Restoring Azure Active Directory to Its Current Location (In Place)

Restore your backed up objects or attributes to the original location in Azure Active Directory. You can perform in-place restores using the Azure Active Directory application.

Note

  • Users and groups synced from on-premises Active Directory are read-only objects in Azure Active Directory. The synced objects are backed up as part of scheduled backups. When performing a restore operation, note the following:

    • The restore operation for synced objects completes successfully, but no attributes are restored from the backup because the object is read-only.

    • If the user or group has been deleted from on-premises Active Directory, restore it on-premises first. If the object is restored only in Azure AD, it is restored with the On-premises sync enabled property set to 'No'.

  • Restore of mail-enabled security groups is not supported due to a limitation of the Microsoft Graph API.
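Both caveats in this note can be checked before you select objects in the Backup content page. The following script is an added example and is not part of the Commvault documentation or product; it uses the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph) with read-only scopes to classify each candidate object as synced from on-premises AD, as a mail-enabled security group, or as safe for in-place restore. The Object IDs in $candidates are placeholders that you replace with IDs from your own tenant.

```powershell
# Added example (not Commvault code): pre-restore check of Azure AD objects with
# the Microsoft Graph PowerShell SDK. Read-only scopes are sufficient.
Connect-MgGraph -Scopes 'User.Read.All', 'Group.Read.All'

# Constructed input: object type and Object ID of each item you plan to restore.
# The IDs below are placeholders, not real directory objects.
$candidates = @(
    @{ Type = 'User';  Id = '00000000-0000-0000-0000-000000000001' }
    @{ Type = 'Group'; Id = '00000000-0000-0000-0000-000000000002' }
)

$report = foreach ($c in $candidates) {
    $live = $null
    try {
        if ($c.Type -eq 'User') {
            $live = Get-MgUser -UserId $c.Id -ErrorAction Stop `
                -Property id,displayName,onPremisesSyncEnabled
        } else {
            $live = Get-MgGroup -GroupId $c.Id -ErrorAction Stop `
                -Property id,displayName,onPremisesSyncEnabled,mailEnabled,securityEnabled
        }
    } catch {
        # Not found in the live directory: the object is deleted (or the ID is wrong).
    }

    if (-not $live) {
        [pscustomobject]@{
            Type        = $c.Type
            Id          = $c.Id
            DisplayName = '(not found)'
            Synced      = 'unknown'
            Verdict     = 'Not in live directory; if it was synced, restore it in on-prem AD first'
        }
        continue
    }

    # onPremisesSyncEnabled is true for objects mastered by on-prem AD (read-only in Azure AD).
    $synced  = [bool]$live.OnPremisesSyncEnabled
    # A group that is both mail-enabled and security-enabled is a mail-enabled security group.
    $mailSec = ($c.Type -eq 'Group') -and $live.MailEnabled -and $live.SecurityEnabled

    $verdict = if ($mailSec) {
        'Unsupported: mail-enabled security group'
    } elseif ($synced) {
        'Read-only synced object: restore completes but attributes are not restored'
    } else {
        'OK for in-place restore'
    }

    [pscustomobject]@{
        Type        = $c.Type
        Id          = $live.Id
        DisplayName = $live.DisplayName
        Synced      = $synced
        Verdict     = $verdict
    }
}

$report | Format-Table -AutoSize
```

Run the script before opening the Restore dialog so that objects flagged as synced are restored on-premises first and mail-enabled security groups are excluded from the selection.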

Required Privileges

For additional security, Microsoft requires an elevated privilege in the form of a delegated access token to restore user accounts in Azure AD. This privilege is required only when restoring user accounts; it is not required to restore other object types in Azure AD. There are two ways to acquire the delegated access token before restoring a user.

To acquire the delegated access token only when required to restore a user account
  1. When restoring a user account, on the Restore options dialog, expand the Acquire delegated access token section.

  2. Next to the Azure AD app, click the action button, and then click Acquire delegated access token.

    During this process you may be prompted, by Microsoft, to sign in with an account that has the privileges to acquire a delegated access token. A global administrator has these privileges.

  3. Click Proceed to finish.

  4. Click Submit to start the restore job.

Note

If you acquire the delegated access token from the Restore options dialog box, the token is acquired and used for that restore job only. The elevated privilege is not stored by our application, and you will be prompted to acquire a new delegated access token when restoring user accounts in the future. Choose this option if you do not want to store elevated privileges in our application and only want to provide elevated privileges when required, and only for the duration required.

To permanently assign the delegated access token to Commvault Cloud
  1. From the Azure AD client page, go to the Configuration tab.

  2. Next to the Azure app, click the action button, and then click Acquire delegated access token.

    During this process you may be prompted, by Microsoft, to sign in with an account that has the privileges to acquire a delegated access token. A global administrator has these privileges.

  3. Click Proceed to finish.

  4. Click Close.

Note

If you acquire the delegated access token from the Configuration screen, the token is acquired and saved by Commvault for use in future restore operations. Choose this option if you do not want to be challenged to consent to elevated privileges each time you attempt to restore a user account.

Procedure

  1. From the navigation pane, go to Protect > Active Directory.

    The Active Directory page appears with a list of Active Directory and Azure Active Directory apps.

  2. In the row for the Azure Active Directory app, click the action button, and then click Restore.

    The Backup content page appears.

  3. In the upper-left area of the page, from the list of objects in the backed up tenant, select an object type to view the objects.

  4. Optional: To find specific objects, enter the object name in the Search all box, or enter the object's ID in the Object ID box.

  5. To hide deleted items, click the action button, and then click Hide deleted items.

  6. To show the list of deleted items, click the action button, and then click Show deleted items only.

  7. Select the check boxes for the objects that you want to restore.

    Tip

    When you select an individual object, the attributes of the object appear in the Object properties pane. If you select multiple objects, the object attributes are not displayed.

  8. In the upper-left area of the page, click Restore.

    The Restore dialog box appears.

  9. By default, Overwrite unconditionally is selected, so objects that already exist in the destination location in Azure AD are overwritten.

    To skip the restore of objects that already exist in the destination location, click Skip.

  10. To restore the relationships of all objects, attributes, and organizational units, move the Restore Relationship toggle key to the right.

  11. If you have not previously acquired a delegated access token, you will be prompted to do so here.

    Steps to acquire a delegated access token
    1. Expand the Acquire delegated access token section.

    2. Next to the Azure AD app, click the action button, and then click Acquire delegated access token.

      During this process you may be prompted, by Microsoft, to sign in with an account that has the privileges to acquire a delegated access token. A global administrator has these privileges.

    3. Click Proceed to finish.

  12. Click Submit.
