Disaster Recovery for Entra Tenant

Guard Entra ID resources from cyberattacks

Safely back up and recover critical Entra ID (Azure AD) resources.

Could you recover your Entra ID data after an attack?

How fast could you recover your critical Entra ID resources—user, group, and role objects and conditional access policies—after a cyber incident that compromised the Entra ID service? Even after Entra ID comes back online, you might discover that you no longer have those critical objects that enable authentication and access control to cloud-hosted apps and services. The security implications of implementing a hybrid AD environment can be easily overlooked:

Entra ID is home to certain objects that exist only in the cloud and can’t be replicated in your on-premises AD environment.
If a ransomware attack strikes, the Entra ID recycle bin is useless if resources such as hard-deleted user objects and conditional access policies are deleted or modified.
Without the ability to quickly recover Entra ID resources—user, group, and role objects and conditional access policies—your business operations will stall, even if Entra ID is back online

Learn More

The Entra ID recycle bin won’t save you

Many organizations mistakenly assume that Entra ID backups conducted by Microsoft are sufficient to protect their business operations. While Microsoft is responsible for Entra ID’s back end, the responsibility for effectively restoring group, role, and user objects falls squarely on the customer.

ENTRA ID IS AN ATTACK TARGET

Entra ID is a common target because it’s the most prevalent cloud identity service.

SECURITY MODEL IS DIFFERENT

The potential attack surface expands in a hybrid AD environment.

SECURITY IS KEY TO RECOVERY

Keeping your Entra ID resources secure is key to recovery after an attack.

Protect your critical resources with Disaster Recovery for Entra Tenant

Fast, secure backup and recovery for Entra ID resources

Disaster Recovery for Entra Tenant (DRET) gives you secure, reliable backup services for critical Entra ID data, eliminating time-consuming storage management processes and ensuring fast post-attack recovery.

Back up and recover user, group, and role objects—and their attributes—and conditional access policies
Restore soft-deleted (still in the Entra ID recycle bin) user, group, and role objects
Restore hard-deleted user objects even if they have been removed from the Entra ID recycle bin—potentially by an attacker
Recover security groups
Recover conditional access policies
Selectively restore individual objects
Bulk restore multiple objects
Retain multiple backup versions
View critical information in a summary dashboard
Easily compare backups
Take advantage of Semperis-hosted secure storage of Entra ID resources with an option to bring your own encryption key
Easily restore multi-tenant service principals
Automatically recover inactive Microsoft 365 mailboxes for hard-restored users

How Semperis helps protect Entra ID resources

Most organizations have adopted a hybrid AD environment, typically with on-premises AD authenticated to Entra ID services and apps. But shifting assets to Entra ID doesn’t solve the security problems. As with on-premises AD, Entra ID has its weaknesses, and the hybrid mix creates additional opportunities for attackers. Disaster Recovery for Entra Tenant protects your critical user, group, and role objects and conditional access policies so you can quickly recover if an attack compromises the Entra ID service.

Challenge

How Semperis helps

Cyberattacks are targeting Entra ID (formerly Azure AD)—putting your critical identity system resources at risk.

Disaster Recovery for Entra Tenant safely backs up your Entra ID data, including user, group, and role objects and conditional access policies—and provides SOC 2 (Type II) certified secure managed storage.

Keeping your Entra ID resources secure is key to recovering after an attack that targets the hybrid identity system.

Semperis-managed storage provides 16 nines of designed durability with geo-replication and flexibility to scale as needed. Plus, you can bring your own encryption key for additional control. You can choose from data centers in the US, EU, or Australia.

Recovering Entra ID data is challenging if an attacker empties the Recycle Bin.

Disaster Recovery for Entra Tenant helps you safely back up Entra ID resources, quickly recover resources after a cyberattack, and maintain control of your data security.

Frequently asked questions about Entra ID (Azure AD) object backup and recovery

What is Disaster Recovery for Entra Tenant?

Disaster Recovery for Entra Tenant (DRET) is a standalone software-as-a-service (SaaS) offering that helps IT and security administrators back up and recover Entra ID resources—user, group, and role objects and conditional access policies—that are critical to providing authentication and access to applications and services across an organization’s environments.

What problem does Disaster Recovery for Entra Tenant solve?

Disaster Recovery for Entra Tenant covers a critical security gap for organizations that operate in a hybrid or cloud-only identity environment—most commonly with on-premises AD synched to Entra ID (formerly Azure AD). Many organizations mistakenly assume that Entra ID backups conducted by Microsoft are sufficient to protect their business operations.

While Microsoft is responsible for Entra ID’s back end, the responsibility for effectively restoring Microsoft 365 groups, directory roles, and other objects falls squarely on the customer. As the authentication service for Microsoft 365 and other cloud applications and services, Entra ID is home to certain objects that only exist in the cloud and cannot be replicated in your on-premises Active Directory environment. As a result, organizations need a recovery strategy that is specific to Entra ID. Without the ability to quickly recover Entra ID resources, business operations will stall—even if Entra ID is back online.

How does Disaster Recovery for Entra Tenant solve this problem?

With Disaster Recovery for Entra Tenant, customers can safely back up critical Entra ID resources, quickly recover resources after a cyberattack, and maintain control of their data security.

What Entra ID data does Disaster Recovery for Entra Tenant recover?

Disaster Recovery for Entra Tenant protect critical identity resources that the Entra ID recycle bin leave behind:

Recovers soft-deleted users
Recovers soft-deleted Microsoft 365 groups
Recovers hard-deleted user objects
Recovers security groups
Recovers conditional access policies
Supports selective restore of individual objects
Supports bulk restore of multiple objects
Retains multiple backup versions

What are the advantages of using Semperis-hosted storage?

Semperis-hosted storage gives you secure, reliable backup services for your Entra ID data, giving IT and security teams peace of mind and eliminating time-consuming storage management processes. As a part of the Disaster Recovery for Entra Tenant (DRET) solution, the backup process calls the Microsoft Azure AD Graph API via a secure session and backs up the customer data. The backup is then encrypted and stored in a customer-dedicated container in the Semperis Azure subscription storage device.

How secure is Semperis managed storage?

The Semperis Azure subscription storage device is protected by multiple security controls, including:

Sixteen nines of designed durability with geo-replication and flexibility to scale as needed
Authentication with Azure Active Directory and role-based access control (RBAC)
Encryption at rest
Advanced threat protection
Policy-based access control
Immutable (WORM) storage
Choice of Microsoft data centers in the US, EU, or Australia
System-managed encryption key provided at onboarding with an option to bring your own encryption key