May 1, 2023
|
12
min read
Josh Wittman
Josh Wittman, co-founder of Simeon Cloud, excels in Microsoft 365 through governance, security, and automation. An expert in SaaS, DevOps, and cybersecurity, he innovates in the digital workplace.
Businessman using a computer to backup storage data

Azure Active Directory (Azure AD) is an identity and access management platform (IAM) that’s responsible for controlling your employees’ ability to log into your organization’s resources and applications. 

Anything that compromises your Azure AD tenant configurations can lead to a sudden loss of access to important data and apps, making it especially important to have a backup plan for it in case something goes wrong.

Unfortunately, Microsoft’s built-in retention mechanisms are not enough to serve most enterprise organizations’ needs, forcing engineering teams to look elsewhere for third-party solutions and workarounds to back up their configurations.

Here’s an overview of every tool, framework, and workaround that you can use to backup Active Directory tenants in Microsoft Azure, including our very own no-code web portal for managing and maintaining tenant configurations.

This article covers:

Do You Really Need to Back Up Your Azure Active Directory Tenants?

The short answer? Yes. Microsoft Azure Active Directory is the primary identity provider for organizations running on Microsoft 365, meaning that it controls access to all your apps, resources, and integrations within the platform. 

If something were to happen to your Azure AD tenant, it’s not excessive to assume that your employees would lose access to all your data and applications for an extended period of time. 

As for the long answer, Microsoft Azure AD stores a collection of configuration files, settings, and policies that are highly critical for business continuity — including custom domains, conditional access policies, app registrations, role-based access control settings, privileged identity management settings, and much more. It also contains a directory of all users and groups within the company, which enables employees to log in and access business data.

All of this needs to be backed up securely in a third-party storage location so that it can be recovered in the event of a cyber attack or human error. For example, even something as simple as an employee making unintended changes to your tenant configurations could have your team locked out of access to crucial resources.

Why Native Azure AD Backup Solutions Aren’t Enough for Businesses

Microsoft offers some native backup and retention mechanisms for Azure AD; however, these features are insufficient for most business users due to their limitations. Here's an overview of these mechanisms and their potential shortcomings:

Recycle Bin and Soft-Delete

Azure AD provides a Recycle Bin that temporarily holds deleted objects, such as users and groups, for thirty days. This is known as soft-delete, allowing you to restore these objects within this timeframe. However, this feature has limitations:

  • It does not cover all objects, like application registrations or conditional access policies.
  • It does not provide versioning or backup of configurations before changes.
  • After 30 days, the deleted objects are permanently removed and cannot be recovered.

Azure AD Connect

Azure AD Connect synchronizes your on-premises Active Directory database with Azure AD. Although not a backup solution, it allows you to recover your Azure AD configuration by resynchronizing with your on-premises AD. However, this approach has limitations:

  • It assumes that you have an on-premises Active Directory infrastructure.
  • It does not cover cloud-only objects, such as guest accounts or cloud-native applications.
  • It is focused on identity data and does not cover other Azure AD configurations, like conditional access policies.

Activity Logs and Audit Logs

Azure AD maintains activity and audit logs that track changes made to various objects and configurations. While these logs can help investigate incidents, they are not a backup solution and cannot restore the previous state of your tenant.

3 Ways to Back Up Your Azure AD Tenants Using Popular Workarounds

While native backup processes are lacking, a limited number of unofficial and third-party workarounds do exist. These techniques and platforms enable Azure AD tenants to be backed up more reliably and consistently, even if there’s often some assembly required.

PowerShell Scripts

Using PowerShell scripts to securely back up your Azure AD tenant configurations involves exporting the data to a file format like CSV or JSON and storing the files in a secure location. The following is a step-by-step process for achieving this:

Prerequisites:

  • Install the AzureAD or Microsoft Graph PowerShell module.
  • Ensure you have the necessary permissions to access and export Azure AD configurations.

