Microsoft Entra ID Backup and Recovery: Native Tenant Backup Is Finally Here
- Rawson Wade
- 3 days ago
Updated: 2 days ago

TL;DR: Microsoft has shipped a native backup and recovery solution directly inside the Entra admin portal. It takes automatic daily snapshots of your core tenant objects (users, groups, apps, Conditional Access policies, service principals, and more) and retains them for five days. You can generate difference reports to compare current state against any snapshot, then surgically recover individual objects or roll back in bulk. Two new RBAC roles ship alongside it. It's not a replacement for a full third-party backup strategy, but it's an enormous step forward for fast, in-place recovery from accidental changes and malicious attacks.
Why Microsoft Entra ID Needed a Native Backup Solution
If you've spent any time managing an Entra ID tenant at scale, you already know the sinking feeling: someone modifies a Conditional Access policy at 2 AM, a bulk user import goes sideways, or, worst case, an attacker with compromised admin credentials starts methodically tampering with Named Locations or Service Principals. Until now, your options for recovery ranged from "hope you exported a config backup recently" to "call Microsoft Support and pray."
Third-party identity backup products exist and they're excellent, but they add licensing cost and integration overhead, offer limited in-place recovery, and are another vendor to manage. Many smaller organisations simply never adopted one, leaving their identity plane entirely dependent on Microsoft Support's recovery processes.
That gap is exactly what Microsoft Entra ID Backup and Recovery targets. It's built directly into the portal, it's automatic, it requires zero initial configuration, and it works out of the box. For quick, in-place recovery scenarios (think "undo" for your tenant) this is a massive quality-of-life improvement.

How Microsoft Entra ID Backup and Recovery Works
Entra now takes a full snapshot of your tenant every day at 9:00 AM, capturing the state of all supported core objects. There's no toggle to flip, no agent to deploy, no storage account to wire up. It simply starts happening.
The system retains the last five days of snapshots. That gives you a rolling window of recovery points to work with. The supported object types cover the most critical identity and access configuration in your tenant:
- Users
- Groups
- Applications
- Service Principals
- Conditional Access Policies
- Named Locations
- Authentication Method Policy
- Authorization Policy
- Organisation
- OAuth2 Permission Grants
These are many of the object types that Entra admins like you and me can accidentally misconfigure, delete, or script into the abyss.
Entra Difference Reports: Compare Tenant State Before Restoring a Backup
This is where the feature gets really interesting. Rather than forcing you to blindly restore a snapshot and hope for the best, Entra lets you generate a difference report that compares the current live state of your tenant against a chosen backup point.
The report shows you exactly what changed: which objects were modified, which attributes differ, and which group memberships were added or removed. This lets you make an informed decision about whether to recover and what to target.

When generating a difference report, you have three scoping options to control what gets compared:
- All objects: compares every supported object in the tenant against the snapshot. The broadest view.
- Specific object types: narrow the report to only the types you care about (Applications, Conditional Access Policies, Service Principals, Users, Groups, Named Locations, Organisation, OAuth2 Permission Grants, Authorization Policies, or Authentication Method Policy).
- Individual objects by ID: pinpoint a single object using its object ID. Available for Applications, Conditional Access Policies, Named Locations, Users, and Groups.
This is great design. If you already know that a specific Conditional Access policy was the thing that got mangled, you don't need to run a full-tenant comparison. Target it by ID, get your delta, and move on.
What's Inside an Entra Backup Difference Report: Attribute-Level Change Tracking
Once a difference report completes, you get a table of every object that has changed since the backup was taken. For each object you can see the display name, object type, recovery action, how many attributes changed, how many link changes (e.g. group membership deltas) occurred, and whether the object is synced from on-premises.

You can drill into each object to see exactly which properties changed and what the before-and-after values look like. For example, in our testing we saw a Conditional Access policy where the grant controls had been changed from compliantApplication to mfa - exactly the kind of subtle policy drift that can easily go unnoticed until something breaks.
Group membership changes also surface clearly. If a user was removed from a security group, the report shows the specific member delta so you know precisely who was affected.
⚠️ On-Premises Sync Objects: Objects synced from on-premises Active Directory will appear in difference reports but are automatically excluded from recovery. This makes sense as those objects are mastered on-prem and should be remediated at source.
Entra Tenant Recovery: Restore Individual Objects or Full-Scope Rollback

Once you've reviewed the difference report and confirmed you're looking at the right point-in-time snapshot, you have two recovery paths. You can recover individual objects directly from the report (perfect when one specific policy or user record was impacted), or you can trigger a full recovery of the entire difference report scope.
Recovery reverts the selected objects to their state at the time the backup snapshot was taken. This is an irreversible operation, which is exactly why the difference report workflow exists: inspect first, recover second.
Entra Backup and Recovery Microsoft Graph API Endpoints
Everything available in the portal is also accessible via the Microsoft Graph API, which opens the door to scripts and some careful automation. The key endpoints sit under the https://graph.microsoft.com/directory/recovery/ namespace:
# List all backup snapshots
GET /directory/recovery/snapshots
# List difference report jobs
GET /directory/recovery/jobs?$filter=isof('microsoft.graph.entraRecoveryServices.recoveryPreviewJob')
# Get a specific job's details
GET /directory/recovery/jobs/{jobId}
# Get the changed objects from a difference report
GET /directory/recovery/snapshots/{snapshotId}/recoveryPreviewJobs/{jobId}/getChanges
The response payloads are well structured. Each changed object includes its currentState and deltaFromCurrent, giving you the full before-and-after picture programmatically. You could absolutely build automated alerting or break-glass procedures on top of this once it reaches General Availability.
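As an added example (not Microsoft's code and not from the original post), the Python script below walks the GET endpoints listed above against a constructed, offline fake of the Graph responses: it picks the newest snapshot, checks that a difference-report job has finished before doing anything else (because only one report can be active at a time), pulls the changed objects, separates on-premises-synced objects (report-only) from recoverable ones, and flags Conditional Access policies whose grant controls drifted, using the compliantApplication-to-mfa case from the post as sample data. Only the endpoint paths and the currentState / deltaFromCurrent field names come from the post; every other field name, id, and status value in the sample JSON is an assumption to be checked against a real beta response, and the HTTP layer is injected so you can swap in an authenticated requests session later.

```python
"""Offline walkthrough of the Entra Backup and Recovery Graph endpoints.
Added example, not Microsoft's code: only the endpoint paths and the field
names currentState / deltaFromCurrent come from the post; every other field in
the sample JSON (ids, status values, objectType, onPremisesSyncEnabled,
attribute names) is ASSUMED and must be checked against a real beta response.
The HTTP GET is injected, so this runs against a constructed fake without a tenant."""
import json
from typing import Callable, Dict, List, Tuple

GRAPH_ROOT = "https://graph.microsoft.com/directory/recovery"  # base from the post
Fetch = Callable[[str], dict]  # path relative to GRAPH_ROOT -> parsed JSON body

# Constructed sample responses with placeholder ids (not a real tenant).
FAKE_RESPONSES: Dict[str, dict] = {
    "/snapshots": {"value": [
        {"id": "snap-day1", "createdDateTime": "2000-01-01T09:00:00Z"},
        {"id": "snap-day2", "createdDateTime": "2000-01-02T09:00:00Z"}]},
    "/jobs/job-0001": {"id": "job-0001", "status": "completed"},
    "/snapshots/snap-day2/recoveryPreviewJobs/job-0001/getChanges": {"value": [
        # the drift from the post: snapshot had compliantApplication, live policy has mfa
        {"displayName": "Require MFA for admins", "objectType": "conditionalAccessPolicy",
         "onPremisesSyncEnabled": False,
         "currentState": {"grantControls": ["mfa"]},
         "deltaFromCurrent": {"grantControls": ["compliantApplication"]}},
        # synced from on-prem AD: listed in the report but excluded from recovery
        {"displayName": "Jane Doe", "objectType": "user", "onPremisesSyncEnabled": True,
         "currentState": {"accountEnabled": False}, "deltaFromCurrent": {"accountEnabled": True}},
        # a group that lost one member since the snapshot (a "link change")
        {"displayName": "SG-Finance", "objectType": "group", "onPremisesSyncEnabled": False,
         "currentState": {"members": ["user-a"]}, "deltaFromCurrent": {"members": ["user-a", "user-b"]}},
    ]},
}


def make_fake_fetch(responses: Dict[str, dict]) -> Fetch:
    """Stand-in for an authenticated GET of GRAPH_ROOT + path."""
    def fetch(path: str) -> dict:
        if path not in responses:
            raise KeyError(f"no constructed response for {GRAPH_ROOT}{path}")
        return responses[path]
    return fetch


def latest_snapshot_id(fetch: Fetch) -> str:
    """GET /snapshots and pick the newest of the (up to five) daily snapshots."""
    snaps = fetch("/snapshots").get("value", [])
    return max(snaps, key=lambda s: s["createdDateTime"])["id"]


def job_status(fetch: Fetch, job_id: str) -> str:
    """GET /jobs/{jobId}; the status vocabulary is assumed, not given in the post."""
    return fetch(f"/jobs/{job_id}").get("status", "unknown")


def get_changes(fetch: Fetch, snapshot_id: str, job_id: str) -> List[dict]:
    """GET the changed objects of a completed difference report."""
    return fetch(f"/snapshots/{snapshot_id}/recoveryPreviewJobs/{job_id}/getChanges").get("value", [])


def changed_attributes(change: dict) -> List[str]:
    """Attribute names whose live value differs from the snapshot-side value."""
    cur, snap = change.get("currentState", {}), change.get("deltaFromCurrent", {})
    return sorted(k for k in set(cur) | set(snap) if cur.get(k) != snap.get(k))


def summarize(changes: List[dict]) -> dict:
    """Split objects into recoverable vs on-prem-synced (report-only) and list their deltas."""
    out: dict = {"recoverable": [], "excluded_on_prem": [], "attribute_changes": {}}
    for c in changes:
        bucket = "excluded_on_prem" if c.get("onPremisesSyncEnabled") else "recoverable"
        out[bucket].append(c["displayName"])
        out["attribute_changes"][c["displayName"]] = changed_attributes(c)
    return out


def conditional_access_drift(changes: List[dict]) -> List[Tuple[str, list, list]]:
    """(policy, snapshot grantControls, live grantControls) for CA policies that drifted."""
    drift = []
    for c in changes:
        if c.get("objectType") != "conditionalAccessPolicy":
            continue
        before = c.get("deltaFromCurrent", {}).get("grantControls")
        after = c.get("currentState", {}).get("grantControls")
        if before != after:
            drift.append((c["displayName"], before, after))
    return drift


def run_report(fetch: Fetch, job_id: str) -> dict:
    """Newest snapshot -> confirm the report job finished -> pull and summarize changes."""
    status = job_status(fetch, job_id)
    if status != "completed":
        # One difference report at a time: a running job also blocks new reports
        # and recovery, so stop here rather than piling on further requests.
        raise RuntimeError(f"job {job_id} is '{status}', not completed")
    snapshot = latest_snapshot_id(fetch)
    changes = get_changes(fetch, snapshot, job_id)
    return {"snapshot": snapshot, "summary": summarize(changes),
            "ca_drift": conditional_access_drift(changes)}


if __name__ == "__main__":
    print(json.dumps(run_report(make_fake_fetch(FAKE_RESPONSES), "job-0001"), indent=2))
```

To point this at a real tenant, replace make_fake_fetch with a function that sends an authenticated GET to GRAPH_ROOT plus the path and returns the parsed JSON; everything else stays the same. The Backup Reader role is enough for this read-only flow, since nothing here calls a recovery endpoint.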
New Entra ID RBAC Roles: Backup Administrator and Backup Reader
Microsoft has introduced two new Entra roles to govern access to this feature, which is exactly what you'd want to see from a least-privilege perspective:
| Role | Capabilities | Key Distinction |
|---|---|---|
| Entra Backup Administrator | List snapshots, create and cancel difference reports, compare object states, trigger and cancel recovery jobs, view all jobs | Full read/write: can initiate recovery operations |
| Entra Backup Reader | List snapshots, create and cancel difference reports, compare object states, view all jobs | Read-only: can inspect everything but cannot trigger recovery |
Both roles also grant a broad set of directory read permissions, because they need to read users, groups, service principals, applications, and so on in order to generate and display the diff data. The critical difference is that only the Backup Administrator can actually pull the trigger on a recovery. The Reader role is ideal for your security operations team, which can monitor and investigate without the risk of an accidental restore.
Entra Backup Limitations: 5-Day Retention, Report Locking, and Other Caveats
This is a fantastic addition to the platform, but it's important to frame it accurately. There are some real limitations to be aware of before you rely on this as your sole backup strategy.
🕐 Five-day retention only
You get five daily snapshots — that's it. If an attacker makes a subtle change and it isn't detected within five days, or if you need to compare against a known-good state from weeks ago, this won't help. For long-term configuration baselines, you'll still need a third-party solution or your own export pipeline.
🔒 One difference report at a time
Generating a difference report locks the entire backup and recovery subsystem. You cannot create a new report, and you cannot initiate recovery from an existing completed report, while another report is in progress. In a fast-moving incident, this serialisation could slow you down.
⚠️ Recovery is irreversible
There's no "undo the undo." Once you recover objects to a previous state, the current state is gone. The difference report workflow mitigates this risk, but it underscores the importance of careful inspection.
💰 Licensing at GA is unknown
This is currently in public preview and available in the portal. Microsoft hasn't confirmed what the licensing requirements will be when it reaches general availability. It could land in Entra ID P1, P2, Entra Suite or become part of a separate backup SKU.
🔄 On-premises synced objects are excluded from recovery.
They'll show up in reports but can't be restored through this mechanism.
Where Entra Native Backup Fits in Your Identity Protection Strategy
Think of Entra Backup and Recovery as your first responder: the tool you reach for in the first five minutes of an incident when you need to quickly revert a known bad change. Someone accidentally disabled a critical Conditional Access policy? Restore it in a couple of clicks. A service principal's properties got modified during a compromised admin session? Pull up the diff, confirm the damage, and roll it back.
It is not a full replacement for a comprehensive identity backup strategy. The five-day retention window is too short for compliance, long-term audit, or disaster recovery scenarios where the time-to-detection might be weeks or months. If you're in a regulated industry or managing a large, complex tenant, you should still be running a dedicated third-party backup solution alongside this.
But for the vast majority of day-to-day "oops" moments and rapid-response incident scenarios, this is going to save organisations enormous amounts of time, stress, and support tickets. The fact that it's native, automatic, and requires no setup makes it incredibly accessible: even smaller organisations that never had any identity backup now have a safety net.
Final Thoughts: Entra Backup and Recovery Public Preview Is a Strong Foundation
We're genuinely excited about this one. Microsoft has been quietly building out Entra's operational resilience story, and native backup is a feature the community has been asking for for years. The implementation is thoughtful (the difference report workflow is the standout), and the Graph API support means there's real potential for automation.
The five-day window is the main limitation, and we'd love to see Microsoft extend it (even if it requires a premium licence) as the feature matures. But as a v1 in public preview? This is a strong foundation. Go enable it in your test tenant today, run a difference report, and see what's changed. You might be surprised what you find.