Disaster Recovery for Entra Tenant

Guard Entra ID resources from cyberattacks

Safely back up and recover critical Entra ID (Azure AD) resources.

Could you recover your Entra ID data after an attack?

How fast could you recover your critical Entra ID resources—user, group, and role objects and conditional access policies—after a cyber incident that compromised the Entra ID service? Even after Entra ID comes back online, you might discover that you no longer have those critical objects that enable authentication and access control to cloud-hosted apps and services. The security implications of implementing a hybrid AD environment can be easily overlooked:

Entra ID is home to certain objects that exist only in the cloud and can’t be replicated in your on-premises AD environment.
If a ransomware attack strikes, the Entra ID recycle bin is useless if resources such as hard-deleted user objects and conditional access policies are deleted or modified.
Without the ability to quickly recover Entra ID resources—user, group, and role objects and conditional access policies—your business operations will stall, even if Entra ID is back online

Learn More

The Entra ID recycle bin won’t save you

Many organizations mistakenly assume that Entra ID backups conducted by Microsoft are sufficient to protect their business operations. While Microsoft is responsible for Entra ID’s back end, the responsibility for effectively restoring group, role, and user objects falls squarely on the customer.

ENTRA ID IS AN ATTACK TARGET

Entra ID is a common target because it’s the most prevalent cloud identity service.

SECURITY MODEL IS DIFFERENT

The potential attack surface expands in a hybrid AD environment.

SECURITY IS KEY TO RECOVERY

Keeping your Entra ID resources secure is key to recovery after an attack.

Protect your critical resources with Disaster Recovery for Entra Tenant

Comprehensive identity recovery

Back up and recover users, groups, roles, and their attributes.
Restore soft-deleted objects from the Entra ID recycle bin and hard-deleted users removed from the recycle bin.
Recover security groups, cloud relationships for hybrid groups, group owners, service principal owners, application owners, Privilege Identity Manager configurations, and built-in and custom roles with their assignments.

Policy and access protection

Back up and recover Conditional Access policies, named locations, external identities policies, authentication flow policies, and authorization policies.
Restore with Conditional Access policies and all of their dependent objects with a single click.

Application and service continuity

Back up and recover multi-tenant and single-tenant service principals, app registrations and their associations.

Flexible restore options

Flexible recovery restores single objects or bulk restore of thousands. Automatically recover inactive Microsoft 365 mailboxes for hard-restored users.
Restore users in an active or inactive state.
Restore Conditional Access policies and all associated configurations.

Backup visibility and control

Review backup contents and compare backup data to live Entra ID for compliance, reporting or discovery of restore targets.
View summary dashboards and download detailed restore reports with object-level information.

Secure and customizable storage

Use Semperis-hosted secure storage for Entra ID backups with in-region failover for availability.
Triple encrypted backup contents using FIPS 140-3 Level 3 Hardware Security Module-based data encryption.
Use service-provided key encryption keys or bring your own.

How Semperis helps protect Entra ID resources

Most organizations have adopted a hybrid AD environment, typically with on-premises AD authenticated to Entra ID services and apps. But shifting assets to Entra ID doesn’t solve the security problems. As with on-premises AD, Entra ID has its weaknesses, and the hybrid mix creates additional opportunities for attackers. Disaster Recovery for Entra Tenant protects your critical user, group, and role objects and conditional access policies so you can quickly recover if an attack compromises the Entra ID service.

Challenge

How Semperis helps

Cyberattacks are targeting Entra ID (formerly Azure AD)—putting your critical identity system resources at risk.

Disaster Recovery for Entra Tenant safely backs up your Entra ID data, including user, group, and role objects and conditional access policies—and provides SOC 2 (Type II) certified secure managed storage.

Keeping your Entra ID resources secure is key to recovering after an attack that targets the hybrid identity system.

Semperis-managed storage provides 16 nines of designed durability with geo-replication and flexibility to scale as needed. Plus, you can bring your own encryption key for additional control. You can choose from data centers in the US, Canada, EU, or Australia.