Step 1: Connect to Azure AD

Connect to Azure AD using your admin credentials:

For AzureAD module:

Connect-AzureAD

For Microsoft Graph module:

Connect-MgGraph

Step 2: Export Users

Export users to a CSV file:

Get-AzureADUser -All $true | Export-Csv -Path "AzureADUsers.csv" -NoTypeInformation

Step 3: Export Groups

Export groups to a CSV file:

Get-AzureADGroup -All $true | Export-Csv -Path "AzureADGroups.csv" -NoTypeInformation

Step 4: Export Group Memberships

Export group memberships to a CSV file:

$groups = Get-AzureADGroup -All $true

$groupMemberships = @()

foreach ($group in $groups) {

    $members = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true

    foreach ($member in $members) {

        $groupMembership = New-Object -TypeName PSObject -Property @{

            GroupObjectId   = $group.ObjectId

            GroupDisplayName = $group.DisplayName

            MemberObjectId  = $member.ObjectId

            MemberDisplayName = $member.DisplayName

        }

        $groupMemberships += $groupMembership

    }

}

$groupMemberships | Export-Csv -Path "AzureADGroupMemberships.csv" -NoTypeInformation

Step 5: Export Applications

Export applications to a CSV file:

Get-AzureADApplication -All $true | Export-Csv -Path "AzureADApplications.csv" -NoTypeInformation

Step 6: Export Service Principals

Export service principals to a CSV file:

Get-AzureADServicePrincipal -All $true | Export-Csv -Path "AzureADServicePrincipals.csv" -NoTypeInformation

Step 7: Export Directory Roles and Memberships

Export directory roles and their memberships to CSV files:

Get-AzureADDirectoryRole -All $true | Export-Csv -Path "AzureADDirectoryRoles.csv" -NoTypeInformation

$roles = Get-AzureADDirectoryRole -All $true

$roleMemberships = @()

foreach ($role in $roles) {

    $members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -All $true

    foreach ($member in $members) {

        $roleMembership = New-Object -TypeName PSObject -Property @{

            RoleObjectId   = $role.ObjectId

            RoleDisplayName = $role.DisplayName

            MemberObjectId  = $member.ObjectId

            MemberDisplayName = $member.DisplayName

        }

        $roleMemberships += $roleMembership

    }

}

$roleMemberships | Export-Csv -Path "AzureADDirectoryRoleMemberships.csv" -NoTypeInformation

Step 8: Save Backup Files

Save the generated CSV files to a secure location, such as an encrypted folder, a secure file server, or a cloud storage service that supports encryption and access controls.

Step 9: Export Conditional Access Policies

Export conditional access policies to a JSON file (requires Microsoft Graph module):

$policies = Get-MgConditionalAccessPolicy -All

$policies | ConvertTo-Json -Depth 5 | Set-Content -Path "AzureADConditionalAccessPolicies.json"

Step 10: Automate and Schedule Backups

To automate the backup process, create a PowerShell script file that contains the steps described above. Save the script with a ".ps1" extension, for example, "AzureADBackup.ps1".

To schedule regular backups, use Windows Task Scheduler or an alternative scheduling tool:

  1. Open Windows Task Scheduler and create a new task.
  2. Set a name and description for the task.
  3. In the "Triggers" tab, create a new trigger and define the schedule (e.g., daily, weekly, or monthly).
  4. In the "Actions" tab, create a new action with the following settings:
  1. Action: Start a program
  2. Program/script: PowerShell.exe
  3. Add arguments (optional): -ExecutionPolicy Bypass -File "C:\Path\to\your\AzureADBackup.ps1"
  4. Start in (optional): 
  1. Configure any additional settings, such as security options or conditions, as needed.
  2. Save the task and ensure it runs as expected.

Microsoft 365 DSC

Microsoft 365 Desired State Configuration (DSC) is a powerful solution that uses PowerShell DSC to manage the configuration of Microsoft 365 services, including Azure AD. Using Microsoft 365 DSC, you can extract your Azure AD tenant configurations and save them in a configuration file.

Here's a step-by-step process for using Microsoft 365 DSC to back up your Azure AD tenant configurations:

Prerequisites:

  • Install the Microsoft365DSC module from the PowerShell Gallery:

Install-Module -Name Microsoft365DSC

  • Ensure you have the necessary permissions to access and export Azure AD configurations.

Step 1: Connect to Azure AD

Connect to Azure AD using your admin credentials:

Connect-M365DSCConfiguration

Step 2: Extract Azure AD configurations

Run the following command to extract the Azure AD tenant configurations:

Export-M365DSCConfiguration -Quiet -ComponentsToExtract @("AADApplication", "AADGroup", "AADGroupLifecyclePolicy", "AADGroupsNamingPolicy", "AADGroupsSettings", "AADMSGroup", "AADPolicy", "AADServicePrincipal", "AADTenantDetails", "AADUser")

This command exports the specified components, such as users, groups, applications, service principals, and tenant details, to a DSC configuration script. You can tailor the components list to your organization's requirements.

