Before you consider investing in a third-party backup tool for Entra (formerly Azure AD), it's important to familiarize yourself with the built-in data retention and configuration backup mechanisms offered within the platform by Microsoft.
Depending on its retention policy, Entra retains your tenant data for anywhere from 14 days to 1 year. While this is not a full-service backup solution, it still provides an opportunity for business users to export their data to a more secure storage system off site.
Today, we'll be taking a detailed look at the different types of data retention and backup options available natively within Entra, so that you can better understand where and when a third-party backup solution might fit in. Want to create a comprehensive retention plan for your business's Entra tenant configurations, but don't know where to start? Keep reading!
Azure Active Directory offers several built-in data retention and backup features to safeguard your tenant configuration against sudden disruptions and external threats. Here's a quick overview of each, with information on their retention period and retention policy:
Unified Audit Log: Entra provides a detailed audit log to track and monitor user activities, sign-in attempts, and configuration changes through Microsoft Purview. The retention period for these audit logs is 30 days by default, but you can extend it to a maximum of 730 days (2 years) if you have an Entra Premium P1 or P2 subscription.
Azure Monitor: Azure Monitor integrates with Entra to collect, analyze, and act on telemetry data. It helps you monitor the performance and availability of your applications and infrastructure. Data retention in Azure Monitor varies based on the type of data. Metrics are retained for 93 days, Activity Logs for 90 days, and Log Analytics for 31 days to 730 days depending on your subscription tier.
Entra Backup and Restore: Entra automatically backs up directory data every few hours and retains these backups for a maximum of 30 days. In case of accidental deletion or corruption of directory data, you can restore objects, users, and groups within this retention period.
Entra Recycle Bin: Recycle Bin is a service that helps administrators recover deleted objects in Azure Active Directory. When an object such as a user, group, or application is deleted, it is moved in a soft-delete state to the Recycle Bin. These deleted items remain there for 30 days, during which they can be restored. Once a period of 30 days has passed, the objects undergo permanent deletion from the system.
Entra Connect: Entra Connect is a tool that synchronizes on-premises Active Directory data with Entra. The retention period for data in Entra Connect depends on the data type and synchronization settings. Deleted objects are retained for 30 days by default and can be configured to extend up to 365 days. Staged objects are retained for 7 days by default and can be configured up to 365 days.
Entra B2C: Entra B2C is a customer identity and access management (CIAM) solution that helps organizations manage customer identities and access to applications. The retention period for B2C data depends on the data type. Logs are retained for 30 days by default and can be extended up to 730 days for Premium customers. User profiles and custom attributes are retained until the customer account is deleted.
Entra's built-in retention policy provides basic protection to business users in the event of a sudden outage. However, it is not a reliable full-service backup solution because it lacks many key features that are often must-haves for enterprise security and regulatory compliance. Here are a few examples:
Entra's built-in retention policies have limited recovery windows, ranging from 30 to 730 days, depending on the log type and service tier. For organizations that require long-term data retention due to regulatory or compliance requirements, these policies are far from sufficient.
The built-in retention policies in Entra do not provide point-in-time recovery or version histories. This means that if an object is accidentally modified multiple times, it is challenging to restore the particular object or the system state to a specific point in time before the change occurred.
The built-in retention policies do not provide a comprehensive backup of all the directory data, configurations, and associated services. For example, settings related to Conditional Access Policies and Privileged Identity Management don't have a dedicated recovery solution in Entra.
Microsoft Graph is a RESTful web API that allows external developers to interact with Entra resources programmatically. Using the Graph API allows third-party platforms to access, manage, and manipulate data and objects within Entra.
Once it has authenticated itself using the OAuth 2.0 protocol, a third-party backup solution can retrieve Entra objects such as users, groups, applications, and more by sending HTTP requests to specific endpoints. It can then store that data using an external cloud storage solution so that it can be used to restore an Entra tenant to a previous state on demand.
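The export-and-compare flow described above, as an added example (not code from this article or from any product it mentions). It pages through the Graph Conditional Access policies endpoint, fingerprints each object, and diffs two snapshots to recover the version history the built-in retention lacks. `get_json` is a hypothetical caller-supplied function that performs the OAuth 2.0-authenticated GET, and the sample responses are constructed so the block runs offline.

```python
import hashlib
import json

# Microsoft Graph v1.0 endpoint for Conditional Access policies (needs Policy.Read.All).
CA_POLICIES_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

def fetch_all(url, get_json):
    """Follow @odata.nextLink paging until the collection is exhausted."""
    items = []
    while url:
        page = get_json(url)  # hypothetical helper: authenticated GET returning parsed JSON
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items

def snapshot(objects):
    """Index objects by id and fingerprint each one so later changes are detectable."""
    snap = {}
    for obj in objects:
        canonical = json.dumps(obj, sort_keys=True, separators=(",", ":"))
        snap[obj["id"]] = {"sha256": hashlib.sha256(canonical.encode()).hexdigest(), "object": obj}
    return snap

def diff(old, new):
    """Compare two snapshots: what was added, removed, or modified in between."""
    common = old.keys() & new.keys()
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "modified": sorted(k for k in common if old[k]["sha256"] != new[k]["sha256"]),
    }

# Constructed sample responses standing in for Graph: a two-page export, then a later state.
PAGE2_URL = CA_POLICIES_URL + "?$skiptoken=constructed"
MONDAY = {
    CA_POLICIES_URL: {"value": [{"id": "ca-001", "displayName": "Require MFA for admins", "state": "enabled"}],
                      "@odata.nextLink": PAGE2_URL},
    PAGE2_URL: {"value": [{"id": "ca-002", "displayName": "Block legacy auth", "state": "enabled"}]},
}
TUESDAY = {
    CA_POLICIES_URL: {"value": [
        {"id": "ca-001", "displayName": "Require MFA for admins", "state": "disabled"},
        {"id": "ca-003", "displayName": "Require compliant device", "state": "enabledForReportingButNotEnforced"}]},
}

def demo():
    before = snapshot(fetch_all(CA_POLICIES_URL, MONDAY.__getitem__))
    after = snapshot(fetch_all(CA_POLICIES_URL, TUESDAY.__getitem__))
    return before, diff(before, after)

if __name__ == "__main__":
    print(json.dumps(demo()[1], indent=2))
```

The earlier snapshot still holds the full pre-change object for every id reported as removed or modified, which is what a restore would write back.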
Of course, Entra backup solutions, even unofficial and third-party ones, that can provide comprehensive storage and recovery for enterprise tenant configurations are still few and far between. For example, you can use PowerShell Desired State Configuration (PowerShell DSC) to call on the Graph API so that you can back up tenant configurations as required using a command-line interface. However, this process is code-intensive and requires engineering skills to even attempt. Microsoft 365 DSC is an open-source tool from Microsoft developers that helps automate the process to some extent, but it still relies heavily on PowerShell cmdlets, preventing it from being a true no-code solution.
CoreView Configuration Manager is an end-to-end platform that uses configuration-as-code technology to automate the management of Microsoft 365 configurations and settings, including Entra. It enables you to schedule automatic backups of all your settings and policies each time there's a change in your tenant configuration in Entra.
Unlike other tools like Microsoft 365 DSC, CoreView is a no-code platform that allows you to manage all your Microsoft 365 and Entra configurations from a single intuitive dashboard without writing a single line of code. It also comes with a detailed audit log of all your configurations so that you can stay up-to-date on any deviations from your tenant baseline.
Want to learn more about how CoreView can help you back up Entra past its initial retention period? Request a free demo today!