Recovering Entra ID data is challenging if an attacker empties the Recycle Bin.

Disaster Recovery for Entra Tenant helps you safely back up Entra ID resources, quickly recover resources after a cyberattack, and maintain control of your data security.

Unmatched scale of protection for Your Entra Tenant

Disaster Recovery for Entra Tenant delivers enterprise-grade resilience with staggering coverage.

1.29B+

Entra ID link relationships preserved

450M+

Entra ID objects backed up

260M+

Entra ID users protected

175M+

Entra ID groups secured

Frequently asked questions about Entra ID (Azure AD) object backup and recovery

What is Disaster Recovery for Entra Tenant?

Disaster Recovery for Entra Tenant (DRET) is a standalone software-as-a-service (SaaS) offering that helps IT and security administrators back up and recover Entra ID resources—user, group, and role objects and conditional access policies—that are critical to providing authentication and access to applications and services across an organization’s environments.

What problem does Disaster Recovery for Entra Tenant solve?

Disaster Recovery for Entra Tenant covers a critical security gap for organizations that operate in a hybrid or cloud-only identity environment—most commonly with on-premises AD synched to Entra ID (formerly Azure AD). Many organizations mistakenly assume that Entra ID backups conducted by Microsoft are sufficient to protect their business operations.

While Microsoft is responsible for Entra ID’s back end, the responsibility for effectively restoring Microsoft 365 groups, directory roles, and other objects falls squarely on the customer. As the authentication service for Microsoft 365 and other cloud applications and services, Entra ID is home to certain objects that only exist in the cloud and cannot be replicated in your on-premises Active Directory environment. As a result, organizations need a recovery strategy that is specific to Entra ID. Without the ability to quickly recover Entra ID resources, business operations will stall—even if Entra ID is back online.

How does Disaster Recovery for Entra Tenant solve this problem?

With Disaster Recovery for Entra Tenant, customers can safely back up critical Entra ID resources, quickly recover resources after a cyberattack, and maintain control of their data security.

What Entra ID data does Disaster Recovery for Entra Tenant recover?

Disaster Recovery for Entra Tenant protect critical identity resources that the Entra ID recycle bin leave behind:

Recovers soft-deleted users
Recovers soft-deleted Microsoft 365 groups
Recovers hard-deleted user objects
Recovers security groups
Recovers conditional access policies
Supports selective restore of individual objects
Supports bulk restore of multiple objects
Retains multiple backup versions
Provides a restore report with details on the restore job, including object-level reporting
Automatically recovers inactive Microsoft 365 mailboxes for hard-restored users
Recovers owners for groups, applications, and service principals
Recovers Privileged Identity Management (PIM) active role assignments
Recovers owners for groups, applications, and service principals
Backs up and restores custom roles and role assignments
Supports ability to compare administrative units
Recovers hybrid groups
Backs up and restores external identities policies
Backs up and restores authentication flow policies
Backs up and restores authorization policies

What are the advantages of using Semperis-hosted storage?

Semperis-hosted storage gives you secure, reliable backup services for your Entra ID data, giving IT and security teams peace of mind and eliminating time-consuming storage management processes. As a part of the Disaster Recovery for Entra Tenant (DRET) solution, the backup process calls the Microsoft Azure AD Graph API via a secure session and backs up the customer data. The backup is then encrypted and stored in a customer-dedicated container in the Semperis Azure subscription storage device.

How secure is Semperis managed storage?

The Semperis Azure subscription storage device is protected by multiple security controls, including:

Sixteen nines of designed durability with geo-replication and flexibility to scale as needed
Authentication with Azure Active Directory and role-based access control (RBAC)
Encryption at rest
Advanced threat protection
Policy-based access control
Immutable (WORM) storage
Choice of Microsoft data centers in the US, EU, Canada, or Australia
System-managed encryption key provided at onboarding with an option to bring your own encryption key