
Entra ID (Azure Active Directory)

Afi provides comprehensive support for Entra ID (Azure Active Directory), covering the key object types listed below, including all related metadata fields as well as backup and recovery of ownership, membership, and assignments:

Notice

If you have installed the Afi application before September 5, 2024, please re-grant the application access to your Microsoft 365 tenant as described here. This will allow the Afi service to access all Entra ID objects supported by Afi and ensure the completeness of the Entra ID backup.

You can protect Entra ID for a Microsoft 365 tenant on the Service → Protection → Entra ID (Azure AD) tab:

Entra ID backup is included with all Microsoft 365 Afi service subscriptions and requires no additional licenses.

Browse

The Entra ID backup browse view is structured into sections, with objects grouped by type, enabling users to view their properties and relationships.

Entra ID object kinds

Users

Entra ID users are split into the following categories based on their Microsoft 365 mailbox kind:

  • User Mailboxes
  • Shared Mailboxes
  • Rooms
  • Equipment

For each Entra ID user Afi shows its properties as well as its Microsoft 365 licenses and role assignments:

Groups

Entra ID groups are split into the following categories based on their Microsoft 365 kind:

  • Microsoft 365 groups
  • Distribution groups
  • Mail-enabled security groups
  • Security groups

For each Entra ID group Afi shows its properties, owners, and members. If the member count exceeds 100, Afi will display only the first 100 members. You can download the full member list by clicking the Download all members button.

Roles

For each Entra ID role Afi shows its description, type (custom/built-in), and the corresponding privileges:

Conditional access policies

Conditional access policies backed up by Afi are listed under the Security tab in the Entra ID backup browse view together with the configured authentication contexts, authentication strengths, and named locations.

Sign-in and audit logs

Entra ID audit and sign-in log events are displayed in a table sorted from newest to oldest. You can click any event in the table to view its details.

Sign-in log events synchronized by Afi include events generated by the following actors:

  • Interactive users
  • Non-interactive users
  • Service principals
  • Managed identities

Afi keeps audit and sign-in events synchronized from Entra ID indefinitely, providing the full event history for the entire period during which your Entra directory is protected (by default, Entra ID keeps events on the Microsoft 365 side for only 30 days). For convenient navigation across the event history, Afi lets you search for events that occurred within a specified time interval and export them for review.

Enterprise applications and application registrations

Enterprise application and application registration objects are listed under the Applications tab inside the Entra ID backup browse view together with the corresponding properties and permissions:

Devices

Device objects backed up by Afi are listed under the Devices tab in the Entra ID backup browse view together with the configured compliance policies and configuration profiles:

BitLocker keys

BitLocker recovery keys for Intune-enrolled devices backed up by Afi can be found on the device card of the corresponding device in the backup browse view. Under the BitLocker Keys section Afi shows the recovery key identifiers together with the dates when the corresponding keys were backed up to Intune.

To download the recovery keys for a device, please click on the Download all Bitlocker Keys button:

Administrative units

For each Entra ID administrative unit Afi shows its properties and members list. If the member count exceeds 100, Afi will display only the first 100 members. You can download the full member list by clicking the Download all members button.

View object versions

To view all versions kept by the service for an Entra ID object, click the three-dot icon in the corresponding object tile and then Show backup versions. The service opens a dialog listing all object versions together with the backup snapshot times at which each version was added. You can download details for selected object versions locally or restore any of them.

Search

Afi allows searching across Entra ID objects of each kind by name, email (in the case of users or groups), description, and other searchable fields.

This example shows a basic search query to find all Entra ID groups that contain the term Sales in their names or emails:

For Entra ID audit and sign-in log events, Afi allows searching across an extended range of fields and limiting the search scope by the specified time period:

Event type       Searchable fields
Audit events     Category, Initiated By, Operation Type, Target Type, Target, Details
Sign-in events   User, Resource, Risk Level, Risk Reason, App, Conditional Access details

Export

All Entra ID objects backed up by Afi can be exported in JSON format together with all related metadata properties. Entra ID users and groups can also be exported in CSV format similar to the one provided by Microsoft 365 in the Entra ID panel.

At the moment Entra ID objects of different kinds (users, groups, etc.) should be exported separately. To export objects that belong to the Security, Audit, or Devices categories, please go to the corresponding tab inside the backup browse view and select an object kind to be exported (for example, Devices, Compliance Policies, or Configuration Profiles for the Devices category).

Recovery

Afi can recover Entra ID users, groups, roles, conditional access policies, and administrative units, as well as the corresponding relationships (group/administrative unit membership, role and policy assignments, etc.). The remaining object kinds can be exported locally in JSON format together with all their properties.

For recovery you can select individual Entra ID objects as well as entire object kinds (for example, all roles), although the latter option should be used with caution due to tenant-wide impact.

Upon a recovery, Afi first tries to locate the objects selected for recovery on the Entra ID side, following the logic described below, and creates new objects only if they cannot be located in Entra ID. Otherwise, the existing objects are kept and their properties and relationships are updated.

Entra ID object matching logic:

  1. Look up the object by ID;
  2. If the object is not found by ID, look up the object by name (or UPN in the case of Entra ID users). If several matching objects are found, create a new one;
  3. If the object is not found by ID or name (UPN), create a new one.
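The matching steps above, written out as an added example (not Afi's own code) against a constructed tenant state. Object kinds, IDs, names and UPNs are invented, and the case-insensitive name/UPN comparison is an assumption of the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class DirectoryObject:
    kind: str                  # "user" or "group"
    object_id: str             # Entra ID object ID
    display_name: str
    upn: Optional[str] = None  # userPrincipalName, users only

def match_key(obj: DirectoryObject) -> str:
    """Step-2 lookup key: UPN for users, display name for other kinds."""
    return obj.upn if obj.kind == "user" and obj.upn else obj.display_name

def locate(backup: DirectoryObject, tenant: list[DirectoryObject]) -> tuple[str, Optional[DirectoryObject]]:
    """Return ("update", existing) when the backed-up object is found in the
    tenant, or ("create", None) when a new object has to be created."""
    same_kind = [t for t in tenant if t.kind == backup.kind]
    # Step 1: look up by object ID.
    for t in same_kind:
        if t.object_id == backup.object_id:
            return ("update", t)
    # Step 2: not found by ID, look up by name (UPN for users).
    # Case-insensitive comparison is an assumption of this example.
    key = match_key(backup).casefold()
    candidates = [t for t in same_kind if match_key(t).casefold() == key]
    if len(candidates) == 1:
        return ("update", candidates[0])
    # Step 3 (and the ambiguous case of step 2): several or no name matches -> new object.
    return ("create", None)

# Constructed tenant state: one user, two groups sharing a display name, one more group.
TENANT = [
    DirectoryObject("user", "u-1", "Alice Smith", "alice@contoso.example"),
    DirectoryObject("group", "g-1", "Sales"),
    DirectoryObject("group", "g-2", "Sales"),
    DirectoryObject("group", "g-3", "Marketing"),
]

def plan(backups: list[DirectoryObject]) -> list[str]:
    """Summarise the action per backed-up object, e.g. 'update u-1' or 'create'."""
    out = []
    for b in backups:
        action, existing = locate(b, TENANT)
        out.append(f"{action} {existing.object_id}" if existing else action)
    return out

if __name__ == "__main__":
    print(plan([
        DirectoryObject("user", "u-1", "Alice S.", "a.smith@contoso.example"),   # ID wins
        DirectoryObject("user", "u-9", "Alice Smith", "ALICE@contoso.example"),  # UPN match
        DirectoryObject("group", "g-9", "Sales"),      # ambiguous name -> create
        DirectoryObject("group", "g-9", "Marketing"),  # unique name -> update g-3
    ]))
```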

Users

Upon a user recovery, the Afi service performs the following actions:

  • Update properties for the existing user object or create a new user if such user is not found in the tenant;
  • Update the group owners and members for the existing groups where the user is present as an owner or a member;
  • Update the custom and built-in role assignments related to the user. If any custom role related to the user has been deleted, a new custom role is created and the corresponding role assignments are added.

Notice

Shared/room/equipment mailboxes are restored as user mailboxes if they are not found in the tenant upon a recovery. Otherwise, the mailbox kind is preserved.

Groups

Upon a group recovery, the Afi service performs the following actions:

  • Update the owners and members for the existing group, or create a new group with the corresponding properties, owners, and members if such group is not found in the tenant;
  • Update the custom and built-in role assignments related to the group. If any custom role related to the group has been deleted, a new custom role is created and the corresponding role assignments are added.

For distribution lists and mail-enabled security groups, recovery has the following limitations:

  • Such groups are restored as Microsoft 365 groups with an empty owner list;
  • Original user members of the group and user members of its recursively expanded child groups are added as new group members;
  • Group, device, and enterprise application group members are not restored.
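The membership rules above, as an added example (not Afi's own code): a distribution list restored as a Microsoft 365 group with no owners, whose member list is the set of users reachable through its nested child groups, with device and application members dropped. The group IDs, member IDs and the nesting cycle in the sample data are constructed.

```python
from typing import Dict, List, Tuple

# Constructed backup snapshot: members of each backed-up group as (object type, ID).
# dl-emea lists dl-sales as a member, creating a nesting cycle the expansion must survive.
BACKUP_MEMBERS: Dict[str, List[Tuple[str, str]]] = {
    "dl-sales": [("user", "alice"), ("group", "dl-emea"),
                 ("device", "laptop-01"), ("servicePrincipal", "app-01")],
    "dl-emea":  [("user", "bob"), ("group", "dl-uk"), ("group", "dl-sales")],
    "dl-uk":    [("user", "carol"), ("user", "alice")],
}

def flattened_user_members(group_id: str, members: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Users to add to the restored group: direct user members plus the user
    members of every recursively expanded child group. Group, device and
    application members are skipped, and each user appears once."""
    users: List[str] = []
    visited: set = set()
    stack = [group_id]
    while stack:
        gid = stack.pop()
        if gid in visited:
            continue             # already expanded (this also breaks cycles)
        visited.add(gid)
        for kind, member_id in members.get(gid, []):
            if kind == "user":
                if member_id not in users:
                    users.append(member_id)
            elif kind == "group":
                stack.append(member_id)
            # devices, service principals etc. are not restored as members
    return users

def plan_dl_restore(group_id: str, members: Dict[str, List[Tuple[str, str]]]) -> dict:
    """Shape of the group created for a distribution list or mail-enabled
    security group that no longer exists in the tenant."""
    return {
        "id": group_id,
        "kind": "Microsoft 365 group",   # restored kind per the limitations above
        "owners": [],                    # empty owner list
        "members": flattened_user_members(group_id, members),
    }

if __name__ == "__main__":
    print(plan_dl_restore("dl-sales", BACKUP_MEMBERS))
```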

Notice

When a group is selected for a recovery, its users are not restored together with the group. Only the ownership and membership relationships for the existing users are recovered.

Roles

Upon a role recovery, the Afi service performs the following actions:

  • (For custom roles) Update the role's properties, or create a new role with the corresponding properties if such a role is not found in the tenant;
  • Update user and group role assignments for the selected role.

Conditional access policies

Upon a policy recovery, the Afi service performs the following actions:

  • Update properties for the existing policy, or create a new policy if such policy is not found in the tenant;
  • Update policy assignments for the existing users, groups, roles;
  • Create authentication contexts, authentication strengths, and locations for the policy if they are not found in the tenant. Keep the existing configuration for authentication contexts, authentication strengths, and locations present in the tenant upon the recovery.

Upon an authentication context, authentication strength, or location recovery, the Afi service performs the following actions:

  • Update properties for the existing object, or create a new object if it is not found in the tenant. The object's assignments to conditional access policies are not restored.

Administrative units

Upon an administrative unit recovery, the Afi service performs the following actions:

  • Create a new administrative unit if it is not found in the tenant;
  • Update the unit's owners and members (users/groups/devices);