Microsoft Entra ID
The backup service for Microsoft Entra ID supports protecting app registrations, enterprise applications, administrative units, roles and administrators, groups, users, Device – BitLocker Recovery Keys, audit logs, and sign-in logs.
Microsoft Entra ID data recovery supports restoring app registrations, enterprise applications, administrative units, and roles and administrators to the original location. It also supports restoring groups and users to the original location or to a new location. Refer to the tables below for the supported and unsupported components and attributes of the object types you can protect in Microsoft Entra ID.
The Microsoft Entra ID service supports protecting the Device – BitLocker Recovery Keys. You can copy the BitLocker key from the backup. After the December 2023 release, the Microsoft Entra ID service can also protect the extension attributes of the following objects: Users, Groups, Administrative Units, App Registrations, and Devices.
*Note: Because of an API limitation, some properties stored outside of the main data store for the resource are not supported as part of change tracking, so changes to those properties cannot be detected by an incremental backup. Only a full backup can cover such changes. For more details on the limitation, refer to the Microsoft article: .
App Registration
Refer to the table below for the data recovery state for app registrations:
- The **Photo** and **Secrets** cannot be kept. The restore job will generate new secrets and key IDs and will record the information in the job report.
- The **Created date** and the **Created on behalf of** cannot be restored.
| Component | Details |
|---|---|
| Branding | Supported |
| Authentication | Supported |
| Certificates | Supported |
| Client secrets | Supported |
| Federated credentials | Supported |
| Token configuration | Supported |
| API permissions | Partially Supported *Note: The API grant status is currently unsupported. *Note: In the data center operated by 21Vianet in China, the existing API permissions are supported. The API permissions that are temporarily or permanently deleted are partially supported. |
| Expose an API | Supported |
| App roles | Supported |
| Owners | Supported |
| Roles and administrators | Unsupported |
| Manifest | Unsupported |
| Extension attributes | Supported *Note: Extension attributes are unsupported in the data center operated by 21Vianet in China. |
Object Attributes
| Attribute | Status | Comment |
|---|---|---|
| publisherDomain | Supported | |
| requiredResourceAccess | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| signInAudience | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| spa | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| tags | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| tokenEncryptionKeyId | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| verifiedPublisher | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| web | Supported | |
| createdOnBehalfOf | Unsupported | |
| publicClient | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| passwordCredentials | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| parentalControlSettings | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| optionalClaims | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| addIns | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| api | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| appId | Partially Supported | The appId can be kept if the app has not yet been permanently deleted from your Microsoft Entra tenant. In the 21v environment, the existing attribute is a read-only property. The attribute that is temporarily or permanently deleted is unsupported. |
| applicationTemplateId | Unsupported | |
| createdDateTime | Partially Supported | The createdDateTime can be kept if the app has not yet been permanently deleted from your Microsoft Entra tenant. In the 21v environment, the existing attribute is a read-only property. The attribute that is temporarily deleted is supported. The attribute that is permanently deleted is unsupported. |
| description | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| disabledByMicrosoftStatus | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| identifierUris | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| info | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| isDeviceOnlyAuthSupported | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| isFallbackPublicClient | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| keyCredentials | Supported | |
| notes | Supported | |
| groupMembershipClaims | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| Name | Supported | |
| Logo | Supported | |
| Home page URL | Supported | |
| Terms of service URL | Supported | |
| Privacy statement URL | Supported | |
| Service management reference | Unsupported | |
| OAuth 2.0 authorization endpoint (v2) | Unsupported | |
| OAuth 2.0 token endpoint (v2) | Unsupported | |
| OAuth 2.0 authorization endpoint (v1) | Unsupported | |
| OAuth 2.0 token endpoint (v1) | Unsupported | |
| OpenID Connect metadata document | Unsupported | |
| Microsoft Graph API endpoint | Unsupported | |
| Federation metadata document | Unsupported | |
| WS-Federation sign-on endpoint | Unsupported | |
| SAML-P sign-on endpoint | Unsupported | |
| SAML-P sign-out endpoint | Unsupported | |
Enterprise Application
Refer to the table below for the data recovery state for enterprise applications:
Note that the following properties cannot be restored:
- App owner organization ID
- Sign-in audience
- Key credentials
- OAuth2 permission scope
| Component | Details |
|---|---|
| Properties | Supported |
| Owners | Supported |
| Roles and administrators | Unsupported |
| Users and groups | Supported |
| Single sign-on | Supported |
| Provisioning | Supported *Note: Provisioning is unsupported in the data center operated by 21Vianet in China. |
| Application proxy | Unsupported |
| Self-service | Unsupported |
Object Attributes
| Attribute | Status | Comment |
|---|---|---|
| accountEnabled | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| addIns | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| alternativeNames | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| appDescription | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| appId | Supported | The attribute is a read-only property in the data center operated by 21Vianet in China. |
| applicationTemplateId | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| appOwnerOrganizationId | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| appRoleAssignmentRequired | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| description | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| disabledByMicrosoftStatus | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| homepage | Supported | |
| keyCredentials | Partially Supported | The attribute relates to the SSO configuration of the enterprise application. If the enterprise application has not yet been permanently deleted, the setting can be restored. Otherwise, you have to choose to allow AvePoint to generate a certificate for SSO configuration or import the certificate manually while configuring restore settings. The attribute is unsupported in the data center operated by 21Vianet in China. |
