Entra Backup & Recovery
- Microsoft introduced Entra Backup and Recovery to protect identity configurations and objects from corruption or malicious change.
- The service is native to Entra and is designed to restore policies, groups, and role assignments after tampering.
- That reframes identity as a recoverable control and suggests adding backup and recovery telemetry to identity dashboards (azurefeeds.com).
Identity systems now have a built-in rollback button in Microsoft Entra, with a new preview service that restores directory data after bad changes or tampering. (learn.microsoft.com)

Microsoft disclosed Microsoft Entra Backup and Recovery in a March 24, 2026 blog post and lists it as a public preview in Entra release notes. The service is always on by default and is designed to recover a tenant to a previously known good state after accidental updates or security compromises. (techcommunity.microsoft.com) (learn.microsoft.com)

The product automatically backs up supported objects once a day and keeps up to five days of backup history, according to Microsoft’s overview. Supported objects include users, groups, applications, service principals, Conditional Access policies, named locations, authentication method policy, and partial authorization policy. (learn.microsoft.com)

Identity backup is different from file backup: it captures the settings that decide who can sign in, what apps they can use, and which admins can change security controls. Microsoft says the service can restore, soft-delete, or update supported objects and attributes during recovery. (learn.microsoft.com)

That fills a gap left by soft delete, which helps when an object is removed but not when it is still there in the wrong state. Microsoft’s documentation and partner writeups both point to cases like altered Conditional Access rules or bulk attribute corruption, where the object survives but the security posture does not. (learn.microsoft.com) (techcommunity.microsoft.com)

Microsoft also built a “difference report” workflow so administrators can compare a backup with the current tenant before they restore anything. The company says customers can recover an entire object class, a specific object type, or individual object IDs for more targeted fixes. (learn.microsoft.com) (azurefeeds.com)

The service is native to Entra rather than a separate backup product, and Microsoft is also exposing backup and recovery functions through Microsoft Graph beta APIs. That gives security and identity teams a way to pull recovery status and backup data into existing automation and monitoring tools. (learn.microsoft.com)

Recovery has limits. Microsoft says only one recovery can run at a time, and preview features are covered by Azure preview terms rather than general availability commitments. (learn.microsoft.com 1) (learn.microsoft.com 2)

For authentication methods, Microsoft says administrators can restore trusted data to an earlier state or remove untrusted entries and require users to register again. That puts identity recovery closer to the incident-response playbooks that companies already use for endpoints, servers, and cloud workloads. (learn.microsoft.com)

Microsoft’s pitch is straightforward: if identity is the control plane for Microsoft 365 and Azure, it also needs its own recovery plan. Entra Backup and Recovery turns that plan into a product feature instead of a manual scramble. (techcommunity.microsoft.com)
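The difference-report idea and the restore, soft-delete, or update actions described above can be shown with a small added example; it is not Microsoft's code and not from the original page. It compares a constructed backup snapshot of Conditional Access policies with a constructed current state. The policy IDs, attribute names, and the mapping of each kind of drift to a recovery action are assumptions made for illustration, and no Graph API is called.

```python
# Added illustration: snapshots are constructed sample data, not Microsoft Graph output.
# Attribute names (state, grantControls, excludeGroups) are hypothetical simplifications.

def difference_report(backup, current):
    """Compare two {object_id: attributes} snapshots of one object type.
    Each row is (object_id, action, attributes): 'restore' if the object is gone,
    'update' if it exists but differs, 'soft-delete' if created after the backup."""
    report = []
    for oid in sorted(backup.keys() | current.keys()):
        old, new = backup.get(oid), current.get(oid)
        if new is None:
            report.append((oid, "restore", sorted(old)))
        elif old is None:
            report.append((oid, "soft-delete", sorted(new)))
        else:
            changed = sorted(k for k in old.keys() | new.keys()
                             if old.get(k) != new.get(k))
            if changed:
                report.append((oid, "update", changed))
    return report


def scope(report, object_ids):
    """Limit a report to individual object IDs for a targeted recovery."""
    wanted = set(object_ids)
    return [row for row in report if row[0] in wanted]


# Constructed sample: Conditional Access policies keyed by placeholder IDs.
BACKUP = {
    "ca-001": {"displayName": "Require MFA for admins", "state": "enabled",
               "grantControls": ["mfa"], "excludeGroups": []},
    "ca-002": {"displayName": "Block legacy auth", "state": "enabled",
               "grantControls": ["block"], "excludeGroups": []},
}
CURRENT = {
    # Still present, so soft delete has nothing to recover, but MFA is no longer enforced.
    "ca-001": {"displayName": "Require MFA for admins", "state": "disabled",
               "grantControls": ["mfa"], "excludeGroups": ["grp-placeholder"]},
    # ca-002 was deleted; ca-003 did not exist when the backup was taken.
    "ca-003": {"displayName": "Unreviewed policy", "state": "enabled",
               "grantControls": [], "excludeGroups": []},
}

if __name__ == "__main__":
    for oid, action, attrs in difference_report(BACKUP, CURRENT):
        print(f"{oid}: {action} ({', '.join(attrs)})")
```

The `update` row for `ca-001` is the case soft delete cannot address: the object still exists, and only an attribute-level comparison shows that its state and exclusions changed.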