How to discover cloud-only Azure AD objects with Quest On Demand Recovery

Do you know how many cloud-only users, groups and attributes you have in your Azure Active Directory? When we ask our customers this question, too often they reply “I don’t know” or don’t realize why it’s important.

In most organizations with a hybrid AD environment, the on-prem AD is the primary source of authentication and authorization, and is synchronized to Azure AD using Azure AD Connect. On-prem credentials authenticate users to Office 365 and other cloud applications, and if you have an on-prem backup and recovery solution like Quest Recovery Manager, your data is protected.

Actually, it’s not that simple. The fact is, it’s practically impossible to run Office 365 or Azure without creating some cloud-only objects. Objects and attributes that are created in the cloud are not usually synchronized back to the on-premises AD. That means they are not covered by on-premises backup and recovery solutions.

For example, every Azure AD user has an Office 365 license type that determines which Office 365 features the user is entitled to use. If that user object is deleted, you could recover the on-premises AD user object and use Azure AD Connect to sync it back up to Azure AD — but the license type attribute would be gone, leaving the user unable to work in the cloud until you resolve the problem manually.

That’s just one example. Here’s another common use case. Azure AD offers two special kinds of user accounts to help you support your external customers and partners: B2B and B2C accounts. Organizations often have thousands or even millions of these accounts. By design, however, Azure B2B and B2C accounts are not Microsoft Azure Enterprise accounts, and therefore they are not part of the Azure AD Connect synchronization, either.

Here’s where Quest comes in. You can use On Demand Recovery to run a report that scans your entire environment and clearly differentiates which objects are on-prem and synced to Azure AD vs. which are cloud-only objects not covered.

Here’s a video that shows you how to run this report!

So now that you’ve seen how easy it is to run the cloud-only objects report, we invite you to run this report in your tenant today! You can sign up for a free 30-day trial of On Demand. It’s all SaaS – so you don’t have to install anything to run this report. Just sign up, connect to your tenant and go!

Simply to go!

Leave a Reply