Restoring a role will update its attributes and assignments to users and groups.
Restore an Azure AD role
Before you restore, ensure the Azure AD service account that was used to create the connector is assigned the global admin role.
1. Locate the role in your connector.
2. Optional: If you want to restore an older version of the object, click the Snapshots Viewer icon, and then select an earlier snapshot. You will now be viewing data from that particular time.
3. Select ••• > Restore.
Tip: To preview the attributes and relationships and to compare them to older versions, select ••• > Object metadata. You can also restore directly from the previewer.
4. Select whether to restore subobjects.
Subobjects can be users and groups with this role.
- If you select Restore only this object, click Next.
- If you select Also restore subobjects, click Next. Then select the restore method and click Next.
5. Review the summary and click Restore.
Note: Roles can be restored in bulk, but the option to restore related items will be disabled.
What happens when I restore a role
Restoring a role will restore its attributes and reestablish the following relationships:
- Role assignments - links to all users and groups that are assigned this role (all of these users and groups will be assigned this role)
Assignments to users and groups will be restored only if these objects still exist in Azure AD.
Only custom roles can be deleted from Azure AD. If the role has been deleted from Azure AD, all attributes and relationships will be recreated. The original template ID will be restored.
This diagram shows the relationships that are restored:
Restoring a role together with subobjects
A role's subobjects are the users and groups that are assigned the role.
Enabling subobjects restore will create missing subobjects. This means for each missing user and group we will restore attributes and relationships. All recreated users and groups will receive new IDs.
If you select create missing and update existing subobjects:
- We will create users and groups with this role that have been deleted and reassign the role to them.
- For each existing user, we will update its attributes, link to manager, role assignments, group ownerships, group and unit memberships, and licenses.
- For each existing group, we will update its attributes, links to members and owners, group and unit memberships, role assignments, and licenses.
If you select only create missing subobjects:
- We will create users and groups that have been deleted and reassign the role to them.
- We will not update the attributes, relationships, and licenses of existing users and groups.
Note: We cannot reestablish deleted users' memberships to distribution and mail-enabled groups. In this case, the restore job will be marked as incomplete, and these relationships will be skipped.
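A restore grants the role again to every user and group in the snapshot, so it helps to preview the resulting privilege changes before you click Restore. The sketch below is an added example, not the product's own code: it models the rules described on this page over constructed data, and the function name, mode names, and record fields are assumptions made for illustration.

```python
# Added illustration: models the restore rules on this page. All names and
# sample records are constructed; nothing here calls the product or Azure AD.
MODES = ("role_only", "create_missing", "create_and_update")

def plan_role_restore(snapshot, live_ids, mode="role_only"):
    """Predict what restoring a role snapshot would change.

    snapshot  -- {"role": name, "assignees": [principal records]}
    live_ids  -- IDs of users and groups that still exist in Azure AD
    mode      -- one of MODES (hypothetical names for the wizard choices)
    """
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode}")
    plan = {"reassign": [], "recreate": [], "update": [],
            "skipped": [], "incomplete": False}
    for p in snapshot["assignees"]:
        if p["id"] in live_ids:
            plan["reassign"].append(p["name"])       # principal regains the role
            if mode == "create_and_update":
                plan["update"].append(p["name"])     # attributes and links overwritten
        elif mode == "role_only":
            # Assignments are restored only for objects that still exist.
            plan["skipped"].append((p["name"], "object deleted"))
        else:
            plan["recreate"].append(p["name"])       # comes back with a NEW object ID
            plan["reassign"].append(p["name"])
            if p["type"] == "user" and p.get("mail_groups"):
                # Deleted users' distribution / mail-enabled group memberships
                # cannot be re-established; the job is marked incomplete.
                plan["skipped"].append((p["name"], "mail-enabled group memberships"))
                plan["incomplete"] = True
    return plan

# Constructed snapshot of a custom role with three assignees.
SNAPSHOT = {"role": "Helpdesk Custom", "assignees": [
    {"id": "u-1", "type": "user", "name": "alice", "mail_groups": []},
    {"id": "u-2", "type": "user", "name": "bob", "mail_groups": ["dl-support"]},
    {"id": "g-1", "type": "group", "name": "ops-team"},
]}
LIVE = {"u-1"}   # bob and ops-team were deleted after the snapshot

if __name__ == "__main__":
    for m in MODES:
        print(m, plan_role_restore(SNAPSHOT, LIVE, m))
```

Review the "reassign" and "recreate" lists against who should hold the role today; anything that references a recreated user or group by its old object ID will need to be updated.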