Introduction
Unintended deletions and misconfigurations in Microsoft Entra ID are not a matter of if but when. Whether caused by human error, a compromised admin account, or a rogue script, the impact can range from a broken Conditional Access policy to a full-scale identity outage. To combat this, Microsoft Entra has introduced a powerful, built-in backup and recovery solution—now in preview—that automatically backs up critical directory objects and provides APIs and admin tools to restore them to a known good state.
This article explores how IT pros and security architects can leverage these new capabilities to build true identity resilience. We will break down the recoverability landscape, provide step-by-step guides for using the new APIs and PowerShell modules, and offer actionable best practices to ensure your Entra tenant can bounce back from any disaster.
Learning Objectives
- Understand how Microsoft Entra Backup and Recovery automatically protects critical objects like users, groups, and Conditional Access policies.
- Learn to use the Microsoft Graph API to list available backups, preview restoration changes, and execute recovery operations.
- Implement recoverability best practices, including monitoring audit logs for deletions and documenting your tenant’s “known good state.”
You Should Know
1. Decoding Entra’s Backup & Recovery API: A Step‑by‑Step Guide
The Microsoft Entra Backup and Recovery API (part of Microsoft Graph) provides a programmatic safety net. Unlike the Recycle Bin, this feature automatically creates daily snapshots and retains up to five days of backup history. These snapshots are immutable—no administrator, even with Global Admin rights, can delete or modify them.
What This Does: This API allows you to list available backups, generate a “difference report” to see what has changed, and restore all or selected objects to a previous state. It handles objects such as users, groups, apps, service principals, and Conditional Access policies.
How to Use It (API Walkthrough):
Step 1: List Available Backups (Snapshots)
First, authenticate against Microsoft Graph and query the available snapshots for your tenant.
GET https://graph.microsoft.com/beta/entraRecoveryServices/backupSnapshots
Authorization: Bearer {access-token}
This returns a list of snapshot IDs (base64‑encoded timestamps) with metadata like the creation time and change counts.
Step 2: Create a Difference Report (Preview Job)
Before restoring, always run a dry‑run. Create a `recoveryPreviewJob` to see exactly what will change.
POST https://graph.microsoft.com/beta/entraRecoveryServices/recoveryPreviewJobs
Content-Type: application/json
{
  "snapshotId": "{{snapshot-id}}",
  "scope": { "objectTypes": ["user", "conditionalAccessPolicy"] }
}
This job runs asynchronously. Poll the `Location` header URL to check its status. Once completed, call `getChanges` to enumerate all affected objects and their specific attribute changes.
Step 3: Execute the Recovery
If the preview looks good, create a `recoveryJob` using the same snapshot and scope.
POST https://graph.microsoft.com/beta/entraRecoveryServices/recoveryJobs
{
  "snapshotId": "{{snapshot-id}}",
  "scope": { "objectTypes": ["conditionalAccessPolicy"] }
}
After the job completes, verify the restoration. Note that only one recovery job can run at a time per tenant.
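The three steps above as one gated workflow, written as an added example (not Microsoft's or this article's code): snapshots are listed, a preview job is created and polled via its `Location` header, and the restore is only submitted when the preview touches nothing outside the requested object types and stays under a size cap. The transport is an injected `send` callable so the logic can be exercised offline; the 202 + `Location` job convention, the `"completed"`/`"failed"` status values, the `getChanges` URL shape and the `objectType` field on change records are assumptions, not details the page states.

```python
# Added example (not Microsoft's or this article's code): list -> preview -> restore
# through an injectable `send` so the same logic runs against Graph or an offline
# fake. Assumed (the page does not state them): job creation answers 202 + Location,
# job "status" ends "completed"/"failed", getChanges hangs off the job URL, and
# each change record carries an "objectType" field.
from typing import Any, Callable, Dict, List, Tuple

BASE = "https://graph.microsoft.com/beta/entraRecoveryServices"

class RecoveryClient:
    # send(method, url, json_body_or_None, headers) -> (HTTP status, headers, JSON body)
    def __init__(self, send: Callable[..., Tuple[int, Dict[str, str], Any]], token: str):
        self.send = send
        self.headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}

    def list_snapshots(self) -> List[dict]:
        _, _, body = self.send("GET", f"{BASE}/backupSnapshots", None, self.headers)
        return body["value"]

    def _run_job(self, collection: str, snapshot_id: str, object_types: List[str]) -> Tuple[str, dict]:
        payload = {"snapshotId": snapshot_id, "scope": {"objectTypes": object_types}}
        status, hdrs, _ = self.send("POST", f"{BASE}/{collection}", payload, self.headers)
        if status != 202 or "Location" not in hdrs:      # assumed async-job convention
            raise RuntimeError(f"{collection} not accepted: HTTP {status}")
        for _ in range(60):                               # poll the Location URL until terminal
            _, _, job = self.send("GET", hdrs["Location"], None, self.headers)
            if job.get("status") in ("completed", "failed"):   # assumed status values
                break
        else:
            raise TimeoutError(f"{collection} did not reach a terminal state")
        if job["status"] != "completed":
            raise RuntimeError(f"{collection} failed: {job}")
        return hdrs["Location"], job

    def preview_changes(self, snapshot_id: str, object_types: List[str]) -> List[dict]:
        """Step 2: dry run, returning the getChanges list of the completed preview job."""
        location, _ = self._run_job("recoveryPreviewJobs", snapshot_id, object_types)
        _, _, changes = self.send("GET", f"{location}/getChanges", None, self.headers)
        return changes["value"]

    def guarded_restore(self, snapshot_id: str, object_types: List[str], max_objects: int = 25) -> dict:
        """Step 3, gated: refuse to restore when the preview is wider or larger than requested."""
        changes = self.preview_changes(snapshot_id, object_types)
        unexpected = sorted({c.get("objectType", "?") for c in changes} - set(object_types))
        if unexpected:
            raise RuntimeError(f"preview touches types outside the requested scope: {unexpected}")
        if len(changes) > max_objects:
            raise RuntimeError(f"preview changes {len(changes)} objects; cap is {max_objects}")
        _, job = self._run_job("recoveryJobs", snapshot_id, object_types)
        return {"restored": len(changes), "job": job}
```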
2. Mastering Soft Deletes and the Entra ID Recycle Bin
Many objects (users, groups, applications, service principals) support soft deletion. When soft‑deleted, the object is moved to the Entra ID recycle bin for 30 days, retaining all its properties. After 30 days, or if manually purged, the object is hard‑deleted and cannot be recovered except via backup snapshot.
What This Does: The recycle bin provides a quick, self‑service way to undo accidental deletions without having to restore from a full backup. It is ideal for recovering objects deleted within the last 30 days.
How to Use It (PowerShell & Graph):
Restore a Deleted User via PowerShell:
# Connect with the required scope
Connect-Entra -Scopes 'User.ReadWrite.All'

# Restore a user by ID (soft-deleted users only)
Restore-EntraDeletedDirectoryObject -Id 'dddddddd-3333-4444-5555-eeeeeeeeeeee'

# If the restored user has conflicting proxy addresses, auto-resolve them
Restore-EntraDeletedDirectoryObject -Id 'dddddddd-3333-4444-5555-eeeeeeeeeeee' -AutoReconcileProxyConflict
Note: Restoring an application does not automatically restore its associated service principal. You must explicitly restore the service principal using the same cmdlet.
Permanently Delete (Hard Delete) an Object via Graph API:
DELETE https://graph.microsoft.com/v1.0/directory/deletedItems/{object-id}
Caution: After a hard delete, the item cannot be restored. Administrative units cannot be permanently deleted via this API; they will be automatically hard‑deleted after 30 days.
3. Tenant Configuration Management: Treat Your Entra Setup as Code
Prevention is better than cure. Tenant Configuration Management (preview) allows you to define your desired Entra configuration as a JSON baseline, continuously monitor for drift, and generate snapshots of current settings.
What This Does: It enables configuration‑as‑code for your Entra tenant. You can create a baseline JSON file that defines your ideal state for hundreds of resources (e.g., Conditional Access policies, authentication methods, tenant-wide settings). Monitors then check your tenant against this baseline and alert you to any discrepancies.
How to Use It (Conceptual Step‑by‑Step):
Step 1: Define a Baseline
A baseline is a JSON object containing an array of resources and their desired property values. For example, to enforce a specific Conditional Access policy:
{
  "resources": [
    {
      "resourceType": "microsoft.entra.conditionalaccesspolicy",
      "properties": {
        "displayName": "Require MFA for Admins",
        "state": "enabled",
        "conditions": { ... }
      }
    }
  ]
}
Step 2: Create a Monitor
Using the Graph API (beta), create a `configurationMonitor` that references your baseline and sets a schedule (e.g., daily) and a configuration mode (e.g., “alertOnly” or “autoRemediate”).
Step 3: Review Drifts
When the monitor runs, it produces a `configurationMonitoringResult`. If drift is detected, query the associated `configurationDrift` objects to get detailed information about which settings have deviated from the baseline. This gives you a clear audit trail and helps you take corrective action.
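The drift check that Steps 1 to 3 describe, done locally as an added example (not Microsoft's or this article's code): a baseline in the shape shown in Step 1 is compared leaf by leaf against a snapshot of current settings in the same shape, producing one drift record per deviated property or missing resource. Both JSON documents are constructed, and matching resources on `resourceType` plus `displayName` is this example's assumption rather than the service's documented rule.

```python
# Added example (not Microsoft's or this article's code): performs locally the check
# a configurationMonitor runs, comparing a baseline of the shape shown in Step 1
# against a current-settings snapshot of the same shape. Both documents are
# constructed; matching resources on resourceType + displayName is this example's
# assumption, not the service's documented rule.
import json
from typing import Any, Dict, List, Tuple

def flatten(props: Dict[str, Any], prefix: str = "") -> Dict[str, Any]:
    """Flatten nested property dicts to dotted leaf paths (lists stay whole, order-sensitive)."""
    out: Dict[str, Any] = {}
    for k, v in props.items():
        if isinstance(v, dict):
            out.update(flatten(v, f"{prefix}{k}."))
        else:
            out[f"{prefix}{k}"] = v
    return out

def resource_key(res: dict) -> Tuple[str, str]:
    return (res["resourceType"], res["properties"].get("displayName", ""))

def find_drift(baseline: dict, current: dict) -> List[dict]:
    """One record per deviated leaf property, or one 'missing' record per absent resource."""
    live = {resource_key(r): flatten(r["properties"]) for r in current["resources"]}
    drifts: List[dict] = []
    for res in baseline["resources"]:
        key, want = resource_key(res), flatten(res["properties"])
        have = live.get(key)
        if have is None:
            drifts.append({"resource": key, "property": None, "expected": "present", "actual": "missing"})
            continue
        for path, expected in want.items():
            if have.get(path) != expected:
                drifts.append({"resource": key, "property": path, "expected": expected, "actual": have.get(path)})
    return drifts

# Constructed sample: the baseline wants the admin MFA policy enabled; the live tenant has it disabled.
BASELINE = json.loads("""{"resources": [{"resourceType": "microsoft.entra.conditionalaccesspolicy",
  "properties": {"displayName": "Require MFA for Admins", "state": "enabled",
    "conditions": {"users": {"includeRoles": ["Global Administrator"]}},
    "grantControls": {"builtInControls": ["mfa"]}}}]}""")
LIVE = json.loads("""{"resources": [{"resourceType": "microsoft.entra.conditionalaccesspolicy",
  "properties": {"displayName": "Require MFA for Admins", "state": "disabled",
    "conditions": {"users": {"includeRoles": ["Global Administrator"]}},
    "grantControls": {"builtInControls": ["mfa"]}}}]}""")

if __name__ == "__main__":
    for drift in find_drift(BASELINE, LIVE):
        print(drift)
```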
4. Backing Up Entra Configurations with Open‑Source Tools
While Microsoft Entra Backup and Recovery protects directory objects, it does not replace a full configuration backup. For that, you can use community tools like the Entra Exporter PowerShell module, which exports your entire Entra ID and Azure AD B2C configuration as JSON files.
What This Does: This module allows you to schedule nightly exports of your Entra configuration, version‑control them in Git, or replicate settings across multiple tenants.
How to Use It (Installation & Basic Usage):
# Install the module (PowerShell 7+ recommended)
Install-Module -Name EntraExporter

# Connect to Entra ID
Connect-EntraExporter

# Export all configuration settings to JSON files
Export-Entra -Path "C:\EntraBackups\$(Get-Date -Format 'yyyy-MM-dd')"

# Optional: schedule with Task Scheduler (a scheduled run has no interactive user,
# so the command it executes must first sign in non-interactively, e.g. with a certificate)
$action = New-ScheduledTaskAction -Execute 'PowerShell.exe' -Argument '-Command "Export-Entra -Path C:\EntraBackups\Daily"'
Register-ScheduledTask -TaskName "Entra Nightly Backup" -Action $action -Trigger (New-ScheduledTaskTrigger -Daily -At 2am)
This creates a local, human‑readable backup of your tenant’s configuration, which can be critical for disaster recovery if your tenant is completely compromised.
5. Building a Recoverability Dashboard with Audit Logs
Monitoring deletions and misconfigurations in real time is essential for quick recovery. Every delete operation in Entra ID is recorded in the audit log. Soft deletes appear as “Delete <object>” events, while hard deletes appear as “Hard Delete <object>” events.
What This Does: By exporting audit logs to a SIEM (e.g., Microsoft Sentinel), you can build a custom dashboard to track deletions, alert on high‑value object deletions, and even trigger automated recovery workflows.
How to Use It (Graph API Query for Deleted Items):
List the soft-deleted items currently in your tenant. Graph requires the object type as an OData cast on this endpoint (e.g. `microsoft.graph.user`, `microsoft.graph.group`, `microsoft.graph.application`), so the cast is how you select the type:
GET https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.user
To get a historical view of deletions, query the audit log via Graph:
GET https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$filter=activityDisplayName eq 'Delete user' or activityDisplayName eq 'Hard delete user'
Export this data to a monitoring tool and set up alerts for any hard delete events on critical objects like Conditional Access policies or administrative units.
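The triage logic behind such an alert, written as an added example (not Microsoft's or this article's code): records of the kind the `directoryAudits` query returns are split into soft and hard deletes by their `activityDisplayName`, and a hard delete whose target type is high-value (Conditional Access policy, administrative unit, service principal) is flagged. The sample records are constructed; field names follow the `directoryAudit` resource, and the set of types treated as high-value is this example's choice.

```python
# Added example (not Microsoft's or this article's code): triages directoryAudits
# records like those the query above returns into soft vs. hard deletes and raises
# an alert for hard deletes of high-value object types. Field names follow the
# directoryAudit resource (activityDisplayName, initiatedBy, targetResources[].type);
# the records are constructed and the high-value type set is this example's choice.
from typing import Dict, List

HIGH_VALUE_TYPES = {"Policy", "AdministrativeUnit", "ServicePrincipal"}

def classify(rec: dict) -> Dict:
    """Map one audit record to a delete event; kind is None when it is not a delete."""
    name = (rec.get("activityDisplayName") or "").lower()
    kind = "hard" if name.startswith("hard delete") else "soft" if name.startswith("delete") else None
    initiated = rec.get("initiatedBy") or {}
    actor = (initiated.get("user") or {}).get("userPrincipalName") or (initiated.get("app") or {}).get("displayName")
    targets = rec.get("targetResources") or []
    return {"id": rec.get("id"), "when": rec.get("activityDateTime"), "kind": kind, "actor": actor,
            "targets": [t.get("displayName") for t in targets],
            "alert": kind == "hard" and any(t.get("type") in HIGH_VALUE_TYPES for t in targets)}

def triage(records: List[dict]) -> Dict[str, List[dict]]:
    """Split delete events by kind and collect the ones worth paging someone for."""
    events = [e for e in (classify(r) for r in records) if e["kind"]]
    return {"soft": [e for e in events if e["kind"] == "soft"],
            "hard": [e for e in events if e["kind"] == "hard"],
            "alerts": [e for e in events if e["alert"]]}

# Constructed sample records (not real tenant data).
SAMPLE_RECORDS = [
    {"id": "a1", "activityDateTime": "2025-03-01T08:00:00Z", "activityDisplayName": "Delete user",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
     "targetResources": [{"type": "User", "displayName": "Jane Contractor"}]},
    {"id": "a2", "activityDateTime": "2025-03-01T08:05:00Z", "activityDisplayName": "Hard Delete user",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
     "targetResources": [{"type": "User", "displayName": "Jane Contractor"}]},
    {"id": "a3", "activityDateTime": "2025-03-01T09:00:00Z", "activityDisplayName": "Delete conditional access policy",
     "initiatedBy": {"app": {"displayName": "Unknown automation"}},
     "targetResources": [{"type": "Policy", "displayName": "Require MFA for Admins"}]},
    {"id": "a4", "activityDateTime": "2025-03-01T09:01:00Z", "activityDisplayName": "Hard Delete conditional access policy",
     "initiatedBy": {"app": {"displayName": "Unknown automation"}},
     "targetResources": [{"type": "Policy", "displayName": "Require MFA for Admins"}]},
    {"id": "a5", "activityDateTime": "2025-03-01T09:30:00Z", "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"type": "User", "displayName": "Sam Admin"}]},
]

if __name__ == "__main__":
    for event in triage(SAMPLE_RECORDS)["alerts"]:
        print(f"ALERT {event['when']} {event['actor']} hard-deleted {event['targets']}")
```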
What Undercode Say:
- Key Takeaway 1: Microsoft Entra’s new Backup and Recovery APIs shift identity resilience from reactive “bin‑searching” to proactive, immutable, daily‑snapshot protection. The ability to preview changes before restoration is a game‑changer for busy IT admins.
- Key Takeaway 2: Recoverability is a shared responsibility. While Microsoft protects the backup data itself, you must actively monitor audit logs, define configuration baselines, and rehearse your restoration procedures. Hard‑deleted objects and certain misconfigurations can only be recovered from your own backups or recreated manually.
Analysis:
The demo on the Microsoft Security 425 show highlighted how the `Copilot CLI` can interact with these APIs, hinting at a future where natural language commands can trigger complex recovery operations. The separation between the 30‑day recycle bin (for soft deletes) and the 5‑day immutable backup snapshots is crucial: the recycle bin is for quick oops‑fixes, while the backup solution is your last line of defense against a compromised admin or a catastrophic misconfiguration. Organizations should immediately start documenting their “known good state” using Tenant Configuration Management and automate configuration backups with tools like Entra Exporter. Without these measures, a hard‑deleted Conditional Access policy could bring down your entire MFA strategy in seconds.
Prediction:
- +1 By 2027, identity backup and recovery will become a standard pillar of every Zero Trust architecture, leading to built‑in “undo” capabilities for all major IdP changes.
- +1 The integration of AI and natural language into backup APIs (as seen with Copilot CLI) will dramatically reduce recovery times, allowing helpdesk staff to perform complex restores without deep Graph API knowledge.
- -1 As Entra backups become immutable, attackers will shift focus to compromising the restoration process itself—for example, by poisoning the “known good state” before a disaster, forcing admins to restore a compromised configuration.
Reported By: Tarekdawoud Ben – Hackers Feeds