There are two settings available when restoring Entra ID relationships: restore relationships and restore sub-objects.

 

Restore relationships (default: On)

This setting allows you to restore specific supported relationships for that object type. Using this setting restores and updates the link to a related object as it was at the time of the selected backup, but not the related object itself. Because the relationship is restored to its state at the time of the selected backup, relationships may be created, removed or updated in the restored version.

  • A relationship can only be restored if the related object is still present. If it does not exist, the primary object will still be restored, but the restore will complete with warnings and you will be notified via an in-app notification.
  • When this setting is set to Off, the object will be restored without restoring or updating the links to related objects, i.e. only the selected object and its attributes will be restored.
  • Setting restore relationships to Off may:
    • affect the core functionality of policies such as assignments or settings configuration, and should be used with caution, taking note of the specific relationships affected for that object
    • be useful in cases where a restore is failing or generating a warning due to a relationship.

 

Restore sub-objects 

This setting restores the related sub-objects for specific object types and relationships. Using this setting means restoring the related sub-objects, their attributes, their relationships and their state to what they were at the time of the selected backup.

This setting can only be set to On if the restore relationships setting (above) is set to On. If restore relationships is set to Off, this will automatically disable restore sub-objects (except in the case of enterprise applications, where the settings are independent).

  • Only the objects directly related to the primary object are restored, i.e. sub-objects not directly related to the primary object will not be restored.
  • For enterprise applications, the originating app registration will be restored if the app registration is on the local tenant. The option for the restore sub-objects setting will not be visible if the app registration is not on the local tenant. If the app registration has been deleted from the local tenant, the restore sub-objects setting will be forced to On. You will not be able to disable it, as this will cause the restore to fail.
  • If a related sub-object has been deleted in the current live version on the tenant, the following applies:
    • if hard-deleted, the sub-object will be re-created as a new object with a new id.
    • if soft-deleted (in the recycle bin), the sub-object will be restored with the current id where relevant.
    • in either case, the sub-object’s relationships will be recreated and linked with its related objects for the specific relationships we support.
  • If a related sub-object is present in the current live version of the object on the tenant and in the selected backup, the related sub-object’s attributes and relationships will be updated to those in the selected backup.
  • If a related sub-object is present in the current live version of the object on the tenant but is NOT present in the selected backup (i.e. it has been deleted from the selected backup), the relationship to the related sub-object will be removed when the object is restored. The sub-object itself will not be deleted and will be left as is.
  • If the related sub-objects contain deleted users, the passwords for those users will be reset as per our current functionality. The password will be displayed on the restore dialog.
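The rules above can be modelled as a small planning function, useful for reasoning about what a restore will change before running it. This is an added example, not the product's code or API: the function names, the state labels and the sample ids are all hypothetical, and it assumes the password reset applies to both soft- and hard-deleted users.

```python
# Constructed model of the documented sub-object rules; not the product's code or API.
UPDATE = "update attributes and relationships from backup"
UNDELETE = "restore from recycle bin with current id, relink"
RECREATE = "re-create as new object with new id, relink"
UNLINK = "remove relationship only; object left as is"

def effective_settings(obj_type, relationships, sub_objects, app_reg_deleted=False):
    """Resolve the two toggles the way the settings section describes."""
    if obj_type == "enterprise_app":
        # Toggles are independent here; sub-objects is forced On when the
        # originating app registration was deleted from the local tenant.
        return relationships, sub_objects or app_reg_deleted
    # For every other type, relationships Off disables sub-objects.
    return relationships, relationships and sub_objects

def plan_sub_objects(backup, live_links, tenant_state):
    """backup: {id: kind} of direct sub-objects in the selected backup.
    live_links: ids linked to the primary object right now.
    tenant_state: {id: "present" | "soft_deleted"}; a missing id means hard-deleted.
    Returns {id: (action, password_reset)}."""
    plan = {}
    for sid, kind in backup.items():
        state = tenant_state.get(sid, "hard_deleted")
        action = {"present": UPDATE, "soft_deleted": UNDELETE}.get(state, RECREATE)
        # Assumption: any deleted user that comes back gets a password reset.
        plan[sid] = (action, kind == "user" and state != "present")
    # Linked live but absent from the backup: only the link is removed.
    for sid in live_links - set(backup):
        plan[sid] = (UNLINK, False)
    return plan

# Constructed sample: a group backed up with three members; u4 was added later.
BACKUP = {"u1": "user", "u2": "user", "g1": "group"}
LIVE_LINKS = {"u1", "u4"}
TENANT = {"u1": "present", "u4": "present", "g1": "soft_deleted"}

if __name__ == "__main__":
    print(effective_settings("group", relationships=False, sub_objects=True))
    for sid, step in sorted(plan_sub_objects(BACKUP, LIVE_LINKS, TENANT).items()):
        print(sid, step)
```
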



The following objects and relationships are included:


| Object | Restore relationships | Restore sub-objects |
| --- | --- | --- |
| Users | Yes: Licenses (licences); Memberships (groups and admin units); Owners (groups); Role assignments (roles); Scoped role members (admin units); Manager (users) | No |
| Groups | Yes: Owners (users); Members (users and groups); Membership (groups and admin units); Owners (users); Role assignments (roles); Licences (licences) | Yes: Member users, member groups, group owners |
| Admin units | Yes: Members (users and groups); Scoped role assignments (roles) | Yes: Member users, member groups |
| Roles | Yes: Role assignments (users, groups and enterprise apps) | Yes: Role assignment users, role assignment groups |
| App registrations | Yes: Owners (users and service principals); Federated identity credentials (identities) | No |
| Enterprise apps | Yes: App role assignments (appRoles to users, groups and service principals); appRolesAssignedTo (appRole and app); memberOf (roles); Owners (users and service principals) | Yes: Restore app registrations (Note: Restoring a related app registration from a different tenant is not possible) |
| Conditional access policies | Yes: grantControls (authentication strengths) | No |
| Named locations | No | No |
| Authentication strengths | Yes: combinationConfigurations (authentication methods) are required and part of the policy | No |
| Authentication contexts | No | No |
| Intune device compliance policies | Yes: Assignments (groups); Scheduled actions | No |
| Authentication methods | Yes: includeTargets (users or groups) or assignTo | No |
| Intune device configuration | Yes: Assignments; Group assignments; Settings instances; Definition values | No |

 

What happens when an Entra ID object is restored?

Restoring an object restores its attributes and re-establishes its supported relationships to other objects. If an object still exists in Entra ID, its existing attributes will be updated. Missing attributes will be created, and attributes that are empty or null in the selected backup will be cleared. If an object has been deleted from Entra ID, it will be recreated as a new object or restored from the recycle bin.

 

Restoring an object with its sub-objects

Sub-objects are objects located in the hierarchy under the selected object for specific relationships. For example, a group's sub-objects are its members and owners. Its sub-objects do NOT include its parent groups, the administrative units it is part of, or the roles it is assigned. 

Sub-objects can only be other users, groups, or an app registration for enterprise apps. For enterprise apps, this is the related app registration on the local tenant. If the app registration is not on the local tenant, it cannot be restored.

Only groups, roles, administrative units and enterprise apps have sub-objects. In the RedApp, you have the option to restore these objects with their sub-objects. Missing sub-objects will be recreated and existing sub-objects will be updated. 

 

Restoring attributes

Restoring an object restores its attributes to their values in the selected backup. 

 

Restoring relationships

Relationships are the links an object has to other objects. Relationships can only be re-established as part of restoring if the linked object still exists.