October 6, 2023 | 5 min read
Josh Wittman
Josh Wittman, co-founder of Simeon Cloud, excels in Microsoft 365 through governance, security, and automation. An expert in SaaS, DevOps, and cybersecurity, he innovates in the digital workplace.

Microsoft Entra ID (formerly Azure Active Directory, Azure AD) is the identity and access management platform behind Microsoft 365. That means if the data and configuration inside Entra ID are compromised or deleted, the organization can be locked out of every application and resource in Microsoft 365 that relies on it for sign-in and authorization.

Given how important it is to business continuity, it pays to know which fail-safe measures Microsoft has in place in the event that Microsoft Entra ID data is deleted, whether by an administrator's mistake or by an attacker.

The Entra ID Recycle Bin (Microsoft's soft-delete behaviour for directory objects) enables administrators to recover specific types of deleted objects, such as users, Microsoft 365 groups and application registrations, within a 30-day retention period, offering an additional layer of protection against internal errors and external threats.

Today, let's take a look at everything you need to know about the Entra ID (Azure AD) Recycle Bin, including its advantages and limitations, to understand how to build a comprehensive backup plan for your configurations and data.

What Is Entra/Azure AD Recycle Bin?

The Azure AD Recycle Bin is a feature of Microsoft Entra ID (Azure Active Directory) that provides a temporary holding area for deleted objects of supported types, such as users, Microsoft 365 groups, application registrations and service principals.

After an object is deleted in Entra ID, the Recycle Bin holds it in a "soft-deleted" state for 30 days before it is permanently deleted. Soft-deleted objects are not visible in the regular directory listing but can still be enumerated and restored through the Microsoft Entra admin center or Azure portal, the Microsoft Graph API (the directory/deletedItems endpoint) or Microsoft Graph PowerShell; the legacy Azure AD PowerShell module is deprecated and should not be relied on for new tooling. A restored object keeps its original object ID, so references to it elsewhere (group memberships, role assignments, policy scopes) become valid again, which is why a restore is preferable to re-creating the object by hand.

After the 30-day retention period has passed, the object is permanently deleted and recovery is no longer possible. If an object is no longer needed, you can permanently delete it from the Recycle Bin before the 30 days have expired, which is also irreversible.

Only administrators holding a role that can manage the object type in question (for example User Administrator for users, Groups Administrator for groups, Application Administrator for app registrations) or Global Administrator can access and manage the Recycle Bin. They can list, restore and permanently delete soft-deleted objects. Because permanent deletion is irreversible, treat these roles as privileged and review their use in the audit log.

Features of Entra/Azure AD Recycle Bin

The Recycle Bin cannot recover every type of object, setting or configuration stored in Entra ID. Its coverage is limited to the following object types:

  • Users: Both cloud-only and synced users (from on-premises AD) appear in the Recycle Bin. When a deleted user is restored, the account, its attributes, group memberships and licenses come back with it. For a synced user, on-premises AD remains the source of authority: check whether the object still exists (or has been restored) on-premises before restoring it in the cloud.
  • Groups: Only Microsoft 365 groups are soft-deleted. Security groups and distribution groups are deleted permanently and cannot be recovered from the Recycle Bin, so a deleted security group that scopes Conditional Access policies or role assignments must be re-created and every reference to it fixed by hand. When a Microsoft 365 group is restored, its attributes, members and owners, and its workload content (mailbox, SharePoint site, Teams team) are restored.
  • Application registrations and service principals: These are two distinct object types (the application object and the service principal that represents it in the tenant), and both are soft-deleted. Deleting an app registration deletes its service principal as well; restoring the registration retains its settings, credentials and configured API permissions, but check the state of the service principal after a restore rather than assuming it came back too.
  • Administrative units: Deleted administrative units are also soft-deleted and can be restored. Custom directory roles, by contrast, are not covered: deleting a custom role definition is permanent, so role definitions and role assignments must be backed up separately.

Limitations of Entra/Azure AD Recycle Bin

While it provides a useful layer of protection for recovering deleted objects, the Recycle Bin has limitations that may not satisfy enterprise security and compliance requirements:

  • Retention Period: The Recycle Bin retains deleted objects for a fixed 30 days. The period cannot be extended, even with a Microsoft Entra ID P1 or P2 license. Enterprises requiring longer retention for compliance or business continuity purposes will find this insufficient, and an attacker who deletes objects and then waits, or who permanently deletes them immediately, defeats it entirely.
  • Backup Granularity: Recycle Bin is designed to recover individual objects rather than providing full-scale backups of the entire Azure AD environment. Enterprises seeking a comprehensive backup and disaster recovery solution may need to look for third-party tools or additional services to meet their requirements.
  • No Versioning: The Recycle Bin does not keep multiple versions of an object, so an object's previous state cannot be recovered if it was modified before deletion, and a damaging modification that is not a deletion (a group emptied of its members, an app registration given extra permissions) leaves nothing to restore at all. This is a problem for organizations that need version history for auditing or troubleshooting.
  • Linked Objects: A restore brings back the object and the relationships stored on it, but not state held elsewhere that was cleaned up when the object disappeared. After restoring, verify role assignments, licenses, application consents and external references rather than assuming them; in large environments this reconciliation can be complex and time-consuming.
  • Limited scope: The Recycle Bin covers only directory objects such as users, groups and application registrations. It does not extend to other Entra ID configuration and policies (for example Conditional Access policies, named locations, Privileged Identity Management settings or cross-tenant access settings), which are just as critical for business continuity and have no soft-delete at all.
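The versioning and scope gaps above are the ones a practitioner can partly close on their own. The following script is an added example, not code from the original article or from CoreView: it takes a dated point-in-time JSON snapshot of Conditional Access policies and named locations (configuration the Recycle Bin never covers) through Microsoft Graph, and reports which policies were added, removed or modified since the previous snapshot. It assumes the Microsoft.Graph.Authentication module is installed and the signed-in account holds the Policy.Read.All permission; the snapshot folder and function names are this example's own choices.

```powershell
# Added example (not from the original article). Snapshots Entra ID
# configuration that has no Recycle Bin, and diffs it against the last run.
# Assumes Microsoft.Graph.Authentication is installed and the account has
# Policy.Read.All. The folder "$HOME/entra-snapshots" is an assumption.
#Requires -Modules Microsoft.Graph.Authentication

function Get-GraphCollection {
    # Follows @odata.nextLink so large tenants are captured completely.
    param([Parameter(Mandatory)][string]$Uri)
    $items = @()
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
        $items += $page.value
        $Uri = $page.'@odata.nextLink'
    }
    return $items
}

function Save-EntraPolicySnapshot {
    # Writes one timestamped JSON file per run; keep the folder in source
    # control or immutable storage so an attacker with tenant admin rights
    # cannot tamper with the history.
    param([string]$Folder = "$HOME/entra-snapshots")
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    $snapshot = [ordered]@{
        takenAt           = (Get-Date).ToUniversalTime().ToString('o')
        conditionalAccess = Get-GraphCollection 'v1.0/identity/conditionalAccess/policies'
        namedLocations    = Get-GraphCollection 'v1.0/identity/conditionalAccess/namedLocations'
    }
    $path = Join-Path $Folder ('entra-policies-{0:yyyyMMdd-HHmmss}.json' -f (Get-Date))
    $snapshot | ConvertTo-Json -Depth 20 | Set-Content -Path $path -Encoding utf8
    return $path
}

function Compare-EntraPolicySnapshot {
    # Compares the two newest snapshots by policy id. Any change, including
    # a flipped "state" (enabled -> disabled), shows up as "modified".
    param([string]$Folder = "$HOME/entra-snapshots")
    $files = Get-ChildItem -Path $Folder -Filter 'entra-policies-*.json' |
             Sort-Object Name | Select-Object -Last 2
    if (@($files).Count -lt 2) { Write-Warning 'Need two snapshots to compare.'; return }
    $old = (Get-Content -Path $files[0].FullName -Raw | ConvertFrom-Json).conditionalAccess
    $new = (Get-Content -Path $files[1].FullName -Raw | ConvertFrom-Json).conditionalAccess
    $oldById = @{}; foreach ($p in $old) { $oldById[$p.id] = $p }
    $newById = @{}; foreach ($p in $new) { $newById[$p.id] = $p }
    foreach ($id in $newById.Keys) {
        if (-not $oldById.ContainsKey($id)) {
            [pscustomobject]@{ Change = 'added'; Policy = $newById[$id].displayName; Id = $id }
        }
        elseif (($oldById[$id] | ConvertTo-Json -Depth 20 -Compress) -ne
                ($newById[$id] | ConvertTo-Json -Depth 20 -Compress)) {
            [pscustomobject]@{ Change = 'modified'; Policy = $newById[$id].displayName; Id = $id }
        }
    }
    foreach ($id in $oldById.Keys) {
        if (-not $newById.ContainsKey($id)) {
            # A removed Conditional Access policy is gone for good: no Recycle Bin.
            [pscustomobject]@{ Change = 'removed'; Policy = $oldById[$id].displayName; Id = $id }
        }
    }
}

Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome
$saved = Save-EntraPolicySnapshot
Write-Host "Snapshot written to $saved"
Compare-EntraPolicySnapshot | Format-Table -AutoSize
```

Run it on a schedule (or from a pipeline with a workload identity) and the JSON files give you exactly what the Recycle Bin lacks for policies: a version history, and a copy to rebuild from when a policy is deleted outright. The diff is deliberately coarse (whole-object JSON comparison) so that no field change is missed; a modified entry is a prompt to open both files and look.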

How to Enable Entra/Azure AD Recycle Bin?

The Recycle Bin is enabled by default in every Entra ID tenant for the supported object types, so there is nothing to switch on. Microsoft provides this functionality automatically to ensure a baseline level of protection and recovery for directory objects such as users, Microsoft 365 groups and application registrations.

It is still important to know where the soft-deleted objects live, because the portal exposes them per object type rather than in one consolidated view. To find them:

  • Sign in to the Microsoft Entra admin center (or the Azure portal and open Microsoft Entra ID) with an account that holds a suitable administrative role.
  • For users, go to Users and select "Deleted users".
  • For Microsoft 365 groups, go to Groups and select "Deleted groups".
  • For app registrations, go to App registrations and open the "Deleted applications" tab.
  • Each view lists the soft-deleted objects of that type that are still within the 30-day retention period, together with their deletion date, and offers restore and permanent delete actions.

To restore a deleted object:

  • In the relevant deleted-objects view, select the object you want to restore.
  • Click the "Restore" action at the top of the view.
  • Confirm the prompt. The object returns with its original object ID.

To permanently delete directory objects:

  • In the relevant deleted-objects view, select the object you want to purge.
  • Click the "Delete permanently" action at the top of the view.
  • A confirmation prompt warns that the action is irreversible. Confirm only if you are certain the object is not needed; there is no further recovery path.
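The same three operations (list, restore, permanently delete) are what you want scripted when the portal is slow or when you need an inventory of everything about to expire. The following script is an added example, not code from the original article or from CoreView; it works against the Microsoft Graph directory/deletedItems endpoint through Invoke-MgGraphRequest, which is the same API the portal uses. It assumes the Microsoft.Graph.Authentication module is installed and that the signed-in account holds a role able to manage the object types involved; the function names are this example's own.

```powershell
# Added example (not from the original article). Lists, restores and purges
# soft-deleted Entra ID objects through Microsoft Graph.
# Assumes Microsoft.Graph.Authentication is installed and the account holds
# an appropriate admin role (Directory.ReadWrite.All covers all three actions).
#Requires -Modules Microsoft.Graph.Authentication

$RetentionDays = 30   # fixed by Microsoft; cannot be extended

# Only these object types are soft-deleted; anything else is gone on delete.
$SelectByType = @{
    user               = 'id,displayName,userPrincipalName,deletedDateTime,onPremisesSyncEnabled'
    group              = 'id,displayName,deletedDateTime,groupTypes'
    application        = 'id,displayName,deletedDateTime'
    servicePrincipal   = 'id,displayName,deletedDateTime'
    administrativeUnit = 'id,displayName,deletedDateTime'
}

function Get-SoftDeletedObject {
    # Inventory of everything in the Recycle Bin with the days left to act.
    param([string[]]$Types = @($SelectByType.Keys))
    foreach ($type in $Types) {
        $uri = "v1.0/directory/deletedItems/microsoft.graph.$type" + '?$select=' + $SelectByType[$type]
        while ($uri) {
            $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
            foreach ($o in $page.value) {
                $deleted  = [datetime]$o.deletedDateTime
                $daysLeft = [math]::Floor(($deleted.AddDays($RetentionDays) - (Get-Date)).TotalDays)
                $name     = if ($o.userPrincipalName) { $o.userPrincipalName } else { $o.displayName }
                [pscustomobject]@{
                    Type     = $type
                    Id       = $o.id
                    Name     = $name
                    Deleted  = $deleted
                    DaysLeft = [math]::Max(0, [int]$daysLeft)
                    Synced   = [bool]$o.onPremisesSyncEnabled
                }
            }
            $uri = $page.'@odata.nextLink'   # follow paging for large tenants
        }
    }
}

function Restore-SoftDeletedObject {
    param([Parameter(Mandatory)][string]$Id)
    $item = Invoke-MgGraphRequest -Method GET -Uri "v1.0/directory/deletedItems/$Id" -OutputType PSObject
    if ($item.onPremisesSyncEnabled) {
        # On-premises AD stays the source of authority for synced objects.
        Write-Warning "$($item.displayName) is synced from on-premises AD; confirm it exists (or was restored) there before restoring in the cloud."
    }
    # The restore action returns the restored directoryObject, same id as before.
    Invoke-MgGraphRequest -Method POST -Uri "v1.0/directory/deletedItems/$Id/restore" -OutputType PSObject
}

function Remove-SoftDeletedObject {
    # Irreversible: ConfirmImpact High forces a prompt unless -Confirm:$false.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string]$Id)
    if ($PSCmdlet.ShouldProcess($Id, 'Permanently delete soft-deleted object (no further recovery)')) {
        Invoke-MgGraphRequest -Method DELETE -Uri "v1.0/directory/deletedItems/$Id"
    }
}

Connect-MgGraph -Scopes 'Directory.ReadWrite.All' -NoWelcome
Get-SoftDeletedObject | Sort-Object DaysLeft |
    Format-Table Type, Name, Deleted, DaysLeft, Synced -AutoSize
# Restore-SoftDeletedObject -Id '<object id from the table above>'
# Remove-SoftDeletedObject  -Id '<object id from the table above>'
```

Sorting by DaysLeft puts the objects closest to permanent loss at the top, which is the list to review daily. Note what the inventory will never show: deleted security groups, distribution groups and custom roles, which are hard-deleted and do not pass through this endpoint at all.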

Alternative to Entra (Azure AD) Recycle Bin

The Entra ID Recycle Bin, while useful for recovering deleted objects, may not fulfil critical security requirements. For more robust Entra ID backup and restoration, consider CoreView and CoreView Configuration Manager.

With our end-to-end Microsoft 365 solution, you can:

  • Back up your Entra ID, Intune, Defender, Purview and Microsoft 365 configurations
  • Maintain a version history of configuration changes to support NIST, CIS and other frameworks
  • Roll back to a previous state on demand with point-in-time restoration
  • Restore your configurations in a disaster scenario

Learn more about CoreView’s configuration backup and restoration tool for Microsoft 365 today.