EntraExportRestore
Attribute-level Entra ID directory backup and restore — your safety net for bulk update mistakes.
EntraExportRestore brings directory backup and identity management discipline to Microsoft Entra ID (formerly Azure Active Directory) — providing selective, attribute-level backup and restore of directory objects via Microsoft Graph. Unlike full-tenant disaster recovery solutions, EntraExportRestore targets the everyday operational risk: accidental attribute changes, bulk update errors, and configuration drift that full DR tools were never designed to address.
Who it’s for
Identity administrators and IT operations teams responsible for Entra ID tenants who need a lightweight, auditable safety net for directory data — without the complexity or cost of enterprise backup platforms.
The problem it solves
Every Entra ID administrator has run a bulk update — a PowerShell script, a Graph API call, a third-party provisioning action — and wondered immediately after whether it did exactly what was intended. Entra ID has no native mechanism to roll back individual attribute changes or restore specific object states after an erroneous bulk operation, scripted change, or delegated-admin mistake.
When something goes wrong, the options are manual reconstruction from memory, piecing together audit log fragments, or accepting data loss. EntraExportRestore eliminates that gap by capturing versioned, identified snapshots of Users, Groups, Devices, and Contacts to a local SQLite database, then enabling granular, reviewable attribute restore operations back to Graph — with clear visibility into what will change before anything is written.
- Export snapshots of Entra ID Users, Groups, Devices, and Contacts on demand or on schedule
- Restore individual attributes selectively, with pre-restore preview showing current vs. backed-up values
- Attribute catalog drives all operations — defining what is exportable, restorable, sensitive, and what Graph permissions are required; catalog version is recorded with each snapshot
- WPF desktop UI for interactive use; CLI for scripted and automated workflows
- Local SQLite storage — no data leaves your environment, and no vendor-operated background service is involved in the product model
- Supports both vendor-supplied multi-tenant app registration (delegated, interactive) and customer-owned single-tenant registration (application permissions, certificate-based) for organizations with strict third-party risk requirements
- Organizational contacts can be exported for reference but are read-only in Microsoft Graph and cannot be restored automatically; snapshot data serves as a manual recovery reference
- Device attribute restore requires application permissions and is supported via the CLI only, not the desktop Restore UI
Up and running in five steps.
Follow these steps to complete your initial setup and take your first snapshot.
Download and install
After purchase, download the installer ZIP using the button at the top of this page (or in the Download section below). Retrieve your licence file from your Marketplace activation page. Extract the signed .exe, run the installer on a Windows machine with network access to your Entra ID tenant, and keep the licence file in a known location — you will need it in the next step.
Activate your licence
On first launch, the application will prompt for your licence file. You can also place the file in the default discovery location documented in the User Guide, or supply it via the --licence argument on the CLI.
Prepare authentication
Desktop UI (EntraExportUI / EntraRestoreUI): No app registration is required on your part. Sign in interactively using your Entra ID credentials when prompted. Your administrator may need to grant consent for the application on first use — this is a standard Entra ID enterprise application consent flow.
CLI (automated / unattended use): You must create your own app registration in your tenant, configure a client certificate credential, and grant admin consent on the required Microsoft Graph application permissions. Run the following command to list the exact permission names required for your configuration:
EntraExportRestore permissions
See section 4.3 of the User Guide for full app registration and certificate setup instructions.
Take your first snapshot
Open EntraExportUI, sign in, select the object types and attributes you want to capture, and run an export. Note the snapshot ID reported on completion — you will use it if you need to restore from this snapshot later.
Verify restore readiness
Open EntraRestoreUI, select the snapshot you just created, and review the attribute preview. No changes are written until you confirm. This confirms your permissions and configuration are correct before you need to rely on a restore in a real incident.
Further reading
The User Guide covers the full attribute catalog, restore behaviour, CLI reference, known Graph constraints, and security model in detail. Refer to it before deploying the CLI in a production automation context.
Get EntraExportRestore
Available via the Microsoft Marketplace. Licensed subscribers can download the Windows x64 installer ZIP below.