Microsoft Launches Preview of Entra ID Backup and Recovery
It’s hard to know what to make of the preview of the Entra ID Backup and Recovery feature that is available to tenants through the Entra admin center (Figure 1). The preview feature showed up on 19 March 2026.

Access to data in the Entra ID Backup and Recovery section of the Entra admin center requires at least the (new) Entra Backup Reader administrative role.
A Very Quiet Preview
Despite lots of chatter about the new feature in the technical community, Microsoft didn’t say anything until late on March 20, when a brief reference to Entra ID Backup and Recovery was included in a set of announcements for this week’s RSA conference (the formal name is Microsoft Entra Backup and Recovery). The documentation linked to in the Entra admin center is for Microsoft 365 Backup for SharePoint Online and Exchange Online. In addition, a notification has not yet appeared in the Microsoft 365 message center. For such an important capability, Microsoft is being very quiet.
The product documentation says that Backup and Recovery is available to tenants with Entra P1 or P2 licenses. Some have reported that they have the feature without these licenses.
What We Know About Entra ID Backup and Recovery
Equipped with the documentation and a day or so of hands-on experience, here’s what we can say about the highlights of Entra ID Backup and Recovery.
Backups are taken once daily (in the case of my tenant, at 10pm nightly). The preview does not give tenants the chance to vary the time, nor can you disable backups. Everything happens automatically. According to the admin center, backups cover “core tenant objects” such as “users, groups, applications, conditional access policies, service principals, organization, authentication methods, authorization policy, and named locations.” In other words, the core directory objects.
Entra ID isn’t like workloads such as Exchange Online or SharePoint Online, where the need for backup spans both objects and data (email, folders, files, etc.). Noting changes made to core directory objects and being able to restore to a point in time doesn’t require the same amount of storage.
Entra ID keeps five backups on a rolling basis. In other words, the maximum recovery period is five days. You can’t change how long backups remain valid for. At least, not in the preview (I’m sure some tenants will look for at least ten days).
Difference reports can be generated to highlight the differences between the current state of object properties and the values from a selected backup. The idea is to use the difference reports to decide which backup to recover from. When requested, background jobs generate the reports. Report generation can take a long time. My small tenant requires at least 75 minutes. Reducing the time required for report generation is the kind of improvement made for general availability, and because a difference report is an important source of information for a recovery operation, it makes sense to reduce the time needed to create the report.
Figure 2 shows the kind of information you can expect to see in a difference report. Remember, the items in the report represent changes between the current state and the selected backup. The first item is for the creation of an enterprise app (service principal) and we’re told that the recovery action will be to soft-delete the app (just in case, recovery never hard deletes objects). The second item is also for a service principal, but in this instance, it reports the assignment of a delegated OAuth2 permission, so the recovery action is to update the service principal to remove the permission. At the end of the list are entries for dynamic groups where Entra ID has updated the group memberships by adding links to objects.

Interestingly, objects that are hard-deleted (permanently removed) from Entra ID cannot be recovered. Microsoft suggests that tenants use protected actions to stop unexpected hard deletions.
One thing I miss is the ability to export a difference report for analysis. Nice as it is to see a list of differences on screen, a busy tenant can easily generate thousands of changes daily, and going through each item on screen is no fun. Being able to extract the report items and feed the data to AI for analysis (or doing the job manually) would be better.
Recovery is done by selecting a valid backup and choosing the Recover backup option, or by using the Recover option when viewing a difference report. A user must hold the (new) Entra Backup Administrator role to initiate a recovery. Filters allow recovery by object type (for example, user accounts), specific object identifier, or all changes. After selecting the type of recovery to perform (Figure 3), Entra starts a background job to recover the objects.

Recovery means that the Entra ID objects selected from the backup are recovered to the point in time for the backup. As Microsoft notes, recovery performance depends on how many changes Entra ID must process. Apparently, processing 500,000 changes can take up to 30 hours! Everything worked in the tests that I did, which is exactly what you want from a Backup and Recovery solution.
The Recovery History section lists recovery jobs, including the number of affected objects. However, no further details are available. This seems like an area that could be improved by making a list of the recovered objects easily accessible to administrators.
Building an Entra Recovery Story
Microsoft deserves commendation for providing a state-based backup and recovery solution for Entra ID at the tenant level. The new capability builds on the object-level recovery from deletion for users, groups, service principals, administrative units, applications, and conditional access policies. Recovery from deletion is accomplished by putting objects into a soft-deleted state and holding them in a recycle bin from where the objects can be recovered for up to 30 days following deletion. The two mechanisms mitigate the effects of accidental or deliberate (malicious) deletions.
Devices are due to support soft deletion, but the capability hasn’t yet been delivered (the Microsoft Graph PowerShell SDK includes a Get-MgDirectoryDeletedItemAsDevice cmdlet that calls the https://graph.microsoft.com/beta/directory/deletedItems/microsoft.graph.device endpoint, but no results are returned). See this article for details about how to create a report of soft-deleted Entra ID objects.
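The recycle-bin side of this story can be inspected with Microsoft Graph. The following is an added example (not the author's script or Microsoft's code) that lists soft-deleted objects, the days left before the 30-day retention expires, and whether the deletion falls inside the five-day backup window described earlier. The `$WarnDays` threshold, the output column names, and the CSV file name are assumptions.

```powershell
# Added example, not the author's script. Needs the Microsoft.Graph.Authentication module.
Connect-MgGraph -Scopes 'User.Read.All','Group.Read.All','Application.Read.All','AdministrativeUnit.Read.All'

# Soft-deletable types named in the article; conditional access policies are left out here.
$Types         = 'user','group','application','servicePrincipal','administrativeUnit'
$RetentionDays = 30   # recycle-bin retention stated in the article
$BackupDays    = 5    # rolling backup window stated in the article (preview)
$WarnDays      = 7    # assumption: flag objects this close to permanent removal
$Now           = (Get-Date).ToUniversalTime()

$Report = foreach ($Type in $Types) {
    $Uri = "https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.$($Type)" +
           '?$select=id,displayName,deletedDateTime'
    while ($Uri) {
        $Page = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
        foreach ($Item in $Page.value) {
            if (-not $Item.deletedDateTime) { continue }   # skip objects with no timestamp
            $Deleted = ([datetime]$Item.deletedDateTime).ToUniversalTime()
            $Age     = ($Now - $Deleted).TotalDays
            [pscustomobject]@{
                Type           = $Type
                DisplayName    = $Item.displayName
                Id             = $Item.id
                DeletedUtc     = $Deleted
                DaysLeft       = [math]::Max(0, [math]::Floor($RetentionDays - $Age))
                InBackupWindow = $Age -le $BackupDays   # hypothetical column name
            }
        }
        $Uri = $Page.'@odata.nextLink'   # follow paging until no next link remains
    }
}

# Objects closest to permanent removal come first; export the urgent ones for review.
$Report | Sort-Object DaysLeft | Format-Table Type, DisplayName, DeletedUtc, DaysLeft, InBackupWindow
$Report | Where-Object DaysLeft -le $WarnDays |
    Export-Csv -Path .\SoftDeletedExpiring.csv -NoTypeInformation
```

Objects with a low `DaysLeft` value are the ones to review first, because hard-deleted objects cannot be recovered by Entra ID Backup and Recovery.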
An Interesting Development
There’s no doubt that the advent of Entra ID Backup and Recovery is interesting for both tenants and ISVs who are active in the backup space. Tenants will be delighted to get a native backup and recovery feature while ISVs will pick the new feature apart to discover advantages and disadvantages for their products. Entra ID Backup and Recovery sets a new (entry-level) bar for backup products. As such, it’s a topic that deserves attention from tenant administrators.
That’s nice. I have one observation, though: restoring a deleted account with the global administrator role is not “full”. I run into various issues accessing services, and usually creating one from scratch works better. I am talking about regular user restoration, not using this new feature.