Why on-prem backup for Azure Active Directory isn't enough

Infrastructure and operationsFeb. 15, 2023 | 10 minutesBy Paul Robichaux

And 5 reasons why you should back up Azure AD in the cloud

Imagine a busy city with multiple roads leading to various destinations, such as a hospital, a shopping mall, and a stadium. Just like a traffic light controlling the flow of vehicles to and from these destinations, Active Directory (AD) and Azure Active Directory (AAD) control the flow of and access to information from apps and services such as Microsoft 365, Salesforce, Google Workspace, and others. Organizations rely heavily on AD and AAD to ensure a smooth flow of and access to their data.

However, just like how a city can experience traffic jams, frustrations, accidents, and general chaos when the traffic light is out, when AD or AAD are not accessible, the flow of and access to control-plane information can cause severe business disruption. This post will explore the importance of data protection for Azure AD.

The evolution of identity management: From Active Directory to Azure AD and the need for different backup solutions

But first, how did we come to rely so heavily on AD and AAD? Active Directory was introduced in 1999 as a solution for on-premises identity management, providing a centralized repository for user and device information and allowing administrators to manage these resources effectively and efficiently.

As the use of cloud-based services grew, the need for an identity management solution that could integrate with cloud-based resources became more important.

This led to the creation of Azure Active Directory, which was designed to serve as the bridge between on-premises and cloud resources, not only creating a seamless and secure identity management solution for cloud computing, but also offering a range of features and capabilities (including single sign on, multi-factor authentication, and conditional access) to help organizations meet their security and compliance requirements.

Microsoft Azure Active Directory and Active Directory seem to be a bit shrouded in mystery. For many, the distinction between them is not always clear, and this distinction becomes even more blurred when it comes to the topic of backing up and protecting the data within each.

Instead of covering all the differences between AD and Azure AD, this post will mainly focus on backup for Azure AD, and it will explore five ways in which AAD requires a different backup solution from the traditional backups used for on-premises AD. Before we can do that though, we need to quickly establish — roughly — what the difference is.

What’s the difference between AD and AAD?

As Stephen Covey put it, “the main thing is to keep the main thing the main thing.” That quote might make more sense if you consider the key difference between cloud and on-prem AD to be the main thing… and in this case, the main difference between the two is that Active Directory is designed for managing user access and application infrastructure for an on-premises world; Azure Active Directory is for managing user access to cloud applications in a cloud-based environment.

Even more simply? Sure: AD is on prem, AAD is cloud based.

If you’re interested in exploring the differences further, here’s what Microsoft has to say: Compare Active Directory to Azure Active Directory.

Every object in either AD or Azure AD has one permanent home. That’s the primary copy of the object, and the copy to which changes are applied. If you are on-prem-only, or cloud-only, then there’s only one copy of each object.

In hybrid mode, though, no matter where the object is homed, there will be two copies of it: the primary copy and a synchronized copy on the “other side.”

For organizations using both Active Directory and Azure AD in a hybrid environment, you can think of the cloud copy of an on-prem object as being like a shadow. When you look at a shadow on the pavement, you’re only getting a partial set of information about the real object.

In the same vein, Azure AD only has a partial set of attributes from on-premises AD objects because not every object attribute is replicated to the cloud. However, all the attributes of cloud-based Azure AD objects are stored in full in the cloud. This allows organizations to use Azure AD as an identity provider for on-premises resources and allows for SSO for cloud-based resources.

How does this distinction change backup strategy?

The distinction of where (which environment) your identity objects are homed is paramount. Active Directory backup via on-premises solutions is exactly that: making a backup of on-prem data by copying it to/from an on-premises solution. Azure Active Directory, as a cloud-based application utilizing cloud-based data (and metadata), creates and manages cloud data in the cloud.

Why it matters: Comprehensive data coverage requires the ‘right’ backup

“Some” Azure AD data and metadata only exist in the cloud environment. You could copy these objects to an on-prem storage location (which is roughly as useful as putting backup tapes on top of the server they’re made from), but these objects must be restored to the cloud.

