ESET Research: China-aligned Mustang Panda’s latest backdoor targets Europe, Asia, and Australia

  • ESET researchers have analyzed MQsTTang, a new custom backdoor that we attribute to the China-aligned Mustang Panda APT group.
  • Confirmed targets are in Bulgaria and Australia, with a likely target in Taiwan.
  • Due to the nature of the decoy filenames used, ESET researchers believe that political and governmental organizations in Europe and Asia are also being targeted.
  • The malware uses the MQTT protocol for Command and Control communication. MQTT is typically used for communication between Internet of Things (IoT) devices and controllers. This protocol hasn’t been used in many publicly documented malware families.
  • MQsTTang is distributed in RAR archives that only contain a single executable. These executables usually have names related to diplomacy and passports.

BRATISLAVA, MONTREAL — March 2, 2023 — ESET researchers have just analyzed MQsTTang, a new custom backdoor that we attribute to the China-aligned Mustang Panda APT group. This backdoor is part of an ongoing campaign that ESET can trace back to early January 2023. ESET Research has seen unknown entities in Bulgaria and Australia in our telemetry as targets. ESET also has information indicating that Mustang Panda is targeting a governmental institution in Taiwan. Due to the nature of the decoy filenames used, ESET researchers believe that political and governmental organizations in Europe and Asia are also being targeted. The Mustang Panda campaign is still ongoing as of this writing, and the group has increased its activity in Europe since Russia’s invasion of Ukraine.

“Unlike most of the group’s malware, MQsTTang doesn’t seem to be based on existing families or publicly available projects,” says ESET researcher Alexandre Côté Cyr, who discovered the ongoing campaign. “This new MQsTTang backdoor provides a kind of remote shell without any of the bells and whistles associated with the group’s other malware families. However, it shows that Mustang Panda is exploring new technology stacks for its tools,” he explains. “It remains to be seen whether this backdoor will become a recurring part of their arsenal, but it is one more example of the group’s fast development and deployment cycle,” concludes Côté Cyr.

Based on our telemetry, ESET Research can confirm that unknown entities in Bulgaria and Australia are being targeted. In addition, a governmental institution in Taiwan appears to be a target. The victimology is unclear, but the decoy filenames make ESET believe that political and governmental organizations in Europe and Asia are also being targeted. This would also be in line with the targeting of the group’s latest campaigns.

MQsTTang is a barebones backdoor that allows the attacker to execute arbitrary commands on a victim’s machine and capture the output. The malware uses the MQTT protocol for Command-and-Control communication. MQTT is typically used for communication between IoT devices and controllers, and the protocol hasn’t been used in many publicly documented malware families. MQsTTang is distributed in RAR archives that only contain a single executable. These executables usually have filenames related to diplomacy and passports. For more technical information about MQsTTang, check out the blog post “MQsTTang: Mustang Panda’s latest backdoor treads new ground with Qt and MQTT” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

NIST Releases New AI Risk Framework to Combat Emerging Threats from Malicious AI

For most of history, our species has found creative ways to use technology for both bad and good. For example, we can harness nuclear energy to produce vast amounts of clean energy, helping to reduce our reliance on fossil fuels. But we can also use nuclear power to create devastating weapons of mass destruction.

The same is true for many other technologies. Is the internet a way to unite people and revolutionize how we access information? Or is it a tool for cyberbullying, identity theft, and spreading misinformation? Well, it’s both.  

Now it’s AI’s turn to fall to the dark side. AI has the potential to transform industries, revolutionize the way we work, and improve our daily lives. And that’s precisely why it’s generated so much buzz in recent years. However, it’s also caught the attention of cybercriminals intent on using it to create AI malware, AI ransomware, and for a range of other deleterious purposes.

But how exactly are cybercriminals leveraging advanced AI tools like ChatGPT? And what are reputable industry bodies like NIST doing to stop them? Let’s get into it.  

ChatGPT & The State of Malicious AI Today 

OpenAI’s ChatGPT has garnered much attention recently, with the tool reaching over one million users in just five days of its launch. But while most people are using the impressive AI for fun or to improve their workflow, cybercriminals are using it for more nefarious purposes, including:

Phishing and spamming: Bad actors could use ChatGPT to generate convincing phishing emails or messages to lure victims into clicking on malicious links, downloading malware, or providing personal information. It can even help create convincing-sounding emails impersonating high-ranking individuals, like a CEO.  

Malware development: Cybercriminals could use ChatGPT to create more sophisticated malware that can evade detection by traditional security measures. In January 2023, Check Point outlined how fledgling and seasoned cybercriminals were using the chatbot to create infostealers and encryption tools.

Scamming: ChatGPT could create convincing scams, such as investment or romance scams, that could trick victims into sending money or providing sensitive information. 

Automated attacks: Cybercriminals could use ChatGPT to automate brute-force attacks or password cracking, making it easier and faster to breach security systems. 

It’s important to note that OpenAI takes measures to prevent its technology from being used for malicious activities by working with law enforcement and security organizations and implementing ethical guidelines. So, for example, if you explicitly ask, it won’t write malicious code. Still, cybercriminals are finding ways around this. For example, some developers experimenting with ChatGPT found that if you detail the steps of writing the malware instead of giving a direct prompt, the AI will construct the malware for you.  

Perhaps the most dangerous thing about ChatGPT from a cybersecurity perspective is that it allows anyone to be a hacker. Before AI, there were several barriers to entry for becoming a hacker. For example, you would need technical skills like knowledge of computer programming and networking and access to specialized tools and resources, usually obtained on the dark web. But AI is helping bridge these gaps even for people with minimal hacking experience.  

The Rise of AI Malware, AI Ransomware, & Sophisticated Attacks 

While security-conscious companies and security researchers are busy finding new and increasingly advanced ways of safeguarding systems, cybercriminals are busy finding ways to bypass these advancements. It’s a constant game of cat and mouse. And the result? Increasingly sophisticated cyberattacks.  

Cybersecurity researchers have already found evidence of well-known cybercriminal gangs hiring pen testers to help break into company networks. The notorious ransomware gang Conti (who racked up a terrifying $182 million in ransomware payments in 2021) is one such group thought to be reinvesting its earnings into hiring experienced tech professionals.  

A natural next step for cybercriminals will be to hire ML and AI experts to create advanced malware campaigns. Cybercriminals may use AI to automate large portions of the ransomware creation process, allowing for accelerated and more frequent attacks. And then we have true AI malware and AI ransomware. This is where hackers create situationally aware malware that analyzes the target system’s defense mechanisms and quickly learns and mimics everyday system communications to evade detection.

NIST’s New AI Risk Management Framework 

On January 26, 2023, The National Institute of Standards & Technology (NIST) issued Version 1.0 of its Artificial Intelligence Risk Management Framework to enable organizations to design and manage trustworthy and responsible AI. But what is this framework all about? 

The AI RMF divides into two parts. The first part frames the risks related to AI and outlines trustworthy AI system characteristics, while the second part describes four specific functions — govern, map, measure, and manage. These four functions are further divided into categories and subcategories and help organizations address AI system risks in practice. In addition, organizations can apply these functions in context-specific use cases and at any stage of the AI life cycle, making them versatile tools.  

Crucially, NIST’s AI Risk Management Framework focuses on changing how we think about AI. It outlines seven characteristics of trustworthy AI, including “Safe” and “Accountable & Transparent,” which are particularly relevant to AI’s use in cybercrime. The “Safe” section emphasizes the importance of designing AI systems that do not cause harm to humans, property, or the environment. Meanwhile, the “Accountable & Transparent” section requires that information and outputs from AI systems be available to all users. This helps prevent cybercriminals from manipulating the AI into providing responses that other users could not elicit. 

Final Thoughts 

The growing use of AI by cybercriminals has led to the emergence of new threats, such as AI ransomware and AI malware. These pose a significant risk to organizations and individuals alike. However, the new NIST AI Risk Management Framework provides a comprehensive approach to addressing these risks. By following its guidelines, organizations can mitigate the threats posed by malicious AI and ensure the development of trustworthy AI systems. As AI technology continues to evolve, organizations must take steps to protect themselves and stay up-to-date with the latest risk management strategies. 

About Portnox
Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.

Why on-prem backup for Azure Active Directory isn’t enough

And 5 reasons why you should back up Azure AD in the cloud

Imagine a busy city with multiple roads leading to various destinations, such as a hospital, a shopping mall, and a stadium. Just like a traffic light controlling the flow of vehicles to and from these destinations, Active Directory (AD) and Azure Active Directory (AAD) control the flow of and access to information from apps and services such as Microsoft 365, Salesforce, Google Workspace, and others. Organizations rely heavily on AD and AAD to ensure a smooth flow of and access to their data.
However, just like how a city can experience traffic jams, frustrations, accidents, and general chaos when the traffic light is out, when AD or AAD is not accessible, the loss of the flow of and access to control-plane information can cause severe business disruption. This post will explore the importance of data protection for Azure AD.

The evolution of identity management: From Active Directory to Azure AD and the need for different backup solutions
But first, how did we come to rely so heavily on AD and AAD? Active Directory was introduced in 1999 as a solution for on-premises identity management, providing a centralized repository for user and device information and allowing administrators to manage these resources effectively and efficiently.

As the use of cloud-based services grew, the need for an identity management solution that could integrate with cloud-based resources became more important.

This led to the creation of Azure Active Directory, which was designed to serve as the bridge between on-premises and cloud resources, not only creating a seamless and secure identity management solution for cloud computing, but also offering a range of features and capabilities (including single sign-on, multi-factor authentication, and conditional access) to help organizations meet their security and compliance requirements.

Microsoft Azure Active Directory and Active Directory seem to be a bit shrouded in mystery. For many, the distinction between them is not always clear, and this distinction becomes even more blurred when it comes to the topic of backing up and protecting the data within each.

Instead of covering all the differences between AD and Azure AD, this post will mainly focus on backup for Azure AD, and it will explore five ways in which AAD requires a different backup solution from the traditional backups used for on-premises AD. Before we can do that though, we need to quickly establish — roughly — what the difference is.

What’s the difference between AD and AAD?
As Stephen Covey put it, “the main thing is to keep the main thing the main thing.” That quote might make more sense if you consider the key difference between cloud and on-prem AD to be the main thing… and in this case, the main difference between the two is that Active Directory is designed for managing user access and application infrastructure for an on-premises world; Azure Active Directory is for managing user access to cloud applications in a cloud-based environment.

Even more simply? Sure: AD is on-prem, AAD is cloud-based.

If you’re interested in exploring the differences further, here’s what Microsoft has to say: Compare Active Directory to Azure Active Directory.

Every object in either AD or Azure AD has one permanent home. That’s the primary copy of the object, and the copy to which changes are applied. If you are on-prem-only, or cloud-only, then there’s only one copy of each object.

In hybrid mode, though, no matter where the object is homed, there will be two copies of it: the primary copy and a synchronized copy on the “other side.”

For organizations using both Active Directory and Azure AD in a hybrid environment, you can think of the cloud copy of an on-prem object as being like a shadow. When you look at a shadow on the pavement, you’re only getting a partial set of information about the real object.

In the same vein, Azure AD only has a partial set of attributes from on-premises AD objects because not every object attribute is replicated to the cloud. However, all the attributes of cloud-based Azure AD objects are stored in full in the cloud. This allows organizations to use Azure AD as an identity provider for on-premises resources and allows for SSO for cloud-based resources.

How does this distinction change backup strategy?

The distinction of where (which environment) your identity objects are homed is paramount. Active Directory backup via on-premises solutions is exactly that: making a backup of on-prem data by copying it to/from an on-premises solution. Azure Active Directory, as a cloud-based application utilizing cloud-based data (and metadata), creates and manages cloud data in the cloud.

Why it matters: Comprehensive data coverage requires the ‘right’ backup
“Some” Azure AD data and metadata only exist in the cloud environment. You could copy these objects to an on-prem storage location (which is roughly as useful as putting backup tapes on top of the server they’re made from), but these objects must be restored to the cloud.

Therefore, with clear gaps in coverage, the data and metadata are not covered holistically. This means your data may not be fully protected when you back up your cloud data with an on-premises Active Directory-oriented tool as your Azure AD backup solution.

In other words: what’s homed on premises and what’s homed in the cloud are physically separate. You introduce new problems for yourself when you cross the streams, including speed of access, data fidelity and quality, and security.

Let’s dive into five reasons why on-prem AD backup is not a viable option for comprehensive backup of Azure AD.

5 things you should consider if you’re backing up AAD on premises

1. Some attributes in Azure Active Directory are not available on premises
If you take an on-prem AD account and sync it to the cloud, the sync process (and Azure AD) adds some attributes to it. Some of these may be synced back to on prem (a process called writeback) but some will not. Backing up Azure AD captures these; backing up the on-prem AD won’t.

2. Azure AD may have user objects or attributes that do not exist on premises

You can define your own users, groups, roles, et cetera, that exist only in the cloud. If you do not back these up independently, they will be neither preserved nor well protected, and your only recourse is to recreate and define these custom entries every time.

And yet not everyone sees the value in protecting these objects when their identity management (IdM) anchor is on prem. Even if an organization’s IdM anchor is on premises, objects and attributes like Intune and conditional access policies are important for several reasons, often forming a key part of organizations’ zero trust security, and, as such, need to be protected against loss or damage. (Read our article on the zero trust principle here.)

Still not convinced of the value of protecting control-plane objects? Here are five reasons that make the case for protecting them:
  • Cloud-based management: Intune and Azure AD conditional access are both cloud-based services that can be accessed and managed from anywhere. They cannot be accessed from on-prem systems, so if you lose the copy in the cloud, it’s gone.
  • Security: Azure AD provides additional layers of security, such as multi-factor authentication and identity protection, that can help to protect against potential security threats such as compromised credentials or unauthorized access.
  • Compliance: Intune and conditional access can help organizations meet compliance requirements, such as HIPAA, by providing features such as device compliance and role-based access control.
  • Scalability: Azure AD allows organizations to scale their IdM infrastructure as needed, without the need for additional hardware or software.
  • Remote work: Intune and conditional access can help organizations to secure and manage remote workers’ devices, even if they are not connected to the on-premises network.

Now are these objects and attributes vital to operations? You can decide for yourself. But, considering the impact that could result from losing these in one data loss scenario or another (and the resource investment required to manually recreate and administer them, not to mention the security concerns of not ensuring the right users have the permissions to access company data), adequate data protection of these should be a business imperative.

3. Azure AD will have configuration/state objects that don’t exist on prem
Enterprise apps, app registrations, Conditional Access (CA) policies, and many other policy- and security-related objects exist only in the cloud. Microsoft’s native protection for these objects is mostly non-existent — delete a conditional access policy, for example, and it’s just gone. Let’s drill down into two important-to-protect Azure AD features:
  • Conditional Access: Azure AD Conditional Access is a feature that allows you to set policies that determine how users are granted access to resources based on conditions such as device compliance, location, and user identity. It allows you to control who can access your resources and under which conditions. This feature can be used to protect against security threats, such as compromised credentials, by requiring multi-factor authentication or other forms of authentication. 
  • Intune: Intune is a mobile device management (MDM) and mobile application management (MAM) service that is integrated with Azure AD. This feature allows you to manage and secure mobile devices, desktops, and apps, including those used by remote workers. It allows you to set policies for devices and apps, such as requiring a passcode or encrypting data, and to remotely wipe a device if it is lost or stolen.

What about the Active Directory Recycle Bin? As these AAD-only configurations/state objects only exist in the cloud, there’s no available recycle bin for these policy objects, so there’s no undo. It’s akin to an immediate hard delete, meaning there is no 30-day or 90-day grace period as there is with soft deletions.

How to recover from hard deletion? Microsoft shares that “hard-deleted items must be re-created and reconfigured. It’s best to avoid unwanted hard deletions.”

Let that sink in for a moment: “It’s best to avoid unwanted hard deletions.” This advice is nigh impossible to follow, as common data loss scenarios, like accidental deletions, are a question of when, not if. It highlights how the Recycle Bin was never intended to be a replacement for dedicated backup. Read our post on why backup is a risk-management imperative here.

4. Record preservation
How long does Azure AD store reporting data? That’s a very good question: According to Microsoft, activity reports are stored as follows:

As you can see, there is no point-in-time record preservation. With a backup, you can preserve and review cloud-only Azure AD data at a specific point in time: examine which permissions, users, groups, and role assignments existed in your directory, check whether an object changed within a specified time period, and keep these records for as long as company or governmental policies require.

Clearly, these benefits are useful for forensic purposes but also for governance and compliance reasons. Learn more in our eDiscovery post (with a customer Office 365 use case).

5. Microsoft doesn’t provide native protection for many cloud-only objects
Microsoft doesn’t provide the same recovery tools in Azure AD as they do for Active Directory itself. According to Microsoft recoverability best practices, it’s clearly important to understand the object types that are protected by Microsoft under soft-deletion and hard-deletion scenarios, visualized here:

The recovery features for soft deletions are typically limited to 30 days retention, so if you want to recover on day 31, it’s too late! The data is gone, as Microsoft shares here in its Azure Active Directory fundamentals:

Soft-deleted objects are hard deleted after a deletion time of 30 days. The only object types that support a soft delete are Users, Microsoft 365 Groups, Application registration, Service principal, administrative unit.

So, the question is this: Are these objects that are automatically hard deleted important to your business operations? And a natural follow-up question is this: Is the 30-day restore period for soft-deleted objects enough protection for your data? (Often, mandatory minimum data retention periods are determined by governments.)
Note: Changes such as editing or overwriting are not covered by the recycle bin, even for objects that would normally be soft deleted. Any change, intentional or otherwise, replaces the previous version with no option of reverting or recovering. When these changes are done accidentally, we euphemistically refer to them as an “oops,” but they are quite serious and actually one of the leading causes of data loss, so this gap in coverage should concern those tasked with ensuring data protection.
The writing on the wall is that native coverage is insufficient for recoverable, comprehensive coverage and that the solution to this coverage gap is having your own third-party backup. This extends your ability to recover these objects for as long as your backup exists. 
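A point-in-time snapshot check for the two gaps described under points 3 to 5, as an added example (not Keepit’s or Microsoft’s code): it reports how many days of native soft-delete recovery remain per deleted object, and diffs two directory snapshots to surface in-place edits and hard deletions that the recycle bin never records. It assumes Graph-style records (`id`, `@odata.type`, `deletedDateTime`); the object-type mapping, snapshots and deleted items are constructed sample data.

```python
"""Point-in-time checks for Azure AD (Entra ID) directory snapshots.

Models two gaps described in the post: only some object types are soft
deleted (and those are hard deleted after 30 days), and in-place edits are
never captured by the recycle bin, so only a snapshot-to-snapshot diff can
show what changed. Field names follow Microsoft Graph; all sample records
below are constructed for this example.
"""
from datetime import datetime, timedelta, timezone

SOFT_DELETE_RETENTION_DAYS = 30

# Object types the post lists as supporting soft delete, expressed as Graph
# @odata.type values (the mapping from the post's wording is an assumption).
SOFT_DELETE_TYPES = {
    "#microsoft.graph.user",
    "#microsoft.graph.group",              # Microsoft 365 groups
    "#microsoft.graph.application",        # app registrations
    "#microsoft.graph.servicePrincipal",
    "#microsoft.graph.administrativeUnit",
}


def supports_soft_delete(odata_type):
    """True if a deleted object of this type lands in the recycle bin at all."""
    return odata_type in SOFT_DELETE_TYPES


def parse_graph_time(value):
    """Graph timestamps look like 2023-02-10T08:15:00Z; make them tz-aware."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def recovery_window(deleted_items, now):
    """Whole days left to restore each soft-deleted item natively.

    0 means the 30-day window has passed: the object is hard deleted and
    only a backup taken earlier can bring it back.
    """
    window = {}
    for item in deleted_items:
        deadline = parse_graph_time(item["deletedDateTime"]) + timedelta(
            days=SOFT_DELETE_RETENTION_DAYS)
        window[item["id"]] = max(0, (deadline - now).days)
    return window


def diff_snapshots(before, after):
    """Compare two snapshots shaped {object id: attribute dict}.

    Returns ids added and removed, plus in-place changes as
    {id: {attribute: (old, new)}}: the part the recycle bin never records.
    """
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = {}
    for oid in set(before) & set(after):
        keys = sorted(set(before[oid]) | set(after[oid]))
        diffs = {k: (before[oid].get(k), after[oid].get(k))
                 for k in keys if before[oid].get(k) != after[oid].get(k)}
        if diffs:
            changed[oid] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def unrecoverable_removals(before, after):
    """Removed objects whose type has no soft delete: gone with no native undo."""
    return [oid for oid in diff_snapshots(before, after)["removed"]
            if not supports_soft_delete(before[oid]["@odata.type"])]


# Constructed sample data: two daily snapshots and a deletedItems listing.
SNAPSHOT_DAY1 = {
    "ca-policy-1": {"@odata.type": "#microsoft.graph.conditionalAccessPolicy",
                    "displayName": "Require MFA for admins", "state": "enabled"},
    "ca-policy-2": {"@odata.type": "#microsoft.graph.conditionalAccessPolicy",
                    "displayName": "Block legacy auth", "state": "enabled"},
    "user-1": {"@odata.type": "#microsoft.graph.user",
               "displayName": "Alice Example", "accountEnabled": True},
}
SNAPSHOT_DAY2 = {
    # The "oops": the policy was edited in place, not deleted.
    "ca-policy-1": {"@odata.type": "#microsoft.graph.conditionalAccessPolicy",
                    "displayName": "Require MFA for admins", "state": "disabled"},
    # ca-policy-2 was deleted; CA policies have no recycle bin.
    "user-1": {"@odata.type": "#microsoft.graph.user",
               "displayName": "Alice Example", "accountEnabled": True},
}
DELETED_ITEMS = [
    {"id": "user-2", "@odata.type": "#microsoft.graph.user",
     "deletedDateTime": "2023-02-10T08:15:00Z"},
    {"id": "group-1", "@odata.type": "#microsoft.graph.group",
     "deletedDateTime": "2023-01-01T00:00:00Z"},
]
NOW = datetime(2023, 3, 2, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("days left to restore:", recovery_window(DELETED_ITEMS, NOW))
    print("changes since last snapshot:", diff_snapshots(SNAPSHOT_DAY1, SNAPSHOT_DAY2))
    print("hard-deleted, no native undo:", unrecoverable_removals(SNAPSHOT_DAY1, SNAPSHOT_DAY2))
```

In practice the snapshots would be taken on a schedule from the directory and stored outside the tenant, which is the point-in-time record the post says native tooling lacks.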

Explore this in more depth here: Azure Active Directory recoverability best practices from Microsoft.

What’s next? Choosing a backup solution for Azure Active Directory

Now that we’ve highlighted the need for dedicated cloud data backup for Azure AD, let’s explore what Keepit provides with its Azure AD service offerings (one of which — Azure AD Standard — is offered completely free of charge).

Leading AAD data protection for your cloud security strategy

Keepit helps you recover business-critical identity and application objects that Microsoft doesn’t protect. Extend your retention period and strengthen security with protection of policies as well as full auditing and traceability of changes. Protect against day-to-day data loss and improve IT efficiencies with the ability to roll back changes and speed up troubleshooting.

Azure Active Directory backup coverage

The Azure AD connector protects the following Microsoft 365 Azure Active Directory objects: Users, Groups, Administrative Units, and Roles. It also protects Audit logs (and Sign-in logs with audit logs enabled).

For an exhaustive coverage list, visit our AAD support site here.

Interested in backing up (and restoring) AAD with Keepit for Azure AD?

To learn more about how you can protect your business-critical data and ensure disaster recovery resolve with Keepit for Azure AD – the leading protection for your cloud security strategy – click here.

About Keepit
At Keepit, we believe in a digital future where all software is delivered as a service. Keepit’s mission is to protect data in the cloud. Keepit is a software company specializing in Cloud-to-Cloud data backup and recovery. Drawing on more than 20 years of experience in building best-in-class data protection and hosting services, Keepit is pioneering the way to secure and protect cloud data at scale.

ESET Research analyzes BlackLotus: A UEFI bootkit that can bypass UEFI Secure Boot on fully patched systems

  • ESET researchers are the first to publish an analysis of BlackLotus, the first in-the-wild UEFI bootkit that is capable of bypassing an essential platform security feature — UEFI Secure Boot.
  • This UEFI bootkit has been sold on hacking forums for USD$5,000 since at least October 2022 and can run even on fully up-to-date Windows 11 systems with UEFI Secure Boot enabled.
  • The bootkit exploits a more than one-year-old vulnerability (CVE-2022-21894) to bypass UEFI Secure Boot and set up persistence for the bootkit. This is the first publicly known, in-the-wild abuse of this vulnerability.
  • The vulnerability was fixed in Microsoft’s January 2022 update; however, its exploitation is still possible and can allow the disabling of operating system security mechanisms such as BitLocker, HVCI, and Windows Defender.
  • BlackLotus is easy to deploy and could spread quickly if placed into the hands of crimeware groups.
  • Some of the BlackLotus installers ESET analyzed do not proceed with bootkit installation if the compromised host uses one of the following locales: Armenia, Belarus, Kazakhstan, Moldova, Russia, or Ukraine.

BRATISLAVA — March 1, 2022 — ESET researchers are the first to publish an analysis of a UEFI bootkit that is capable of bypassing an essential platform security feature – UEFI Secure Boot. The functionality of the bootkit and its individual features make ESET Research believe that it is a threat known as BlackLotus, a UEFI bootkit that has been sold on hacking forums for USD$5,000 since at least October 2022. This bootkit can run even on fully up-to-date Windows 11 systems with UEFI Secure Boot enabled.

“Our investigation started with a few hits on what turned out to be (with a high level of confidence) the BlackLotus user-mode component — an HTTP downloader — in our telemetry late in 2022. After an initial assessment, code patterns found in the samples brought us to the discovery of six BlackLotus installers. This allowed us to explore the whole execution chain and to realize that what we were dealing with here is not just regular malware,” says Martin Smolár, the ESET researcher who led the investigation into the bootkit.

The bootkit exploits a more than one-year-old vulnerability (CVE-2022-21894) to bypass UEFI Secure Boot and set up persistence for the bootkit. This is the first publicly known, in-the-wild abuse of this vulnerability. Although the vulnerability was fixed in Microsoft’s January 2022 update, its exploitation is still possible as the affected, validly signed binaries have still not been added to the UEFI revocation list. BlackLotus takes advantage of this, bringing its own copies of legitimate — but vulnerable — binaries to the system in order to exploit the vulnerability.
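The revocation-list gap described above is something a defender can check on a given machine: the Secure Boot dbx variable is a sequence of EFI_SIGNATURE_LIST structures, and a binary is only blocked if its Authenticode SHA-256 digest (or its signing certificate) appears there. The following Python, added here and not part of ESET's report, parses that format and reports which SHA-256 digests a dbx blob revokes; the sample blob and its digests are constructed placeholders, and the digests of any specific binary would have to be computed separately.

```python
import struct
import uuid

# SignatureType GUID for SHA-256 hash entries, from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
HEADER_LEN = 28  # type GUID (16) + ListSize, HeaderSize, SignatureSize (3 x u32)

def parse_signature_lists(blob):
    """Yield (signature_type, owner_guid, signature_data) for every dbx entry.

    A dbx variable is a sequence of EFI_SIGNATURE_LIST structures: a header,
    an optional per-list header, then fixed-size entries of owner GUID (16
    bytes) plus signature data (the revoked hash or certificate itself).
    """
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        end = off + list_size
        if sig_size <= 16 or end > len(blob) or list_size < HEADER_LEN + hdr_size:
            raise ValueError("malformed EFI_SIGNATURE_LIST sizes")
        pos = off + HEADER_LEN + hdr_size
        while pos + sig_size <= end:  # walk the fixed-size entries of this list
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def revoked_sha256_hashes(blob):
    """Return the set of hex SHA-256 digests the dbx blob revokes."""
    return {data.hex() for t, _, data in parse_signature_lists(blob)
            if t == EFI_CERT_SHA256_GUID}

def is_hash_revoked(blob, hex_digest):
    """True if the given Authenticode SHA-256 digest appears in dbx."""
    return hex_digest.lower() in revoked_sha256_hashes(blob)

def build_sha256_list(hashes, owner=uuid.UUID(int=0)):
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (constructed test input)."""
    body = b"".join(owner.bytes_le + h for h in hashes)
    sizes = struct.pack("<III", HEADER_LEN + len(body), 0, 16 + 32)
    return EFI_CERT_SHA256_GUID.bytes_le + sizes + body

# Constructed sample dbx with two placeholder digests; not real revocation data.
SAMPLE_HASH_A = bytes.fromhex("11" * 32)
SAMPLE_HASH_B = bytes.fromhex("22" * 32)
SAMPLE_DBX = build_sha256_list([SAMPLE_HASH_A, SAMPLE_HASH_B])
```

A real blob can be obtained on Windows with `(Get-SecureBootUEFI -Name dbx).Bytes`, or on Linux from `/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f` after skipping that file's 4-byte attribute prefix.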

BlackLotus is capable of disabling operating system security mechanisms such as BitLocker, HVCI, and Windows Defender. Once installed, the bootkit’s main goal is to deploy a kernel driver (which, among other things, protects the bootkit from removal) and an HTTP downloader responsible for communication with the Command and Control server and capable of loading additional user-mode or kernel-mode payloads. Interestingly, some of the BlackLotus installers ESET has analyzed do not proceed with bootkit installation if the compromised host uses locales from Armenia, Belarus, Kazakhstan, Moldova, Russia, or Ukraine.

BlackLotus has been advertised and sold on underground forums since at least early October 2022. “We can now present evidence that the bootkit is real, and the advertisement is not merely a scam,” says Smolár. “The low number of BlackLotus samples we have been able to obtain, both from public sources and our telemetry, leads us to believe that not many threat actors have started using it yet. We are concerned that things will change rapidly should this bootkit get into the hands of crimeware groups, based on the bootkit’s easy deployment and crimeware groups’ capabilities for spreading malware using their botnets.”

Many critical vulnerabilities affecting the security of UEFI systems have been discovered in the past few years. Unfortunately, due to the complexity of the whole UEFI ecosystem and related supply-chain problems, many of these vulnerabilities have left systems exposed long after they were fixed, or at least long after we were told they had been fixed.

UEFI bootkits are very powerful threats, having full control over the operating system boot process and thus being capable of disabling various operating system security mechanisms and deploying their own kernel-mode or user-mode payloads in early boot stages. This allows them to operate very stealthily and with high privileges. So far, only a few have been discovered in the wild and publicly described. UEFI bootkits may lose on stealthiness when compared to firmware implants — such as LoJax, the first in-the-wild UEFI firmware implant, discovered by ESET Research in 2018 — as bootkits are located on an easily accessible FAT32 disk partition. However, running as a bootloader gives them almost the same capabilities, without having to overcome multiple layers of security features protecting against firmware implants.

“The best advice, of course, is to keep your system and its security product up to date to raise the chance that a threat will be stopped right at the beginning, before it’s able to achieve pre-OS persistence,” concludes Smolár.

For more technical information about BlackLotus, along with mitigation and remediation advice, check out the blog post “BlackLotus UEFI Bootkit: Myth confirmed” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.


Protecting your Data: Best practices for Data Protection Day

Data Protection Day – also known as Data Privacy Day – is an annual event observed on January 28 to raise awareness about the importance of protecting data and data privacy (think NIS Directive, NIS2 Directive, and GDPR).

It’s here to make data protection, such as SaaS data backup and recovery, top of mind—and for good reason.

Businesses must take the necessary measures to not only ensure the continuity of their operations and to protect themselves from the potentially catastrophic outcomes of a data loss event like ransomware, but to also comply with the increasingly strict demands from legislation such as the NIS2 Directive and the GDPR.

Why Is Data Protection Relevant?

As businesses increasingly move operations to software-as-a-service (SaaS) applications to streamline their operations, add flexibility (such as enabling remote work), and reduce operational costs, huge amounts of business-critical cloud data are produced every day, and it becomes ever more important to assess and ensure a robust backup and recovery plan is in place.

There is a widely shared assumption that data stored in a SaaS cloud is automatically backed up and secure since it’s in the cloud. However, that is not always the case as what is offered may not provide the protection necessary for business continuity, data restoration, or compliance: Read more about the M365 shared responsibility model.

Cloud Data Concerns

It should come as no surprise that working with cloud services can come with risks. Ransomware and disaster recovery are more and more frequently in the headlines and serve as cautionary tales. (Read our post about the disruptive power of ransomware attacks here.)

The rapid adoption of SaaS applications has also come with new and increased instances of data loss and breaches—especially in cases where there is a lag between adoption of SaaS apps and adoption of the necessary data protection. Companies may be left vulnerable to costly disruptions, downtime, and devastating fines without an adequate data security plan in place to safeguard mission-critical cloud data.

What Needs to Be Backed Up?

Data protection involves more than “just” backing up cloud SaaS data; it should also ensure control of and continuous access to that data (and the right access for the right users). As with Microsoft 365 and Azure AD (Active Directory), there is a data plane and a control plane – and both need to be protected.

One way to achieve this is to adopt a solution that can not only protect the data plane but can also preserve and protect the control plane, e.g., the admin center. Coverage of identity and application objects businesses rely on to remain operational is vital. For those using Microsoft 365, it’s important to learn about why you also need Azure AD data protection: Find out why in our AAD blog here.

How Do Businesses Protect Their Data?

The best way to mitigate the risks of SaaS is to implement a data protection and management plan. This can involve using cloud-based data backup and recovery solutions which allow businesses to store their data in an independent cloud and access it from anywhere, at any time.

Data protection is especially important for businesses that rely on SaaS data for their operations, which is many, many businesses (Microsoft 365 alone has over 345 million users), as it can help ensure that data is always available, even if there is a disruption with the SaaS provider.

While cloud services can (and do) provide many benefits for businesses, they also present their own set of risks. For example, there is a very real risk that data stored in the cloud could be accessed by unauthorized parties (read our blog about the Zero Trust Principle here), or that data could be lost due to any number of issues, from technical glitches and issues to human error. Therefore, it’s important for companies to follow cloud data protection best practices. Read about backup strategy here.

Data Risks and Responsibility

But why is backing up SaaS data so important? Because it allows companies to mitigate the effects of ransomware and other data loss events. Many SaaS providers (e.g., Google, Microsoft, Salesforce) have shared responsibility models that state that you, the customer, are responsible for the data you create and process.

Here are a few reasons why backup is vital:

  1. Data breaches can happen to anyone.
     While no company is immune to data breaches, having a backup solution in place can help minimize (or even nullify) the impact of a breach, helping businesses get up and running again quickly.
  2. Data loss can be costly.
     Losing data can lead to lost productivity and lost revenue within the company, and it can even result in substantial legal penalties. (Read our NIS2 post here.) According to the World Economic Forum, “historically severe fines for data loss are also helping change the cost-benefit assessment around investment in cybersecurity measures.” By implementing a backup solution, businesses can minimize the impact of data loss, avoid fines, and get back to business as usual faster, and more comprehensively, than without.
  3. The future is uncertain.
     A bit cliché, but it’s impossible to predict the future, and that includes the risks to your data. According to the ESG (Enterprise Strategy Group) ransomware e-Book, “79% of respondent organizations report having experienced a ransomware attack within the last year.” By implementing a backup solution now, businesses can protect themselves against potential risks down the road – which stand only to increase.

Where to Go from Here?

Data Protection Day reminds us that SaaS data (and the protection of it) is essential to many daily operations. Not only that, with the scope and penalties of NIS2 and GDPR, enterprises are obligated to ensure a dedicated data protection solution is in place.

Researching a third-party backup solution like Keepit can simplify the complexity of the current SaaS data protection environment. Businesses can maintain control of their data at all times, protect themselves against data loss events, and mitigate the impacts of breaches and ransomware – all while remaining compliant.

Don’t wait until it’s too late — what better way to celebrate Data Protection Day than to start backing up your SaaS data. Continue your journey by exploring our

About Keepit
At Keepit, we believe in a digital future where all software is delivered as a service. Keepit’s mission is to protect data in the cloud. Keepit is a software company specializing in cloud-to-cloud data backup and recovery. Drawing on more than 20 years of experience in building best-in-class data protection and hosting services, Keepit is pioneering the way to secure and protect cloud data at scale.
