TL;DR: Entra ID recovery often fails when teams restore users and groups but leave behind device identities, Intune policies, and custom security attributes that drive real access decisions, according to Semperis. Recovery that ignores those layers can preserve directory objects while still breaking Conditional Access, endpoint posture, and business access continuity.
NHIMG editorial — based on content published by Semperis: Identity building blocks you don’t want to lose in Entra ID recovery
Questions worth separating out
Q: How should teams recover Entra ID without breaking Conditional Access?
A: Teams should restore the identity signals that Conditional Access actually depends on, not only users and groups.
Q: What breaks when only users and groups are restored in Entra ID?
A: Access can break even though directory objects appear restored.
Q: Why do custom security attributes matter in identity recovery?
A: Custom security attributes often carry the business rules that applications use to make access decisions.
Practitioner guidance
- Map access dependencies before defining restore scope. Document which Entra ID device objects, Intune policies, and custom attributes directly influence Conditional Access and application authorisation.
- Test recovery against access outcomes, not just object restoration. Run tabletop and technical recovery tests that verify users can sign in, endpoints remain compliant, and downstream applications still read the expected attributes after restore.
- Treat device identities as governed identity assets. Include Entra ID device objects in lifecycle, backup, and restore processes so trust signals survive incidents instead of forcing weaker access exceptions.
What's in the full article
Semperis' full article covers the operational detail this post intentionally leaves for the source:
- Backup and restore scope for Entra ID device objects and how that differs from standard user recovery.
- Intune policy recovery considerations for preserving endpoint compliance and Conditional Access behaviour.
- User custom security attributes that applications depend on and how they should be included in recovery planning.
- The practical recovery gaps that appear when identity, device, and policy state are only partially restored.
👉 Read Semperis' analysis of Entra ID recovery beyond users and groups →
Entra ID recovery beyond users and groups: what teams miss?
Explore further
Identity recovery that stops at users and groups is structurally incomplete. Entra ID access now depends on multiple signals, including device identity, endpoint posture, and custom attributes. When recovery only restores the directory core, the organisation regains objects but loses the conditions that make those objects usable. The implication is that recovery must be designed around access dependencies, not directory completeness.
A few things that frame the scale:
- 67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments, according to the 2026 Infrastructure Identity Survey.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security, according to the 2026 Infrastructure Identity Survey.
A question worth separating out:
Q: Who should own recovery for Entra ID device identities and Intune policies?
A: Identity, endpoint, and platform teams should share ownership, because these controls span authentication, compliance, and access governance. If one team owns only the directory and another owns only the device estate, the restore process can reassemble parts of the environment without restoring the full access model. Joint testing is the only reliable answer.
👉 Read our full editorial: Entra ID recovery depends on restoring devices and attributes