TL;DR: Entra ID recovery often fails when teams restore users and groups but leave behind device identities, Intune policies, and custom security attributes that drive real access decisions, according to Semperis. Recovery that ignores those layers can preserve directory objects while still breaking Conditional Access, endpoint posture, and business access continuity.
NHIMG editorial — based on content published by Semperis: Identity building blocks you don’t want to lose in Entra ID recovery
Questions worth separating out
Q: How should teams recover Entra ID without breaking Conditional Access?
A: Teams should restore the identity signals that Conditional Access actually depends on, not only users and groups.
Q: What breaks when only users and groups are restored in Entra ID?
A: Access can still break: Conditional Access and application authorisation depend on device identities, Intune policies, and custom security attributes that a users-and-groups restore leaves behind, so directory objects appear restored while sign-in and endpoint compliance fail.
Q: Why do custom security attributes matter in identity recovery?
A: Custom security attributes often carry the business rules that applications use to make access decisions.
Practitioner guidance
- Map access dependencies before defining restore scope. Document which Entra ID device objects, Intune policies, and custom attributes directly influence Conditional Access and application authorisation.
- Test recovery against access outcomes, not just object restoration. Run tabletop and technical recovery tests that verify users can sign in, endpoints remain compliant, and downstream applications still read the expected attributes after restore.
- Treat device identities as governed identity assets. Include Entra ID device objects in lifecycle, backup, and restore processes so trust signals survive incidents instead of forcing weaker access exceptions.
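The first two guidance points, mapping what access decisions depend on and testing the restore against those dependencies, can be partly automated. The check below is an added example, not Semperis' or NHIMG's code: it walks a constructed set of Conditional Access policies and application attribute dependencies (shapes loosely modelled on Microsoft Graph, an assumption) against a restored-object inventory and reports every dependency the restore scope missed.

```python
from typing import Dict, List, Set

# Constructed sample Conditional Access policies (not from a real tenant).
# Field names loosely follow the Graph conditionalAccessPolicy shape; treat
# that mapping as an assumption and adapt it to your own export.
POLICIES = [
    {"displayName": "Finance: require compliant device",
     "conditions": {"users": {"includeGroups": ["grp-finance"]}},
     "grantControls": {"builtInControls": ["compliantDevice"]}},
    {"displayName": "Admins: require MFA",
     "conditions": {"users": {"includeGroups": ["grp-admins"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
]
# Constructed sample: custom security attributes (AttributeSet.Name) that
# each application reads when it makes an authorisation decision.
APP_ATTRIBUTE_DEPENDENCIES = {
    "payroll-app": ["Engineering.CostCenter"],
    "erp-app": ["Compliance.DataClassification"],
}

def find_recovery_gaps(policies: List[dict], app_deps: Dict[str, List[str]],
                       restored: Dict[str, Set[str]]) -> List[str]:
    """Return one line per access dependency the restore scope did not cover."""
    gaps = []
    for p in policies:
        name = p["displayName"]
        for g in p["conditions"]["users"].get("includeGroups", []):
            if g not in restored["groups"]:
                gaps.append(f"{name}: scoped group {g} not restored")
        controls = p.get("grantControls", {}).get("builtInControls", [])
        if "compliantDevice" in controls:
            # Device compliance needs both the device objects (trust signal)
            # and the Intune policies that compute the compliant state.
            if not restored["device_objects"]:
                gaps.append(f"{name}: requires compliant device but no device objects restored")
            if not restored["intune_compliance_policies"]:
                gaps.append(f"{name}: requires compliant device but no Intune compliance policies restored")
    for app, attrs in app_deps.items():
        for a in attrs:
            if a not in restored["custom_security_attributes"]:
                gaps.append(f"{app}: reads custom security attribute {a} which was not restored")
    return gaps

# Constructed post-restore inventory: users and groups came back, nothing else did.
RESTORED_USERS_AND_GROUPS_ONLY = {
    "groups": {"grp-finance", "grp-admins"},
    "device_objects": set(),
    "intune_compliance_policies": set(),
    "custom_security_attributes": {"Engineering.CostCenter"},
}
```

Run `find_recovery_gaps(POLICIES, APP_ATTRIBUTE_DEPENDENCIES, RESTORED_USERS_AND_GROUPS_ONLY)` as a recovery-test step; an empty list is the pass condition.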
What's in the full article
Semperis' full article covers the operational detail this post intentionally leaves for the source:
- Backup and restore scope for Entra ID device objects and how that differs from standard user recovery.
- Intune policy recovery considerations for preserving endpoint compliance and Conditional Access behaviour.
- User custom security attributes that applications depend on and how they should be included in recovery planning.
- The practical recovery gaps that appear when identity, device, and policy state are only partially restored.