Azure Active Directory (Azure AD) is an identity and access management platform (IAM) that’s responsible for controlling your employees’ ability to log into your organization’s resources and applications.
Anything that compromises your Azure AD tenant configurations can lead to a sudden loss of access to important data and apps, making it especially important to have a backup plan for it in case something goes wrong.
Unfortunately, Microsoft’s built-in retention mechanisms are not enough to serve most enterprise organizations’ needs, forcing engineering teams to look elsewhere for third-party solutions and workarounds to back up their configurations.
Here’s an overview of every tool, framework, and workaround that you can use to back up Active Directory tenants in Microsoft Azure, including our very own no-code web portal for managing and maintaining tenant configurations.
The short answer? Yes. Microsoft Azure Active Directory is the primary identity provider for organizations running on Microsoft 365, meaning that it controls access to all your apps, resources, and integrations within the platform.
If something were to happen to your Azure AD tenant, it’s not unreasonable to assume that your employees would lose access to all your data and applications for an extended period of time.
As for the long answer, Microsoft Azure AD stores a collection of configuration files, settings, and policies that are highly critical for business continuity — including custom domains, conditional access policies, app registrations, role-based access control settings, privileged identity management settings, and much more. It also contains a directory of all users and groups within the company, which enables employees to log in and access business data.
All of this needs to be backed up securely in a third-party storage location so that it can be recovered in the event of a cyber attack or human error. For example, even something as simple as an employee making unintended changes to your tenant configurations could have your team locked out of access to crucial resources.
Microsoft offers some native backup and retention mechanisms for Azure AD; however, these features are insufficient for most business users due to their limitations. Here's an overview of these mechanisms and their potential shortcomings:
Azure AD provides a Recycle Bin that temporarily holds deleted objects, such as users and groups, for thirty days. This is known as soft-delete, allowing you to restore these objects within this timeframe. However, this feature has limitations:
Azure AD Connect synchronizes your on-premises Active Directory database with Azure AD. Although not a backup solution, it allows you to recover your Azure AD configuration by resynchronizing with your on-premises AD. However, this approach has limitations:
Azure AD maintains activity and audit logs that track changes made to various objects and configurations. While these logs can help investigate incidents, they are not a backup solution and cannot restore the previous state of your tenant.
While native backup processes are lacking, a limited number of unofficial and third-party workarounds do exist. These techniques and platforms enable Azure AD tenants to be backed up more reliably and consistently, even if there’s often some assembly required.
Using PowerShell scripts to securely back up your Azure AD tenant configurations involves exporting the data to a file format like CSV or JSON and storing the files in a secure location. The following is a step-by-step process for achieving this:
Connect to Azure AD using your admin credentials:
For AzureAD module:
Connect-AzureAD
For Microsoft Graph module (the conditional access export below needs the Policy.Read.All scope, so request it at sign-in):
Connect-MgGraph -Scopes "Policy.Read.All"
Export users to a CSV file:
Get-AzureADUser -All $true | Export-Csv -Path "AzureADUsers.csv" -NoTypeInformation
Export groups to a CSV file:
Get-AzureADGroup -All $true | Export-Csv -Path "AzureADGroups.csv" -NoTypeInformation
Export group memberships to a CSV file:
$groups = Get-AzureADGroup -All $true
$groupMemberships = @()
foreach ($group in $groups) {
    $members = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true
    foreach ($member in $members) {
        $groupMembership = New-Object -TypeName PSObject -Property @{
            GroupObjectId     = $group.ObjectId
            GroupDisplayName  = $group.DisplayName
            MemberObjectId    = $member.ObjectId
            MemberDisplayName = $member.DisplayName
        }
        $groupMemberships += $groupMembership
    }
}
$groupMemberships | Export-Csv -Path "AzureADGroupMemberships.csv" -NoTypeInformation
Export applications to a CSV file:
Get-AzureADApplication -All $true | Export-Csv -Path "AzureADApplications.csv" -NoTypeInformation
Export service principals to a CSV file:
Get-AzureADServicePrincipal -All $true | Export-Csv -Path "AzureADServicePrincipals.csv" -NoTypeInformation
Export directory roles and their memberships to CSV files:
Get-AzureADDirectoryRole -All $true | Export-Csv -Path "AzureADDirectoryRoles.csv" -NoTypeInformation
$roles = Get-AzureADDirectoryRole -All $true
$roleMemberships = @()
foreach ($role in $roles) {
    $members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -All $true
    foreach ($member in $members) {
        $roleMembership = New-Object -TypeName PSObject -Property @{
            RoleObjectId      = $role.ObjectId
            RoleDisplayName   = $role.DisplayName
            MemberObjectId    = $member.ObjectId
            MemberDisplayName = $member.DisplayName
        }
        $roleMemberships += $roleMembership
    }
}
$roleMemberships | Export-Csv -Path "AzureADDirectoryRoleMemberships.csv" -NoTypeInformation
Save the generated CSV files to a secure location, such as an encrypted folder, a secure file server, or a cloud storage service that supports encryption and access controls.
Export conditional access policies to a JSON file (requires the Microsoft Graph module, connected with the Policy.Read.All scope; the cmdlet is Get-MgIdentityConditionalAccessPolicy):
$policies = Get-MgIdentityConditionalAccessPolicy -All
$policies | ConvertTo-Json -Depth 5 | Set-Content -Path "AzureADConditionalAccessPolicies.json"
To automate the backup process, create a PowerShell script file that contains the steps described above. Save the script with a ".ps1" extension, for example, "AzureADBackup.ps1".
To schedule regular backups, use Windows Task Scheduler or an alternative scheduling tool:
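As an added example (not code from the article or from Simeon Cloud), here is the procedure above consolidated into one scheduled run that uses the Microsoft Graph PowerShell SDK instead of the deprecated AzureAD module, writes timestamped JSON plus a SHA-256 manifest, and reports conditional access drift against the previous run. Assumed: the Microsoft.Graph modules are installed, the scheduled account holds only the read-only scopes listed, and $BackupRoot is a hypothetical path.

```powershell
param(
    [string]$BackupRoot = "C:\AADBackups"   # assumed path; point it at encrypted, access-controlled storage
)

# Read-only scopes are all a backup needs, so the scheduled account stays least-privilege.
Connect-MgGraph -Scopes "User.Read.All","Group.Read.All","Application.Read.All",
                        "RoleManagement.Read.Directory","Policy.Read.All"

$stamp = Get-Date -Format "yyyyMMdd-HHmmss"
$dir   = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# JSON keeps nested properties (e.g. conditional access conditions) that Export-Csv would flatten.
$exports = [ordered]@{
    "Users.json"                     = { Get-MgUser -All -Property Id,UserPrincipalName,DisplayName,AccountEnabled }
    "Groups.json"                    = { Get-MgGroup -All -Property Id,DisplayName,GroupTypes,SecurityEnabled }
    "Applications.json"              = { Get-MgApplication -All }
    "ServicePrincipals.json"         = { Get-MgServicePrincipal -All }
    "DirectoryRoles.json"            = { Get-MgDirectoryRole -All }
    "ConditionalAccessPolicies.json" = { Get-MgIdentityConditionalAccessPolicy -All }
}
foreach ($name in $exports.Keys) {
    # Drop the SDK's AdditionalProperties bag so the file holds only directory data; @() keeps a JSON array even for 0 or 1 objects.
    $objects = @(& $exports[$name] | Select-Object -Property * -ExcludeProperty AdditionalProperties)
    ConvertTo-Json -InputObject $objects -Depth 10 | Set-Content -Path (Join-Path $dir $name) -Encoding UTF8
}

# Integrity manifest so a restore test can prove the files were not altered while in storage.
Get-ChildItem $dir -Filter *.json | ForEach-Object {
    "{0}  {1}" -f (Get-FileHash $_.FullName -Algorithm SHA256).Hash, $_.Name
} | Set-Content -Path (Join-Path $dir "SHA256SUMS.txt")

# Drift report: diff this run's conditional access policies against the most recent previous backup,
# so an unintended change is noticed at backup time rather than when the backup is needed.
$prev = Get-ChildItem $BackupRoot -Directory | Where-Object { $_.Name -lt $stamp } |
        Sort-Object Name -Descending | Select-Object -First 1
if ($prev) {
    $old = @(Get-Content (Join-Path $prev.FullName "ConditionalAccessPolicies.json") -Raw | ConvertFrom-Json)
    $new = @(Get-Content (Join-Path $dir "ConditionalAccessPolicies.json") -Raw | ConvertFrom-Json)
    if ($old.Count -and $new.Count) {
        Compare-Object $old $new -Property Id,DisplayName,State |
            ForEach-Object { "CA policy drift: {0} [{1}] {2}" -f $_.DisplayName, $_.State, $_.SideIndicator }
    }
}
Disconnect-MgGraph | Out-Null
```

Run it from Task Scheduler with the same account each time so successive folders under $BackupRoot compare like with like; a "=>" line in the drift output means a policy exists only in the new run, "<=" only in the previous one.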
Microsoft 365 Desired State Configuration (DSC) is a powerful solution that uses PowerShell DSC to manage the configuration of Microsoft 365 services, including Azure AD. Using Microsoft 365 DSC, you can extract your Azure AD tenant configurations and save them in a configuration file.
Here's a step-by-step process for using Microsoft 365 DSC to back up your Azure AD tenant configurations:
Install the Microsoft365DSC module from the PowerShell Gallery:
Install-Module -Name Microsoft365DSC
Capture the admin credentials the export will use to connect to Azure AD (Microsoft365DSC has no separate connect cmdlet; the credential is passed to the export command):
$Credential = Get-Credential
Run the following command to extract the Azure AD tenant configurations:
# Older releases spelled these parameters -Quiet -ComponentsToExtract; current releases use -Components.
Export-M365DSCConfiguration -Credential $Credential -Components @("AADApplication", "AADGroup", "AADGroupLifecyclePolicy", "AADGroupsNamingPolicy", "AADGroupsSettings", "AADMSGroup", "AADPolicy", "AADServicePrincipal", "AADTenantDetails", "AADUser")
This command exports the specified components, such as users, groups, applications, service principals, and tenant details, to a DSC configuration script. You can tailor the components list to your organization's requirements.
Running Export-M365DSCConfiguration generates a DSC configuration script that contains your Azure AD tenant configurations. Save this script to a secure location, such as an encrypted folder, a secure file server, or a cloud storage service that supports encryption and access controls.
To automate the backup process, create a PowerShell script file that contains the steps described above. Save the script with a ".ps1" extension, for example, "AzureADBackupM365DSC.ps1".
To schedule regular backups, use Windows Task Scheduler or an alternative scheduling tool:
Regularly monitor the backup process to ensure it is running as expected and that the backup files are securely stored. Periodically test the restoration process to ensure the data can be successfully imported back into Azure AD when needed.
Third-party platforms for backing up Azure AD tenant configurations offer several advantages over native methods like Azure AD Connect and code-intensive workarounds like PowerShell. These advantages include:
Simeon Cloud is a dedicated end-to-end automation platform that helps you back up your Microsoft 365 tenant configurations, including Azure AD. We’re one of the only no-code platforms that does this while specializing exclusively in M365, making us the premium solution of choice for businesses like Aegis Innovators, GCM Grosvenor, and Deskflix.
How does it work? It’s simple: Simeon stores a backup of all your Azure AD settings and policies each time someone from your team makes a change to your tenant via Admin Center. These backups are stored securely for you to retrieve on-demand should you need them.
But it doesn’t stop there. Simeon Cloud also provides ongoing drift detection and compliance monitoring features for Azure AD. With us, you can rest assured knowing that your organization is compliant with security standards and industry regulations at all times.
Moreover, Simeon does this while allowing you to manage multiple tenants through a single interface, a feature that’s especially useful for managed service providers and enterprises with more than one tenant. You can even copy-paste your configurations from one tenant to another!
Want to learn more about how Simeon can help your organization streamline your Azure AD backup strategy? Request a demo here!