Tim Springston Principal Product Manager, Semperis

Entra ID recovery—and identity resilience in general—centers on two types of events: recovering from accidents and recovering from security intrusions.

To understand these events and the tools you need to address the problems they cause, we need to look at how the identity threat landscape has changed over the past 15 years.


Everyday mistakes: A road paved with good intentions

Around 2014, we started to see a new trend in cloud identity problems. These problems didn’t originate from outages or poor quality of Microsoft cloud services but from accidents caused by admins in Azure AD (now Entra ID).

Some real-life incident examples:

  • A legitimate admin accidentally deletes several security groups that govern access to a business-critical database. This leads to a two-day outage as the team struggles to manually recreate the groups and their memberships from memory.
  • A junior admin is tasked with “stale app cleanup” in a well-intentioned attempt to reduce security exposure for the company. The admin inadvertently deletes thousands of not-stale-at-all business-critical apps, ushering in a 28-day outage and a major initiative to get things back in working order.
  • A well-meaning admin “makes available” Office 365 licenses by removing their assignments from legitimate users. This simple problem interrupted business activity for hundreds of users for over a day.

These accidental misconfiguration and deletion stories weren’t new. Similar problems had been common in Active Directory for over a decade. The cumulative effects are mind-boggling: so many organizational units (OUs) and their contents deleted and restored!

But seeing the misconfigurations in cloud identity—that was new. How do you protect users against their own accidents if the identities are hosted in the cloud?


The shared responsibility model of SaaS makes this your problem.

As the customer using the cloud service, you are solely responsible for the data integrity of the identity store. For many enterprise organizations, this responsibility translates into a clear need for identity resilience against benign but impactful mistakes.


Malicious intrusions: Threat actors don’t hack in…they log in

Meanwhile, another trend was emerging: threat actors were doing their best to gain access to resources in the cloud. The easiest approach was to log in, not hack in. So configuring multi-factor authentication (through something you have/know/are) and other security controls became vital.

It quickly became apparent that social engineering and other techniques would enable threat actors to gain access anyway, despite all best efforts. And in cases involving a malicious insider, the intruders would already be “in the building” with access. Security controls were not going to keep them out; they were truly legitimate admins.

Examples of these “log in, not hack in” stories are myriad and notable. The most widely known are attacks that started with social compromise, such as the MGM Grand cyberattack and the evolving techniques used by threat actors such as Storm 0501. I saw all this in real time as a services lead for cloud identity and then as a product manager at Microsoft. I regularly helped organizations resolve similar scenarios and met with them to get feedback on where the pain points were.


Evolving Entra ID protection and recovery

It became obvious to our team at Microsoft that two high-level incident types needed stronger capabilities: recovery from accidents and recovery from malicious changes and deletions.

We needed to address the accident scenarios natively. The strategy we decided on was to strengthen cloud identity resilience against accidental change and deletion with:

We addressed the malicious change and deletion scenarios by adding security rather than resilience. This became part of the Zero Trust security-oriented drive, in which features like Conditional Access were strengthened and expanded. Restoring the security posture quickly during or after an intrusion was not the priority.

Fast forward to now. Cloud identity accidents continue and guarding against those accidents remains important. At the same time, malicious incidents have increased in frequency and severity.  


Seeing “the bad guy logged in” scenario happen more often means accident recovery functionality alone isn’t enough.


Organizations require tools that are designed to recover Entra ID security posture and line-of-business applications even in the face of threat actors. Security-focused identity resilience is needed, including:

  • The ability to restore security posture quickly and comprehensively
  • A forensic view into the prior state
  • Long backup retention (so that backup availability exceeds the time bad actors are undetected in the tenant)
  • Immutability for backups so they will be there when needed
  • Strong content encryption to secure the data

Tools to protect and recover Entra ID from accidents and intrusions

For Entra ID, recovery challenges span two very different problem spaces: security posture and advanced recovery on one side, and everyday accidental change or deletion on the other.

Semperis Disaster Recovery for Entra Tenant (DRET) addresses the first by providing security‑centric, scenario‑driven recovery capabilities. This solution provides more than just point-in-time rollback. DRET can reconstruct complex, interdependent objects and policies (e.g., Conditional Access, Privileged Identity Management (PIM), Intune device management, and other critical controls) in a way that preserves intended security posture and supports investigation of malicious or high‑risk changes. DRET also fulfills the need for prioritizing security- and scenario-driven restore, enabling decision makers to know what must be restored and in what order—a critical aspect of security incident recovery.

Microsoft Entra Backup and Recovery complements these capabilities by focusing on straightforward, high‑frequency issues like accidental deletion or simple misconfiguration of users, groups, and core directory objects. This solution applies in situations where native backup behaviors and restore flows are sufficient and cost‑effective.

Organizations need both DRET and Microsoft Entra Backup and Recovery because modern Entra ID environments face simultaneous risks. You must be able to swiftly correct benign admin and operator mistakes. And you must be empowered to stop targeted or systemic attacks that require rich recovery, comparison, and orchestration capabilities to safely return the tenant to a known‑good, secure state—without re‑introducing the very weaknesses an attacker exploited.
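Two of the requirements above, a forensic comparison of the prior state against the current one (the list under “Security-focused identity resilience”) and restoring interdependent objects in the right order (the DRET paragraph), can be illustrated in code. The Python below is an added example written for this page; it is not DRET’s, Microsoft’s, or Entra ID’s own code. The snapshot layout, the object ids, the `deps` field, and the sample key are constructed assumptions for illustration, and the HMAC seal stands in for backup tamper-evidence, not for a real immutability or encryption feature.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed sample of a minimal tenant snapshot (assumed shape, not a real
# Entra export). Each object lists the ids it depends on, so a restore can be
# ordered: users before the group that contains them, the group before the
# Conditional Access policy that targets it.
SNAPSHOT_BEFORE: Dict[str, dict] = {
    "user-1": {"type": "user", "upn": "alice@example.com", "deps": []},
    "user-2": {"type": "user", "upn": "bob@example.com", "deps": []},
    "grp-db-admins": {"type": "group", "members": ["user-1", "user-2"],
                      "deps": ["user-1", "user-2"]},
    "ca-require-mfa": {"type": "conditionalAccessPolicy", "state": "enabled",
                       "includeGroups": ["grp-db-admins"], "deps": ["grp-db-admins"]},
}

# Constructed "current" state: the group was deleted and the policy disabled,
# the kind of change a forensic comparison should surface before any restore.
SNAPSHOT_AFTER: Dict[str, dict] = {
    "user-1": {"type": "user", "upn": "alice@example.com", "deps": []},
    "user-2": {"type": "user", "upn": "bob@example.com", "deps": []},
    "ca-require-mfa": {"type": "conditionalAccessPolicy", "state": "disabled",
                       "includeGroups": ["grp-db-admins"], "deps": ["grp-db-admins"]},
}


def diff_snapshots(before: Dict[str, dict], after: Dict[str, dict]
                   ) -> Tuple[List[str], List[str], List[str]]:
    """Forensic view: which objects were deleted, modified, or added."""
    deleted = sorted(k for k in before if k not in after)
    added = sorted(k for k in after if k not in before)
    modified = sorted(k for k in before if k in after and before[k] != after[k])
    return deleted, modified, added


def restore_plan(before: Dict[str, dict], after: Dict[str, dict]) -> List[str]:
    """Return ids to restore from `before`, every dependency ahead of its dependant."""
    deleted, modified, _ = diff_snapshots(before, after)
    to_restore = set(deleted) | set(modified)
    ordered: List[str] = []
    visited = set()

    def visit(obj_id: str) -> None:
        if obj_id in visited:
            return
        visited.add(obj_id)
        for dep in before[obj_id]["deps"]:
            visit(dep)            # unchanged deps are visited but not re-restored
        if obj_id in to_restore:
            ordered.append(obj_id)

    for obj_id in sorted(to_restore):
        visit(obj_id)
    return ordered


def seal_backup(snapshot: Dict[str, dict], key: bytes) -> Tuple[bytes, str]:
    """Serialise a snapshot canonically and attach an HMAC-SHA256 tag."""
    payload = json.dumps(snapshot, sort_keys=True).encode()
    return payload, hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_backup(payload: bytes, tag: str, key: bytes) -> bool:
    """Refuse to restore from a backup whose tag no longer matches its content."""
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    key = b"constructed-demo-key"          # assumption: a real key lives in a vault
    payload, tag = seal_backup(SNAPSHOT_BEFORE, key)
    print("backup intact:", verify_backup(payload, tag, key))
    print("deleted/modified/added:", diff_snapshots(SNAPSHOT_BEFORE, SNAPSHOT_AFTER))
    print("restore order:", restore_plan(SNAPSHOT_BEFORE, SNAPSHOT_AFTER))
```

Run as a script, it reports that the group was deleted and the policy modified, and that the group must be recreated before the policy is re-enabled, otherwise the restored policy would point at a group that does not yet exist. The seal check runs first so a backup that has been altered since it was taken is never used as the source of truth.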

Learn more: Comparing Semperis Disaster Recovery for Entra Tenant and Microsoft Entra Backup and Recovery

Prepare in advance for both accidents and malicious activities with tools that are built for the jobs: Microsoft Entra Backup and Restore plus Semperis Disaster Recovery for Entra Tenant.

Build your identity resilience strategy by having the best Entra ID recovery tools in the industry in your toolbelt. When you can quickly resolve incidents, they become mere distractions instead of multi-day resume-update-generating affairs.

