Entra ID Retention Policy: Everything You Need to Know About Data Retention in Entra ID

January 16, 2024

Before you consider investing in a third-party backup tool for Entra ID (formerly Azure AD), it's important to familiarize yourself with the built-in data retention and configuration backup mechanisms offered within the platform by Microsoft.

Depending on its retention policy, Entra ID retains your tenant data for anywhere from 14 days to 1 year. While this is not a full-service backup solution, it still gives business users a window in which to export their data to a more secure storage system off site.

Today, we'll be taking a detailed look at the different types of data retention and backup options available natively within Entra ID, so that you can better understand where and when a third-party backup solution might fit in. Want to create a comprehensive retention plan for your business' Entra ID tenant configurations, but don't know where to start? Keep reading!

An Overview of the Different Data Retention Mechanisms in Entra ID

Azure Active Directory offers several built-in data retention and backup features to safeguard your tenant configuration against sudden disruptions and external threats. Here's a quick overview of each, with information on their retention period and retention policy:

Auditing and Monitoring

Unified Audit Log: Entra ID provides a detailed audit log to track and monitor user activities, sign-in attempts, and configuration changes through Microsoft Purview. The retention period for these audit logs is 30 days by default, but you can extend it to a maximum of 730 days (2 years) if you have an Entra ID Premium P1 or P2 subscription.

Azure Monitor: Azure Monitor integrates with Entra ID to collect, analyze, and act on telemetry data. It helps you monitor the performance and availability of your applications and infrastructure. Data retention in Azure Monitor varies based on the type of data. Metrics are retained for 93 days, Activity Logs for 90 days, and Log Analytics for 31 days to 730 days depending on your subscription tier.

Configurations and Data

Entra ID Backup and Restore: Entra ID automatically backs up directory data every few hours and retains these backups for a maximum of 30 days. In case of accidental deletion or corruption of directory data, you can restore objects, users, and groups within this retention period.

Entra ID Recycle Bin: The Recycle Bin is a service that helps administrators recover deleted objects in Azure Active Directory. When an object such as a user, group, or application is deleted, it is soft-deleted and moved to the Recycle Bin. Deleted items remain there for 30 days, during which they can be restored. Once the 30-day period has passed, the objects are permanently deleted from the system.

Entra ID Connect: Entra ID Connect is a tool that synchronizes on-premises Active Directory data with Entra ID. The retention period for data in Entra ID Connect depends on the data type and synchronization settings. Deleted objects are retained for 30 days by default and can be configured to extend up to 365 days. Staged objects are retained for 7 days by default and can be configured up to 365 days.

Entra ID B2C: Entra ID B2C is a customer identity and access management (CIAM) solution that helps organizations manage customer identities and access to applications. The retention period for B2C data depends on the data type. Logs are retained for 30 days by default and can be extended up to 730 days for Premium customers. User profiles and custom attributes are retained until the customer account is deleted.

Why Is the Built-In Data Retention Policy Considered Insufficient?

Entra ID's built-in retention policy provides basic protection to business users in the event of a sudden outage. However, it is not a reliable full-service backup solution because it lacks many key features that are often a must-have for enterprise security and regulatory compliance. Here are a few examples:

Limited Retention Period

Entra ID's built-in retention policies have limited recovery windows, ranging from 30 to 730 days, depending on the log type and service tier. For organizations that require long-term data retention due to regulatory or compliance requirements, these policies are far from sufficient.

No Point-in-Time Recovery

The built-in retention policies in Entra ID do not provide point-in-time recovery or version histories. This means that if an object is accidentally modified multiple times, it is challenging to restore the particular object or the system state to a specific point in time before the change occurred.

Incomplete System Coverage

The built-in retention policies do not provide a comprehensive backup of all the directory data, configurations, and associated services. For example, settings related to Conditional Access Policies and Privileged Identity Management don't have a dedicated recovery solution in Entra ID.

Using Third-Party Solutions to Back Up Entra ID Using the Graph API

Microsoft Graph is a RESTful web API that allows external developers to interact with Entra ID resources programmatically. Using the Graph API allows third-party platforms to access, manage, and manipulate data and objects within Entra ID.

Once it has authenticated itself using the OAuth 2.0 protocol, a third-party backup solution can retrieve Entra ID objects such as users, groups, applications, and more by sending HTTP requests to specific endpoints. It can then store that data using an external cloud storage solution so that it can be used to restore an Entra ID tenant to a previous state on demand.
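The retrieval and snapshot logic described above, as an added illustration that is not the page's or any vendor's code: it follows Graph's @odata.nextLink paging, stores each collection keyed by object id as a point-in-time snapshot, and diffs two snapshots to surface added, removed or modified objects (the gap noted under "No Point-in-Time Recovery"). The Graph call is abstracted as a fetch(url) callable so the example runs offline against constructed sample responses; the endpoint URLs are real Graph v1.0 paths, while the object ids, UPNs and policy name are made up.

```python
import copy

GRAPH = "https://graph.microsoft.com/v1.0"
# Collections to snapshot; Conditional Access policies have no native recovery path in Entra ID.
RESOURCES = {
    "users": f"{GRAPH}/users?$select=id,userPrincipalName,accountEnabled",
    "groups": f"{GRAPH}/groups?$select=id,displayName",
    "conditionalAccessPolicies": f"{GRAPH}/identity/conditionalAccess/policies",
}

def collect_pages(fetch, url):
    """Follow @odata.nextLink until Graph stops paging the collection."""
    items = []
    while url:
        page = fetch(url)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")  # absolute URL, or absent on the last page
    return items

def take_snapshot(fetch):
    """Return {resource: {objectId: object}}; a real fetch GETs url with an OAuth 2.0 bearer token."""
    return {name: {o["id"]: o for o in collect_pages(fetch, url)} for name, url in RESOURCES.items()}

def diff_snapshots(old, new):
    """Per resource, ids added, removed or modified between two point-in-time snapshots."""
    report = {}
    for name in RESOURCES:
        a, b = old.get(name, {}), new.get(name, {})
        report[name] = {"added": sorted(b.keys() - a.keys()),
                        "removed": sorted(a.keys() - b.keys()),
                        "modified": sorted(i for i in a.keys() & b.keys() if a[i] != b[i])}
    return report

# Constructed Graph responses (not real tenant data); the users collection spans two pages.
SAMPLE = {
    RESOURCES["users"]: {"value": [{"id": "u1", "userPrincipalName": "a@contoso.example", "accountEnabled": True}],
                         "@odata.nextLink": f"{GRAPH}/users?$skiptoken=p2"},
    f"{GRAPH}/users?$skiptoken=p2": {"value": [{"id": "u2", "userPrincipalName": "b@contoso.example", "accountEnabled": True}]},
    RESOURCES["groups"]: {"value": [{"id": "g1", "displayName": "Admins"}]},
    RESOURCES["conditionalAccessPolicies"]: {"value": [{"id": "ca1", "displayName": "Require MFA", "state": "enabled"}]},
}

def demo():
    """Baseline snapshot, then a policy is disabled and a user deleted; the diff reports both."""
    baseline = take_snapshot(SAMPLE.__getitem__)
    changed = copy.deepcopy(SAMPLE)
    changed[RESOURCES["conditionalAccessPolicies"]]["value"][0]["state"] = "disabled"
    del changed[f"{GRAPH}/users?$skiptoken=p2"]["value"][0]
    return diff_snapshots(baseline, take_snapshot(changed.__getitem__))
```

Writing each snapshot to dated files in off-tenant storage is what turns this into the retention store the article describes; the diff is what an auditor or responder would review before restoring an object from an older snapshot.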

Of course, Entra ID backup solutions, even unofficial and third-party ones, that can provide comprehensive storage and recovery for enterprise tenant configurations are still few and far between. For example, you can use PowerShell Desired State Configuration (PowerShell DSC) to call the Graph API and back up tenant configurations as required from a command-line interface. However, this process is code-intensive and requires engineering skills to even attempt. Microsoft 365 DSC is an open-source tool from Microsoft developers that automates the process to some extent, but it still relies heavily on PowerShell cmdlets, so it is not a true no-code solution.

Automatically Schedule Entra ID Backups Without Code Using Simeon

Simeon Cloud is an end-to-end platform that uses configuration-as-code technology to automate the management of Microsoft 365 configurations and settings, including Entra ID. It enables you to schedule automatic backups of all your settings and policies each time there's a change in your tenant configuration in Entra ID.

Unlike other tools like Microsoft 365 DSC, Simeon Cloud is a no-code platform that allows you to manage all your Microsoft 365 and Entra ID configurations from a single intuitive dashboard without writing a single line of code. It also comes with a detailed audit log of all your configurations so that you can stay up-to-date on any deviations from your tenant baseline.

Want to learn more about how Simeon can help you back up Entra ID past its initial retention period? Request a free demo, today!