, from on-premises AD to Azure AD. As a result, any cloud-only objects and attributes you have are not covered by your on-premises backup and recovery solution.
2. Yes, you have cloud-only objects.
It’s practically impossible to run Office 365 or Azure without creating some cloud-only objects. Here are just three of the top examples:
3. Plus, some of your other objects have cloud-only attributes.
Most Azure AD objects have attributes that exist only in the cloud. In particular, every Azure AD user has an Office 365 license type that determines the features to which the user is entitled, and Azure AD allows you to create new attributes for certain objects — for example, you might build an application in Azure and create an extension attribute that controls access to it.
4. Native Azure AD tools will not save you.
You might be thinking, well, even if my on-premises solution won’t enable me to back up and recover these cloud-only objects and attributes, it’s no big deal; if any of them gets deleted or modified when it shouldn’t, I’ll just restore it from the Azure AD Recycle Bin. But that’s not a viable strategy, for several reasons:
5. The gap in your enterprise disaster recovery strategy really does matter — to security, business continuity and compliance.
Suppose a bunch of users are deleted by a runaway script. If you restore them from your on-premises backup, their Office 365 license type and extension attributes will be gone, and they won’t be able to access any Office 365 applications until you manually go in and fix their accounts. What if those users need to finalize a contract or deliver a document to the CEO?
It’s even worse if an Azure AD group or its membership is deleted. Since Azure AD groups and group membership are not moved to the Recycle Bin when they are deleted, they can’t be recovered with native tools. You’ll have to recreate the group manually from scratch, which means the business disruption will be even longer.
Finally, consider what will happen if a malicious user were to add an account to several of your important Azure groups. Without any change log or comparison report to help you determine which Azure AD objects were affected, you’ll be hard-pressed to know exactly what changed, and the Azure AD Recycle Bin won’t be of any help in remediating the issue, since nothing was deleted. While you try to figure it all out, not only will you be fielding calls from users who can’t get their work done, you’ll also be at risk for data breaches and compliance failures.
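The comparison report the paragraph above says is missing can be produced from periodic exports of group membership. The following is an added example, not Quest code or a Microsoft API: it assumes you already export each Azure AD group’s members (for instance via Microsoft Graph) to a JSON document mapping group display name to member UPNs, and it diffs two such snapshots, flagging additions to privileged groups and groups that vanished outright (which, as the text notes, the Recycle Bin will not hold). The snapshots and group names below are constructed sample data.

```python
"""Diff two Azure AD group-membership snapshots to find unexplained changes."""
import json

# Constructed sample snapshots (group display name -> member UPNs), as a
# scheduled export job might write them before and after an incident.
BEFORE_SNAPSHOT = json.dumps({
    "Global-Admins": ["alice@contoso.example", "bob@contoso.example"],
    "Finance-Approvers": ["carol@contoso.example"],
    "All-Staff": ["alice@contoso.example", "bob@contoso.example",
                  "carol@contoso.example", "dave@contoso.example"],
})
AFTER_SNAPSHOT = json.dumps({
    # An extra account now sits in two sensitive groups...
    "Global-Admins": ["alice@contoso.example", "bob@contoso.example",
                      "mallory@contoso.example"],
    "Finance-Approvers": ["carol@contoso.example", "mallory@contoso.example"],
    # ...and "All-Staff" is gone entirely (a hard delete; no Recycle Bin entry).
})

# Hypothetical list of groups whose membership changes should always be reviewed.
PRIVILEGED_GROUPS = {"Global-Admins", "Finance-Approvers"}


def compare_membership(before_json, after_json, privileged=PRIVILEGED_GROUPS):
    """Return added/removed members per group, deleted groups, and privileged adds."""
    before = json.loads(before_json)
    after = json.loads(after_json)
    report = {"added": {}, "removed": {}, "deleted_groups": [],
              "privileged_additions": []}
    for group in sorted(set(before) | set(after)):
        if group not in after:
            # Group present earlier but absent now: deleted, not just emptied.
            report["deleted_groups"].append(group)
            continue
        old, new = set(before.get(group, [])), set(after[group])
        added, removed = sorted(new - old), sorted(old - new)
        if added:
            report["added"][group] = added
        if removed:
            report["removed"][group] = removed
        if group in privileged:
            report["privileged_additions"] += [(group, m) for m in added]
    return report


if __name__ == "__main__":
    print(json.dumps(compare_membership(BEFORE_SNAPSHOT, AFTER_SNAPSHOT), indent=2))
```

Running the snapshot export on a schedule and keeping the history lets you answer "what changed, and when" even though nothing was deleted and the Recycle Bin has nothing to offer.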
But don’t put your cloud adoption plans on hold! You can get the comprehensive backup, recovery and disaster recovery you need for your hybrid AD environment with Quest solutions. Read our white paper, “Plugging the Gaps Azure AD Connect Leaves in Your Cloud Disaster Recovery Strategy,” to learn more about:
How Recovery Manager for Active Directory and Quest On Demand Recovery deliver a complete, integrated solution for enterprise backup, recovery and disaster recovery in hybrid AD environments.