Entra ID Finally Gets an Undo Button: Inside Backup and Recovery
TL;DR
- Entra Backup and Recovery entered public preview in March 2026, requires Entra ID P1 or P2, and runs automatically with zero configuration.
- Backups cover a five-day rolling window and are tamper-proof: no admin can disable or delete them.
- Recovery is property-level, not full-state; each object type has a defined set of recoverable properties, and hard-deleted objects are out of scope.
- Attackers like Scattered Spider and Storm-0501 modify Conditional Access policies for persistence (MITRE T1556.009), and this feature can revert those changes.
- Difference reports can take 25+ minutes on larger tenants in preview, so run them proactively before a live incident.
Until March 2026, deleting the wrong security group in Entra ID was a permanent mistake. No recycle bin, no soft-delete window, no rollback. A misconfigured Conditional Access policy meant a manual rebuild. A corrupted service principal meant starting from scratch. The recovery toolkit was audit logs (which tell you what happened but cannot undo it), screenshots if someone thought to take them, and Graph API export scripts if your team had built them.
That changed when Microsoft quietly dropped Entra Backup and Recovery into public preview in March 2026. Here is what it covers, how a recovery actually runs, and the limits to understand before you depend on it.
What you get, at a glance
| Status | Public Preview |
| License | Entra ID P1 or P2 |
| Retention | 5-day rolling window (previous 5 days) |
| Setup | Zero configuration, runs automatically |
| Security | Tamper-proof, no admin can disable or delete |
Who actually needs this? Two scenarios
The accidental change. The most common recovery scenario for MSPs: a junior admin deletes the wrong group, a bulk user update script runs with bad data, or a CA policy gets modified during a change window and locks out a subset of users. These incidents happen fast and are usually caught within hours, well inside the five-day window. The recovery path is now straightforward: browse to the backup, run a difference report, scope the recovery, restore.
The attacker with a foothold. The more dangerous scenario is not the accident. It is the attacker who has already gained access and is quietly modifying the environment to maintain persistence, such as disabling Conditional Access policies or adding exclusions to them.
This technique is cataloged as MITRE ATT&CK T1556.009, Modify Authentication Process: Conditional Access Policies. Tactics: Persistence (TA0003), Defense Evasion (TA0005), Credential Access (TA0006). Documented actors include Scattered Spider and Storm-0501. Reverting those modifications used to mean reconstructing the policy from memory. Now it can mean restoring it from yesterday's backup.
What the backups actually cover

The following object types are selectable in the recovery portal, matching what is available in the admin center UI:
- Applications
- Authentication Method Policy
- Authentication Strength Policies
- Authorization Policy
- Conditional Access Policies
- Groups
- Named Location Policies
- Organization
- Service Principals, App Role Assignments, and OAuth2 Permission Grants (grouped as one recoverable unit)
- Users
One important precision point: this is property-level recovery, not a complete full-state rollback of every attribute on an object. Each object type has a defined set of recoverable properties. For groups, for example, you can recover DisplayName, Description, SecurityEnabled, and MailEnabled, but group ownership changes and dynamic group membership rules are explicitly out of scope. Review the supported objects and properties reference (opens in new tab) before you rely on this in a recovery scenario.
Running a recovery, start to finish
1. Browse your restore points
In the Entra admin center, navigate to Backup and recovery > Backups. You see up to five restore points representing the previous five days. From here you can select one and create a difference report.

2. Run a difference report (do not skip this)
Before recovering anything, generate a difference report comparing the selected backup against the current state of the tenant. It shows attribute-level changes: exactly what changed, on which objects, and how. This is how you scope a recovery precisely and avoid rolling back legitimate changes alongside the ones you actually want to fix.

Preview caveat: difference report generation can take 25 minutes or more on larger tenants. The first time you access a backup, whether through a report or a recovery, the service loads that backup's data, which takes fixed time regardless of tenant size. Subsequent operations on the same backup are faster. Run reports proactively in your environment so you know the wait time before you are in a live incident.
3. Scope and trigger the recovery
Three recovery scopes are available:
- Recover all objects: full restore of all supported objects in the backup
- Recover by object type: scope to a specific category, e.g. Conditional Access Policies only
- Recover specific objects by Object ID: precision targeting of up to 100 individual objects
The report lists every object changed since the previous backup:

From here you can recover all items, all items of a type (groups, CA policies, and so on), or a specific object. Below is a Conditional Access policy that was disabled and had a new user added to its exclusions. Recovering this object reverts it to its state before the change:

All recovery actions are logged to the audit trail and appear in the Recovery History pane. Recovery history is retained for five days after job completion, so document your actions if you need a longer record for compliance or post-incident reporting.
Who can restore what
Two new roles ship with the feature:
| Role | Permissions |
|---|---|
| Backup Reader | View backups and browse difference reports. Cannot trigger a recovery. |
| Backup Administrator | Full access including initiating recoveries. Global Admin includes this role by default. |
The honest limits list
This is a meaningful feature. It is also a preview, with real constraints worth being upfront about with your team and your clients.
| Limit | Detail |
|---|---|
| Hard-deleted objects | Cannot be recovered. Only soft-deleted or modified objects are in scope. |
| Five-day limit | Changes undetected beyond the window cannot be recovered with this tool. |
| Intune and Defender | Device configurations and Defender for Identity settings are not covered. |
| On-prem / hybrid AD | Synced object changes appear in difference reports but are automatically excluded from recovery. A separate backup strategy is still required for on-prem AD. |
| Property-level only | Recovery applies to supported properties, not a complete full-state object rollback. Review the supported properties list per object type. |
| Preview report timing | Difference report generation can take 25+ minutes on larger tenants. This should improve over time. |
Behavior may change before general availability. For the full technical reference, see the Entra Backup and Recovery documentation (opens in new tab) and the supported objects and properties reference (opens in new tab).
Frequently asked questions
Does Entra Backup and Recovery need to be set up?
No. It runs automatically with zero configuration on tenants with Entra ID P1 or P2, and no administrator can disable or delete the backups.
Can it restore a hard-deleted object?
No. Only soft-deleted or modified objects are in scope. Hard-deleted objects cannot be recovered with this tool.
Does it cover synced on-prem AD objects?
Synced object changes appear in difference reports but are automatically excluded from recovery. A separate backup strategy is still required for on-prem Active Directory.
Who can run a recovery?
The new Backup Administrator role has full access including initiating recoveries, and Global Admin includes it by default. Backup Reader can view backups and browse difference reports but cannot trigger a recovery.
Recovery is the last resort. Catching the change is the first.
A disabled Conditional Access policy or a quiet exclusion is drift, and drift is what CloudCapsule watches for: 250+ controls across every tenant, scanned in about 60 seconds, with the deltas to prove what changed.
Run a free scan
Written by
Nick Ross
CEO · Microsoft MVP · Founder, T-Minus 365
Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.
Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.
Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.


