COMMENTARY: Organizations have increasingly adopted cloud services, making identity management a cornerstone of IT security strategies.
At the heart of this shift lies Microsoft’s Entra ID, a platform connecting over 610 million users across 800,000 organizations to essential business applications.
However, despite its widespread adoption, managing and securing cloud identities, especially in hybrid environments—where both on-premises Active Directory (AD) and Entra ID coexist—remains a complex and often underestimated challenge.
According to our latest telemetry, Entra ID customers collectively backed up around 37 billion objects over the past year: roughly 13 billion groups, 13 billion devices, and 10 billion users, plus service principals and applications. Those numbers show how much of secure access, device management, and application integration now rests on identity data across very different environments.
Automation’s role in backup and recovery
To minimize human error and keep backups reliable, 99.74% of the organizations in our telemetry have automated their Entra ID backups. Scheduled, unattended backups remove the risk of a missed or stale copy and keep the backed-up identity data consistent, which matters more as hybrid identity environments grow. The volume of backed-up objects grew 30% over the past year, and device backups grew even faster, at 44%, underscoring the expanding role of cloud-managed devices in modern IT ecosystems.
When it comes to recovery, three quarters (75%) of organizations prefer a full restore, which rewrites every backed-up object. The remaining quarter increasingly use a differential recovery approach: compare the backup with the live directory and restore only what has changed since the backup was taken. Touching fewer objects shortens downtime, uses fewer resources, and causes less operational disruption, and it marks a shift toward recovery that undoes a specific bad change rather than rolling the whole directory back.
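As an added example (not the column's own code, and not any vendor's product logic), the core of a differential restore in PowerShell: diff a backup snapshot against the live directory and emit only the changes needed to get back to the backed-up state. The snapshot format (object Id mapped to attributes and member Ids) and the sample objects are constructed for illustration; they borrow Entra ID attribute names but are not Microsoft Graph output.

```powershell
# Differential restore planner (added example; snapshot format and sample data
# are constructed, not Entra ID / Graph output). Each snapshot maps an object Id
# to @{ Attributes = <hashtable>; MemberIds = <string[]> }.
function Compare-DirectorySnapshot {
    param(
        [Parameter(Mandatory)][hashtable]$Backup,   # state at backup time
        [Parameter(Mandatory)][hashtable]$Live      # state in the tenant now
    )
    $plan = [System.Collections.Generic.List[object]]::new()

    foreach ($id in $Backup.Keys) {
        $b = $Backup[$id]

        # Object gone entirely: hard-deleted or past the recycle-bin window
        if (-not $Live.ContainsKey($id)) {
            $plan.Add([pscustomobject]@{ Action = 'Recreate'; Id = $id; Detail = 'missing from tenant' })
            continue
        }
        $l = $Live[$id]

        # Attribute drift: restore only the attributes that differ
        foreach ($attr in $b.Attributes.Keys) {
            if ($l.Attributes[$attr] -ne $b.Attributes[$attr]) {
                $plan.Add([pscustomobject]@{
                    Action = 'RestoreAttribute'; Id = $id
                    Detail = "$attr : '$($l.Attributes[$attr])' -> '$($b.Attributes[$attr])'"
                })
            }
        }

        # Relationship drift: members removed since the backup are re-added,
        # members added since the backup (e.g. an unexpected admin) are flagged for removal
        foreach ($m in @($b.MemberIds | Where-Object { $_ -notin $l.MemberIds })) {
            $plan.Add([pscustomobject]@{ Action = 'AddMember'; Id = $id; Detail = $m })
        }
        foreach ($m in @($l.MemberIds | Where-Object { $_ -notin $b.MemberIds })) {
            $plan.Add([pscustomobject]@{ Action = 'RemoveMember'; Id = $id; Detail = $m })
        }
    }
    # Objects that exist only in $Live were created after the backup and are left alone
    return $plan
}

# Constructed sample data: two objects unchanged, one disabled, one deleted,
# one group that lost a member, one privileged group that gained a member
$backup = @{
    'u-alice'     = @{ Attributes = @{ DisplayName = 'Alice'; AccountEnabled = $true }; MemberIds = @() }
    'u-bob'       = @{ Attributes = @{ DisplayName = 'Bob';   AccountEnabled = $true }; MemberIds = @() }
    'u-dave'      = @{ Attributes = @{ DisplayName = 'Dave';  AccountEnabled = $true }; MemberIds = @() }
    'grp-hr'      = @{ Attributes = @{ DisplayName = 'HR' };           MemberIds = @('u-alice') }
    'grp-finance' = @{ Attributes = @{ DisplayName = 'Finance' };      MemberIds = @('u-alice', 'u-bob') }
    'grp-tier0'   = @{ Attributes = @{ DisplayName = 'Tier0 Admins' }; MemberIds = @('u-alice') }
}
$live = @{
    'u-alice'     = @{ Attributes = @{ DisplayName = 'Alice'; AccountEnabled = $true };  MemberIds = @() }
    'u-bob'       = @{ Attributes = @{ DisplayName = 'Bob';   AccountEnabled = $false }; MemberIds = @() }  # disabled
    'grp-hr'      = @{ Attributes = @{ DisplayName = 'HR' };           MemberIds = @('u-alice') }
    'grp-finance' = @{ Attributes = @{ DisplayName = 'Finance' };      MemberIds = @('u-alice') }               # Bob dropped
    'grp-tier0'   = @{ Attributes = @{ DisplayName = 'Tier0 Admins' }; MemberIds = @('u-alice', 'u-mallory') }  # Mallory added
    'grp-proj'    = @{ Attributes = @{ DisplayName = 'New project' };  MemberIds = @('u-carol') }               # created after backup
}

$plan = Compare-DirectorySnapshot -Backup $backup -Live $live
$plan | Format-Table -AutoSize

$touched = @($plan.Id | Select-Object -Unique).Count
"Full restore would rewrite $($backup.Count) objects; differential plan touches $touched"
```

On the constructed data the plan is four actions on four objects (re-create u-dave, re-enable u-bob, add u-bob back to Finance, remove u-mallory from Tier0 Admins) instead of rewriting all six backed-up objects, and grp-proj, created after the backup, is not touched. The RemoveMember line is worth a second look before you apply a plan like this: a member who appeared in a privileged group since the last backup is either a legitimate change you are about to undo or exactly the kind of persistence an attacker plants, and the diff itself will not tell you which.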
What are the gaps in Entra ID protection?
While organizations have expanded their use of Entra ID for its security benefits, they still need to know where Microsoft's responsibility for backup and restore ends and which objects native recovery does and does not cover. For example, soft-deleted users, Microsoft 365 groups, applications, and service principals can be restored from the Entra ID Recycle Bin only within 30 days of deletion; after that they are permanently hard-deleted. Security groups are not soft-deleted at all: deleting one removes it immediately. And hard-deleted, misconfigured, or modified objects are beyond the reach of native tools.
The Recycle Bin is also purely object-level. It cannot roll back a change to an object that still exists, so a group membership that was removed or a role assignment that was stripped has nothing to restore from, and Conditional Access policies have no recycle bin at all: a deleted or mis-edited policy is simply gone. These gaps can break security configurations and productivity at the same time, leaving administrators to reconstruct the connections by hand.
The shared responsibility model further compounds these challenges. Microsoft provides foundational backup and recovery tools, but they are incomplete on their own, and getting fuller coverage means PowerShell scripting and a working knowledge of the Microsoft Graph APIs. Customers are responsible for disaster planning, documenting configurations, and maintaining operational security themselves. Without a tested recovery plan, even a minor misconfiguration or a targeted attack can lead to prolonged disruption. For this reason, many organizations turn to third-party providers to fill the gaps in backup and recovery.
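To make the 30-day window concrete, an added example (not from the column) that lists what is currently sitting in the Entra ID Recycle Bin and how many days each object has left before it is hard-deleted. It assumes the Microsoft Graph PowerShell SDK is installed and that the account used has Directory.Read.All; the restore cmdlet commented out at the end needs Directory.ReadWrite.All. The five-day warning threshold is an arbitrary choice.

```powershell
# Added example (not from the column): soft-deleted users and groups with the
# days remaining before the 30-day hard delete. Assumes the Microsoft Graph
# PowerShell SDK; Directory.Read.All to list, Directory.ReadWrite.All to restore.
Connect-MgGraph -Scopes 'Directory.Read.All' -NoWelcome

$retentionDays = 30                      # Entra ID soft-delete retention
$now = (Get-Date).ToUniversalTime()

# Users and Microsoft 365 groups are the soft-deleted types most tenants care about.
# Security groups never show up here: they are hard-deleted the moment they are removed.
$deleted = @()
$deleted += Get-MgDirectoryDeletedItemAsUser  -All -Property Id,UserPrincipalName,DeletedDateTime |
            Select-Object @{n='Type';e={'User'}},  @{n='Name';e={$_.UserPrincipalName}}, Id, DeletedDateTime
$deleted += Get-MgDirectoryDeletedItemAsGroup -All -Property Id,DisplayName,DeletedDateTime |
            Select-Object @{n='Type';e={'Group'}}, @{n='Name';e={$_.DisplayName}},       Id, DeletedDateTime

$report = foreach ($obj in $deleted) {
    $hardDeleteAt = $obj.DeletedDateTime.ToUniversalTime().AddDays($retentionDays)
    [pscustomobject]@{
        Type          = $obj.Type
        Name          = $obj.Name
        Deleted       = $obj.DeletedDateTime
        DaysRemaining = [math]::Floor(($hardDeleteAt - $now).TotalDays)
        Id            = $obj.Id
    }
}
$report | Sort-Object DaysRemaining | Format-Table -AutoSize

# Anything about to fall out of the window needs a decision now: restore it,
# or export what you still can, because after day 30 native tools cannot help.
$report | Where-Object DaysRemaining -le 5 | ForEach-Object {
    Write-Warning "$($_.Type) '$($_.Name)' is hard-deleted in $($_.DaysRemaining) day(s)"
}

# Restore a single object while it is still in the window (Directory.ReadWrite.All):
# Restore-MgDirectoryDeletedItem -DirectoryObjectId $report[0].Id
```

Run on a schedule, this is a cheap early warning: an entry appearing in the report for a privileged account or a Microsoft 365 group nobody admits to deleting is worth investigating on day one, not day 29.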
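The configurations the two paragraphs above say customers must document themselves, group memberships, role assignments, and Conditional Access policies, can be captured with a short script. The following is an added example (not the column's own code and not a product): it exports each of them to JSON with the Microsoft Graph PowerShell SDK using read-only permissions, so there is something to rebuild from when the Recycle Bin has nothing to offer. The output folder name is an assumption; PowerShell 7 is assumed.

```powershell
# Added example (not from the column): export the relationships and policies
# that Entra ID's Recycle Bin does not cover. Assumes the Microsoft Graph
# PowerShell SDK on PowerShell 7 and read-only scopes; folder name is arbitrary.
Connect-MgGraph -Scopes 'Group.Read.All','RoleManagement.Read.Directory','Policy.Read.All' -NoWelcome

$out = Join-Path $PWD ('entra-config-{0:yyyyMMdd-HHmm}' -f (Get-Date))
New-Item -ItemType Directory -Path $out -Force | Out-Null

# 1. Group memberships. For security groups this export is the only record of
#    who was in them, since a deleted security group is hard-deleted at once.
$groups = Get-MgGroup -All -Property Id,DisplayName,SecurityEnabled,GroupTypes
$membership = foreach ($g in $groups) {
    $members = Get-MgGroupMember -GroupId $g.Id -All
    [pscustomobject]@{
        Id              = $g.Id
        DisplayName     = $g.DisplayName
        SecurityEnabled = $g.SecurityEnabled
        GroupTypes      = @($g.GroupTypes)
        MemberIds       = @($members.Id)
    }
}
$membership | ConvertTo-Json -Depth 5 | Set-Content (Join-Path $out 'group-membership.json')

# 2. Directory role assignments: which principal holds which role at which scope
Get-MgRoleManagementDirectoryRoleAssignment -All |
    Select-Object Id,RoleDefinitionId,PrincipalId,DirectoryScopeId |
    ConvertTo-Json -Depth 3 | Set-Content (Join-Path $out 'role-assignments.json')

# 3. Conditional Access policies, one file each; there is no recycle bin for these
$caDir = Join-Path $out 'conditional-access'
New-Item -ItemType Directory -Path $caDir -Force | Out-Null
$policies = Get-MgIdentityConditionalAccessPolicy -All
foreach ($p in $policies) {
    $safeName = $p.DisplayName -replace '[^\w\-]', '_'
    $p | ConvertTo-Json -Depth 20 | Set-Content (Join-Path $caDir "$($p.Id)-$safeName.json")
}

"Exported $($membership.Count) groups, role assignments, and $($policies.Count) CA policies to $out"
```

Two practical notes. First, to recreate a lost policy from one of the exported files, pass the object to New-MgIdentityConditionalAccessPolicy after dropping the read-only Id, CreatedDateTime and ModifiedDateTime fields, and set State to enabledForReportingButNotEnforced so the rebuilt policy can be checked in report-only mode before it can lock anyone out. Second, the export is itself sensitive: it is a map of every privileged principal and every access rule in the tenant, and it belongs under the same access controls as the tenant it describes.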
Devices play a growing role in the security and uptime of modern IT environments. As organizations rely more on Entra ID-joined devices, backing up and restoring device objects becomes as important as backing up users and groups. If a device object is missing or corrupted, the people using that device can lose access to applications and services gated on device identity, causing significant disruption to daily operations.
As organizations have moved to cloud services and SaaS tools, attacks on Entra ID and on hybrid identity environments have risen with them. Hybrid environments are especially exposed because an attacker who compromises one side, on-premises AD or Entra ID, can often pivot to the other.
This highlights the critical need for robust cloud identity management, backup and recovery strategies. Companies should focus on the following tasks:
- Automate backups to ensure consistency and reduce human error.
- Leverage advanced recovery options, such as differential restores, to minimize downtime and resource use.
- Fill the gaps in native tooling with backup and recovery tools that cover what Microsoft's Recycle Bin does not: relationships such as group memberships and role assignments, Conditional Access Policies, and device objects.
- Proactively manage configurations to avoid missteps that could leave identity systems vulnerable to attacks.
Organizations modernizing their identity systems must stay vigilant to address gaps, secure identity environments, and prepare for potential incidents. By investing in comprehensive and tested identity management strategies, such as Identity Threat Detection and Response (ITDR), businesses can mitigate risks, protect critical assets, and ensure uninterrupted productivity as threats arise.
Sergey Medved, vice president of product management, Quest
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.