Step 3: Save the Configuration Script

After running the Export-M365DSCConfiguration command, it will generate a DSC configuration script that contains your Azure AD tenant configurations. Save this script to a secure location, such as an encrypted folder, a secure file server, or a cloud storage service that supports encryption and access controls.

Step 4: Automate and Schedule Backups

To automate the backup process, create a PowerShell script file that contains the steps described above. Save the script with a ".ps1" extension, for example, "AzureADBackupM365DSC.ps1".

To schedule regular backups, use Windows Task Scheduler or an alternative scheduling tool:

  1. Open Windows Task Scheduler and create a new task.
  2. Set a name and description for the task.
  3. In the "Triggers" tab, create a new trigger and define the schedule (e.g., daily, weekly, or monthly).
  4. In the "Actions" tab, create a new action with the following settings:
  1. Action: Start a program
  2. Program/script: PowerShell.exe
  3. Add arguments (optional): -ExecutionPolicy Bypass -File "C:\Path\to\your\AzureADBackupM365DSC.ps1"
  4. Start in (optional): 
  1. Configure any additional settings, such as security options or conditions, as needed.
  2. Save the task and ensure it runs as expected.

Step 5: Monitor and Maintain Backups

Regularly monitor the backup process to ensure it is running as expected and that the backup files are securely stored. Periodically test the restoration process to ensure the data can be successfully imported back into Azure AD when needed.

Third-Party Tools

Third-party platforms for backing up Azure AD tenant configurations offer several advantages over native methods like Azure AD Connect and code-intensive workarounds like PowerShell. These advantages include:

  • Comprehensive Coverage: Third-party backup solutions typically cover a broader range of Azure AD objects, configurations, and associated Microsoft 365 services, providing more complete protection for your organization's data.
  • Workflow Automation: Many third-party platforms automate the backup process, allowing you to schedule regular backups without manual intervention. This helps ensure consistent and up-to-date backups, reducing the risk of data loss.
  • Granular Recovery: Third-party solutions often provide granular recovery options, enabling you to restore specific items or configurations rather than entire data sets. This makes it easier to recover from accidental deletions or changes without affecting other configurations.
  • User Interface: Third-party tools typically come with a user-friendly interface that simplifies backup management and restoration processes, making it easier for IT administrators and non-technical users to perform tasks without extensive knowledge of PowerShell or other scripting languages.
  • Data Retention: Third-party platforms often allow you to define custom data retention policies that meet your organization's requirements for data storage, compliance, and long-term retention.
  • Secure Storage: These solutions often provide secure storage options, such as encryption and access controls, to help protect your backups from unauthorized access or data breaches.
  • Enhanced Support: Vendors of third-party backup tools usually offer dedicated support, documentation, and updates to their products, ensuring you have access to the assistance and resources you need to keep your backups running smoothly.
  • Cross Platform: Third-party backup platforms often support multiple platforms and environments, making it easier to integrate with your existing IT infrastructure.
  • Reporting Capabilities: Many third-party backup solutions include built-in reporting and monitoring features that provide insights into your backup process, helping you identify potential issues and ensure your data is protected.
  • Reduced Complexity: By using a dedicated third-party backup solution, you can reduce the complexity and potential for errors associated with manual processes or custom scripts, making it more likely that your backups are successful and reliable.

Simeon Cloud: The Best Way to Back Up Azure AD Tenant Configurations

Simeon Cloud is a dedicated end-to-end automation platform that helps you back up your Microsoft 365 tenant configurations, including Azure AD. We’re the one of the only no-code platforms that does this while specializing exclusively in M365, making us the premium solution of choice for businesses like Aegis Innovators, GCM Grosvenor, and Deskflix.

How does it work? It’s simple: Simeon stores a backup of all your Azure AD settings and policies each time someone from your team makes a change to your tenant via Admin Center. These backups are stored securely for you to retrieve on-demand should you need them. 

But it doesn’t stop there. Simeon Cloud also provides ongoing drift detection and compliance monitoring features for Azure AD. With us, you can rest assured knowing that your organization is compliant with security standards and industry regulations at all times.

Moreover, Simeon does this while allowing you to manage multiple tenants through a single interface, a feature that’s especially useful for managed service providers and enterprises with more than one tenant. You can even copy-paste your configurations from one tenant to another!

Want to learn more about how Simeon can help your organization streamline your Azure AD backup strategy? Request a demo here!

Get a personalized demo today

Created by M365 experts, for M365 experts.