Microsoft Entra ID Backup and Recovery: A Deep Dive
Microsoft has quietly released a preview of Entra ID Backup and Recovery, a feature accessible through the Entra admin center as of March 19, 2026. Although the initial rollout has been understated, this capability represents a significant step forward in protecting critical identity infrastructure. This article examines the functionality, limitations, and implications of this new feature for organizations relying on Microsoft Entra ID.
Understanding Entra ID Backup and Recovery
The Entra ID Backup and Recovery feature provides a state-based backup solution for the core components of Microsoft Entra ID. Access to this functionality requires at least the Entra Backup Reader administrative role. Currently, the feature is available to tenants with Entra P1 or P2 licenses, although some users have reported access without these licenses.
What’s Backed Up?
Backups, taken once daily (currently at 10 PM nightly, with no user-configurable options in the preview), cover “core tenant objects,” including:
- Users
- Groups
- Applications
- Conditional Access policies
- Service principals
- Organization settings
- Authentication methods
- Authorization policy
- Named locations
Unlike backups for workloads like Exchange Online or SharePoint Online, Entra ID backups focus on directory objects rather than both objects and associated data. This difference reduces storage requirements.
Recovery Capabilities and Limitations
Entra ID retains five backups on a rolling basis, providing a maximum recovery period of five days. The recovery process allows filtering by object type or specific object identifier. Recovery time scales with the number of changes to process: Microsoft estimates that processing 500,000 changes can take up to 30 hours.
Currently, objects that are hard-deleted (permanently removed) from Entra ID cannot be recovered using this feature. Microsoft recommends using protected actions to prevent accidental or malicious hard deletions. Recovery operations soft-delete objects where possible, avoiding hard deletions.
Difference Reports for Informed Recovery
The system generates difference reports to highlight changes between the current state of objects and those in a selected backup. These reports aid in determining which backup to restore from. Generating these reports can be time-consuming; a small tenant may require at least 75 minutes for report generation. Currently, these reports cannot be exported for external analysis.
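The difference report compares each object in a backup with its current state and lists what was added, removed or modified. Because the native report cannot be exported yet, the following added example (not Microsoft's code, and not part of the original article) shows the same state-based comparison in PowerShell over two constructed snapshots of Conditional Access policies; the policy ids and names are hypothetical, and the comment about producing real snapshots with the Graph PowerShell SDK is an assumption about how an administrator could apply this to a live tenant.

```powershell
# Added example: a minimal state-based difference report between a backup
# snapshot and the current state. Objects are matched by Id; property-level
# changes are reported so an admin can judge which backup to restore from.
function Get-DirectoryStateDiff {
    param(
        [Parameter(Mandatory)] [object[]] $Backup,   # snapshot taken earlier
        [Parameter(Mandatory)] [object[]] $Current,  # live state
        [string[]] $IgnoreProperty = @('ModifiedDateTime')  # noisy properties to skip
    )
    $backupById  = @{}; foreach ($o in $Backup)  { $backupById[$o.Id]  = $o }
    $currentById = @{}; foreach ($o in $Current) { $currentById[$o.Id] = $o }

    $report = [System.Collections.Generic.List[object]]::new()

    # Objects present in the backup: either deleted since, or compared property by property.
    foreach ($id in $backupById.Keys) {
        if (-not $currentById.ContainsKey($id)) {
            $report.Add([pscustomobject]@{ Id = $id; Change = 'Deleted'; Property = $null; BackupValue = $null; CurrentValue = $null })
            continue
        }
        $b = $backupById[$id]; $c = $currentById[$id]
        $props = @($b.PSObject.Properties.Name) + @($c.PSObject.Properties.Name) | Sort-Object -Unique
        foreach ($p in $props) {
            if ($p -eq 'Id' -or $IgnoreProperty -contains $p) { continue }
            # Flatten scalar and array values to one comparable string.
            $bv = @($b.$p | ForEach-Object { "$_" }) -join ','
            $cv = @($c.$p | ForEach-Object { "$_" }) -join ','
            if ($bv -ne $cv) {
                $report.Add([pscustomobject]@{ Id = $id; Change = 'Modified'; Property = $p; BackupValue = $bv; CurrentValue = $cv })
            }
        }
    }

    # Objects that exist now but were not in the backup.
    foreach ($id in $currentById.Keys) {
        if (-not $backupById.ContainsKey($id)) {
            $report.Add([pscustomobject]@{ Id = $id; Change = 'Added'; Property = $null; BackupValue = $null; CurrentValue = $null })
        }
    }
    return $report
}

# Constructed sample snapshots with hypothetical policy ids (not real tenant data).
# Assumption: in a live tenant each snapshot could be produced with
#   Get-MgIdentityConditionalAccessPolicy -All | Select-Object Id, DisplayName, State
# and kept as JSON (ConvertTo-Json -Depth 10) for later comparison.
$backup = @(
    [pscustomobject]@{ Id = 'ca-0001'; DisplayName = 'Require MFA for admins'; State = 'enabled'; IncludeRoles = @('Global Administrator') }
    [pscustomobject]@{ Id = 'ca-0002'; DisplayName = 'Block legacy auth';      State = 'enabled'; IncludeRoles = @() }
)
$current = @(
    [pscustomobject]@{ Id = 'ca-0001'; DisplayName = 'Require MFA for admins'; State = 'disabled'; IncludeRoles = @('Global Administrator') }
    [pscustomobject]@{ Id = 'ca-0003'; DisplayName = 'Allow guests';           State = 'enabled';  IncludeRoles = @() }
)

# Reports: ca-0001 State modified, ca-0002 deleted, ca-0003 added.
Get-DirectoryStateDiff -Backup $backup -Current $current | Format-Table -AutoSize
```

In this constructed run the report surfaces a policy that was disabled and one that was removed, which is exactly the kind of change an administrator needs to see before choosing a backup: a restore of the older snapshot would re-enable ca-0001 and bring back ca-0002, while ca-0003 would be the object to review separately.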
Building on Existing Recovery Mechanisms
This new feature complements the existing object-level recovery from deletion for users, groups, service principals, administrative units, applications, and Conditional Access policies, which uses a soft-deleted state and recycle bin with a 30-day recovery window. Support for soft deletion for devices is planned but not yet implemented, despite the presence of related cmdlets in the Microsoft Graph PowerShell SDK.
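The recycle-bin recovery described above is driven through the Microsoft Graph PowerShell SDK. The following added example (not Microsoft's code, and not part of the original article) lists soft-deleted users, groups, applications and service principals, works out how many days of the 30-day window remain for each, and wraps the restore call. The `Get-MgDirectoryDeletedItemAs*` and `Restore-MgDirectoryDeletedItem` cmdlets and the `Directory.Read.All` / `Directory.ReadWrite.All` permission scopes are the SDK's real ones; the deleted items used for the offline demonstration at the end, and their ids and names, are constructed.

```powershell
# Added example: recycle-bin recovery status and restore helpers for Entra ID.
# Requires the Microsoft.Graph.Identity.DirectoryManagement module for the live
# functions; the offline demonstration at the bottom needs no connection.
$RecycleBinDays = 30   # recovery window for soft-deleted objects

function Get-SoftDeleteRecoveryStatus {
    # Takes deleted directory objects (anything with Id, DisplayName, DeletedDateTime)
    # and reports how many whole days remain before each is permanently purged.
    param(
        [Parameter(Mandatory)] [object[]] $DeletedItem,
        [datetime] $Now = (Get-Date)
    )
    $nowUtc = $Now.ToUniversalTime()
    foreach ($item in $DeletedItem) {
        $deletedUtc = ([datetime]$item.DeletedDateTime).ToUniversalTime()
        $purgeAt    = $deletedUtc.AddDays($RecycleBinDays)
        $remaining  = [math]::Floor(($purgeAt - $nowUtc).TotalDays)
        [pscustomobject]@{
            Id            = $item.Id
            DisplayName   = $item.DisplayName
            DeletedUtc    = $deletedUtc
            PurgeAtUtc    = $purgeAt
            DaysRemaining = $remaining
            Recoverable   = ($remaining -ge 0)
        }
    }
}

function Get-TenantDeletedItems {
    # Live query of the recycle bin for the object types that support soft deletion.
    # Run Connect-MgGraph -Scopes 'Directory.Read.All' first.
    @(
        Get-MgDirectoryDeletedItemAsUser             -All -Property Id,DisplayName,DeletedDateTime
        Get-MgDirectoryDeletedItemAsGroup            -All -Property Id,DisplayName,DeletedDateTime
        Get-MgDirectoryDeletedItemAsApplication      -All -Property Id,DisplayName,DeletedDateTime
        Get-MgDirectoryDeletedItemAsServicePrincipal -All -Property Id,DisplayName,DeletedDateTime
    )
}

function Restore-SoftDeletedObject {
    # Restores one object from the recycle bin (soft delete only; hard-deleted
    # objects are gone). Requires Connect-MgGraph -Scopes 'Directory.ReadWrite.All'.
    param([Parameter(Mandatory)] [string] $ObjectId)
    Restore-MgDirectoryDeletedItem -DirectoryObjectId $ObjectId
}

# Offline demonstration on constructed items with hypothetical ids, evaluated as
# of a fixed point in time so the result does not depend on when it is run.
$sample = @(
    [pscustomobject]@{ Id = '11111111-0000-0000-0000-000000000001'; DisplayName = 'Finance Approvers';       DeletedDateTime = '2026-03-01T08:00:00Z' }
    [pscustomobject]@{ Id = '11111111-0000-0000-0000-000000000002'; DisplayName = 'jdoe@contoso.example';    DeletedDateTime = '2026-03-18T22:30:00Z' }
    [pscustomobject]@{ Id = '11111111-0000-0000-0000-000000000003'; DisplayName = 'Legacy Reporting Svc';    DeletedDateTime = '2026-02-10T12:00:00Z' }
)
$asOf = ([datetime]::Parse('2026-03-20T00:00:00Z')).ToUniversalTime()
Get-SoftDeleteRecoveryStatus -DeletedItem $sample -Now $asOf | Format-Table -AutoSize

# Live usage, once connected:
#   Get-TenantDeletedItems | Get-SoftDeleteRecoveryStatus |
#       Where-Object Recoverable | Sort-Object DaysRemaining
#   Restore-SoftDeletedObject -ObjectId '<object id from the list>'
```

The status function is deliberately separated from the Graph calls so the window arithmetic can be checked on constructed data; in the sample, the item deleted on 10 February has already passed the 30-day window and is flagged as not recoverable, which is the case where the new backup feature cannot help either, since its retention is only five days.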
Implications for Tenants and ISVs
The introduction of Entra ID Backup and Recovery provides tenants with a native backup and recovery solution, while also presenting both opportunities and challenges for Independent Software Vendors (ISVs) in the backup space. It sets a new baseline for backup products and warrants attention from tenant administrators.
Key Takeaways
- Entra ID Backup and Recovery offers a native, state-based backup solution for core directory objects.
- Backups are automated, daily, and retained for five days.
- Recovery is possible by object type or identifier, but hard-deleted objects cannot be recovered.
- Difference reports assist in informed recovery decisions, but export functionality is currently missing.
- The feature complements existing object-level recovery mechanisms.