The Azure AD connector protects Microsoft 365 Azure Active Directory objects: users, groups, administrative units, and roles. 

The connector also protects Azure Active Directory activity logs.

Supported Object Metadata


  • Ownerships
  • Memberships
  • Manager
  • Role assignments
  • Licenses
  • Photo


  • Owners
  • Members
  • Memberships
  • Role assignments
  • Licenses
  • Photo

Administrative Units

  • Members
  • Scoped-role assignments


  • Role assignments

: Ownerships, owners, memberships, members, managers, role assignments, or scoped-role assignments are relationships (links) an object has to other objects. 

Supported Activity Logs 

Activity Logs

  • Audit logs
  • Sign-in logs

Note: Sign-in logs cannot be backed up without audit logs.

Supported Object Attributes 

Object attributes are its properties such as its name or description.


accountEnabledDefines if account is enabled or not.
ageGroupAge group of the user: minor, notAdult, adult
businessPhonesThe telephone numbers for the user.
cityThe city in which the user is located.
companyNameThe company name which the user is associated.
consentProvidedForMinorSets whether consent has been obtained for minors: granted, denied, notRequired
countryThe country/region in which the user is located.
createdDateTimeThe date the user object was created.
creationTypeIf the user account was created as a local account for an Azure Active Directory B2C tenant, the value is LocalAccount or nameCoexistence
deletedDateTimeFor some Azure Active Directory objects (user, group, application), if the object is deleted, it is first logically deleted, and this property is updated with the date and time when the object was deleted. Otherwise this property is null. If the object is restored, this property is updated to null.
departmentThe name for the department in which the user works.
employeeHireDateThe date and time when the user was hired or will start work in case of a future hire.
employeeIdThe employee identifier assigned to the user by the organization.
employeeOrgDataRepresents organization data (e.g. division and costCenter) associated with a user.
employeeTypeCaptures enterprise worker type (e.g. Contractor, Consultant, Employee)
externalUserStateFor an external user invited to the tenant this property represents the invited user's invitation status.
Shows the timestamp for the latest change to the invitation status (externalUserState) property.
faxNumberThe fax number of the user.
givenNameThe given name (first name) of the user.
identitiesRepresents the identities that can be used to sign in to this user account. An identity can be provided by Microsoft (also known as a local account), by organizations, or by social identity providers such as Facebook, Google, and Microsoft, and tied to a user account.
jobTitleThe user's job title.
lastPasswordChangeDateTimeThe date the the user last changed their password.
mailThe SMTP address for the user.
mailNickname The mail alias for the user.
mobilephoneThe primary cellular telephone number for the user.
officeLocationThe office location in the user's place of business.
onPremisesImmutableIdThis property is used to associate an on-premises Active Directory user account to their Azure AD user object.
onPremisesProvisioningErrorsErrors when using Microsoft synchronization product during provisioning.
otherMailsA list of additional email addresses for the user
passwordPoliciesSpecifies password policies for the user.
postalCodeThe postal code for the user's postal address.
preferredDataLocationThe preferred data location for the user.
preferredLanguageThe preferred language for the user.
showInAddressListIf the Outlook global address list should contain this user.
stateThe state or province in the user's address.
streetAddressThe street address of the user's place of business.
surnameThe user's surname (family name or last name).
usageLocationA two letter country code (ISO standard 3166). Required for users that will be assigned licenses due to legal requirement to check for availability of services in countries.
userPrincipalName The user principal name (UPN) of the user. The UPN is an Internet-style login name for the user based on the Internet standard RFC 822. By convention, this should map to the user's email name. The general format is alias@domain, where domain must be present in the tenant's collection of verified domains.
userTypeA string value that can be used to classify user types in your directory, such as "Member" and "Guest."


classificationDescribes a classification for the group (such as low, medium or high business impact).
deletedDateTimeFor some Azure Active Directory objects (user, group, application), if the object is deleted, it is first logically deleted, and this property is updated with the date and time when the object was deleted. Otherwise this property is null. If the object is restored, this property is updated to null.
descriptionAn optional description for the group.
groupTypesSpecifies the group type and its membership.
deducedGroupTypeKeepit's property which helps us to deduce the exact type of the group based on several properties (mailEnabled, securityEnabled, groupTypes).
mailEnabledSpecifies whether the group is mail-enabled.
mailNicknameThe mail alias for the group, unique in the organization. Maximum length is 64 characters. 
mailThe SMTP address for the group, for example, "".
membershipRuleThe rule that determines members for this group if the group is a dynamic group.
Indicates whether the dynamic membership processing is on or paused.
preferredDataLocationThe preferred data location for the group.
preferredLanguageThe preferred language for a Microsoft 365 group.
resourceBehaviorOptionsSpecifies the group behaviors that can be set for a Microsoft 365 group during creation.
resourceProvisioningOptionsSpecifies the group resources that are provisioned as part of Microsoft 365 group creation, that are not normally part of default group creation.
securityEnabledSpecifies whether the group is a security group.
securityIdentifierSecurity identifier of the group, used in Windows scenarios.
themeSpecifies a Microsoft 365 group's color theme.
visibilitySpecifies the group join policy and group content visibility for groups.
isAssignableToRoleIndicates whether this group can be assigned to an Azure Active Directory role or not.

Administrative Unit

description     An optional description for the administrative unit.
visibilityControls whether the administrative unit and its members are hidden or public.


descriptionRole description.
isBuiltInFlag indicating if the role is part of the default set included with the product or custom.
isEnabledFlag indicating if the role is enabled for assignment.
rolePermissionsList of permissions included in the role.
templateIdCustom template identifier that can be set when isBuiltIn is false.
versionIndicates version of the role.
visibilityControls whether the role is hidden or public.