Why Azure AD Backup is Needed

The Horror of No Backup

In the old days, everyone was doing backups. At least that’s what we all said; there were lots of horror stories about people who didn’t back up important data, or who did backups but neglected to test their restores. The emergence of the cloud promised we wouldn’t have to stress over backups, and many IT pros took that as a cue not to worry about, or perform, backups of any cloud workload. However, as with many of these promises involving the cloud, the fine print took away some of that promise.

Backing Up…the Cloud?

First, when we talk about “backing up the cloud,” what are we really talking about? For the sake of argument, I’m going to assume everyone understands that you still need to back up your on-premises servers. Active Directory domain controllers, Exchange servers, and so on – all must be backed up (and those backups verified!) just as much in 2022 as they did in 2002.

In fact, the demand for good backup hygiene might be greater today than it’s ever been before. This can be attributed to the ongoing tidal wave of ransomware attacks and other assorted crimes that no person, organization, or entity is exempt from. In the cloud, we pretty much have the same division of workloads that we do on-premises.

So, what changed exactly? It’s the degree of vulnerability that each of these workloads now has in the cloud. Whilst an attacker has lots of potential entry points to an on-premises network, with plenty of opportunities to move laterally within the network, the cloud is supposed to provide extra security. It was this underlying promise of “extra security” that allowed many IT pros to get comfortable and decide maybe they didn’t need backups of their cloud workloads after all.

Disaster vs. “Oops”

If you consider the reasons people do backups in the first place, there are two main ones with a host of sub-reasons. First, people need disaster recovery. There are different types of disasters, with various levels of severity – for instance, “total lockout due to ransomware” is probably worse than “fire in the server room” but not as bad as “Russian invasion.” By design, there are ways to mitigate many of these disasters in the cloud besides your own backups, such as Microsoft’s native data protection for Exchange Online which keeps multiple geographically distributed copies of your mail data.

Second, and maybe more importantly, people need “oops recovery.” This is a technical term that essentially means “protection against human mistakes, carelessness, or even malice, but generally below the scale of a disaster.” If you doubt the need for this, consider whether you’ve ever had to use the Recycle Bin in desktop Windows, or Active Directory, or SharePoint, or file versioning in Word, or any of the other myriad of oops-protection features in the software we use daily.  

Microsoft has invested quite a bit of money in providing user-level oops recovery, including versioning in OneDrive and SharePoint, various recycle mechanisms for recovering deleted objects, and various preservation and hold mechanisms. However, one area where the native protection tools are weak is the directory.

Is Backing-up Azure AD Necessary?

Microsoft has been wildly successful at positioning Active Directory and Azure AD as the core of their ecosystem. The more applications and services that have connected to these services, the more entrenched they’ve become— and more critical. Think of the 2020 and 2021 outages that affected Azure AD, and the worldwide irritation and productivity loss that followed when users couldn’t log in to Office 365.

On-premises features such as read-only DCs and credential caching were meant to mitigate problems with directory availability, but the real protection came from the ability to back up, restore, and reconstitute these services.  In the cloud, Microsoft doesn’t provide these same tools, which raises the question of whether you need to back up Azure AD yourself.

The short answer: yes.

The longer answer circles right back to the distinction between disaster recovery and oops recovery (I really need to come up with a more impressive name for that concept!) Is your Azure AD data at risk of complete loss or destruction due to a disaster? Given the amount of effort and treasure that Microsoft invests in preventing that specific scenario, probably not.

If disaster recovery were the only reason to consider backing up Azure AD, I’d suggest prioritizing something else. However, there are several other good reasons why an Azure AD backup might be useful to you.

Reasons to Backup Azure AD Other Than Disaster Recovery

First – Azure AD has a lot of data that an on-premises backup won’t pick up. Obviously, any cloud-only group, role, or user account won’t be preserved if you don’t back it up, and organizations that are running a hybrid AD environment may be all right with this if they have adequate backups of the on-prem environment.

However, Azure AD has lots more than just data: enterprise app registrations, conditional access policies, X.509 certificate assignments, security principals, etc. These are all equally important, as are some of the key user and group attributes that live in the cloud and are associated with on-prem objects.

Second – Microsoft’s recovery features all have an expiration date. If you delete an Azure AD account (accidentally or on purpose), you can recover it for 30 days, but on day 31, it’s gone. Having your own backup extends your ability to recover these objects for as long as your backup exists.

Third – the ability to selectively roll back changes. If you’ve ever accidentally made a change and wished for an undo feature, you’ll know why this is valuable. Being able to see an audit trail of changes to an object such as a conditional access policy – and then being able to revert it to a previously-known state – is incredibly valuable when something important ‘breaks.’

Fourth – for records and state preservation. Being able to review specific points in time and examine what permissions, users, groups, role assignments, etc. existed in your directory during that time, can be extremely useful for forensic purposes but also governance and compliance reasons. The very nature of governance and compliance means you typically don’t know you need an old record until a lawyer asks for it. So having the ability to back up and preserve directory data in advance of these demands may be reassuring to highly regulated companies.

Finally, we come back to disaster recovery. For organizations that aren’t using hybrid AD, having a reliable and easy way to recover a damaged Azure AD environment can be a lifesaver. The risk isn’t that Microsoft will lose all your data – it’s that a rogue administrator, a poorly written script, or a clever attacker will damage enough of it to cause a problem, and a good backup and restore tool helps defend against this risk.

Read more: Planning for Azure AD Conditional Access Policies

…And That’s How the Fight Started

There’s certainly room to debate whether “backup your Azure AD” is a good all-purpose recommendation for every organization in every circumstance. However, I do think this is a smart approach for the majority of enterprises.

If you still aren’t sure about backing up Azure AD for your organization, the best way to figure it out is probably to ask yourself what your exposure might be to an Azure AD data loss and to evaluate whether you’re comfortable with whatever degree of risk that turns out to be. I’d love to hear your feedback about whether or not you think Azure AD protection is important, and why you think that—so please drop a note in the comment section below.