Therefore, with clear gaps in coverage, the data and metadata are not covered holistically. This means your data may not be fully protected when you back up your cloud data with an on-premises Active Directory-oriented tool as your Azure AD backup solution.

In other words: what’s homed on premises and what’s homed in the cloud are physically separate. You introduce new problems for yourself when you cross the streams, including speed of access, data fidelity and quality, and security.

Let’s dive into five reasons why on-prem AD backup is not a viable option for comprehensive backup of Azure AD.

5 things you should consider if you’re backing up AAD on premises

1. Some attributes in Azure Active Directory are not available on premises

If you take an on-prem AD account and sync it to the cloud, the sync process (and Azure AD) adds some attributes to it. Some of these may be synced back to on prem (a process called writeback) but some will not. Backing up Azure AD captures these; backing up the on-prem AD won’t.

2. Azure AD may have user objects or attributes that do not exist on premises

You can define your own users, groups, roles, et cetera, that exist only in the cloud. If you do not back these up independently, they will not be preserved nor well protected, and your only recourse is to recreate and define these custom entries every time.

And yet not everyone sees the value in protecting these objects when their identity management (IdM) anchor is on prem. Even if an organization's IdM anchor is on premises, objects and attributes like Intune and conditional access policies are important for several reasons, often forming a key part of organizations’ zero trust security, and, as such, need to be protected against loss or damage. (Read our article on the zero trust principle here.)

Still not convinced of the value of protecting control-plane objects? Here are five reasons highlighting the case for securing data protection:

Cloud-based management: Intune and Azure AD conditional access are both cloud-based services that can be accessed and managed from anywhere. They cannot be accessed from on-prem systems, so if you lose the copy in the cloud, it’s gone.
Security: Azure AD provides additional layers of security, such as multi-factor authentication and identity protection, that can help to protect against potential security threats such as compromised credentials or unauthorized access.
Compliance: Intune and conditional access can help organizations meet compliance requirements, such as HIPAA by providing features such as device compliance and role-based access control.
Scalability: Azure AD allows organizations to scale their IdM infrastructure as needed, without the need for additional hardware or software.
Remote work: Intune and conditional access can help organizations to secure and manage remote workers' devices, even if they are not connected to the on-premises network.

Now are these objects and attributes vital to operations? You can decide for yourself. But, considering the impact that could result from losing these in one data loss scenario or another (and the resource investment required to manually recreate and administer them, not to mention the security concerns of not ensuring the right users have the permissions to access company data), adequate data protection of these should be a business imperative.

3. Azure AD will have configuration/state objects that don’t exist on prem

Enterprise apps, app registrations, Conditional Access (CA) policies, and many other policy- and security-related objects exist only in the cloud. Microsoft's native protection for these objects is mostly non-existent — delete a conditional access policy, for example, and it’s just gone. Let’s drill down into two important-to-protect Azure AD features:

Conditional Access: Azure AD Conditional Access is a feature that allows you to set policies that determine how users are granted access to resources based on conditions such as device compliance, location, and user identity. It allows you to control who can access your resources and under which conditions. This feature can be used to protect against security threats, such as compromised credentials, by requiring multi-factor authentication or other forms of authentication.
Intune: Intune is a mobile device management (MDM) and mobile application management (MAM) service that is integrated with Azure AD. This feature allows you to manage and secure mobile devices, desktops, and apps, including those used by remote workers. It allows you to set policies for devices and apps, such as requiring a passcode or encrypting data, and to remotely wipe a device if it is lost or stolen.

What about the Active Directory Recycle Bin? As these AAD-only configurations/state objects only exist in the cloud, there’s no available recycle bin for these policy objects, so there’s no undo. It’s akin to an immediate hard delete, meaning there is no 30-day or 90-day grace period as there is with soft deletions.

How to recover from hard deletion? Microsoft shares that “hard-deleted items must be re-created and reconfigured. It’s best to avoid unwanted hard deletions.”