| loginUrl | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| logoutUrl | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| notificationEmailAddresses | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| oauth2PermissionScopes | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| passwordCredentials | Partially Supported | The passwordCredentials can be kept if the app has not yet been permanently deleted from your Microsoft Entra tenant. The attribute is unsupported in the data center operated by 21Vianet in China. |
| preferredSingleSignOnMode | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| preferredTokenSigningKeyThumbprint | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| replyUrls | Supported | |
| samlSingleSignOnSettings | Supported | |
| servicePrincipalNames | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| servicePrincipalType | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| signInAudience | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| tags | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| tokenEncryptionKeyId | Supported | |
| Name | Supported | |
| Object ID | Partially Supported | The object ID can be kept if the app has not yet been permanently deleted from your Microsoft Entra tenant. In the data center operated by 21Vianet in China, the object ID is a read-only property. The object IDs that are temporarily deleted can be restored. The object IDs that are permanently deleted cannot be restored. |
| Enabled for users to sign-in | Supported | |
| Logo | Supported | |
| Assignment required | Supported | |
| Visible to users | Supported | |
| Notes | Supported | |
| Permission | Partially Supported | The admin consented permissions can be kept if the app has not yet been permanently deleted from your Microsoft Entra tenant. |
Administrative Units
| Data Type | Status |
|---|---|
| Properties | Supported |
| Users | Supported |
| Groups | Supported |
| Devices | Supported |
| Roles and administrators | Unsupported |
| Extension attributes | Supported *Note: Extension attributes are unsupported in the data center operated by 21Vianet in China. |
| membershipRule | Supported *Note: The membershipRule is unsupported in the data center operated by 21Vianet in China. |
| membershipType | Supported *Note: The membershipType is unsupported in the data center operated by 21Vianet in China. |
| membershipRuleProcessingState | Supported *Note: The membershipRuleProcessingState is unsupported in the data center operated by 21Vianet in China. |
Object Attribute
| Attribute | Status |
|---|---|
| Description | Supported |
| Visibility | Supported *Note: The attribute is unsupported in the data center operated by 21Vianet in China. |
Roles and Administrators
| Object Type | Status |
|---|---|
| Assignment | Supported *Note: Currently, only the eligible assignments and active assignments are supported. The expired assignments are unsupported. |
| Description | Supported |
| Role settings | Supported |
Object Attributes
| Attributes | Status |
|---|---|
| description | Supported |
| isBuiltIn | Supported |
| isEnabled | Supported |
| rolePermissions | Supported |
| templateId | Partially Supported *Note: The templateId can be kept if the roles and administrators have not yet been permanently deleted from your Microsoft Entra tenant. |
| version | Supported |
| visibility | Supported |
Groups
Refer to the table below for the data recovery state for groups:
- The backup service for Microsoft Entra ID can protect the following types of Microsoft Entra groups: **Microsoft 365 Group**, **Distribution List**, **Security Group**, and **Mail-Enabled Security Group**.
- The Microsoft 365 Groups with dynamic users are supported, but the **Dynamic distribution** group type is not supported.
- The Phone, Mail, and Sensitivity Label cannot be restored.
- The assigned labels cannot be restored.
- The created time and expiration time cannot be kept.
- If the group is synchronized from the on-premises Active Directory, the synchronization information cannot be restored. It will be restored as a cloud-only group.
- The assigned licenses can be restored if there are enough available licenses.
| Data Type | Status |
|---|---|
| Properties | Supported |
| Photo | Supported *Note: The photo is unsupported in the data center operated by 21Vianet in China. |
| Members | Supported |
| Owners | Supported |
| Roles and administrators | Unsupported |
| Administrative units | Supported |
| Group memberships | Supported |
| Applications | Supported |
| Azure role assignments | Supported *Note: To protect the Azure role assignments, you must grant the service app the User Access Administrator role in the corresponding subscription. *Note: The Azure role assignments are unsupported in the data center operated by 21Vianet in China. |
| Extension attributes | Supported |
Object Attributes
| Attribute | Status | Comment |
|---|---|---|
| classification | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| deletedDateTime | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| description | Supported | |
| groupTypes | Supported | |
| deducedGroupType | Unsupported | |
| mailEnabled | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| mailNickname | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| mail | Supported | |
| membershipRule | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| membershipRuleProcessingState | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| preferredDataLocation | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| preferredLanguage | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| resourceBehaviorOptions | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| resourceProvisioningOptions | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| securityEnabled | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| securityIdentifier | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| theme | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| visibility | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| isAssignableToRole | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| Membership type | Supported | |
| Source | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| Type | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
| Object ID | Partially Supported | The object ID can be kept if the group has not yet been permanently deleted from your Microsoft Entra ID. In the data center operated by 21Vianet in China, the object ID is partially supported. The object IDs that are temporarily deleted can be restored. The object IDs that are permanently deleted cannot be restored. |
| Created at | Unsupported | Read-only property in Microsoft Entra ID. |
| Email | Supported | |
| Direct members | Supported | |
| Group memberships | Supported | |
| Group name | Supported | |
| Group description | Supported | |
| Group writeback state | Supported | The attribute is unsupported in the data center operated by 21Vianet in China. |
Users
Refer to the table below for the data recovery state for users:
- The guest users can also be protected in the Microsoft Entra Users category.
