4 Reasons Why the Recycle Bin Can’t Fully Protect Azure Active Directory

Let’s face it, user errors are a reality, and the threat of malicious actors breaching Active Directory, both on-premises and in Azure, is on the rise. Protecting your directory data has never been more important, yet no native tooling exists to track changes, store previous attribute values or let administrators roll those changes back immediately.

Microsoft provides limited tools to recover a deleted user account, but what about when an AD object is changed rather than deleted? Restoring the object and its associated permissions, group memberships, roles and application assignments can be a manual, expensive and error-prone process.

As Microsoft MVP Brien Posey outlined recently in his paper, there are four things about the Recycle Bins that IT teams need to understand if they want to avoid Azure AD outages, or at least fix them before they impact end users.

  1. Microsoft Won’t Restore Your AD Directory Data

The primary protective mechanisms for on-premises Active Directory environments are the Active Directory Recycle Bin and any backups that you create yourself.  For Azure AD, Microsoft’s cloud-based Active Directory, many users believe that Microsoft backs it up on their behalf.  In reality, organizations are 100% responsible for backing up their own Azure AD environments. The only significant protective mechanism that Microsoft provides is the Azure AD Recycle Bin, which is helpful, but not a complete solution.

  2. The Active Directory Recycle Bin Only Protects Against Deletions

The Recycle Bin is the go-to mechanism for recovering from Active Directory problems, so it is important to understand both its capabilities and its limitations. While the AD and Azure AD Recycle Bins offer a degree of protection, they were never intended to take the place of backups.

In many ways, the AD and Azure AD Recycle Bins function similarly to the Recycle Bin that is built into Windows 10. If a user deletes a document from a Windows 10 PC’s hard disk, that item is not physically deleted, but rather is placed into the Recycle Bin. This allows the item to be easily recovered if necessary. But if the documents on a user’s Windows 10 PC were to be encrypted by ransomware, the Recycle Bin would provide no means of recovering the now encrypted documents. That’s because the Windows 10 Recycle Bin protects only against deletions, not modifications, whether accidental or malicious.

The AD and Azure AD Recycle Bins serve a similar purpose. They exist to protect organizations when a directory object is accidentally deleted, but they do nothing to protect against unwanted modifications to objects that still exist, because they hold no record of an attribute’s previous value. Only backups, or a third-party tool that records every change, give you point-in-time recovery for modified objects.
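The missing piece the paragraph above describes is a store of previous values. As an added example, not code from the original post or from Cayosoft, the script below keeps a minimal one for Azure AD users: it snapshots a chosen set of attributes to JSON, diffs a later snapshot against it, and writes a single attribute back. It assumes the Microsoft Graph PowerShell SDK and an existing Connect-MgGraph session with User.ReadWrite.All; the snapshot folder and the attribute list are illustrative choices.

```powershell
# Added example (not from the original post): a minimal "previous values" store for Azure AD
# user attributes. The Recycle Bin keeps deleted objects, not prior attribute values, so a
# snapshot taken before a change is the only native-free way to see and reverse a modification.
# Assumes the Microsoft Graph PowerShell SDK and an existing Connect-MgGraph session with
# User.ReadWrite.All. The snapshot folder and attribute list are illustrative choices.

$snapshotDir = 'C:\AADSnapshots'
# Attribute names deliberately match Update-MgUser parameter names so they can be splatted back.
$attributes  = 'Id','UserPrincipalName','DisplayName','JobTitle','Department','UsageLocation','AccountEnabled'

function Save-UserSnapshot {
    param([Parameter(Mandatory)][string]$Path)
    $users = Get-MgUser -All -Property $attributes | Select-Object -Property $attributes
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    $users | ConvertTo-Json -Depth 3 | Set-Content -Path $Path -Encoding UTF8
    $users.Count
}

function Compare-UserSnapshot {
    # Emits one row per changed attribute, carrying the Before value needed for rollback.
    param([Parameter(Mandatory)][string]$BeforePath, [Parameter(Mandatory)][string]$AfterPath)
    $before = @{}
    foreach ($u in (Get-Content $BeforePath -Raw | ConvertFrom-Json)) { $before[$u.Id] = $u }
    foreach ($u in (Get-Content $AfterPath -Raw | ConvertFrom-Json)) {
        $old = $before[$u.Id]
        if (-not $old) { continue }             # created after the first snapshot: nothing to compare
        foreach ($a in $attributes) {
            if ("$($old.$a)" -cne "$($u.$a)") {
                [pscustomobject]@{
                    Id        = $u.Id
                    Upn       = $u.UserPrincipalName
                    Attribute = $a
                    Before    = $old.$a
                    After     = $u.$a
                }
            }
        }
    }
}

function Restore-UserAttribute {
    # Writes a single attribute back to its snapshot value by splatting it onto Update-MgUser.
    param([Parameter(Mandatory)][string]$Id, [Parameter(Mandatory)][string]$Attribute, $Value)
    $patch = @{ $Attribute = $Value }
    Update-MgUser -UserId $Id @patch
}

# Usage (constructed): snapshot, let time pass, snapshot again, review, roll back one attribute.
# Save-UserSnapshot -Path "$snapshotDir\users-before.json"
# Save-UserSnapshot -Path "$snapshotDir\users-after.json"
# $changes = Compare-UserSnapshot "$snapshotDir\users-before.json" "$snapshotDir\users-after.json"
# $changes | Format-Table Upn, Attribute, Before, After
# $changes | Where-Object Attribute -eq 'Department' |
#     ForEach-Object { Restore-UserAttribute -Id $_.Id -Attribute $_.Attribute -Value $_.Before }
```

Two caveats a practitioner should keep in mind: a snapshot only catches what is in the attribute list, so group memberships, role assignments and licence state need their own export, and the diff tells you what changed but not who changed it; the audit log is still required for that.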

  3. The Recycle Bin Won’t Always Protect You Against Accidental Deletions

So the AD and Azure AD Recycle Bins exist to protect you against the accidental deletion of directory objects, and for some object types they do (Azure AD keeps a soft-deleted user for 30 days before purging it), but not for all of them. If an administrator accidentally deletes an Active Directory user, for example, it is possible to restore the user object from its deleted state in the Recycle Bin. Even so, the Recycle Bin has a number of inherent limitations, and an object that needs to be restored may not exist within the Recycle Bin at all. We covered 3 Reasons The Recycle Bin Won’t Always Protect You Against Accidental Deletions in a previous blog.
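To see exactly what the Azure AD Recycle Bin is holding for you right now, and how close each item is to the 30-day purge, the following added example (not code from the original post or from Cayosoft) lists soft-deleted users with their remaining days and restores one by user principal name. It assumes the Microsoft Graph PowerShell SDK and a Connect-MgGraph session with User.ReadWrite.All and Directory.ReadWrite.All; the 30-day constant is Azure AD’s retention period.

```powershell
# Added example (not from the original post): inspect and restore Azure AD soft-deleted users.
# Assumes the Microsoft Graph PowerShell SDK and an existing Connect-MgGraph session with
# User.ReadWrite.All and Directory.ReadWrite.All.

$retentionDays = 30   # Azure AD purges soft-deleted users after 30 days

function Get-RecoverableUser {
    # One row per user currently in the Recycle Bin, with the days left before it is purged.
    $now = (Get-Date).ToUniversalTime()
    Get-MgDirectoryDeletedItemAsUser -All -Property Id,DisplayName,UserPrincipalName,DeletedDateTime |
        ForEach-Object {
            $age = [int][math]::Floor(($now - $_.DeletedDateTime.ToUniversalTime()).TotalDays)
            [pscustomobject]@{
                Id                = $_.Id
                DisplayName       = $_.DisplayName
                UserPrincipalName = $_.UserPrincipalName   # Azure AD prefixes this with the object id while deleted
                DeletedDateTime   = $_.DeletedDateTime
                DaysUntilPurge    = $retentionDays - $age
            }
        }
}

function Restore-RecoverableUser {
    # Restores a soft-deleted user by its original UPN. Matching on the suffix copes with the
    # object-id prefix Azure AD adds to the UPN of a deleted user.
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $hits = @(Get-MgDirectoryDeletedItemAsUser -All -Property Id,UserPrincipalName |
              Where-Object { $_.UserPrincipalName -like "*$UserPrincipalName" })
    if ($hits.Count -eq 0) {
        throw "No soft-deleted user matches '$UserPrincipalName': it was hard-deleted, purged after $retentionDays days, or never existed. Only a backup can help now."
    }
    if ($hits.Count -gt 1) {
        throw "Several soft-deleted users match '$UserPrincipalName'; restore by Id instead."
    }
    Restore-MgDirectoryDeletedItem -DirectoryObjectId $hits[0].Id
}

# Usage (constructed):
# Get-RecoverableUser | Sort-Object DaysUntilPurge | Format-Table DisplayName, UserPrincipalName, DaysUntilPurge
# Restore-RecoverableUser -UserPrincipalName 'jane.doe@contoso.example'
```

The throw on a missing item is the practical point: a user deleted through a hard delete, or more than 30 days ago, produces an empty result here, and at that moment the Recycle Bin has nothing to offer.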

  4. Not All Object Types Are Protected

Another critically important thing to know about the Recycle Bins is that not all objects are protected. On-premises, the Active Directory Recycle Bin protects any deleted Active Directory object, so long as the feature has been enabled for the forest; it is off by default, and once enabled it cannot be turned off again.

In contrast, the Azure AD Recycle Bin was primarily designed to protect user objects. It also protects Office 365 groups (sometimes called unified groups). It does not, however, offer any protection for security groups or distribution groups: delete one of those and it is gone immediately, together with its membership and ownership.
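Because the object-type gap is easy to forget at the moment of deletion, a guard in the deletion path is worth more than a warning in a document. The added example below (not code from the original post or from Cayosoft) checks whether the on-premises Recycle Bin is actually enabled, refuses to silently hard-delete an Azure AD group that the Recycle Bin would not keep, and shows how much of such a group can be rebuilt afterwards. Test-AdRecycleBin needs the ActiveDirectory (RSAT) module; the group functions assume the Microsoft Graph PowerShell SDK with Group.ReadWrite.All. The export folder and function names are illustrative.

```powershell
# Added example (not from the original post). Test-AdRecycleBin needs the on-premises
# ActiveDirectory (RSAT) module; the group functions need the Microsoft Graph PowerShell SDK
# and a Connect-MgGraph session with Group.ReadWrite.All. Paths and names are illustrative.

function Test-AdRecycleBin {
    # On-premises: the feature covers every object type, but only once it has been enabled.
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    [bool]($feature.EnabledScopes.Count -gt 0)
}

function Remove-GroupSafely {
    # Azure AD: only Unified (Office 365) groups are soft-deleted. Any other group is gone the
    # moment it is deleted, so capture enough to recreate it by hand before removing it.
    param([Parameter(Mandatory)][string]$GroupId, [string]$ExportDir = 'C:\AADGroupExports')
    $g = Get-MgGroup -GroupId $GroupId -Property Id,DisplayName,Description,MailNickname,MailEnabled,SecurityEnabled,GroupTypes
    if ($g.GroupTypes -contains 'Unified') {
        Write-Host "$($g.DisplayName) is an Office 365 group; it will sit in the Recycle Bin for 30 days."
    } else {
        $export = [ordered]@{
            Group   = $g | Select-Object Id,DisplayName,Description,MailNickname,MailEnabled,SecurityEnabled
            Members = @(Get-MgGroupMember -GroupId $GroupId -All | ForEach-Object Id)
            Owners  = @(Get-MgGroupOwner  -GroupId $GroupId -All | ForEach-Object Id)
        }
        New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
        $path = Join-Path $ExportDir "$($g.Id).json"
        $export | ConvertTo-Json -Depth 4 | Set-Content -Path $path -Encoding UTF8
        $kind = if ($g.SecurityEnabled) { 'security' } else { 'distribution' }
        Write-Warning "$($g.DisplayName) is a $kind group and will be hard-deleted. Membership exported to $path."
    }
    Remove-MgGroup -GroupId $GroupId
}

function Restore-SecurityGroupFromExport {
    # Rebuilds a hard-deleted security group from the export. The new group gets a NEW object id,
    # so role assignments, app role assignments and Conditional Access rules that referenced the
    # old id are not restored; that part stays manual. Distribution groups cannot be created via
    # Graph at all and must be recreated in Exchange Online.
    param([Parameter(Mandatory)][string]$Path)
    $export = Get-Content $Path -Raw | ConvertFrom-Json
    if ($export.Group.MailEnabled -or -not $export.Group.SecurityEnabled) {
        throw "Only non-mail-enabled security groups can be recreated with this function."
    }
    $params = @{
        DisplayName     = $export.Group.DisplayName
        MailNickname    = $export.Group.MailNickname
        MailEnabled     = $false
        SecurityEnabled = $true
    }
    if ($export.Group.Description) { $params.Description = $export.Group.Description }
    $new = New-MgGroup @params
    foreach ($id in $export.Members) {
        New-MgGroupMemberByRef -GroupId $new.Id -BodyParameter @{ '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$id" }
    }
    foreach ($id in $export.Owners) {
        New-MgGroupOwnerByRef -GroupId $new.Id -BodyParameter @{ '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$id" }
    }
    $new
}
```

Note what the rebuild does not give back: every reference to the old group by object id, from Azure RBAC and app role assignments to Conditional Access policies, still points at a group that no longer exists. That is exactly the manual, error-prone clean-up the introduction warns about, and it is why an export taken at deletion time is a mitigation, not a substitute for a backup or a change-tracking tool.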

To learn more download “8 Truths & Tips: Avoiding Outages in Azure Active Directory and Hybrid AD”, a paper by Microsoft MVP Brien Posey or register to view our on-demand webinar, “Preventing Azure and Hybrid AD Outages: The Unsettling Truth”.

Looking for a solution to help prevent Azure AD outages? Cayosoft Guardian recovers and protects Azure Active Directory and hybrid AD data. With Guardian monitoring all directory changes, administrators can quickly see, understand and rollback mistakes or malicious changes across their entire hybrid AD environment.  Try it free today!