Let that sink in for a moment: “It’s best to avoid unwanted hard deletions.” This advice is nigh impossible to follow as common data loss scenarios, like accidental deletions), are a question of when, not if. It highlights how the Recycle Bin was never intended to be a replacement for dedicated backup. Read our post on why backup is a risk-management imperative here.

4. Record preservation

How long does Azure AD store reporting data? That’s a very good question: According to Microsoft, activity reports are stored as follows:

As you can see, there is no point-in-time record preservation. With a backup, you can preserve and review cloud-only Azure AD data at a specific point in time and examine which permissions, users, groups, and role assignments existed in your directory, as well as whether an object has changed within a specified time period and preserve these records for as long as required or needed to comply with company or governmental policies.

Clearly, these benefits are useful for forensic purposes but also for governance and compliance reasons. Learn more in our eDiscovery post (with a customer Office 365 use case).

5. Microsoft doesn’t provide native protection for many cloud-only objects

Microsoft doesn't provide the same recovery tools in Azure AD as they do for Active Directory itself. According to Microsoft recoverability best practices, it’s clearly important to understand the object types that are protected by Microsoft under soft-deletion and hard-deletion scenarios, visualized here:

The recovery features for soft deletions are typically limited to 30 days retention, so if you want to recover on day 31, it’s too late! The data is gone, as Microsoft shares here in its Azure Active Directory fundamentals:

Soft-deleted objects are hard deleted after a deletion time of 30 days. The only object types that support a soft delete are Users, Microsoft 365 Groups, Application registration, Service principal, administrative unit.

So, the question is this: Are these objects that are automatically hard deleted important to your business operations? And a natural follow-up question is this: Is the 30-day restore period for soft-deleted objects enough protection for your data? (Often, mandatory minimum data retention periods are determined by governments.)

Note: It’s important to mention that changes are not covered by the recycling bin, such as editing or overwriting, even to objects that would normally be soft deleted . Any change, intentional or otherwise, replaces the previous version with no option of reverting or recovering. When these changes are done accidentally, we euphemistically refer to them as an “oops,” but they are quite serious and actually one of the leading causes of data loss, so this gap in coverage should concern those tasked with ensuring data protection.

The writing on the wall is that native coverage is insufficient for recoverable, comprehensive coverage and that the solution to this coverage gap is having your own third-party backup. This extends your ability to recover these objects for as long as your backup exists.

Explore this in more depth here: Azure Active Directory recoverability best practices from Microsoft.

What’s next? Choosing a backup solution for Azure Active Directory

Now that we’ve highlighted the need for dedicated cloud data backup for Azure AD, let’s explore what Keepit provides with its Azure AD service offerings (one of which — Azure AD Standard — is offered completely free of charge).

Leading AAD data protection for your cloud security strategy

Keepit helps you recover business-critical identity and application objects that Microsoft doesn't protect. Extend your retention period and strengthen security with protection of policies as well as full auditing and traceability of changes. Protect against day-to-day data loss and improve IT efficiencies with the ability to roll back changes and speed up troubleshooting.

Azure Active Directory backup coverage

The Azure AD connector protects the following Microsoft 365 Azure Active Directory objects: Users, Groups, Administrative Units, and Roles. It also protects Audit logs (and Sign-in logs with audit logs enabled).

For an exhaustive coverage list, visit our AAD support site here.

Interested in backing up (and restoring) AAD with Keepit for Azure AD?

To learn more about how you can protect your business-critical data and ensure disaster recovery resolve with Keepit for Azure AD – the leading protection for your cloud security strategy – visit service page.

Azure AD Entra ID Cloud security Data protection

Author

Paul Robichaux is Senior Director of Product Management at Keepit and a Microsoft MVP (Most Valuable Professional) – a title he has been awarded every year since 2003. Paul has worked in IT since 1978 and held a number of CTO and senior product development positions in the software industry.

Paul is a prolific contributor to the Microsoft community: He is the author of an impressive amount of books and articles about Microsoft technologies, including the best-selling Office 365 for IT Pros, a contributing editor for Practical 365, and produces a continuous stream of videos, podcasts, and webinars. He is based in Alabama in the United States.

Find Paul on LinkedIn and Twitter