Spring til indhold

Entra Backup and Recovery is here: coverage, licensing and NIS2

By Michal Lampe Sørensen · 7 min read · 6 July 2026

Verified against Microsoft Learn, July 2026

Contents

TL;DR

Microsoft Entra Backup and Recovery became generally available in June 2026. It automatically takes a daily, immutable, Microsoft-managed backup of critical identity objects (users, groups, apps, service principals, Conditional Access policies) with seven days of history, and lets you recover to an earlier state after a mistake or an attack. It requires Entra ID P1 or P2, which is included with Business Premium, Microsoft 365 E3, E5 and E7. It is not a full backup: passwords and AD-synced objects are not included, and history is only seven days.

What Entra Backup and Recovery is

Microsoft Entra Backup and Recovery is a built-in feature in Entra ID (Microsoft’s identity platform, formerly Azure AD) that automatically backs up your most important identity objects once a day and keeps seven days of history. The backup is Microsoft-managed and immutable: no user or app, not even a Global Administrator, can turn it off, change it or delete it.

That is the whole point. If an attacker gains admin access, they often go straight for the very configuration and traces you need to recover. When the backup sits beyond the reach of even the highest administrator, it cannot be wiped as part of the attack. Data resides in the same geographic region as your tenant.

In practice you can view available backups, create a difference report comparing the current state with a backup, and then recover everything, selected object types, or specific object IDs. The feature became generally available in June 2026.

What it covers, and what it does not

The supported objects are users, groups, applications, service principals, Conditional Access policies, named locations, and authentication and authorization policies (selected properties). Agent ID is included too, because it consists of user and service principal objects. So it covers the configuration that a faulty change or an attack most often hits.

At the same time, be honest about the limits, because this is not a full backup:

  • Passwords are not backed up. After recovering users or authentication methods, you may need to set a new password and re-register MFA methods.
  • Only seven days of history. A mistake you notice after a week cannot be rolled back through this feature.
  • Objects synced from on-prem Active Directory stay managed by AD. They appear in difference reports (except group memberships) but cannot be recovered here.
  • Hard-deleted objects cannot be re-created. Soft-deleted users, Microsoft 365 groups, cloud security groups, app registrations and service principals can, however, be restored for 30 days.

The conclusion: it is a strong new line of defense for your identity configuration, but it does not replace a broader backup and recovery strategy for your data such as mailboxes, files and Teams.

The licensing angle: what it requires and which plans include it

Here is what matters for most companies: Entra Backup and Recovery requires Entra ID P1 or P2. If your tenant does not have at least P1, you cannot use the feature.

Here is how the Entra ID tier is included with the common plans:

PlanEntra ID tier
Business Basicfree tier only
Business Standardfree tier only
Business PremiumP1
Microsoft 365 E3P1
Microsoft 365 E5P2
Microsoft 365 E7P2

If you run Business Basic or Standard, you do not have access yet and must either upgrade to Business Premium or buy Entra ID P1 separately. It is one of the features that makes Business Premium more than “Standard with Office”, and a concrete example of why the license tier matters in practice.

Unsure which Entra ID tier your current plan includes? Use the comparison tool to see the plans side by side.

The NIS2 angle: identity has become a backup control

NIS2 (the EU’s network and information security directive) requires, among other things in Article 21, policies for backup, business continuity and crisis management. Most people think of backup as mailboxes and files, but your identity configuration is at least as critical: if a wrong Conditional Access change locks everyone out, or an attacker deletes groups and access roles, operations halt no matter how well your files are protected.

Entra Backup and Recovery addresses exactly that part of resilience. You can quickly see what changed and roll the configuration back to a known good state. It is not the whole NIS2 backup requirement, but it closes a gap that previously required third-party tooling or manual work.

For a company working toward NIS2 or the Danish D-seal, it is worth noting as a concrete control you now have access to, provided the license is in place. Tie it into your wider business continuity so you can document that the identity layer can be recovered too.

How to get started

The feature lives in the Microsoft Entra admin center (entra.microsoft.com) under “Backup and recovery”. There are four views: Overview, Backups (the last seven days), Difference Reports and Recovery History.

Access is governed by two roles, which is good for least privilege:

  • Microsoft Entra Backup Reader: can view backups, compare changes and view recovery history.
  • Microsoft Entra Backup Administrator: can also create difference reports and trigger recovery. The permissions are included in Global Administrator, but assign the specific role rather than handing more people Global Admin.

My advice: always run a difference report and review the changes before you recover. The time it takes depends mostly on how many changes need to be rolled back.

What else changed in June 2026

Entra Backup and Recovery was part of Microsoft’s security updates for June 2026. A few other things from the same round are worth knowing:

  • Unified Identity Risk Score: a single risk assessment per identity that combines behavior, access patterns and threat data and can trigger Conditional Access policies automatically.
  • Microsoft Defender for Local AI Agents (preview): detects local AI agents and MCP (Model Context Protocol) servers on machines and blocks prompt injection attacks against developer tools.
  • Purview customizable reports (generally available): customizable report views in Data Security Posture Management.

The common thread is clear: identity and AI agents are where Microsoft is putting its security effort in 2026. For you, it means the license tier on the identity side (P1 versus P2) increasingly decides which protections you can even access.

Sources: Microsoft Learn: Entra Backup and Recovery overview, Microsoft Entra blog: GA announcement, Microsoft Security: what’s new June 2026.

Are you in scope for NIS2?

Take the free test and see which of Article 21’s ten security requirements your current license covers.

Take the NIS2 test

Frequently asked questions

Which license does Microsoft Entra Backup and Recovery require?+

The feature requires Entra ID P1 or P2. P1 is included with Business Premium, Microsoft 365 E3, E5 and E7, while E5 and E7 provide P2. If you have Business Basic or Standard, you must upgrade or buy P1 separately. Only workforce tenants are supported, not External ID or Azure AD B2C.

Does it back up passwords?+

No. Passwords are not included in the backup. After recovering users or authentication methods, you may need to set a new password and re-register MFA methods. The feature covers configuration and objects, not secrets.

How far back can you recover?+

One backup is taken per day, and seven days of history are kept. In addition, soft-deleted users, Microsoft 365 groups, cloud security groups, app registrations and service principals can be restored for 30 days via the normal soft-delete. Hard-deleted objects cannot be re-created.

Is it enough to meet the NIS2 backup requirement?+

No, not on its own. Entra Backup and Recovery covers your identity configuration, which is an important and often overlooked part of business continuity. But NIS2 Article 21 is broader, covering backup, crisis preparedness and data recovery in general. Treat it as one concrete piece, not the whole solution.

Want a second opinion on your licenses?

I work with Microsoft 365 day to day and help Danish companies choose the right license and avoid overpaying. Write to me and I'll get back to you.

Get in touch