Microsoft quietly rolled out one of the most requested enterprise features in the history of Azure Active Directory / Microsoft Entra ID: native Backup & Recovery. The preview was released to tenants on March 19, 2026, and lets administrators back up and restore critical identity configuration directly from the Entra admin center — without needing third-party tools or complex scripting workarounds.

Note on Documentation: As of late March 2026, Microsoft has not yet published official documentation for this feature on Microsoft Learn. The guidance in this post is based on hands-on experience with the preview. Treat it as a practical field guide and verify behavior in your own tenant.

If you've ever lost a Conditional Access policy, accidentally deleted a group that controlled access to a production app, or experienced a configuration drift that took hours to untangle, this feature is for you.

Preview Notice: Microsoft Entra ID Backup & Recovery is currently in public preview. Features, behavior, and licensing requirements may change before general availability. Do not rely on this feature as your sole recovery mechanism in production environments.


What Is Microsoft Entra ID Backup & Recovery?

Microsoft Entra ID Backup & Recovery is a built-in capability that allows organizations to:

  • Take backups of their Entra ID tenant configuration, either on Microsoft's automatic daily schedule or on demand
  • Restore individual objects (users, groups, applications, service principals) or entire configuration sets
  • Review backup history and compare configuration states across time
  • Protect against accidental deletions, misconfiguration, and insider threat scenarios

This is a significant shift from the previous model, where recovery depended on the Recycle Bin (30-day soft delete), audit logs, or expensive third-party identity backup solutions like AvePoint, Veeam, or Quest.


Why This Feature Matters

The Identity Recovery Gap

Until now, Microsoft Entra ID had no native, point-in-time recovery for tenant configuration objects. Consider these common scenarios:

Scenario | Previous Recovery Option | With Backup & Recovery
Conditional Access policy deleted | Manual recreation from audit logs | Restore from backup in minutes
Group membership wiped | Audit log review + manual re-add | Point-in-time restore
App registration misconfigured | Manually roll back settings | Restore previous configuration
Service principal permissions changed | Audit trail only | Restore prior permission state
Named location deleted | No recovery — recreate manually | Restore from backup

Compliance and Governance

For organizations under ISO 27001, SOC 2, NIST 800-53, or NIS2, demonstrating that identity configuration can be reliably recovered is increasingly a hard audit requirement. Native backup dramatically simplifies this compliance evidence.


Key Features of the Preview

1. Automated Daily Backups

Entra ID Backup & Recovery automatically creates one backup per day on a fixed schedule managed by Microsoft. The schedule and frequency are not configurable — there is no option to set custom intervals or weekly archival snapshots. Backups are retained for 5 days, meaning you have access to the last 5 daily snapshots at any given time.

The backup captures a broad set of identity objects and settings, including:

  • Users and user attributes
  • Security groups and Microsoft 365 groups (membership included)
  • Conditional Access policies
  • Named locations
  • Authentication methods and policies
  • App registrations and enterprise applications
  • Service principals and their permission grants
  • Administrative Units
  • Custom roles and role assignments
  • Directory settings and tenant-wide policies

2. On-Demand Backup (Pre-Change Snapshot)

Before making major changes — such as a Conditional Access policy overhaul or a large group restructure — administrators can now trigger a manual on-demand backup. This gives you a known-good restore point before the change window.

This is a best practice I'd strongly recommend building into your change management process:

  1. Open a change request
  2. Trigger an on-demand Entra backup
  3. Apply the change
  4. Validate in a test scenario
  5. Keep the backup for the rollback window

3. Granular Object Restore

One of the most powerful aspects of this feature is granular restore. Rather than performing a full tenant rollback (which would be destructive), you can restore individual objects:

  • Restore a single deleted user with all their attributes
  • Recover a Conditional Access policy to a previous version
  • Reinstate a group's membership to a point in time
  • Restore an app registration's redirect URIs or API permissions

This granularity makes the feature safe to use in production — you're not restoring everything, just what broke.

4. Backup Comparison and Drift Detection

The preview includes a configuration comparison view that lets you diff two backup snapshots. This is extremely useful for:

  • Security audits — detecting unauthorized changes to Conditional Access
  • Configuration drift — identifying when policies diverged from your baseline
  • Post-incident analysis — understanding exactly what changed and when

How to Enable Entra ID Backup & Recovery (Preview)

Prerequisites

  • Microsoft Entra ID P1 or P2 license (check Microsoft's latest licensing page as requirements may change at GA)
  • Global Administrator or Privileged Role Administrator role in the tenant
  • Tenant must be enrolled in the Microsoft Entra preview program

Step 1: Enable the Preview Feature

  1. Sign in to the Microsoft Entra admin center
  2. Navigate to Identity > Overview > Preview features
  3. Locate Backup and restore and toggle it On
  4. Confirm the opt-in prompt

Step 2: Verify the Automatic Backup Schedule

There is no schedule to configure. Once the feature is enabled, Microsoft automatically runs one backup per day. The backup schedule and retention window (currently 5 days) are fixed and managed by Microsoft — no further admin action is required here.

You can verify backups are running by navigating to Identity > Backup and restore > Backups and confirming daily entries are present.

Step 3: Create an On-Demand Backup

  1. Navigate to Identity > Backup and restore > Backups
  2. Click + Create backup
  3. Add an optional description (e.g., "Pre-CA-policy-change 2026-03-23")
  4. Click Create and wait for the backup job to complete

Backup jobs typically complete within a few minutes for small-to-medium tenants. Large tenants with thousands of objects may take longer.

Step 4: Restore an Object

  1. Go to Identity > Backup and restore > Backups
  2. Select the backup version you want to restore from
  3. Browse to the object type (e.g., Conditional Access > Policies)
  4. Select the specific object to restore
  5. Click Restore and review the impact summary
  6. Confirm the restore operation

Limitations in the Current Preview

As with any preview feature, there are important limitations to be aware of:

  • Password hashes are not backed up — user passwords cannot be restored from this feature
  • Privileged Identity Management (PIM) assignments may have partial coverage
  • External identities (guest users) have limited restore capability
  • Soft-deleted objects already in the Recycle Bin behave differently than active objects
  • Cross-tenant restore is not supported — backups are tenant-bound
  • Retention is fixed at 5 days — only the last 5 daily snapshots are available; there is no option to extend this in the current preview
  • Backup storage is managed by Microsoft — you cannot export backups to your own storage yet
  • Intune policies are not included — Microsoft Intune configuration is outside the scope of this backup feature
  • Official documentation is not yet published — Microsoft Learn does not have a formal reference page for this feature as of late March 2026

These limitations are expected to be addressed before general availability.


Backup & Recovery vs. Existing Recovery Options

It's worth understanding how this new feature fits alongside existing Entra ID recovery mechanisms:

Recovery Method | Use Case | Limitations
Entra Recycle Bin | Recover soft-deleted users, groups, apps | 30-day window, configuration attributes not fully preserved
Audit Logs | Understand what changed and who did it | Read-only, must manually recreate objects
Microsoft Graph API scripts | Automated exports via scripting | Requires custom tooling, no native restore
Third-party tools (AvePoint, Quest) | Full tenant backup & restore | Costly, requires separate licensing
Entra Backup & Recovery (Preview) | Native point-in-time restore | Preview limitations, licensing TBD

The new native feature covers the most common day-to-day recovery scenarios, but it does not replace third-party tools entirely. Solutions like AvePoint, Veeam, Arcserve, and Keepit remain relevant for:

  • Long-term retention — the native backup keeps only 5 days; third-party tools can retain months or years of history
  • Intune policy backup — Intune configuration is not covered by the native feature
  • Cross-tenant restore — not supported natively
  • Organizations with strict recovery SLAs that require more granular or auditable restore processes

Best Practices for Entra ID Backup & Recovery

Based on my experience managing enterprise Entra ID tenants, here are the practices I recommend building around this feature:

1. Establish a Backup Baseline Before Any Change

Make on-demand backup creation a mandatory step in your change management tickets for any Entra ID configuration change. This is cheap insurance.

2. Use Backup Comparison for Security Audits

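Schedule a weekly diff between your current configuration and a known-good baseline backup. Unexpected changes to Conditional Access policies or admin role assignments should trigger immediate investigation. Because native snapshots are retained for only 5 days and cannot be exported, a baseline older than that has to come from your own configuration export.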

3. Document Your Recovery Runbooks

Create a documented recovery runbook for the most likely failure scenarios:

  • Accidental deletion of a Conditional Access policy
  • Bulk user attribute corruption
  • App registration misconfiguration causing auth failures

Test these runbooks in a dev/test tenant before you need them in production.

4. Do Not Rely on Backup Alone

Until this feature reaches GA with full coverage, maintain your existing recovery processes:

  • Keep audit log exports to a SIEM or Log Analytics Workspace
  • Continue using the Recycle Bin for immediate soft-delete recovery
  • For critical objects (break-glass accounts, core CA policies), maintain documented configuration exports
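
The comparison recommended in practice 2, run against the documented configuration exports from practice 4, as an added example that is not part of the original post and not Microsoft tooling. It diffs two Conditional Access exports in the Microsoft Graph conditionalAccessPolicy JSON shape; the sample policies, ids and function names are constructed for illustration.

```python
import json

# Constructed sample exports in the shape of Microsoft Graph
# conditionalAccessPolicy objects (ids and names are made up).
BASELINE = json.loads("""[
 {"id": "ca-001", "displayName": "Require MFA for admins", "state": "enabled",
  "conditions": {"users": {"includeRoles": ["role-ga"], "excludeUsers": ["breakglass-1"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"id": "ca-002", "displayName": "Block legacy auth", "state": "enabled",
  "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"]},
  "grantControls": {"operator": "OR", "builtInControls": ["block"]}}
]""")
CURRENT = json.loads("""[
 {"id": "ca-001", "displayName": "Require MFA for admins", "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeRoles": ["role-ga"], "excludeUsers": ["breakglass-1", "user-77"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"id": "ca-003", "displayName": "Temp exception", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}}
]""")

def flatten(obj, prefix=""):
    """Flatten nested dicts to {dotted.path: value}; lists are sorted so order is not drift."""
    if isinstance(obj, dict):
        out = {}
        for key, val in obj.items():
            out.update(flatten(val, f"{prefix}{key}."))
        return out
    if isinstance(obj, list):
        obj = sorted(obj, key=lambda v: json.dumps(v, sort_keys=True))
    return {prefix.rstrip("."): obj}

def diff_policies(baseline, current):
    """Return a sorted list of (policy id, kind, detail) drift findings."""
    old = {p["id"]: flatten(p) for p in baseline}
    new = {p["id"]: flatten(p) for p in current}
    findings = [(pid, "removed", old[pid]["displayName"]) for pid in old.keys() - new.keys()]
    findings += [(pid, "added", new[pid]["displayName"]) for pid in new.keys() - old.keys()]
    for pid in old.keys() & new.keys():
        for path in sorted(old[pid].keys() | new[pid].keys()):
            before, after = old[pid].get(path), new[pid].get(path)
            if before != after:
                findings.append((pid, "changed", f"{path}: {before!r} -> {after!r}"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in diff_policies(BASELINE, CURRENT):
        print(*finding, sep=" | ")
```

On the constructed data this reports a policy moved to report-only, a new user exclusion, a removed policy and an added one, which are the kinds of change the audit is meant to surface.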

5. Monitor Preview Updates Closely

Microsoft is actively developing this feature. Subscribe to the Microsoft Entra blog and Message Center in the Microsoft 365 admin portal to track updates, especially around GA timelines and licensing changes.


What to Expect at General Availability

Based on Microsoft's preview progression patterns, the GA release of Entra ID Backup & Recovery is expected to bring:

  • Extended retention periods beyond the current 5-day window
  • Export to Azure Storage for customer-managed backup storage
  • Full PIM assignment backup and restore
  • Expanded external identity coverage
  • API support via Microsoft Graph for programmatic backup management
  • RBAC-scoped restore — allowing helpdesk staff to restore within their scope without Global Admin rights

Frequently Asked Questions

Q: Is Entra ID Backup & Recovery included in my existing license?

During preview, Microsoft has not finalized the licensing requirements. Check the official Microsoft Entra pricing page for the latest information. It is expected to require at minimum Entra ID P1.

Q: Can I back up and restore across tenants?

No. Backups are scoped to a single tenant and cannot be restored to a different tenant.

Q: Does this replace the need for third-party Entra backup tools?

Not fully — at least not in the current preview. The native feature covers short-term recovery (within 5 days) for core Entra objects. Third-party solutions remain necessary if you need retention beyond 5 days, Intune policy backup, cross-tenant restore, or enterprise-grade recovery SLAs. Evaluate your requirements before decommissioning existing tooling.

Q: Are user passwords included in the backup?

No. Password hashes are never included in Entra ID backups for security reasons.

Q: Can I schedule automatic restores?

Not in the current preview. Restores are manual, with an admin reviewing and confirming the operation.


Summary

Microsoft Entra ID Backup & Recovery is a long-overdue, genuinely useful addition to the identity management toolkit. Even in preview, it provides meaningful protection against the most common and painful Entra ID incidents: accidental deletions and configuration drift.

For enterprises running business-critical workloads on Microsoft identity infrastructure, I strongly recommend:

  1. Enabling the preview in a non-production tenant first
  2. Evaluating coverage against your specific recovery requirements
  3. Building backup steps into your change management process now, so the habit is established before GA

The days of rebuilding Conditional Access policies from audit logs at 2 AM may finally be behind us.