Azure Active Directory Recycle Bin Won’t Save Your Critical Data

Uploaded on 2022-01-12 in TECHNOLOGY--Resilience, FREE TO VIEW

The ability to reverse mistakes has probably saved every Active Directory (AD) admin around the world at least one stress-induced headache during their career.  
 
For on-premises AD deployment, the Active Directory Recycle Bin feature allows admins to restore accidentally deleted objects without using a backup. Anything placed in the Recycle Bin is accessible for 180 days. If you make a mistake, the Recycle Bin can be a godsend, and IT teams considering Azure Active Directory will be happy to know that the cloud service has a Recycle Bin feature of its own. 
 
What might surprise them, however, is that there are differences between the on-premises AD Recycle Bin and what is available in the cloud. As useful as the Recycle Bin is, it is not a panacea for your Azure AD resources backup and recovery needs. To understand why, let's talk about the feature’s functionality.  
 
Fixing Accidents  

Before moving to Azure AD, organizations should first assess the impact of the change on their security, data backup, and compliance. Though the Recycle Bin function might seem like a relatively small matter, the reality is that without it, bringing back deleted objects would become a manual, time-consuming process. Both on-premises and in the cloud, enabling the Recycle Bin makes life easier. 
 
Still, as part of assessing your move to the cloud and the functionality of Azure AD, it is important to understand what the Recycle Bin does and does not do.   

  • Rolling back accidental deletions. We all make mistakes. Just like in your on-premises AD environment, the Recycle Bin in Azure AD allows administrators to restore user objects in the event of accidental deletion. 
  • However, all objects are not protected. The Recycle Bin feature for Azure AD enables the recovery of only user objects, application objects, and Office 365 groups. Delete a setting, and the Azure AD Recycle Bin will not be able to help. If you are using Azure AD sync and accidentally delete an on-premises AD user object, the corresponding user object in Azure AD will also be deleted during the next sync cycle.  
  • User objects do not stay in the soft-deleted state for 180 days. This timeframe is a significant difference between Azure and on-premises AD. In Azure, deleted objects are kept only for 30 days. This time limit cannot be extended. After 30 days, the objects are hard-deleted. 
  • Modified object attributes cannot be recovered. While a user object can be brought back from accidental deletion via the Recycle Bin feature, specific attributes cannot be. The only way to restore modified attributes is through backups, which brings us to our next point. 

Partial Solution 

The Recycle Bin cannot serve as a replacement for backups. It is only a starting point. While its functionality might be enough to reverse deleted object mistakes, its limitations preclude it from being a solution to your backup and recovery needs. Enabling the Recycle Bin feature in Azure AD offers protection for a particular scenario. However, if your organization needs to restore information such as modified attributes or recover certain types of objects, the Recycle Bin will not suffice. 

In the event of a ransomware attack, for example, the Recycle Bin is of no use if, for example, user accounts are compromised. In that case, the Recycle Bin won’t help with recovering those accounts. Additionally, the fact that it can be used only to recover a specific type of object that has been deleted for 30 days or less also makes it a non-viable solution for your longer-term backup and recovery needs.  

From the standpoint of an attack, if one of the threat actor’s activities involves deleting users, they will likely go to the Recycle Bin to finish the job. This final deletion will make it impossible to recover the user object without using a backup. But more likely, an attacker is going to change settings such as changing role assignments, turning off multifactor authentication, and altering conditional access policies. 

Without a single spot where administrators can go to evaluate every setting that has been changed, they will be left to remember and manually fix all of the modified configurations.  

In this reality, failing to monitor activity across on-premises and cloud AD environments and failing to implement an effective backup and recovery strategy can lead to disaster. 

For organizations to operate in the cloud with confidence, they need the ability to restore their environment anytime unwanted changes are made. The Recycle Bin offers a partial solution to this need, but is only one piece of a larger Azure AD security puzzle.  

Greg Jones is Senior Product Manager for Azure Solutions at Semperis

You Might Also Read: 

Detecting & Mitigating Cyber Attacks:

 

« African Nations Join UN Cyber Crime Initiative
SIM Swapping Attacks Caused T-Mobile Breach »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Resilient Information Systems Security (RISS)

Resilient Information Systems Security (RISS)

RISS is a research group is in the Department of Computing at Imperial College London.

Adeptis Group

Adeptis Group

Adeptis are experts in cyber security recruitment, providing bespoke staffing solutions to safeguard your organisation against ever-changing cyber threats.

Texplained

Texplained

Texplained specializes in security audits of microchips to identify vulnerabilities and protect against invasive cyber attacks.

Sopra Steria

Sopra Steria

Sopra Steria is a leading European information technology consultancy.

InfoGuard

InfoGuard

InfoGuard is a leading Swiss company providing comprehensive cyber security and network solutions.

Checksum Consultancy

Checksum Consultancy

Checksum Consultancy specializes in Information security, Risk management, and IT governance.

Sergeant Laboratories

Sergeant Laboratories

Sergeant Laboratories builds advanced technologies to prove compliance in complex IT security and regulatory compliance situations.

aDolus Technology

aDolus Technology

aDolus delivers a robust solution for safeguarding against counterfeit or malicious software and firmware in mission-critical systems.

Curricula

Curricula

Curricula's cyber security awareness training delivers short relatable security stories to your employees. We make learning cyber security simple and fun.

swIDCH

swIDCH

swIDch is a technology company that aims to eliminate CNP (card not present) Fraud.

Advent One

Advent One

Advent One are recognised for solving intricate dilemmas, not only making technology work but building foundations that customers can grow upon in an effective and secure way.

European Data Protection Supervisor (EDPS)

European Data Protection Supervisor (EDPS)

The EDPS is the European Union’s independent data protection authority. We monitor and ensure the protection of personal data and privacy when EU institutions and bodies process personal information.

ActiveFence

ActiveFence

ActiveFence enables Trust & Safety teams to be proactive about online integrity so they can keep their users safe from online harm – across content formats, languages, and abuse areas.

Bastion Technologies

Bastion Technologies

All your cyber defense. One platform. Keep your business assets and employees safe under one roof. Manage your cyber defense quickly, easily & efficiently.

Anzen Technology Systems

Anzen Technology Systems

Anzen create software solutions which allows organisations to utilize the public cloud for sensitive or classified information, whilst increasing data security and retaining data sovereignty.

Loccus AI

Loccus AI

Loccus are developers of AI solutions in the voice safety space. We build identity verification solutions, deepfake detection systems and fraud protection products for companies and end-users.