What Entra ID Customers Back Up, How They Do It, and What They Restore

Entra ID: Automation and Advanced Restores Driving Data Backup Success

Entra ID is the dominant cloud-based identity platform, connecting more than 610 million users across 800,000 organizations to their business-critical applications. So how are organizations backing up and recovering these users to minimize downtime in case of an accident or attack? At Quest, we’ve been supporting the backup and recovery of Microsoft Active Directory since its inception 25 years ago. And we’ve expanded our capabilities as Microsoft has evolved, including the backup and restoration of cloud-based identities in Entra ID.

Entra ID Backup by the Numbers: Powered by Quest On Demand Recovery

  • 37B: Objects backed up within Entra ID
  • 30%: Growth of total objects backed up over 12 months
  • 75%: Organizations that perform full restores monthly

Background

While this is a large and growing user base for Microsoft, many enterprises struggle with managing this new, evolving identity environment, especially as the majority of organizations maintain hybrid identity infrastructure (both on-premises Active Directory and Entra ID). They turn to Quest to help migrate, manage, protect, back up, and restore these new cloud-based identities as part of their overall Identity Threat Detection and Response (ITDR) practice, including utilizing Quest On Demand Recovery, a SaaS-based Entra ID backup and recovery solution.

Based on analysis of anonymized telemetry data from Quest On Demand Recovery, we found several interesting insights into the backup and recovery trends of cloud-based identities.

Findings and Analysis

Massive Volume of Data Backed Up

Over the past year, organizations have collectively backed up around 37 billion objects within Entra ID, including:

  • Groups (35%): 13 billion objects backed up, reflecting the importance of managing and preserving group configurations. Entra ID groups are critical for controlling permissions and streamlining security across multiple resources.
  • Devices (34%): Another 13 billion device objects backed up, showing the growing number of devices being managed. This includes new customer onboarding and a growing shift of organizations transitioning more devices from on-premises-joined to Entra ID-joined through their hybrid journey.
  • Users (27%): 10 billion user objects, including guest users, protecting the objects that end users need to interact with all systems; this is the core of identity management.
  • Service Principals and Applications: Smaller, yet critical components that are also regularly backed up. This includes applications or services like those provided by On Demand Recovery to access Microsoft 365 for backup and recovery scenarios. These are key elements that allow users to interact and use services and tools required for their daily tasks.

Backup Growth Rates Show Expansion

The total objects backed up have grown by nearly 30% over 12 months, with device backups growing even faster at 44%.

Backup Automation Drives Consistency and Reliability

Nearly 99.74% of organizations automate their backups, reducing the risk of errors and ensuring that data is protected without manual intervention.

Full Restores Still Critical, but Shift Toward Differential Restores

  • A large majority (75%) of organizations perform full restores monthly, ensuring that entire objects can be fully recovered when needed, providing peace of mind that data can be restored completely.
  • 25% of organizations use differential restores, and this number is increasing, reflecting a trend toward more efficient, granular recovery processes. Differential restores allow organizations to restore only what has changed, reducing downtime and resource use. As organizations become more familiar with their restore options, they are shifting toward more targeted, efficient differential restores, demonstrating that they are embracing the advanced capabilities of the platform.

Takeaways

Understand Shared Backup and Recovery Responsibilities

As organizations continue to grow their usage of Entra ID due to the inherent security and incentives like the MACC program, they will need to understand and evaluate where Microsoft’s responsibilities for backup and restore end and what is and is not covered. While new skillsets are being developed for cloud deployments, existing processes and proven methods should be leveraged as much as possible to accelerate adoption even further.

Mind the Gaps in Native Restore Options

Microsoft offers various backup and recovery strategies and tools, but it’s a shared responsibility with the end user per the service agreement. In other words, the native coverage is incomplete and requires PowerShell scripting and deep knowledge of Entra ID APIs. For this reason, many organizations turn to third-party providers like Quest to fill the gaps in backup and recovery. Those gaps include soft-deleted items in the Recycle Bin. These items are retained for only 30 days, after which they are hard deleted and cannot be recovered by native tools. Also, changes to objects do not go into the Recycle Bin, making it impossible to recover them using native tools.

Furthermore, the Recycle Bin only covers limited restores of users, groups and application registrations. For example, linked objects and relations such as group members and role assignments are not restored. Administrators must manually restore these relationships, which can be a complex and time-consuming process. Additionally, Conditional Access Policies are not saved and restored within the Recycle Bin, which breaks the security of Entra ID for the restored user.
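
The gaps described above can be made concrete with a small difference report that compares a backup snapshot with the live directory and marks which findings the Recycle Bin could still cover. This is an added example, not Quest's or Microsoft's code; the snapshot layout, object IDs and function name are hypothetical, and the 30-day window and covered object types are taken from the text above.

```python
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=30)                 # soft-delete window stated above
BIN_TYPES = {"user", "group", "application"}   # types the text says the bin covers

def difference_report(backup, live, deleted_at, now):
    """Return (object_id, change, recovery_source) tuples for everything in the
    backup snapshot that is missing or different in the live directory."""
    findings = []
    for oid, old in sorted(backup.items()):
        cur = live.get(oid)
        if cur is None:
            when = deleted_at.get(oid)
            in_bin = (old["type"] in BIN_TYPES and when is not None
                      and now - when <= RETENTION)
            findings.append((oid, "deleted", "recycle-bin" if in_bin else "backup-only"))
            # Links do not come back with the object, so report them separately.
            for gid in sorted(old["memberOf"]):
                findings.append((oid, f"membership:{gid}", "backup-only"))
            continue
        # Attribute changes never reach the Recycle Bin.
        for key, val in sorted(old["attrs"].items()):
            if cur["attrs"].get(key) != val:
                findings.append((oid, f"attr:{key}", "backup-only"))
        for gid in sorted(set(old["memberOf"]) - set(cur["memberOf"])):
            findings.append((oid, f"membership:{gid}", "backup-only"))
    return findings

# Constructed sample data (hypothetical IDs, not real directory output).
NOW = datetime(2025, 1, 31, tzinfo=timezone.utc)
BACKUP = {
    "u1": {"type": "user", "attrs": {"department": "Finance"}, "memberOf": ["g1"]},
    "u2": {"type": "user", "attrs": {"department": "IT"}, "memberOf": ["g1"]},
    "u3": {"type": "user", "attrs": {"department": "HR"}, "memberOf": []},
    "d1": {"type": "device", "attrs": {"displayName": "LAPTOP-01"}, "memberOf": []},
}
LIVE = {"u1": {"type": "user", "attrs": {"department": "Sales"}, "memberOf": []}}
DELETED_AT = {"u2": NOW - timedelta(days=5), "u3": NOW - timedelta(days=45),
              "d1": NOW - timedelta(days=1)}

if __name__ == "__main__":
    for row in difference_report(BACKUP, LIVE, DELETED_AT, NOW):
        print(*row, sep="\t")
```

Only the user deleted five days ago is marked `recycle-bin`; its group membership, the changed attribute, the user deleted 45 days ago and the device all need a backup.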

Protect the Growing Set of Cloud-Joined Devices

Additional gaps exist around device objects. Organizations have a growing set of Entra ID-joined devices through their own endpoint modernization and Active Directory modernization journeys, which means it’s critical for user productivity and organizational security to back up and restore device objects. Entra ID device objects manage access, enforce security policies and ensure only compliant devices can access corporate resources. When these objects are missing or corrupted, users will lose access to applications and services, thus impacting productivity.

As organizations continue to adopt cloud services and SaaS solutions, the need for a robust Entra ID backup and recovery strategy becomes increasingly critical to maintain productivity and organizational security.

On Demand Recovery

Establish a complete Entra ID recovery plan that minimizes downtime with no impact on end users. On Demand Recovery makes it possible. Run difference reports comparing your backups with live Entra ID to identify cloud-only users or attributes and pinpoint specific changes or deletions. Granularly search and restore exactly what you need or recover multiple users, groups and group memberships in bulk without PowerShell. This Entra ID recovery solution helps you mitigate the risk of data loss or service outage from human error and save valuable time and resources.

Gartner names Quest as a representative vendor in the following reports:

  • 2024 Emerging Tech Impact Radar: Security under Identity Threat Detection and Response (ITDR) capabilities
  • 2023 IAM Best Practices for Active Directory
  • 2022 IAM Best Practices for Active Directory
  • 2021 How to Protect Backup Systems from Ransomware Attacks

About Quest

Quest creates software solutions that make the benefits of new technology real in an increasingly complex IT landscape. From database and systems management, to Active Directory and Microsoft 365 migration and management, and cybersecurity resilience, Quest helps customers solve their next IT challenge now. Around the globe, more than 130,000 companies and 95% of the Fortune 500 count on Quest to deliver proactive management and monitoring for the next enterprise initiative, find the next solution for complex Microsoft challenges and stay ahead of the next threat. Quest Software. Where next meets now. For more information, visit www.quest.com.

ISO Certifications: Quest On Demand is included in the scope of the Platform Management ISO/IEC 27001, 27017 and 27018 certification.