- The creation time of the user profile and the creation type cannot be kept.
- If the user is synchronized from the on-premises Active Directory, the synchronization information cannot be restored. It will be restored as a cloud-only user.
- For the users who have not yet been permanently deleted, the restore job will fail if any role assignments are not supported for restore.
| Component | Status |
|---|---|
| Profiles | Supported |
| Photo | Supported *Note: Due to the API limitation, the photo cannot be reverted to empty. Therefore, the restore job will skip the photo if the photo in the backup is empty. |
| Assigned roles | Supported *Note: Currently, only the eligible assignments and active assignments are supported. The expired assignments are unsupported. |
| Administrative units | Supported |
| Groups | Supported |
| Applications | Supported |
| License | Supported |
| Devices | Unsupported |
| Azure role assignments | Supported *Note: To protect the Azure role assignments, you must grant the service app the User Access Administrator role in the corresponding subscription. *Note: The Azure role assignments are unsupported in the data center operated by 21Vianet in China. |
| Authentication methods | Partially Supported *Note: The Alternative Phone belongs to MFA. The backup and restore of MFA properties are not supported. *Note: The authentication methods are fully supported in the data center operated by 21Vianet in China. |
| Extension attributes | Supported |
Object Attributes
| Attributes | Status | Comment |
|---|---|---|
| accountEnabled | Supported | |
| ageGroup | Supported | |
| businessPhones | Supported | |
| city | Supported | |
| companyName | Supported | |
| consentProvidedForMinor | Supported | |
| country | Supported | |
| createdDateTime | Unsupported | Read-only property in Microsoft Entra ID. |
| creationType | Unsupported | Read-only property in Microsoft Entra ID. If the user account was created as a local account for an Azure Active Directory B2C tenant, the value is LocalAccount or nameCoexistence. |
| deletedDateTime | Unsupported | |
| department | Supported | |
| employeeHireDate | Unsupported | Read-only property in Microsoft Entra ID. |
| employeeId | Supported | |
| employeeOrgData | Supported | |
| employeeType | Supported | |
| externalUserState | Unsupported | Read-only property in Microsoft Entra ID. |
| externalUserStateChangeDateTime | Unsupported | Read-only property in Microsoft Entra ID. |
| faxNumber | Supported | |
| givenName | Supported | |
| identities | Supported | |
| jobTitle | Supported | |
| lastPasswordChangeDateTime | Unsupported | Read-only property in Microsoft Entra ID. |
| mail | Supported | |
| mailNickname | Supported | |
| mobilePhone | Supported | |
| officeLocation | Supported | |
| onPremisesImmutableId | Supported | *Note: The attribute is unsupported in the data center operated by 21Vianet in China. |
| onPremisesProvisioningErrors | Unsupported | |
| otherMails | Supported | |
| passwordPolicies | Supported | *Note: The attribute is unsupported in the data center operated by 21Vianet in China. |
| postalCode | Supported | |
| preferredDataLocation | Supported | *Note: The attribute is unsupported in the data center operated by 21Vianet in China. |
| preferredLanguage | Supported | *Note: The attribute is unsupported in the data center operated by 21Vianet in China. |
| showInAddressList | Unsupported | |
| state | Supported | |
| streetAddress | Supported | |
| surname | Supported | |
| usageLocation | Supported | |
| userPrincipalName | Supported | |
| userType | Supported | *Note: The attribute is unsupported in the data center operated by 21Vianet in China. |
| Manager | Supported | Read-only property in Microsoft Entra ID. |
| Display name | Supported | |
| Object ID | Partially Supported | The object ID can be kept if the user has not yet been permanently deleted from your Microsoft Entra tenant. In the data center operated by 21Vianet in China, the object ID is partially supported. The object IDs that are temporarily deleted can be restored. The object IDs that are permanently deleted cannot be restored. |
| Sign in sessions valid from date and time | Unsupported | Read-only property in Microsoft Entra ID. |
| Authorization info | Supported | |
| Legal age group classification | Supported | |