Why On-premises Backup for Microsoft Entra ID Isn't Enough: 5 Reasons to Back Up In the Cloud

AUGUST 1ST, 2024

Imagine a busy city with multiple roads leading to various destinations, such as a hospital, a shopping mall, and a stadium. Like a traffic light controlling the flow of vehicles to and from these destinations, Microsoft Entra ID (formerly Microsoft Azure Active Directory, or Azure AD) manages user identities and controls access to information from apps and services such as Microsoft 365, Salesforce, Google Workspace, and others. Organizations rely on it heavily to ensure a smooth flow of, and access to, their data.

However, when Entra ID is not accessible, the loss of control-plane information and of access to it can cause severe business disruption, much like a city that experiences traffic jams, frustration, accidents, and general chaos when its traffic lights go out. This post explores the importance of data protection for Entra ID.

Read on to learn more about how AD and Entra ID work and why you need cloud backup for your SaaS data.

The Evolution of Identity Management: From Active Directory to Azure AD to Entra ID and the Need for Different Backup Solutions

How did we come to rely so heavily on Entra ID? Microsoft AD was introduced with Windows 2000 Server as a solution for on-premises identity management. It provides a centralized and standardized system for efficient network administration and security by managing user accounts, groups, and resources such as computers and printers. 

As the use of cloud-based services grew, the need for an identity management solution to integrate with cloud-based resources became more important. 

This led to the creation of Azure Active Directory, designed to bridge on-premises and cloud resources. In March, Microsoft announced that Azure Active Directory is now Microsoft Entra ID. Entra ID not only creates a seamless and secure identity management solution for cloud computing but also offers a range of features and capabilities (including single sign-on (SSO), multi-factor authentication (MFA), and role-based access control (RBAC)) to help organizations meet their security and compliance requirements.

What’s the difference between AD and Entra ID?

The critical difference between the two is that Active Directory is designed to manage user access and application infrastructure for an on-premises world; Entra ID is designed to manage user access to cloud applications in a cloud-based environment.

Put simply, AD is on-prem, while Entra ID is cloud-based. 

If you’re interested in exploring the differences further, here’s what Microsoft has to say: Compare Active Directory to Entra ID.

Every object in either AD or Entra ID has one permanent home. That’s the primary copy of the object and the copy to which changes are applied. If you only use on-prem or cloud, only one copy of each object exists.

In hybrid mode, though, no matter where the object is kept, there will be two copies: the primary and synchronized copies (one on-premises, one in the cloud).

For organizations using both Active Directory and Entra ID in a hybrid environment, you can think of the cloud copy of an on-prem object as being like a shadow. When you look at a shadow on the pavement, you only get partial information about the real object.

Similarly, Entra ID only has a partial set of attributes from on-premises AD objects because not every attribute is replicated to the cloud. However, all the characteristics of cloud-based Entra ID objects are stored entirely in the cloud. This allows organizations to use Entra ID as an identity provider for on-premises resources and provides SSO for cloud-based resources.

How does this distinction change your backup strategy? 

It is paramount to distinguish in which environment your identity objects are homed. Active Directory backup via on-premises solutions is precisely that: making a backup of on-prem data by copying it to, and restoring it from, an on-premises solution. Entra ID, as a cloud-based application utilizing cloud-based data (and metadata), creates and manages cloud data in the cloud.

Why it matters: Comprehensive data coverage requires the ‘right’ backup 

“Some” Entra ID data and metadata only exist in the cloud environment. You could copy these objects to an on-prem storage location, but these objects must be restored to the cloud.

Therefore, with these apparent gaps in coverage, the data and metadata are not covered holistically. When you back up your cloud data with an on-premises, Active Directory-oriented tool as your Entra ID backup solution, your data may not be fully protected.

In other words, what’s homed on-premises and homed in the cloud are physically separate. You introduce new problems for yourself when you cross the streams, including access speed, data fidelity, quality, and security. 

Let’s examine five reasons why on-prem AD backup is not a viable option for a comprehensive backup of Entra ID. 

One Thing You Should Know and Five Things You Should Consider If You’re Backing up Entra ID On Premises

The number one fact you should know if your organization uses Entra ID is that, according to Alex Weinert, VP of Identity Security at Microsoft, in the 2023 Identity Security Trends and Solutions from Microsoft, Entra ID accounts are 50 times more likely to be compromised than consumer Microsoft accounts.

1. Some attributes in Entra ID are not available on premises

If you take an on-prem AD account and sync it to the cloud, the sync process (and Entra ID) adds some attributes. Some of these may be synced back to on-prem (a process called writeback), but some will not. Backing up Entra ID captures these; backing up the on-prem AD won’t. 

2. Entra ID may have user objects or attributes that do not exist on-premises  

You can define users, groups, roles, and so on that exist only in the cloud. If you do not back these up independently, they will be neither preserved nor well protected, and your only recourse is to recreate and define these custom entries every time.

And yet, not everyone sees the value in protecting these objects when their identity management (IdM) anchor is on-prem. Even if an organization's IdM anchor is on-premises, objects and attributes like Intune and conditional access policies are essential for several reasons, often forming a crucial part of organizations’ zero trust security, and, as such, must be protected against loss or damage. (Read our article on the zero trust principle here.)

Still not convinced of the value of protecting control-plane objects? Here are five reasons highlighting the case for securing data protection: 

Cloud-based management: Intune and Entra ID conditional access are both cloud-based services that can be accessed and managed from anywhere. They are not held on on-prem systems, so if you lose the copy in the cloud, it's gone.

Security: Entra ID provides additional layers of security, such as MFA and identity protection, that can help to protect against potential security threats such as compromised credentials or unauthorized access. 

Compliance: Intune and conditional access can help you meet compliance requirements like GDPR by providing device compliance and RBAC features. 

Scalability: Entra ID lets you scale your IdM infrastructure as needed without additional hardware or software. 

Remote work: Intune and conditional access can help you secure and manage remote workers' devices, even if they are not connected to the on-premises network. 

These objects and attributes are vital to operations, especially when you consider the resource investment required to recreate and administer them manually if they are lost. Then there is the security concern of no longer ensuring that the right users have the permissions they need to access company data. Adequate data protection for these objects should be a business imperative.

3. Entra ID will have configuration/state objects that don’t exist on-prem

Enterprise apps, app registrations, Conditional Access (CA) policies, and many other policy- and security-related objects exist only in the cloud. Microsoft's native protection for these objects is mostly non-existent—delete a conditional access policy, for example, and it’s just gone. Let’s drill down into two important-to-protect Entra ID features: 

Conditional Access: Entra ID Conditional Access is a feature that allows you to set policies that determine how users are granted access to resources based on conditions such as device compliance, location, and user identity. It lets you control who can access your resources and under which conditions. This feature can protect against security threats, such as compromised credentials, by requiring MFA or other forms of authentication. 

Intune: Microsoft Intune is a mobile device management (MDM) and mobile application management (MAM) service that is integrated with Entra ID. This feature allows you to manage and secure mobile devices, desktops, and apps, including those used by remote workers. It lets you set policies for devices and apps, such as requiring a passcode or encrypting data and remotely wiping a device if it is lost or stolen.

What about the Active Directory Recycle Bin? As these Entra ID-only configurations/state objects only exist in the cloud, there’s no available recycle bin for these policy objects, so there’s no undo. It’s akin to an immediate hard delete, meaning there is no 30-day or 90-day grace period as there is with soft deletions. 

How can you recover from a hard deletion? Microsoft states that “hard-deleted items must be re-created and reconfigured. It’s best to avoid unwanted hard deletions.” 

Let that sink in momentarily: “It’s best to avoid unwanted hard deletions.” This advice is nigh impossible to follow, as common data loss scenarios (like accidental deletions) are a question of when, not if. It highlights how the Recycle Bin was never intended to replace dedicated backup. Read our post on why SaaS Backup for your Microsoft 365 Data is crucial here.

4. Record preservation  

How long does Entra ID store reporting data? That’s an excellent question. According to Microsoft, activity reports are stored as follows: 

As you can see, there is no point-in-time record preservation. With a backup, you can preserve and review cloud-only Entra ID data at a specific point in time: examine which permissions, users, groups, and role assignments existed in your directory, check whether an object has changed within a specified period, and keep these records for as long as required to comply with company or governmental policies.

These benefits are helpful for forensic purposes and governance and compliance reasons.

5. Microsoft doesn’t provide native protection for many cloud-only objects  

Microsoft doesn't provide the same recovery tools in Entra ID as for Active Directory. According to Microsoft recoverability best practices, it’s essential to understand the object types that Microsoft protects under soft-deletion and hard-deletion scenarios, visualized here:

The recovery features for soft deletions are typically limited to 30 days of retention, so if you want to recover on day 31, it’s too late! The data is gone, as Microsoft shares on its Entra ID recover from deletions page.

Soft-deleted objects are permanently (hard) deleted 30 days after deletion. The only object types that support a soft delete are users, Microsoft 365 groups, application registrations, service principals, and administrative units.

So, the question is this: Are these automatically hard-deleted objects critical to your business operations? A natural follow-up question is this: Is the 30-day restore period for soft-deleted objects enough protection for your data? (Often, mandatory minimum data retention periods are required for compliance with regulatory requirements like GDPR and CCPA.)

It’s important to mention that changes—even to objects that would normally be soft deleted, such as editing or overwriting—are not covered by the recycle bin. Any change, intentional or otherwise, replaces the previous version, and there is no option to revert or recover.

When these changes are made accidentally, we may call them an “oops.” Still, they are serious and one of the leading causes of data loss. So, this coverage gap should greatly concern those tasked with ensuring data protection.

The writing on the wall is that native recovery features are insufficient for comprehensive, recoverable coverage. The solution to this coverage gap is having your own third-party backup, which extends your ability to recover these objects for as long as your backup exists.
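The three gaps described in sections 3 to 5 (in-place changes with no native revert, immediate hard deletes for cloud-only objects such as Conditional Access policies, and a 30-day recycle bin for only a handful of object types) can be made visible by comparing two point-in-time snapshots. The script below is an added example, not Arcserve's or Microsoft's code; it assumes each snapshot is a list of Graph-style objects tagged with an `@odata.type` and `id`, that anything missing from the newer snapshot was deleted at the time that snapshot was taken, and uses constructed sample data.

```python
from datetime import datetime, timedelta, timezone
SOFT_DELETE_DAYS = 30
# Types the article lists as soft-deletable; the Graph "@odata.type" tags are assumed.
SOFT_DELETE_TYPES = {"#microsoft.graph.user", "#microsoft.graph.group",
                     "#microsoft.graph.application", "#microsoft.graph.servicePrincipal",
                     "#microsoft.graph.administrativeUnit"}
SNAPSHOT_TIME = datetime(2024, 8, 1, tzinfo=timezone.utc)  # constructed capture time

def soft_deletable(obj):
    """True if a deleted object of this type gets the 30-day recycle bin."""
    if obj["@odata.type"] == "#microsoft.graph.group":
        return "Unified" in obj.get("groupTypes", [])  # Microsoft 365 groups only
    return obj["@odata.type"] in SOFT_DELETE_TYPES

def changed_fields(old, new):
    return sorted(k for k in set(old) | set(new) if old.get(k) != new.get(k))

def diff_snapshots(before, after, taken_at):
    """Compare two point-in-time exports keyed by object id. Deletions are assumed
    to have happened at taken_at, so the soft-delete deadline is taken_at + 30 days."""
    b = {o["id"]: o for o in before}
    a = {o["id"]: o for o in after}
    report = {"modified": {}, "deleted": {}, "added": sorted(a.keys() - b.keys())}
    for oid in b.keys() & a.keys():
        if fields := changed_fields(b[oid], a[oid]):
            report["modified"][oid] = fields  # overwritten in place: no native revert
    for oid in b.keys() - a.keys():
        if soft_deletable(b[oid]):
            deadline = taken_at + timedelta(days=SOFT_DELETE_DAYS)
            report["deleted"][oid] = f"soft-deleted, restorable until {deadline:%Y-%m-%d}"
        else:
            report["deleted"][oid] = "hard-deleted, restore only from backup"
    return report

# Constructed sample snapshots (not real tenant data).
BEFORE = [
    {"@odata.type": "#microsoft.graph.user", "id": "u-1", "displayName": "Alice", "jobTitle": "Analyst"},
    {"@odata.type": "#microsoft.graph.user", "id": "u-3", "displayName": "Carol"},
    {"@odata.type": "#microsoft.graph.group", "id": "g-1", "displayName": "SecOps", "groupTypes": []},
    {"@odata.type": "#microsoft.graph.conditionalAccessPolicy", "id": "ca-1", "displayName": "Require MFA", "state": "enabled"},
    {"@odata.type": "#microsoft.graph.conditionalAccessPolicy", "id": "ca-2", "displayName": "Block legacy auth", "state": "enabled"},
]
AFTER = [
    {"@odata.type": "#microsoft.graph.user", "id": "u-1", "displayName": "Alice", "jobTitle": "Lead Analyst"},
    {"@odata.type": "#microsoft.graph.user", "id": "u-2", "displayName": "Bob"},
    {"@odata.type": "#microsoft.graph.conditionalAccessPolicy", "id": "ca-1", "displayName": "Require MFA", "state": "disabled"},
]

if __name__ == "__main__":
    for section, rows in diff_snapshots(BEFORE, AFTER, SNAPSHOT_TIME).items():
        print(section, rows)
```

Run against real exports taken on a schedule, the "modified" and "hard-deleted" rows are exactly the changes for which only your own backup copy offers a way back.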

Explore this more deeply here: Azure Active Directory recoverability best practices from Microsoft.

What’s next? Choosing a backup solution for Azure Active Directory

Now that we’ve highlighted the need for dedicated cloud data backup for Entra ID, let’s explore what Arcserve SaaS Backup offers regarding protection.

Leading Entra ID Data Protection for Your Cloud Security Strategy

Arcserve SaaS Backup helps you recover business-critical identity and application objects that Microsoft doesn't protect. It extends your retention period and strengthens security with policy protection, full auditing, and traceability of changes. It also protects against day-to-day data loss and improves IT efficiencies with the ability to roll back changes and speed up troubleshooting.

The Entra ID connector protects the following Microsoft 365 Entra ID objects: Users, Groups, Administrative Units, and Roles. It also protects Audit logs (and Sign-in logs with audit logs enabled). 

For an exhaustive coverage list, visit the Arcserve SaaS Backup page.

Interested in backing up (and restoring) Microsoft Entra ID with Arcserve SaaS Backup? 

To learn more about how you can protect your business-critical data and ensure disaster recovery, request a demo or contact us.
