Why Microsoft Azure Active Directory Backup Is Needed
The Nightmare of No Backup
Today’s CIOs, CISOs, and other IT leaders wear many hats. With the global surge in cybercrime—particularly ransomware attacks—and occasional outages of cloud services, enterprise risk management is just the latest initiative that needs attention.
What would happen to your organization’s day-to-day operations if your Microsoft Azure Active Directory (Azure AD) stopped working? How long would it take to recover—and would you even be able to recover, fully? If the Active Directory Domain Controller (AD DC) becomes unavailable, then related users cannot log in and systems cannot function properly, which can cause troubles in your environment. That’s why backing up your Active Directory is important.
Increasingly, IT professionals recognize that, under the shared responsibility model, protecting SaaS data in cloud services is the customer’s job, not the cloud provider’s. However, comparatively few realize that failing to create backups of the data associated with identity and access management (IAM) services introduces business risk.
Too many organizations will find out the hard way that not having a backup of Azure AD can have costly consequences—and we don’t want you to be one of them!
Is Backup for Azure AD Necessary?
Managing more than 1.2 billion identities and processing over 8 billion authentications every day, Azure AD is a foundational piece of infrastructure in countless organizations—from small businesses all the way up to the world’s largest organizations.
Serving as a universal platform to manage and secure identities, Azure AD helps team members sign in and access:
- External resources: Microsoft 365—including SharePoint, Teams, OneDrive, and Exchange—the Azure portal
- Internal resources: apps on your corporate network and intranet, along with any cloud apps developed by your own organization
Behind the scenes, IT administrators use Azure AD to control access to your apps and your app resources based on the specifics of each user’s role and your business requirements. In Microsoft’s words, “You can use Azure AD to require multi-factor authentication when accessing important organizational resources.”
“Additionally, you can use Azure AD to automate user provisioning between your existing Windows Server AD and your cloud apps, including Microsoft 365. Finally, Azure AD gives you powerful tools to automatically help protect user identities and credentials and to meet your access governance requirements.”
In short: Azure AD is part of the infrastructure of modern organizations—and as is the case with any piece of infrastructure, very bad things happen very quickly if it stops working.
Disaster vs. “Oops” Recovery
When identity and access management (IAM) services work as intended, you barely notice them—especially with modern conveniences like single sign-on (SSO). Maybe you encounter the occasional multi-factor authentication (MFA) requirement, but, for the most part, all the real-time, behind-the-scenes magic is not transparent to the end user.
If you consider the reasons people do backups in the first place, there are two main ones with a host of sub-reasons. First, people need disaster recovery. There are different types of disasters, with various levels of severity—for instance, “total lockout due to ransomware” is probably worse than “fire in the server room” but not as bad as “Russian invasion.” By design, there are ways to mitigate many of these disasters in the cloud besides your own backups, such as Microsoft’s native data protection for Exchange Online which keeps multiple geographically distributed copies of your mail data.
Second, and maybe more importantly, people need “oops recovery.” This is a technical term that essentially means “protection against human mistakes, carelessness, or even malice, but generally below the scale of a disaster.” If you doubt the need for this, consider whether you’ve ever had to use the Recycle Bin in desktop Windows, or Active Directory, or SharePoint, or file versioning in Word, or any of the other myriad of oops-protection features in the software we use daily.
Microsoft has invested quite a bit of money in providing user-level oops recovery, including versioning in OneDrive and SharePoint, various recycle mechanisms for recovering deleted objects, and various preservation and hold mechanisms. However, one area where the native protection tools are weak is the directory.
Real-Life Example: Sabotaged Microsoft 365 User Accounts Result in Shutdown and Months of Recovery
We don’t need to speculate, because the U.S. Department of Justice recounts the experience of a California-based company that was the victim of a retributive attack in which a former IT consultant sabotaged the organization’s Microsoft 365 user accounts.
The attack affected the bulk of the company’s employees and completely shut down the company for two days. As the company’s Vice President of Information Technology (IT) explained, the impact was felt inside and outside the company. Employees’ accounts were deleted—they could not access their email, their contacts list, their meeting calendars, their documents, corporate directories, video and audio conferences, and virtual Teams environment necessary for them to perform their jobs. Outside the company, customers, vendors, and consumers were unable to reach company employees (and the employees were unable to reach them). No one could inform these buyers what was going on or when the company would be operational again.
Unfortunately, even after those two days, the problems remained. Employees were not receiving meeting invites or cancellations, employees’ contacts lists could not be completely rebuilt, and affected employees could no longer access folders to which they previously had access. The Carlsbad, CA company repeatedly handled multitudes of IT problems for three months.
- The company was effectively shut down—completely—for two days.
- Customers, as well as internal team members, were severely impacted.
- The ripple effects lasted 4400% longer than the outage itself.
And keep in mind that these outcomes were the result of one angry contractor. It’s not hard to envision a scenario—say, a sophisticated ransomware attack or a prolonged infrastructure outage—with even larger consequences.
Microsoft Azure Active Directory Backups Are Essential
First, it’s important for IT leaders to recognize that the M365 Recycle Bin was never intended to be an enterprise-level recovery solution, and your idea of disaster “recovery” may be vastly different from Microsoft’s.
To be resilient in the face of Azure AD outages, compromises, and misconfigurations, your organization needs to be able to search and access Active Directory data quickly and easily, both to use while recovery is underway and to speed up the recovery itself.
That is why truly managing risk requires a third-party backup solution that:
- Protects users and groups by providing snapshot-based restoration and timeline-based comparative analysis
- Preserves roles and permissions, with change tracking and straightforward comparisons
- Enables compliance and eDiscovery by, for instance, capturing audit and sign-in logs, supporting log analysis, ensuring long-term retention, and enabling restoration to another site
- Accommodates growth into policies and devices by preserving device information and conditional access policies
Again, these requirements extend well beyond the functionality of Microsoft’s backup capabilities because they have a much broader and deeper intent.
Make the Right Choice to Safeguard Your Azure AD Infrastructure
Zerto Backup for Azure AD from Zerto, a Hewlett Packard Enterprise company, provides full protection for the core of your business. This backup solution is a simple yet powerful service to help you take control by safeguarding your Azure AD infrastructure from accidental deletions, ransomware, and other potentially devastating Active Directory outages.
Providing the most complete Azure AD backup coverage in the market, Zerto:
- Helps you avoid disruption due to lost or inaccessible data by enabling instant search and comprehensive recovery across Users, Groups, Roles, Administrative Units, Audit Logs, and Sign-In Logs
- Simplifies data compliance by allowing you to view Azure AD at points in the past to quickly see what changes have occurred and—if necessary—correct them
- Provides security, using Blockchain-based encryption technology to ensure backups are immutable to modification (e.g., by ransomware) and data loss
- Is cost-effective, removing expensive costs associated with long-term on-premises or cloud-based storage
Too many organizations will learn from experience that an Active Directory disruption can have costly consequences. Zerto Backup for Microsoft Azure Active Directory helps you avoid that same fate.
To learn more, visit our Zerto Backup for SaaS page and see what other SaaS applications can also be protected.
For more specific questions, simply get in touch or request a demo.