
ENTRA ID Recovery feature - Require information

SAGA 45 Reputation points
2026-03-27T07:45:35.0966667+00:00

Hi Team,

We noticed that the Entra ID recovery feature is in preview and would like to know more about it: what can it help restore? If you have a link to an MS blog, please share it. Also, when will this feature move from preview to live?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. VEMULA SRISAI 11,380 Reputation points Microsoft External Staff Moderator
    2026-03-27T08:21:17.2766667+00:00

    Hello SAGA,

    Microsoft Entra Backup and Recovery is currently available in Preview and is designed to help administrators restore critical Entra ID directory objects to a previously known good state after accidental changes or security-related incidents.

    What this feature helps with:

    Microsoft Entra Backup and Recovery is a built‑in admin recovery capability for tenant configuration and directory objects. It is not related to end‑user sign‑in recovery.

    The feature currently supports restoring the following Entra ID objects (Preview scope):

    • Users
    • Groups
    • Applications
    • Service principals
    • Conditional Access policies
    • Named locations
    • Authentication method policy
    • Partial authorization policy
    • Agent ID (as it consists of user and service principal objects)

    This helps address scenarios such as accidental deletions, misconfiguration, or configuration drift.

    How backups work:

    • Backups are created automatically once per day by Microsoft
    • Up to five days of backup history is retained
    • Backups are Microsoft‑managed
      • No user, admin, or application (including Global Administrator) can disable, delete, or modify backups
      • Backup data is stored in the same geo‑location as the Entra tenant

    Microsoft continues to expand supported objects and attributes while the feature is in preview.

    Key capabilities available:

    Using Entra Backup and Recovery, administrators can:

    • View available backups from the last five days
    • Create difference reports to compare the current tenant state with a selected backup
    • Recover objects, either:
      • All supported objects, or
      • Selected objects by object type or object ID
    • Review recovery history for completed and in‑progress recovery operations

    Best practice: Always generate and review a difference report before starting a recovery. The recovery duration mainly depends on the number of changes being restored.

    Where to access this in the portal:

    In the Microsoft Entra admin center, go to Backup and recovery, which includes:

    • Overview (Preview)
    • Backups (Preview)
    • Difference Reports (Preview)
    • Recovery History (Preview)

    Prerequisites and permissions:

    To use Microsoft Entra Backup and Recovery:

    • Tenant type:
      • Supported: Workforce tenants
      • Not supported: External ID and Azure AD B2C tenants
    • Licensing:
      • Microsoft Entra ID P1 or P2

    Required roles:

    • Microsoft Entra Backup Reader – view backups, reports, and recovery history
    • Microsoft Entra Backup Administrator – create difference reports and trigger recoveries

    Global Administrator includes all Backup Administrator permissions

    Hybrid identity considerations:

    • In hybrid environments, difference reports can identify changes to objects synchronized from AD DS
    • For certain objects (such as groups), moving the source of authority to cloud enables full recovery support

    Objects still managed in on‑prem AD DS must be protected using separate AD backup solutions

    Important limitations:

    • Hard‑deleted objects cannot be recovered or re‑created
    • Feature is currently Preview, and behavior or scope may change
    • Microsoft has not announced a General Availability (GA) date yet

    For your reference, the official documentation: https://learn.microsoft.com/en-in/entra/backup/overview


  2. Q&A Assist
    2026-03-27T07:46:03.1766667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Microsoft Entra Backup and Recovery and Microsoft Entra Account Recovery are currently in preview and provide different but complementary recovery capabilities.

    What Entra Backup and Recovery can restore

    Microsoft Entra Backup and Recovery is a built-in backup and recovery solution for Microsoft Entra ID that automatically backs up supported directory objects once per day and keeps up to five days of backup history. It helps recover critical objects to a previously known-good state after accidental changes or security compromise.

    Key capabilities:

    1. Automatic backups
      • Backups of supported objects are taken automatically once a day.
      • Up to five days of backup history are retained.
      • Backups are created and stored by Microsoft in the same geo-location as the tenant and cannot be disabled, deleted, or modified by any signed-in user or app.
    2. Supported objects and scenarios
      • Users
      • Groups
      • Applications and service principals
      • Conditional Access policies
      • Named locations
      • Authentication method policy
      • Partial authorization policy
      • Agent ID (because it is composed of user and service principal objects)
      Backup and Recovery lets administrators:
      • View available backups.
      • Create difference reports to compare a backup with the current tenant state.
      • Recover objects (all, by object type, or by object ID) to a previous state.
      • Review recovery history for completed and in-progress recovery jobs.
      Note:
      • Hard-deleted objects cannot be recovered or re-created by Microsoft Entra Backup and Recovery.
      • For hybrid identity, objects whose source of authority is Active Directory Domain Services (AD DS) may require alternative backup/recovery solutions unless converted to cloud-managed.
    3. Recovery operations
      • Recovery jobs are identified by a recovery ID.
      • Only one recovery or difference report job can run at a time.
      • Recovery History is retained for five days after completion.
      • All recovery actions are recorded in audit logs.
      • To perform recovery, the Microsoft Entra Backup Administrator role is required (its permissions are also included in Global Administrator).
    4. User authentication method (“user secrets”) recovery
      • Backup and Recovery can restore user objects and their associated authentication methods to a previous state when methods or accounts are accidentally or maliciously changed or deleted.
      • If a user was soft-deleted, restoring the user brings back attributes, group memberships, licenses, and assignments so MFA/SSPR/authentication policies continue to apply.
      • If a user was hard-deleted and is no longer available in Backup and Recovery, the user must be recreated and authentication methods re-registered from scratch.
      • Individual authentication methods cannot be restored independently; restoring the user object is required to recover prior methods.
      Recommended flow for accidental changes:
      • Review audit logs to identify what changed and when.
      • Recover the user to a point in time before the change.
      • Validate recovered authentication methods via Entra admin center or Microsoft Graph.

    What Entra Account Recovery / Identity Verification provides

    Microsoft Entra Account Recovery (preview) focuses on securely re-establishing user access when strong authentication methods are lost or compromised.

    Key elements:

    1. Identity verification and Verified ID
      • Users complete an identity verification process.
      • Upon successful verification, they receive a verifiable credential (Verified ID) stored in Microsoft Authenticator.
      • Users present this Verified ID back to Microsoft Entra ID, which validates the credential and correlates its attributes with the user profile.
    2. Access restoration
      • After successful verification, users can receive temporary access credentials (for example, Temporary Access Pass) with limited validity.
      • Users are guided through re-enrolling new authentication methods.
    3. Usage with Backup and Recovery
      • In recovery scenarios where authentication methods should not be trusted (for example, malicious changes), guidance recommends:
        • Using Identity Verification (account recovery) as the preferred, higher-assurance way to re-establish trust before enrolling new methods.
        • If Identity Verification is not available, using Temporary Access Pass to allow secure initial sign-in and method setup.

    Preview status and GA timeline

    The provided documentation explicitly states that both Microsoft Entra Backup and Recovery and the user/authentication-method recovery capabilities are in preview and refers to the Supplemental Terms of Use for Microsoft Azure Previews. The context does not provide any date or timeline for when these features will move from preview to general availability.

    To get started and explore capabilities in a tenant that meets the prerequisites (workforce tenant, Entra ID P1 or P2, and appropriate roles), use the Microsoft Entra admin center and the Backup and recovery blade to view backups, run difference reports, and perform recovery.
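The "review audit logs, then recover to a point before the change" flow in the answer above, as an added example that is not part of either answer and is not Microsoft code. It assumes audit records exported in the Microsoft Graph directoryAudit shape and a backup list copied by hand from the Backups blade; the user IDs, events, timestamps and the set of activity names treated as suspicious are constructed sample values.

```python
from datetime import datetime, timedelta

RETENTION = timedelta(days=5)  # per the answers: up to five days of backup history

def ts(s):
    """Parse an ISO 8601 UTC timestamp as exported in audit records."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def choose_backup(events, backups, user_id, suspicious, now):
    """Return (status, backup_time, first_change_time) for one user.

    Picks the newest retained backup taken before the earliest successful
    suspicious change, so the recovery does not restore an altered state.
    """
    hits = [ts(e["activityDateTime"]) for e in events
            if e["result"] == "success"                 # failed attempts changed nothing
            and e["activityDisplayName"] in suspicious
            and any(t["id"] == user_id for t in e["targetResources"])]
    if not hits:
        return ("no-change", None, None)
    first = min(hits)
    # Drop entries older than the retention window (guards against a stale list).
    usable = [b for b in map(ts, backups) if now - b <= RETENTION and b < first]
    if not usable:
        return ("outside-retention", None, first)       # no clean backup is left
    return ("recover", max(usable), first)

def ev(when, name, result, target):
    """Build a constructed record with the directoryAudit fields used above."""
    return {"activityDateTime": when, "activityDisplayName": name,
            "result": result, "targetResources": [{"id": target}]}

# Constructed sample data (not real tenant output).
NOW = ts("2026-03-27T09:00:00Z")
SUSPICIOUS = {"User deleted security info", "Update user", "Delete user"}
SAMPLE_BACKUPS = ["2026-03-%02dT02:00:00Z" % d for d in range(22, 28)]
SAMPLE_EVENTS = [
    ev("2026-03-24T10:00:00Z", "User deleted security info", "failure", "U1"),
    ev("2026-03-25T09:00:00Z", "User deleted security info", "success", "U2"),
    ev("2026-03-25T14:10:00Z", "User deleted security info", "success", "U1"),
    ev("2026-03-26T08:00:00Z", "Update user", "success", "U1"),
    ev("2026-03-22T12:00:00Z", "Delete user", "success", "U3"),
]

if __name__ == "__main__":
    for uid in ("U1", "U3", "U9"):
        print(uid, choose_backup(SAMPLE_EVENTS, SAMPLE_BACKUPS, uid, SUSPICIOUS, NOW))
```

An "outside-retention" result means the earliest change predates every retained backup, so a recovery job cannot return that object to its earlier state.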

