Move from point-in-time restore to a full tenant recoverability strategy with resilient backup and recovery in Microsoft Entra.
Microsoft Entra Backup and Recovery is now generally available. Microsoft Entra customers licensed for Entra ID P1 or P2 can now restore supported critical identity data after accidental changes or malicious updates, rolling out to all workforce tenants this week.
Identity resilience and disaster recovery are top challenges for IT teams. Microsoft Entra Backup and Recovery helps address both by automatically backing up core directory objects daily. Supported objects include users, groups, applications, service principals, managed identities, Conditional Access policies, named locations, and authentication and authorization policy, helping administrators return their environment to a previously known‑good state.
Microsoft Entra Backup and Recovery is a built-in backup and recovery solution that lets you recover critical Microsoft Entra directory objects to a previously known good state after accidental changes or security compromises. The overview dashboard highlights alerts, recent backups, difference reports, and protected actions.
What's changed since public preview?
Based on feedback from the Backup and Recovery public preview, we’ve increased the retention period for supported directory objects from 5 days to 7 days to provide extended protection.
Identity admins now have more flexibility when viewing available snapshots, generating difference reports to understand what changed, and running recovery jobs to restore objects to a prior state. These capabilities help teams quickly assess what changed and take action to return to a known good state.
But recovery is not just about restoring objects. It’s about being prepared to return your tenant to a known‑good state under pressure. Entra Backup and Recovery fits into a broader tenant recoverability strategy so you can reduce disruption, respond to common recovery scenarios, and recover with confidence.
Why recoverability matters
Accidental deletion, misconfiguration, and malicious changes can disrupt sign‑in, block access to business‑critical applications, and quickly impact downstream operations.
Backup and Recovery provides an important foundation for restoring supported objects, but tenant recoverability requires a broader approach. Recoverability is the ability to restore tenant configuration and identity objects to a known‑good state after unintended or malicious changes, using clear processes and supported recovery paths.
This means recovery readiness is not a single solution. It is a combination of capabilities, processes, and preparation across your organization.
Layers of Recovery: Best Practices
Organizations that recover quickly combine built‑in capabilities like Backup and Recovery with additional layers of preparation and control.
Key elements of a strong tenant recoverability strategy include:
- Built‑in recovery for supported objects: Use Microsoft Entra Backup and Recovery to restore supported objects and configuration changes within the retention window.
- Maintaining a known‑good configuration state: Regularly capture tenant configuration using tools such as Tenant Configuration Management APIs and Microsoft Graph exports to support recovery beyond built‑in capabilities.
- Operational readiness: Define recovery processes, retain audit and sign‑in logs, and establish recovery objectives so that recovery actions can be executed under pressure.
- Reducing blast radius: Apply least‑privilege access, Privileged Identity Management, and protected actions to limit the scope of potential incidents and simplify recovery.
Together, these layers help organizations move from reactive fixes to a structured recovery strategy.
"Overall, we like the functionality offered by Microsoft Entra Backup and Recovery. The API support looks solid as well."
– A large European automobile manufacturer
Scenario: Conflicting identity changes disrupt access
To illustrate how organizations can use Backup and Recovery, let’s walk through a potential scenario using a fictitious company called “Contoso”.
Here's the situation:
The IT team at Contoso relies on Microsoft Entra Conditional Access policies and Privileged Identity Management to protect access to business-critical applications. Policies are tightly controlled, and administrative access is granted just in time.
But during a routine day, remote workers suddenly can’t sign in to a critical ordering application. Nothing appears compromised, and the application itself is healthy. The team needs to understand what changed—and restore access quickly.
Step 1: Identify and restore application access.
An administrator runs a Microsoft Entra Backup and Recovery difference report against a recent snapshot and correlates it with Entra audit logs to identify recent changes. The report shows a Conditional Access policy was modified by a known administrator. The update accidentally blocked the remote worker group from accessing the ordering application. Using Backup and Recovery, the administrator restores the policy to a previous state. Access is quickly re‑enabled.
Step 2: Investigate beyond the initial fix.
With access restored, the team continues investigating to understand how an unintended policy change reached production. They review Microsoft Entra Tenant Governance monitoring signals to identify any related configuration changes.
Step 3: Detect configuration drift.
Tenant Governance signals reveal drift in role governance configuration during the same timeframe: a change to role eligibility settings broadened who could administer the Conditional Access policy. This change does not align with the approved configuration baseline.
Step 4: Confirm conflicting changes.
Correlating audit logs with the drift findings, the team reconstructs the sequence. To resolve an urgent, unrelated issue, an administrator had temporarily modified role-eligibility settings — unintentionally allowing a second administrator to edit the Conditional Access policy and block the remote worker group. Two well-intended changes, made independently, combined to cause the outage.
Step 5: Restore governance baseline and prevent recurrence.
The team initiates an established workflow to restore role governance configuration to the approved baseline. Because Contoso routinely practices scenarios like this during Business Continuity and Disaster Recovery (BCDR) drills, the team is able to coordinate rapidly. They restore both application access and governance controls, reducing the likelihood of similar issues in the future.
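The two mechanics that the scenario above leans on, comparing a current export against a known-good snapshot (the "maintaining a known-good configuration state" practice in the list earlier) and correlating the changed objects with audit log events to see who changed what, can be built on plain Microsoft Graph exports even outside the Backup and Recovery portal. The Python below is an added example written for this page, not Microsoft's Backup and Recovery code or its difference-report implementation. The policy snapshots and audit records are constructed and only follow the general shape of Microsoft Graph `/identity/conditionalAccess/policies` and `/auditLogs/directoryAudits` responses; the policy ids, group ids, user names and timestamps are invented.

```python
"""Snapshot diff and audit-log correlation for Conditional Access policies.

Added example for this page, not Microsoft's Backup and Recovery code. All
records below are constructed; they only follow the general shape of Graph
/identity/conditionalAccess/policies and /auditLogs/directoryAudits output.
"""
from __future__ import annotations

import json
from typing import Any

# Constructed known-good export (the baseline an admin stored earlier).
BASELINE = [
    {"id": "ca-001", "displayName": "Ordering app: require MFA", "state": "enabled",
     "conditions": {"users": {"includeGroups": ["grp-remote-workers"], "excludeGroups": []},
                    "applications": {"includeApplications": ["app-ordering"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"id": "ca-002", "displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

# Constructed current export: ca-001's grant control flipped from "mfa" to "block"
# (the accidental lock-out of the remote-worker group) and ca-003 is new.
CURRENT = [
    {"id": "ca-001", "displayName": "Ordering app: require MFA", "state": "enabled",
     "conditions": {"users": {"includeGroups": ["grp-remote-workers"], "excludeGroups": []},
                    "applications": {"includeApplications": ["app-ordering"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    BASELINE[1],
    {"id": "ca-003", "displayName": "Guests: block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeGroups": ["grp-guests"]}, "clientAppTypes": ["other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

# Constructed audit events; the third one touches a group, not a policy, and
# must not be attributed to any policy change.
AUDIT = [
    {"activityDateTime": "2025-06-03T09:12:44Z", "activityDisplayName": "Update conditional access policy",
     "initiatedBy": {"user": {"userPrincipalName": "alex.admin@contoso.example"}},
     "targetResources": [{"id": "ca-001", "type": "Policy"}]},
    {"activityDateTime": "2025-06-03T09:40:10Z", "activityDisplayName": "Add conditional access policy",
     "initiatedBy": {"user": {"userPrincipalName": "sam.admin@contoso.example"}},
     "targetResources": [{"id": "ca-003", "type": "Policy"}]},
    {"activityDateTime": "2025-06-03T08:05:00Z", "activityDisplayName": "Add member to group",
     "initiatedBy": {"user": {"userPrincipalName": "alex.admin@contoso.example"}},
     "targetResources": [{"id": "grp-remote-workers", "type": "Group"}]},
]


def flatten(obj: Any, prefix: str = "") -> dict[str, Any]:
    """Flatten nested dicts into dotted paths; lists and scalars are leaves."""
    if not isinstance(obj, dict):
        return {prefix: obj}
    out: dict[str, Any] = {}
    for key, value in obj.items():
        out.update(flatten(value, f"{prefix}.{key}" if prefix else key))
    return out


def _same(a: Any, b: Any) -> bool:
    # Canonical JSON so dict ordering does not produce false differences.
    return json.dumps(a, sort_keys=True) == json.dumps(b, sort_keys=True)


def diff_snapshots(baseline: list[dict], current: list[dict]) -> dict[str, Any]:
    """Return added/removed policy ids and, per surviving policy, the changed paths."""
    base = {p["id"]: p for p in baseline}
    curr = {p["id"]: p for p in current}
    result: dict[str, Any] = {"added": sorted(curr.keys() - base.keys()),
                              "removed": sorted(base.keys() - curr.keys()),
                              "changed": {}}
    for pid in sorted(base.keys() & curr.keys()):
        before, after = flatten(base[pid]), flatten(curr[pid])
        deltas = [{"path": path, "baseline": before.get(path), "current": after.get(path)}
                  for path in sorted(before.keys() | after.keys())
                  if not _same(before.get(path), after.get(path))]
        if deltas:
            result["changed"][pid] = deltas
    return result


def correlate(diff: dict[str, Any], audit: list[dict]) -> dict[str, list[dict]]:
    """Map each touched policy id to the audit events (time, activity, actor) that targeted it."""
    touched = set(diff["added"]) | set(diff["removed"]) | set(diff["changed"])
    findings: dict[str, list[dict]] = {}
    for event in sorted(audit, key=lambda e: e["activityDateTime"]):
        for target in event.get("targetResources", []):
            if target.get("id") in touched:
                actor = event.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "<unknown>")
                findings.setdefault(target["id"], []).append(
                    {"time": event["activityDateTime"], "activity": event["activityDisplayName"], "actor": actor})
    return findings


def build_report(baseline: list[dict], current: list[dict], audit: list[dict]) -> list[str]:
    """Human-readable difference report with the responsible actor per policy."""
    diff = diff_snapshots(baseline, current)
    events = correlate(diff, audit)
    lines = [f"added: {diff['added']}  removed: {diff['removed']}"]
    for pid, deltas in diff["changed"].items():
        for d in deltas:
            lines.append(f"{pid} {d['path']}: {d['baseline']!r} -> {d['current']!r}")
    for pid, evs in events.items():
        for ev in evs:
            lines.append(f"{pid} {ev['time']} {ev['activity']} by {ev['actor']}")
    return lines


if __name__ == "__main__":
    print("\n".join(build_report(BASELINE, CURRENT, AUDIT)))
```

In a real tenant the two snapshots would come from scheduled, versioned exports of the policies endpoint (read with a permission such as Policy.Read.All) and the audit entries from the directory audit log; the value of the approach is that the baseline is captured before an incident, so the report answers "what is different from approved" rather than only "what changed recently".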
Recover with confidence: Get started today
Microsoft Entra Backup and Recovery provides a built‑in foundation for restoring supported identity data. Organizations can adopt it as part of a layered recoverability approach that combines built‑in capabilities with preparation, governance, and operational discipline.
Microsoft Entra Backup and Recovery is built as an API‑first, extensible platform that gives customers the flexibility to design backup and recovery workflows aligned to their operational needs. These same APIs enable independent software vendors (ISVs) to integrate and deliver complementary solutions that extend Entra with their domain expertise.
By aligning Backup and Recovery with a broader identity resilience strategy, organizations can reduce downtime, respond faster to change‑related incidents, and maintain confidence in the integrity of their identity environment.
Ready to strengthen your identity resilience?
- Cindy Crane, Principal Product Manager
Additional resources
- Learn more about how to plan for Tenant recoverability
- Watch the webinar: Microsoft Entra Backup and Recovery: Recover with confidence
- Learn how to Strengthen Identity Resilience with Microsoft Entra Backup and Recovery
- Microsoft Entra Backup and Recovery documentation on Microsoft Learn
- Learn more about Recoverability best practices in Microsoft Entra ID