Restoring an object restores its attributes and reestablishes its relationships to other objects.

If an object still exists in Azure AD, existing metadata will be updated, missing metadata will be created, and metadata not present in the snapshot will be removed.

If an object has been deleted from Azure AD, it will be recreated.

Restoring an object together with subobjects

Groups, roles, and administrative units can be restored together with subobjects: missing subobjects will be recreated and, if selected, existing subobjects will be updated. 

Subobjects are objects located in the hierarchy under the selected object. Accordingly, subobjects can be only other users or groups — objects that are part of a group or an administrative unit, or that are assigned a role.  

For example, a group's subobjects are its members and owners, not its parent groups, the administrative units it is part of, or the roles it is assigned.

Only groups, administrative units, and roles can have subobjects; users cannot.

Restored attributes

Restoring an object restores its attributes. Attributes cannot be restored separately.

Restored relationships

Relationships are the links an object has to other objects by way of ownerships, owners, memberships, members, managers, role assignments, or scoped-role assignments.

Relationships can be reestablished only if the linked object still exists.

Example
Let's say you have a group with 20 members. One member user is then deleted from Azure AD.

If you restore the group from a historical snapshot when the group still had 20 members (i.e., when the deleted user still existed), the following will happen:

  • If you select restore only this object, the restored group will have only 19 members. We will not recreate the member user that was deleted and so we cannot reestablish the link to the member. The restore job will skip the user and the job will be marked as incomplete.  
  • If you select also restore subobjects, the restored group will have 20 members. We will recreate the member user and reestablish its link to this group. The restore job will be marked as successful. The user will receive a new object ID and new creation time.

Important: If the deleted user was a member of a distribution group or mail-enabled security group, we cannot reestablish this link due to an API limitation. In this case, the restore job will be marked as incomplete, and these relationships will be skipped.
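The example above as a small model, added here for illustration. It is not the product's code: `restore_group`, the `RestoreJob` fields, the member IDs and the data layout are all assumptions, and it only encodes the rules stated in the example and the Important note.

```python
import uuid
from dataclasses import dataclass, field


@dataclass
class RestoreJob:
    members: set = field(default_factory=set)      # object IDs linked to the group after restore
    recreated: dict = field(default_factory=dict)  # snapshot object ID -> new object ID
    skipped: list = field(default_factory=list)    # (object ID, reason) for every skipped link

    @property
    def status(self):
        # Any skipped relationship marks the job as incomplete.
        return "incomplete" if self.skipped else "successful"


def restore_group(snapshot_members, live_ids, restore_subobjects):
    """snapshot_members: member ID -> mail-enabled/distribution groups it belonged to.
    live_ids: object IDs that still exist in the directory."""
    job = RestoreJob()
    for member_id, mail_groups in snapshot_members.items():
        if member_id in live_ids:
            job.members.add(member_id)  # linked object still exists: link is reestablished
        elif restore_subobjects:
            new_id = str(uuid.uuid4())  # a recreated object receives a new object ID
            job.recreated[member_id] = new_id
            job.members.add(new_id)
            for group in mail_groups:   # these links cannot be reestablished for a deleted user
                job.skipped.append((group, "mail-enabled or distribution group link"))
        else:
            job.skipped.append((member_id, "linked object no longer exists"))
    return job


# Constructed sample data: a 20-member group snapshot; user-07 was deleted afterwards.
SNAPSHOT_MEMBERS = {f"user-{n:02d}": [] for n in range(1, 21)}
LIVE_IDS = set(SNAPSHOT_MEMBERS) - {"user-07"}
# Same snapshot, but the deleted user also belonged to a mail-enabled group.
SNAPSHOT_WITH_MAIL = {**SNAPSHOT_MEMBERS, "user-07": ["mail-group-A"]}

if __name__ == "__main__":
    for label, snap, sub in [("only this object", SNAPSHOT_MEMBERS, False),
                             ("with subobjects", SNAPSHOT_MEMBERS, True),
                             ("with subobjects + mail group", SNAPSHOT_WITH_MAIL, True)]:
        job = restore_group(snap, LIVE_IDS, sub)
        print(label, len(job.members), job.status, job.skipped, job.recreated)
```

The `recreated` mapping lists every object whose ID changed, which is what to check against anything that referenced the old object ID.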

What happens when I restore a user?


Restoring a user will restore its attributes and licenses, and reestablish the following relationships:

  • Memberships - links to groups and admin units that the user is a member of  
  • Ownerships - links to groups that the user is an owner of
  • Role assignments - links to roles that are assigned to this user
  • Manager - the link to the user's manager


A relationship can be reestablished only if the linked object still exists in Azure AD.

If the user was deleted from Azure AD, metadata and relationships will be recreated. The user will receive a new object ID and new creation time.

A diagram showing the relationships that are restored:

Restore limitations

  • If the user was a member of a distribution group or mail-enabled security group, we cannot reestablish the links to these groups due to an API limitation. In this case, the restore job will be marked as incomplete, and these relationships will be skipped.
  • Authentication methods are not restored.

Note: A user's group-inherited roles are not displayed in the user interface, but they are backed up and restored.


What happens when I restore a group?


Restoring a group will restore its attributes and licenses, and reestablish the following relationships:

  • Members - links to users and groups that are members of this group
  • Memberships - links to groups and admin units that the group is a member of
  • Owners - links to users who are owners of this group
  • Role assignments - links to roles that are assigned to this group


A relationship can be reestablished only if the linked object still exists in Azure AD.

If the group has been deleted from Azure AD, metadata and relationships will be recreated. The group will receive a new object ID and new creation date.

A diagram showing the relationships that are restored:


Restoring dynamic groups

If you restore a dynamic group, we will restore the rule that determines members for this group. Microsoft will then add these members to the group.

Restore limitations

  • Distribution groups and mail-enabled security groups are not restored
  • Group photos are not restored 


Restoring a group together with subobjects

A group's subobjects are its member users, member groups, and group owners. 

Enabling the subobjects restore will create missing subobjects. This means for each missing user and group we will restore attributes and relationships (and if applicable, licenses). All recreated users and groups will receive new IDs.

Groups or users that exist in Azure AD but are not present in the snapshot will have their links to the group removed, but the objects themselves will not be deleted from Azure AD.

If you select create missing and update existing subobjects:

  • We will create users and groups that have been deleted. 
  • For each existing user, we will update its attributes, link to manager, role assignments, group ownerships, group and unit memberships, and licenses.
  • For each existing group, we will update its attributes, links to members and owners, group and unit memberships, role assignments, and licenses.


If you select only create missing subobjects:

  • We will create users and groups that have been deleted.
  • We will not update the attributes, relationships, licenses, and authentication methods of existing users and groups.


Note: We cannot reestablish deleted users' memberships to distribution and mail-enabled groups. In this case, the restore job will be marked as incomplete, and these relationships will be skipped.

What happens when I restore an administrative unit?


Restoring an administrative unit will restore its attributes and reestablish the following relationships:

  • Members - links to all users and groups that are members of this unit
  • Scoped-role assignments - links to all roles that are assigned to this unit


A relationship can be reestablished only if the linked object still exists in Azure AD.

If the unit has been deleted from Azure AD, attributes and relationships will be recreated. The unit will receive a new object ID.

A diagram showing the relationships that are restored:

Restoring an admin unit together with subobjects

An administrative unit's subobjects are users and groups that are members of the unit. 

Enabling the subobjects restore will create missing subobjects. This means for each missing user and group we will restore attributes, licenses, and relationships. All recreated users and groups will receive new IDs.

Groups or users that exist in Azure AD but are not present in the snapshot will have their links to the unit removed, but the objects themselves will not be deleted from Azure AD.

If you select create missing and update existing subobjects:

  • We will create users and groups that have been deleted.
  • For each existing user, we will update its attributes, link to manager, role assignments, group ownerships, group and unit memberships, and licenses.
  • For each existing group, we will update its attributes, links to members and owners, group and unit memberships, role assignments, and licenses.


If you select only create missing subobjects:

  • We will create users and groups that have been deleted.
  • The attributes, relationships, and licenses of existing users and groups will not be updated.

Note: We cannot reestablish deleted users' memberships to distribution and mail-enabled groups. In this case, the restore job will be marked as incomplete, and these relationships will be skipped.

What happens when I restore a role?

Restoring a role will restore its attributes and reestablish the following relationships: 

  • Role assignments - links to all users and groups that are assigned this role (all users and groups will be assigned this role)


Assignments to users and groups will be restored only if these objects still exist in Azure AD. 

Only custom roles can be deleted from Azure AD. If the role has been deleted from Azure AD, all attributes and relationships will be recreated. The original template ID will be restored.

A diagram showing the relationships that are restored:

Restoring a role together with subobjects

A role's subobjects are the users and groups that are assigned the role.

Enabling the subobjects restore will create missing subobjects. This means for each missing user and group we will restore attributes and relationships. All recreated users and groups will receive new IDs.

If you select create missing and update existing subobjects:

  • We will create users and groups with this role that have been deleted and reassign the role to them.
  • For each existing user, we will update its attributes, link to manager, role assignments, group ownerships, group and unit memberships, and licenses.
  • For each existing group, we will update its attributes, links to members and owners, group and unit memberships, role assignments, and licenses.


If you select only create missing subobjects:

  • We will create users and groups that have been deleted and reassign the role to them.
  • We will not update the attributes, relationships, and licenses of existing users and groups.


Note: We cannot reestablish deleted users' memberships to distribution and mail-enabled groups. In this case, the restore job will be marked as incomplete, and these relationships will be skipped.