Microsoft Azure Active Directory (AD) has a great feature to provide single sign-on (SSO) access to enterprise applications for both cloud and on-premises users. There are a lot of applications available for integration in the Azure AD Application Gallery, such as Salesforce, Box, Google Apps and Amazon Web Services. Non-gallery applications extend this list with any other cloud service supporting SAML SSO or OpenID Connect. It is also possible to configure cloud access for on-premises web applications. But this is a configuration which can be broken, and restoring it can be painful.
As an on-premises user (Robert), I have access to the Salesforce application with the Marketing User role. I use my on-premises password to authenticate to the application. SSO works well for me.
One day Salesforce access is broken - it gives me an authentication error - and I cannot do my daily job.
I have to call the IT helpdesk to get help.
The IT administrator has found the root cause - malware has permanently deleted Azure AD users. The Azure Portal has some level of protection from accidental deletion - the delete operation is grayed out - but it is still possible to delete them with the PowerShell cmdlet Remove-AzureADUser or with the Graph API. So a script can harm the directory.
The on-premises user is still alive in our scenario, so we can force Azure AD Connect to synchronize it to the cloud again - but application access is still not restored. Azure AD Connect doesn't know anything about cloud-only properties, including application role assignments.
If thousands of users are deleted and they were assigned to hundreds of applications, it will be really hard to get this restored quickly.
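The gap described above can be closed by exporting the assignments before anything goes wrong and re-applying them once the users exist again. As an added example that is not from the original post or from Quest, this PowerShell uses the same AzureAD module as Remove-AzureADUser to export every user's application role assignments keyed by UPN (an ObjectId changes when Azure AD Connect re-creates the user) and to re-apply them afterwards; the backup path is an assumption.

```powershell
# Added example (not from the original post or from Quest). Assumes the AzureAD
# PowerShell module (the one that ships Remove-AzureADUser) and an existing
# Connect-AzureAD session. The backup path is an assumption.
$BackupPath = 'C:\Backup\AppRoleAssignments.json'

function Export-AppRoleAssignments {
    param([string]$Path)
    # Key on UserPrincipalName, not ObjectId: a re-synced user gets a new ObjectId,
    # which is why a plain Azure AD Connect sync cannot bring assignments back.
    $assignments = foreach ($user in Get-AzureADUser -All $true) {
        foreach ($a in Get-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId) {
            [pscustomobject]@{
                UserPrincipalName   = $user.UserPrincipalName
                ResourceId          = $a.ResourceId          # service principal object id
                ResourceDisplayName = $a.ResourceDisplayName # e.g. Salesforce
                AppRoleId           = $a.Id                  # the app role, e.g. Marketing User
            }
        }
    }
    $assignments | ConvertTo-Json -Depth 3 | Set-Content -Path $Path -Encoding UTF8
    return $assignments.Count
}

function Restore-AppRoleAssignments {
    param([string]$Path)
    $restored = 0
    foreach ($entry in (Get-Content -Path $Path -Raw | ConvertFrom-Json)) {
        # Look the user up by UPN: after re-sync the account exists under a new ObjectId.
        $upn  = $entry.UserPrincipalName -replace "'", "''"   # escape quotes for the OData filter
        $user = Get-AzureADUser -Filter "userPrincipalName eq '$upn'"
        if (-not $user) { Write-Warning "Not yet re-synced: $($entry.UserPrincipalName)"; continue }
        # Skip assignments that already exist so the script is safe to re-run.
        $existing = Get-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId |
            Where-Object { $_.ResourceId -eq $entry.ResourceId -and $_.Id -eq $entry.AppRoleId }
        if ($existing) { continue }
        New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId `
            -ResourceId $entry.ResourceId -Id $entry.AppRoleId | Out-Null
        $restored++
    }
    return $restored
}

# Export-AppRoleAssignments -Path $BackupPath   # run on a schedule, before an incident
# Restore-AppRoleAssignments -Path $BackupPath  # run after Azure AD Connect has re-created the users
```

Run the export on a schedule; the restore only succeeds for users that Azure AD Connect has already re-created, and it reports the ones that are still missing.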
On Demand Recovery backs up application role assignments and can restore them quickly.
The following are the steps to restore.
1. First of all, we need to find our deleted users - this is easy to do with the Difference report.
2. Just click Restore. On Demand Recovery will take care of the complex things: restore cloud-only attributes including application role assignments, then, if necessary, restore the on-premises object using Recovery Manager for AD and force Azure AD Connect to sync these changes.
As a result, we have the role assignments restored and Robert is now able to access the Salesforce application.
The following Azure Portal settings were restored by On Demand Recovery.
More details about application and service principal restore are in the On Demand Recovery documentation: https://support.quest.com/technical-documents/on-demand-recovery-for-azure-active-directory/current/user-guide/2#TOPIC-945959