What is Entra ID backup?

Snapshotting Microsoft Entra ID's configuration — Conditional Access policies, role assignments, app registrations, group memberships — so changes can be detected and reverted. Distinct from mailbox or AD on-prem backup.

Definition

Entra ID backup is the practice (and product category) of capturing and storing the configuration state of Microsoft Entra ID (formerly Azure Active Directory) so that changes can be detected, audited, and reverted. The category exists because Microsoft's native protections for Entra ID configuration are limited: most Entra object types do not have a recycle bin, audit log retention is 30 days on default plans, and there is no native “undo” for configuration changes.

Entra ID is a special case worth its own term because it's the keystone of identity for Microsoft 365: every sign-in, every authorisation decision, every conditional access evaluation runs through it. Configuration drift in Entra has security consequences faster than configuration drift in any other M365 surface.

What gets backed up

  • Conditional Access policies. The single most-targeted Entra object in real-world incidents. Disabling, modifying, or deleting CA policies is a common attacker post-compromise action.
  • Named locations and authentication strengths. Trusted-IP and country-list configurations that other Entra objects depend on.
  • Authentication methods policy. Which auth methods (FIDO2, Authenticator app, SMS, voice) are allowed for which users.
  • Role assignments. Directory roles (Global Administrator, Security Administrator, etc.) and PIM (Privileged Identity Management) eligible / active assignments.
  • App registrations and service principals. Including OAuth permission grants and admin consent state. Highly sensitive — malicious app registrations are a common persistence mechanism.
  • Group memberships. Especially for security-sensitive groups (admin groups, license groups, PIM-eligible groups).
  • Custom security attributes. Used for attribute-based access control (ABAC) decisions.
  • Domain configuration. Verified domains, federation trust state.

Why it matters

The threat model for Entra ID is fundamentally different from the threat model for mailbox content. Mailbox content gets corrupted or deleted by user error, ransomware, or accidental policy. Entra ID configuration gets weaponised: an attacker who compromises a global admin doesn't usually delete things — they reconfigure things to maintain access and broaden their reach.

Specific incident patterns Entra ID backup addresses:

  • Disabled MFA enforcement on admin accounts after credential phishing.
  • Malicious OAuth app registration with high-privilege Graph scopes (Mail.ReadWrite.All, Files.ReadWrite.All).
  • Service principals promoted to privileged directory roles.
  • CA policy carve-outs for specific user accounts the attacker controls.
  • Authentication-methods-policy changes lowering required factor strength.
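As an added illustration (not code from this page or from Lavawall), the following Python script shows how the object types listed under "What gets backed up" can be captured in a snapshot and how a diff between two snapshots surfaces the five incident patterns just listed. The snapshot shape, the object names, the scope and role lists, and the "after" state are all constructed for this example and are not a Microsoft Graph export; the severity levels are an assumed rating, not a product's.

```python
"""Snapshot-diff detector for the Entra ID configuration drift patterns
listed above. The snapshot shape is an assumption made for this example
(a simplified, hand-built structure, not a Graph API export)."""
import copy

# Graph application permissions treated as high-privilege when newly granted.
HIGH_PRIV_SCOPES = {"Mail.ReadWrite.All", "Files.ReadWrite.All",
                    "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory"}
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Security Administrator"}
WEAK_AUTH_METHODS = {"sms", "voice"}

# Constructed baseline snapshot (the "known good" state).
BASELINE = {
    "conditionalAccessPolicies": {
        "ca-001": {"displayName": "Require MFA for admins",
                   "state": "enabled", "excludeUsers": []},
    },
    "authenticationMethodsPolicy": {"fido2": True, "microsoftAuthenticator": True,
                                    "sms": False, "voice": False},
    "appRegistrations": {
        "app-hr": {"displayName": "HR Sync", "grantedScopes": ["User.Read.All"]},
    },
    "roleAssignments": {"Global Administrator": ["alice@contoso.example"]},
}


def constructed_post_compromise_snapshot(snapshot):
    """Build a constructed 'after' snapshot that reproduces the patterns listed above."""
    s = copy.deepcopy(snapshot)
    ca = s["conditionalAccessPolicies"]["ca-001"]
    ca["state"] = "disabled"                                  # MFA enforcement off
    ca["excludeUsers"].append("svc-backup@contoso.example")   # CA carve-out
    s["authenticationMethodsPolicy"]["sms"] = True            # weaker factor allowed
    s["appRegistrations"]["app-mailer"] = {                   # new app with a mail scope
        "displayName": "Mail Helper", "grantedScopes": ["Mail.ReadWrite.All"]}
    s["roleAssignments"]["Global Administrator"].append("sp:app-mailer")  # SP promoted
    return s


def diff_snapshots(before, after):
    """Compare two snapshots; return findings as (severity, object_type, object_id, detail)."""
    findings = []

    b_ca, a_ca = before["conditionalAccessPolicies"], after["conditionalAccessPolicies"]
    for pid in b_ca.keys() - a_ca.keys():
        findings.append(("critical", "conditionalAccessPolicy", pid, "policy deleted"))
    for pid, pol in a_ca.items():
        old = b_ca.get(pid)
        if old is None:
            findings.append(("medium", "conditionalAccessPolicy", pid, "new policy created"))
            continue
        if old["state"] == "enabled" and pol["state"] != "enabled":
            findings.append(("critical", "conditionalAccessPolicy", pid,
                             f"state changed enabled -> {pol['state']}"))
        for user in sorted(set(pol["excludeUsers"]) - set(old["excludeUsers"])):
            findings.append(("high", "conditionalAccessPolicy", pid, f"exclusion added: {user}"))

    b_auth, a_auth = before["authenticationMethodsPolicy"], after["authenticationMethodsPolicy"]
    for method, enabled in a_auth.items():
        if enabled and not b_auth.get(method, False):
            sev = "high" if method in WEAK_AUTH_METHODS else "low"
            findings.append((sev, "authenticationMethodsPolicy", method, "method enabled"))

    b_apps, a_apps = before["appRegistrations"], after["appRegistrations"]
    for app_id, app in a_apps.items():
        old_scopes = set(b_apps[app_id]["grantedScopes"]) if app_id in b_apps else set()
        added = set(app["grantedScopes"]) - old_scopes
        if not added:
            continue
        sev = "critical" if added & HIGH_PRIV_SCOPES else "medium"
        findings.append((sev, "appRegistration", app_id, f"scopes granted: {sorted(added)}"))

    b_roles, a_roles = before["roleAssignments"], after["roleAssignments"]
    for role, members in a_roles.items():
        for m in sorted(set(members) - set(b_roles.get(role, []))):
            sev = "critical" if role in PRIVILEGED_ROLES else "medium"
            kind = "service principal" if m.startswith("sp:") else "user"
            findings.append((sev, "roleAssignment", role, f"{kind} {m} assigned"))
    return findings


SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def highest_severity(findings):
    """Overall severity for the comparison ('none' if nothing changed)."""
    if not findings:
        return "none"
    return max((f[0] for f in findings), key=SEVERITY_ORDER.__getitem__)


if __name__ == "__main__":
    after = constructed_post_compromise_snapshot(BASELINE)
    findings = diff_snapshots(BASELINE, after)
    for f in findings:
        print(*f, sep=" | ")
    print("overall:", highest_severity(findings))
```

Running the script prints five findings (the disabled policy, the new exclusion, SMS being enabled, the new app's mail scope, and the service principal added to Global Administrator). The point a defender should take from it is that each pattern is only detectable because a trusted baseline exists to diff against; without the stored snapshot, the same comparison has to be rebuilt by hand from the audit log.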

Without Entra ID backup, recovering from these typically requires manual investigation and manual remediation — slow, error-prone, and dependent on the audit log being thorough enough to reconstruct what changed.

How Lavawall® helps with Entra ID backup

Entra ID backup is part of Lavawall®'s broader M365 / Entra / Azure configuration backup & rollback module. Snapshots cover Conditional Access policies, named locations, authentication methods policy, role assignments, app registrations, service principals, group memberships, custom security attributes, and domain configuration.

Each detected change correlates with the M365 audit log to surface UPN, IP, country, and audit event ID. Severity is computed at detection time. Rollbacks follow a strict plan → approve → execute lifecycle with dry-run preview.
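To make the lifecycle in the paragraph above concrete, here is an added Python example (written for this page, not Lavawall's implementation) that correlates detected changes with audit records to recover UPN, IP, country and event ID, then drives a rollback plan through plan, dry-run preview, approve and execute. The audit records, findings and tenant state are constructed and deliberately simplified; they do not reproduce the M365 audit log schema.

```python
"""Audit-log correlation for detected Entra changes and a
plan -> approve -> execute rollback lifecycle with dry-run preview.
Added illustration; the record shapes are assumptions for this example,
not the M365 audit schema or any product's data model."""
import copy
from dataclasses import dataclass
from typing import Optional

# Constructed audit records (simplified; real audit events carry many more fields).
AUDIT_LOG = [
    {"id": "evt-1001", "operation": "Update conditional access policy",
     "target": "ca-001", "upn": "alice@contoso.example",
     "ip": "203.0.113.7", "country": "NL", "time": "2024-05-01T02:14:00Z"},
    {"id": "evt-1002", "operation": "Consent to application",
     "target": "app-mailer", "upn": "alice@contoso.example",
     "ip": "203.0.113.7", "country": "NL", "time": "2024-05-01T02:16:30Z"},
]

# Constructed findings from a snapshot comparison: object id, attribute, old and new value.
FINDINGS = [
    {"object_id": "ca-001", "attribute": "state", "old": "enabled", "new": "disabled"},
    {"object_id": "app-mailer", "attribute": "grantedScopes",
     "old": [], "new": ["Mail.ReadWrite.All"]},
    {"object_id": "ca-002", "attribute": "state", "old": "enabled", "new": "disabled"},
]

# Constructed current tenant state that the rollback is applied to.
CURRENT_STATE = {
    "ca-001": {"state": "disabled"},
    "app-mailer": {"grantedScopes": ["Mail.ReadWrite.All"]},
    "ca-002": {"state": "disabled"},
}


def correlate(findings, audit_log):
    """Attach the latest audit event for each finding's target (event id, UPN, IP, country)."""
    by_target = {}
    for ev in sorted(audit_log, key=lambda e: e["time"]):
        by_target.setdefault(ev["target"], []).append(ev)
    correlated = []
    for f in findings:
        events = by_target.get(f["object_id"], [])
        ev = events[-1] if events else None
        actor = None if ev is None else {k: ev[k] for k in ("id", "upn", "ip", "country")}
        # actor None means the change has no matching event in the retained audit window
        correlated.append({**f, "actor": actor})
    return correlated


@dataclass
class RollbackPlan:
    steps: list
    approved_by: Optional[str] = None
    executed: bool = False


def plan_rollback(correlated):
    """Plan: one step per finding, restoring the value from the snapshot."""
    steps = [{"object_id": f["object_id"], "attribute": f["attribute"],
              "set_to": copy.deepcopy(f["old"]), "actor": f["actor"]} for f in correlated]
    return RollbackPlan(steps=steps)


def dry_run(plan, state):
    """Preview (object, attribute, current value, restored value) without touching state."""
    return [(s["object_id"], s["attribute"],
             state.get(s["object_id"], {}).get(s["attribute"]), s["set_to"])
            for s in plan.steps]


def approve(plan, approver):
    """Record who approved the plan; execution is refused until this has happened."""
    plan.approved_by = approver
    return plan


def execute(plan, state):
    """Apply the plan to a copy of state; refuses unapproved or already-executed plans."""
    if plan.approved_by is None:
        raise PermissionError("rollback plan has not been approved")
    if plan.executed:
        raise RuntimeError("rollback plan was already executed")
    new_state = copy.deepcopy(state)
    for s in plan.steps:
        new_state.setdefault(s["object_id"], {})[s["attribute"]] = copy.deepcopy(s["set_to"])
    plan.executed = True
    return new_state


if __name__ == "__main__":
    plan = plan_rollback(correlate(FINDINGS, AUDIT_LOG))
    for row in dry_run(plan, CURRENT_STATE):
        print("would set", row)
    restored = execute(approve(plan, "soc-lead@contoso.example"), CURRENT_STATE)
    print(restored)
```

Two design points matter for an operator: the dry run reads the current state but never writes it, so a reviewer can inspect exactly which attributes would change before approving, and `execute` refuses both unapproved plans and repeat executions, which keeps the approval step from being bypassed by a retry. The third finding (`ca-002`) has no audit event, which is the case the text describes when retention has already expired; the snapshot still allows the rollback even though the actor cannot be identified.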

Lavawall® covers more than just Entra: the same engine handles Intune profiles, M365 organisation settings, and Azure subscription resources (NSG, Key Vault, RBAC, managed identities). For MSPs that want one tool for the whole Microsoft cloud surface, that's a meaningful simplification over running a dedicated Entra-only product alongside other config-recovery tooling.

Frequently asked

Is Entra ID the same as Active Directory?
No. Active Directory is the on-premises directory service; Entra ID (formerly Azure Active Directory) is Microsoft's cloud identity service. They can be synced, but they're separate systems with separate object models, different APIs, and different backup tooling.

Does Microsoft back up Entra ID for me?
No. Microsoft maintains the platform, but the “shared responsibility” model puts protection of your data — including configuration data — on you. Most Entra object types have no recycle bin, and the ones that do purge soft-deleted objects permanently after 30 days. Audit logs are retained for 30 days on default plans.

What about Microsoft Entra ID's native backup feature?
Microsoft has begun building Entra ID protection capabilities, but they're limited in scope and don't replace dedicated configuration-backup tooling. They also don't offer the cross-tenant management and structured rollback workflows MSPs need.