Windows Azure Active Directory Backup/Restore


I am looking for a way to backup/restore Windows Azure Active Directory to protect against user error. I recognize the robust nature of Azure and am not concerned with infrastructure failure and the like.

What I am concerned with is protection from a fat finger mistake caused by a member of the DevOps team. For example: an authorized member of the DevOps team is assigned the task of deleting an obsolete Role. However, by accident he deletes the wrong role which contains a complex set of rules.

I need a mechanism to backup the WAAD data so that when the above example occurs, I can take the most recent backup copy and restore the WAAD data back to an acceptable state as it existed prior to the incident. Has anyone come across this scenario? Are there existing API calls that I am missing? Or should I be thinking outside the box here?


There are 2 answers

Dominic Betts

You could consider using some of the Windows Azure Active Directory PowerShell Cmdlets to save your configuration. The various Get- Cmdlets (see http://technet.microsoft.com/en-us/library/jj151815.aspx) should allow you to save all your configuration settings, users, roles, etc.

Paul Cayley

Microsoft really fell down on this one - third parties do have tools. Basically, they totally ignore issues like creeping corruption, APTs, failures in provisioning, etc.

The goal of Azure is to make it impossible to move away from Microsoft's overpriced cloud hosting and to block third parties from providing an alternative technology lock-in ...

That said, design your architecture to NOT use Azure as an authoritative store and then provision into Azure as a downstream. Front end all Azure services with on-prem shims that can failover to Azure if the on-prem fails - the downstream savings will be huge.

This would be a great area for community developed software. However, beware of Microsoft's blocking any useful development in this space by deprecating components of the sync or locking out third parties. Ultimately, someone big is going to get their AAD wiped out and then something will be done to fix this...

There are PowerShell mechanisms to piecewise backup components, and one could literally run a client side query to maintain a synchronized copy of the state. Some third parties have implemented backup tools, I will look at these to see how functional and complete they are.

The main issue is synchronization of passwords without incurring client licenses.
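Both answers point at the same approach: use the Azure AD (MSOnline) Get- cmdlets from the TechNet reference above to take a client-side copy of the directory state, then diff copies to see what a fat-finger deletion removed. The script below is an added example, not code from either answer; it assumes the MSOnline module is installed and `Connect-MsolService` has already been run, and the output folder name is arbitrary.

```powershell
# Added example: snapshot users, groups and roles (with memberships) to timestamped JSON,
# then report objects present in the previous snapshot but missing from the latest one.
# Assumes MSOnline module loaded and Connect-MsolService already done.
param([string]$OutDir = ".\waad-snapshots")

function Export-WaadSnapshot {
    param([string]$Path)
    $snapshot = [ordered]@{
        TakenUtc = (Get-Date).ToUniversalTime().ToString("o")
        Users    = @(Get-MsolUser -All | Select-Object ObjectId, UserPrincipalName, DisplayName, IsLicensed, BlockCredential)
        Groups   = @(Get-MsolGroup -All | ForEach-Object {
            [ordered]@{
                ObjectId    = $_.ObjectId
                DisplayName = $_.DisplayName
                Members     = @(Get-MsolGroupMember -GroupObjectId $_.ObjectId -All | Select-Object -ExpandProperty EmailAddress)
            }
        })
        Roles    = @(Get-MsolRole | ForEach-Object {
            [ordered]@{
                ObjectId = $_.ObjectId
                Name     = $_.Name
                Members  = @(Get-MsolRoleMember -RoleObjectId $_.ObjectId -All | Select-Object -ExpandProperty EmailAddress)
            }
        })
    }
    $snapshot | ConvertTo-Json -Depth 5 | Set-Content -Path $Path -Encoding UTF8
    return $Path
}

function Compare-WaadSnapshot {
    # Emits one line per object that existed in $Before but is gone in $After.
    param([string]$Before, [string]$After)
    $b = Get-Content $Before -Raw | ConvertFrom-Json
    $a = Get-Content $After  -Raw | ConvertFrom-Json
    foreach ($kind in 'Users', 'Groups', 'Roles') {
        $afterIds = @($a.$kind | ForEach-Object { $_.ObjectId })
        foreach ($obj in @($b.$kind) | Where-Object { $afterIds -notcontains $_.ObjectId }) {
            $label = if ($obj.DisplayName) { $obj.DisplayName } elseif ($obj.Name) { $obj.Name } else { $obj.UserPrincipalName }
            "DELETED {0}: {1} ({2}); members were: {3}" -f $kind, $label, $obj.ObjectId, (($obj.Members) -join ', ')
        }
    }
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$file = Join-Path $OutDir ("waad-{0}.json" -f (Get-Date -Format "yyyyMMdd-HHmmss"))
Export-WaadSnapshot -Path $file
$files = Get-ChildItem $OutDir -Filter 'waad-*.json' | Sort-Object Name
if ($files.Count -ge 2) { Compare-WaadSnapshot -Before $files[-2].FullName -After $files[-1].FullName }
```

The snapshot records memberships so a deleted group or role assignment can be rebuilt from the last good copy, but it is a restore point for configuration only: the Get- cmdlets never return password material, which is the synchronization gap the last answer refers to.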