Could Your Organization Recover Critical Azure AD Resources After a Cyberattack?

This guest blog was contributed by Greg Jones at Semperis.

Digital transformation has pushed more organizations to the cloud, making Azure Active Directory an attractive option for supporting single sign-on across their cloud and on-premises environments. As organizations have embraced hybrid AD, securing and managing that infrastructure from the data center to the cloud has become critical. Equally important is preparing for the worst-case scenario—a cyberattack or human error that forces you to recover your on-premises AD and Azure AD environments.

As with on-premises AD implementations, having a backup and recovery strategy for Azure AD is an important aspect of protecting your organization against manual errors and malicious activity. However, a sound backup and recovery strategy for Azure AD has unique requirements that warrant focused consideration.

Planning for malicious or accidental Azure AD resource deletions

When planning for disaster recovery of cloud services, many organizations focus on availability and the prospect of outages disrupting operations. However, the need to address the possibility of accidental deletions and malicious activity cannot be overlooked. While Microsoft is responsible for Azure AD’s back end, the responsibility for effectively restoring Microsoft 365 groups, directory roles, and other objects falls squarely on the customer. As the authentication service for Microsoft 365 and other cloud applications and services, Azure AD is home to certain objects that only exist in the cloud and cannot be replicated in your on-premises Active Directory environment. As a result, you need a recovery strategy that is specific to Azure AD.

While it is tempting to rely on Azure AD’s Recycle Bin feature or Azure AD Connect sync, neither option offers a complete solution. In the case of the Recycle Bin, only certain objects and applications can be recovered, and only for a limited time period. After 30 days, the Recycle Bin is of no use in this regard, and the same is true if the object has been hard-deleted. In addition, Azure AD groups do not appear in the Recycle Bin upon deletion at all, and the feature cannot be used to recover modified object attributes—whether they were changed accidentally or by attackers.

On-premises AD and Azure AD should be considered two separate directories; even with Azure AD Connect in place, there is no full bi-directional synchronization. As a result, backup and recovery solutions for on-premises AD do not extend to the cloud environment. A deleted Azure AD user could be partially recovered from the on-premises AD, but any cloud-specific attributes, such as conditional access policies, would be missing. A similar challenge applies to cloud accounts created from a partner’s external directory, such as Azure AD B2C and B2B accounts. Again, these accounts would not be recoverable via an on-premises backup solution.

Challenges of recovering Azure AD resources

One of the key challenges with successfully securing and recovering the Azure AD environment is that an administrator might not be able to tell easily what was added or changed. For example, if someone removes multifactor authentication for a particular account, it may be difficult to ascertain what changed, who changed it, when, and from where. Addressing these issues requires that organizations extend the same level of monitoring and security to the cloud as they have in their on-premises AD. For that, enterprises might need to turn to third-party tools that can identify suspicious activity and help them keep tabs on the hygiene of their Azure AD environment. These solutions can provide insight into Azure AD events that can ultimately reduce downtime if an attack or a manual error causes disruption.
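The "what, who, when, and where" question above is answerable from the Azure AD audit log if someone is actually looking. The script below is an added example for this post, not Semperis or Microsoft code: it triages audit records for the kinds of change the paragraph describes (MFA removed, a role granted, a group deleted, user attributes edited) and records the pre-change value so a later restore knows what to put back. The record shape follows the Microsoft Graph directoryAudit resource (activityDisplayName, activityDateTime, initiatedBy, targetResources); the HIGH_RISK_ACTIVITIES list is an assumption to be extended, and every record in SAMPLE_AUDIT_RECORDS is constructed, not captured from a tenant.

```python
# Triage of Azure AD audit-log records for changes that are hard to trace after
# the fact. Added example for this post; not Semperis or Microsoft code.
# The record shape follows the Microsoft Graph directoryAudit resource; the
# records at the bottom are constructed samples, not captured logs.
from collections import namedtuple

# Activity names worth alerting on, and why. Assumption: a starting point for
# the reader to extend, not an authoritative catalogue of Azure AD activities.
HIGH_RISK_ACTIVITIES = {
    "Disable Strong Authentication": "MFA removed from account",
    "Add member to role": "directory role assigned",
    "Delete group": "group deleted (not recoverable from the Recycle Bin)",
    "Update user": "user attributes modified (not recoverable from the Recycle Bin)",
}

Finding = namedtuple("Finding", "when what who where target changes")


def describe_changes(target):
    """Turn a target's modifiedProperties into 'name: old -> new' strings so the
    finding keeps the pre-change value a restore would need."""
    out = []
    for prop in target.get("modifiedProperties", []):
        old = prop.get("oldValue") or "(none)"
        new = prop.get("newValue") or "(none)"
        out.append(f"{prop.get('displayName')}: {old} -> {new}")
    return out


def triage(records):
    """Return one Finding (what, who, when, where) per high-risk audit record."""
    findings = []
    for rec in records:
        reason = HIGH_RISK_ACTIVITIES.get(rec.get("activityDisplayName"))
        if reason is None:
            continue  # routine activity, not interesting here
        initiated = rec.get("initiatedBy") or {}
        # A change can be made by a user or by an application / service principal.
        actor = initiated.get("user") or initiated.get("app") or {}
        who = actor.get("userPrincipalName") or actor.get("displayName") or "unknown"
        where = actor.get("ipAddress") or "unknown"
        targets = rec.get("targetResources") or []
        names = [t.get("userPrincipalName") or t.get("displayName") or t.get("id")
                 for t in targets]
        changes = [c for t in targets for c in describe_changes(t)]
        findings.append(Finding(rec.get("activityDateTime"), reason, who, where,
                                ", ".join(n for n in names if n), changes))
    return findings


# Constructed sample records in the shape Graph returns from auditLogs/directoryAudits.
SAMPLE_AUDIT_RECORDS = [
    {"activityDateTime": "2021-03-02T10:14:07Z", "activityDisplayName": "Disable Strong Authentication",
     "category": "UserManagement",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example", "ipAddress": "203.0.113.10"}},
     "targetResources": [{"userPrincipalName": "jdoe@contoso.example", "modifiedProperties": []}]},
    {"activityDateTime": "2021-03-02T10:15:41Z", "activityDisplayName": "Update user",
     "category": "UserManagement",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example", "ipAddress": "203.0.113.10"}},
     "targetResources": [{"userPrincipalName": "jdoe@contoso.example",
                          "modifiedProperties": [{"displayName": "Department", "oldValue": "Finance", "newValue": ""}]}]},
    {"activityDateTime": "2021-03-02T10:16:02Z", "activityDisplayName": "Add member to role",
     "category": "RoleManagement",
     "initiatedBy": {"app": {"displayName": "Automation Script"}},  # no IP recorded for apps here
     "targetResources": [{"userPrincipalName": "jdoe@contoso.example",
                          "modifiedProperties": [{"displayName": "Role.DisplayName", "oldValue": None,
                                                  "newValue": "Global Administrator"}]}]},
    {"activityDateTime": "2021-03-02T11:00:00Z", "activityDisplayName": "Update group",
     "category": "GroupManagement",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example", "ipAddress": "198.51.100.7"}},
     "targetResources": [{"displayName": "Sales", "modifiedProperties": []}]},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT_RECORDS):
        print(f"{f.when}  {f.what}  target={f.target}  by={f.who}  from={f.where}")
        for c in f.changes:
            print("     ", c)
```

Run as a script it prints three findings for the constructed log and skips the routine group update; the third finding shows the case where the actor is an application rather than a user and no source address is available, which is exactly the "where" that is often hard to answer.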

When deciding what to back up from a strategic perspective, the focus should be on users, groups, and roles, as those entities control access to other resources. It’s also critical for IT leaders to understand what can and cannot be recovered via the Recycle Bin and that enabling Azure AD Connect sync will not meet their needs when it comes to recovery in the cloud. While both these features serve an important purpose, they are not comprehensive solutions for backup and recovery in the cloud.
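Because the Recycle Bin neither holds deleted groups nor restores modified attributes, a backup of users, groups, and roles is only useful if you can compare a saved copy against the live directory and see what has to go back. The code below is an added example for this post, not Semperis or Microsoft code. It diffs two point-in-time snapshots and turns the differences into a restore plan; the snapshot layout ({object type: {object id: attributes}}) and the attribute names are assumptions for the example, and both snapshots are constructed samples.

```python
# Diff two snapshots of users, groups and directory roles and derive what a
# restore would have to put back. Added example for this post; the snapshot
# layout is an assumption, not a Semperis or Microsoft format, and both
# snapshots below are constructed samples.
from dataclasses import dataclass
from typing import Any, Optional


@dataclass
class Change:
    kind: str            # "deleted", "added" or "modified"
    obj_type: str        # "users", "groups" or "roles"
    obj_id: str
    attribute: Optional[str] = None
    old: Any = None
    new: Any = None


def diff_snapshots(before, after):
    """Return every object removed, added or attribute-changed between snapshots.
    Membership lists are compared as sorted lists so ordering is not noise."""
    changes = []
    for obj_type in sorted(set(before) | set(after)):
        old_objs = before.get(obj_type, {})
        new_objs = after.get(obj_type, {})
        for obj_id in sorted(set(old_objs) | set(new_objs)):
            if obj_id not in new_objs:
                changes.append(Change("deleted", obj_type, obj_id, old=old_objs[obj_id]))
                continue
            if obj_id not in old_objs:
                changes.append(Change("added", obj_type, obj_id, new=new_objs[obj_id]))
                continue
            old_attrs, new_attrs = old_objs[obj_id], new_objs[obj_id]
            for attr in sorted(set(old_attrs) | set(new_attrs)):
                o, n = old_attrs.get(attr), new_attrs.get(attr)
                if isinstance(o, list) and isinstance(n, list):
                    o, n = sorted(o), sorted(n)
                if o != n:
                    changes.append(Change("modified", obj_type, obj_id, attr, o, n))
    return changes


def restore_plan(changes):
    """Group changes by the action a recovery would take: deleted objects are
    re-created from the backup copy, modified attributes get the old value
    written back, and added objects are listed for review rather than removed
    automatically, since they may be legitimate."""
    plan = {"recreate": [], "revert": [], "review": []}
    for c in changes:
        if c.kind == "deleted":
            plan["recreate"].append(f"{c.obj_type}/{c.obj_id}")
        elif c.kind == "modified":
            plan["revert"].append(f"{c.obj_type}/{c.obj_id}.{c.attribute} = {c.old!r}")
        else:
            plan["review"].append(f"{c.obj_type}/{c.obj_id}")
    return plan


# Constructed snapshots: a B2B guest is deleted, MFA is turned off for a user,
# the guest drops out of a group and the user is added to Global Administrator.
SNAPSHOT_BEFORE = {
    "users": {
        "u-jdoe": {"upn": "jdoe@contoso.example", "userType": "Member",
                   "mfaEnforced": True, "department": "Finance"},
        "u-guest": {"upn": "pat_partner.example#EXT#@contoso.example",
                    "userType": "Guest", "mfaEnforced": True},
    },
    "groups": {"g-finance": {"displayName": "Finance", "members": ["u-jdoe", "u-guest"]}},
    "roles": {"r-ga": {"displayName": "Global Administrator", "members": ["u-admin"]}},
}

SNAPSHOT_AFTER = {
    "users": {
        "u-jdoe": {"upn": "jdoe@contoso.example", "userType": "Member",
                   "mfaEnforced": False, "department": "Finance"},
    },
    "groups": {"g-finance": {"displayName": "Finance", "members": ["u-jdoe"]}},
    "roles": {"r-ga": {"displayName": "Global Administrator", "members": ["u-jdoe", "u-admin"]}},
}

if __name__ == "__main__":
    for action, items in restore_plan(diff_snapshots(SNAPSHOT_BEFORE, SNAPSHOT_AFTER)).items():
        print(action, items)
```

The deleted guest account is the case the text singles out: it exists only in the cloud, so nothing on-premises can re-create it, and the saved snapshot is the only source for its attributes. The membership reverts on the group and the role are the "modified attribute" case the Recycle Bin does not cover.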

Bridging the gap between the need for recovery following an incident that wipes out Azure AD resources and Azure AD’s native capabilities will be critical as organizations adopt more cloud services and increase their efforts to control user access. From the permission model to its native capabilities, Azure AD is its own animal, and businesses need to adjust their focus to account for the unique characteristics of their cloud environments and how identity is managed.