@Concerned citizen, welcome to the Microsoft Q&A community.
Airgapping Entra ID (formerly Azure AD) user and security group (SG) backups is critical for protecting against ransomware, malicious deletions, and tenant-wide disasters. However, you're absolutely right: restoring an entire tenant from scratch—including users and groups—is not natively supported in full fidelity by Microsoft or by most third-party tools due to how Entra ID is designed as a cloud-native identity provider.
The Core Problem
Entra ID does not provide:
A native backup/restore capability that covers users, groups, roles, and configurations in a fully restorable format.
A way to export and re-import all users/SGs/roles/configs in a way that fully preserves original metadata (e.g., object IDs, group memberships, conditional access policies, app assignments).
Thus, airgapping Entra ID backups and ensuring disaster recovery (DR) is a layered approach.
Best Practices for Airgapping Entra ID Backups
- Periodic Offline Export of Directory Data
  - Users and their attributes
  - Security and M365 groups (including members)
  - Conditional Access policies
  - Role assignments (e.g., Global Admins)
  - Application registrations and Service Principals
  - PowerShell + Graph API scripts
  - Azure Automation jobs to export regularly
  - Store results as JSON/CSV in secure, immutable storage (e.g., AWS Glacier, on-prem tape, or encrypted drives)

  Example script source: Microsoft Graph PowerShell SDK
- Use of Third-Party SaaS Backup Solutions
While most third-party tools don't support full tenant rehydration, some provide partial protection:
| Vendor | Notes |
|---|---|
| HYCU for M365 | Backs up Entra ID users and M365 groups |
| AvePoint | Can export user data, configs, policies; partial restore possible |
| Quest On Demand Recovery | One of the best for granular AD object backup/restore |
| SkyKick | Focuses more on mailboxes, less on Entra ID itself |
| Veeam Backup for M365 | No full Entra ID restore, but good for Exchange/OneDrive/Teams content |
⚠️ Most vendors do not support complete re-creation of a deleted Entra ID tenant. Object IDs change on restore, causing downstream issues with app and role bindings.
- Immutable, Versioned Storage

  Exported backup files (from Graph or third-party tools) should be stored:
  - In immutable blob storage (e.g., Azure Immutable Blob, S3 Object Lock)
  - In airgapped, offline, or physically separate vaults
  - With versioning and tamper detection enabled
- Documentation and Terraform/Bicep for Reprovisioning

  Use Infrastructure as Code (IaC) to document and recreate:
  - Entra ID custom domain config
  - Conditional Access Policies
  - Enterprise Applications
  - Permissions and role assignments

  You can't fully export/import Entra ID, but you can script its structure for rebuild.
- DR Playbooks and Manual Reconstruction Planning

  Since no solution offers full restore, maintain a disaster recovery runbook that includes:
  - Recreating the tenant (new domain, domain validation)
  - Redeploying exported users/groups via script
  - Reapplying roles, policies, and apps
  - Rebinding services to the new Entra ID tenant

  Run periodic tabletop exercises simulating a full tenant loss to assess readiness.
Airgapping Strategy Summary
| Strategy | Purpose | Airgap Level |
|---|---|---|
| Scheduled Graph API exports | Backup users/groups/config | Medium (requires secure storage) |
| Immutable blob storage | Protect against ransomware | High |
| IaC templates (Terraform/Bicep) | Recreate policy structure | Medium |
| DR Playbooks | Human recovery aid | High |
| Third-party tools | Partial restore automation | Low to Medium |
What You Cannot Do Today
- Fully restore an Entra ID tenant to a previous state
- Preserve object IDs on restore (which affects apps and access)
- Offline cold backup of the entire Entra ID tenant with built-in Microsoft tools
Final Thoughts
The "airgap" for Entra ID backups is largely manual and hybrid: automation to export, security to store safely, and documentation to rebuild. Unfortunately, Microsoft does not currently provide a tenant-level snapshot/restore capability, and no third party offers full restore at that level.
If you're protecting high-value assets, combining secure exports with comprehensive DR plans and immutable storage is your best line of defense.
N.B.: I generated the above answer using Copilot as an AI tool. I have also validated and updated the AI output.
I hope this helps. Let me know if you have any further questions or need additional assistance.
Also, if this answers your query, please click "Upvote" and "Accept the answer", which might be beneficial to other community members reading this thread.
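The scheduled Graph export that the answer above recommends (users, groups with members, role assignments, Conditional Access policies, service principals), as an added example that is not part of the answer and not a Microsoft-provided script. It uses only read-only Microsoft Graph PowerShell SDK cmdlets and finishes by writing a SHA-256 manifest so that a copy placed in immutable storage can later be checked for tampering. The output path, the file names and the `Export-Json` helper are assumptions of this example.

```powershell
# Added example (not from the Microsoft Q&A answer above): scheduled export of
# Entra ID users, groups (with members), directory role assignments, Conditional
# Access policies and service principals to JSON, plus a SHA-256 manifest so a
# later copy in immutable storage can be checked for tampering.
# Assumptions: the Microsoft.Graph PowerShell SDK is installed, the identity
# running this has the read-only scopes requested below, and $OutRoot is a
# path of your choosing (hypothetical default).
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Groups, Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Applications
param(
    [string]$OutRoot = 'C:\EntraBackup'
)
$ErrorActionPreference = 'Stop'

# Read-only scopes only: the export credential must never be able to write to the directory.
Connect-MgGraph -Scopes 'User.Read.All','Group.Read.All','RoleManagement.Read.Directory','Policy.Read.All','Application.Read.All' -NoWelcome

$stamp  = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')
$tenant = (Get-MgContext).TenantId
$outDir = Join-Path $OutRoot "$tenant\$stamp"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

function Export-Json {
    param([string]$Name, [object]$Data)
    # -InputObject @() always emits a JSON array; -Depth avoids truncating nested
    # objects (members, policy conditions) at the default depth of 2.
    ConvertTo-Json -InputObject @($Data) -Depth 20 |
        Set-Content -Path (Join-Path $outDir "$Name.json") -Encoding UTF8
}

# Users: request the attributes needed to re-create an account, not just the listing defaults.
$userProps = 'id','userPrincipalName','displayName','mail','accountEnabled','userType',
             'jobTitle','department','onPremisesImmutableId','createdDateTime'
$users = @(Get-MgUser -All -Property $userProps | Select-Object $userProps)
Export-Json 'users' $users

# Groups with membership. Members are keyed by UPN as well as object ID, because
# object IDs are not preserved when objects are re-created in a new tenant.
$groupProps = 'id','displayName','mailNickname','securityEnabled','mailEnabled','groupTypes','description'
$groups = @(foreach ($g in Get-MgGroup -All -Property $groupProps) {
    $members = Get-MgGroupMember -GroupId $g.Id -All | ForEach-Object {
        [pscustomobject]@{
            id                = $_.Id
            userPrincipalName = $_.AdditionalProperties['userPrincipalName']   # $null for nested groups
            displayName       = $_.AdditionalProperties['displayName']
            odataType         = $_.AdditionalProperties['@odata.type']
        }
    }
    [pscustomobject]@{
        id = $g.Id; displayName = $g.DisplayName; mailNickname = $g.MailNickname
        securityEnabled = $g.SecurityEnabled; mailEnabled = $g.MailEnabled
        groupTypes = $g.GroupTypes; description = $g.Description; members = @($members)
    }
})
Export-Json 'groups' $groups

# Activated directory roles (e.g. Global Administrator) with their current members.
$roles = @(foreach ($r in Get-MgDirectoryRole -All) {
    [pscustomobject]@{
        id = $r.Id; displayName = $r.DisplayName; roleTemplateId = $r.RoleTemplateId
        members = @(Get-MgDirectoryRoleMember -DirectoryRoleId $r.Id -All | ForEach-Object {
            [pscustomobject]@{ id = $_.Id; userPrincipalName = $_.AdditionalProperties['userPrincipalName'] }
        })
    }
})
Export-Json 'directoryRoles' $roles

# Conditional Access policies and service principals are exported as returned by Graph.
Export-Json 'conditionalAccessPolicies' (Get-MgIdentityConditionalAccessPolicy -All)
$spProps = 'id','appId','displayName','servicePrincipalType','accountEnabled'
Export-Json 'servicePrincipals' (Get-MgServicePrincipal -All -Property $spProps | Select-Object $spProps)

# Tamper-detection manifest: SHA-256 of every export file, written last so it covers all of them.
$manifest = Get-ChildItem -Path $outDir -Filter '*.json' | ForEach-Object {
    [pscustomobject]@{
        file   = $_.Name
        bytes  = $_.Length
        sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
}
ConvertTo-Json -InputObject @($manifest) -Depth 3 |
    Set-Content -Path (Join-Path $outDir 'MANIFEST.sha256.json') -Encoding UTF8

Disconnect-MgGraph | Out-Null
Write-Host "Exported $($users.Count) users, $($groups.Count) groups, $($roles.Count) roles to $outDir"
```

Run it from an Azure Automation schedule or a task on a hardened host, then copy the timestamped folder to the immutable or offline location the answer describes; the manifest travels with it, and a restore drill starts by re-running `Get-FileHash` over the copy and comparing against `MANIFEST.sha256.json` before any object is re-created. Keying group and role members by `userPrincipalName` is what makes the export usable for rebuild: the answer's warning that object IDs change on restore means the `id` fields are only useful for reconciliation, while UPNs can be re-resolved in the new tenant.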