Backup and Recovery Notification Enhancements in Microsoft Entra ID: What Admins Need to Know

WHAT JUST CHANGED

On June 2024, Microsoft rolled out new notification management capabilities for Entra ID backup and recovery workflows in Public Preview. The changes include:

• notificationEventsType and notificationRecipientsType enumeration types for granular event and recipient targeting.
• New notificationRecipients resource to specify who receives alerts.
• emailNotificationsSetting relationship on the backupRestoreRoot resource, centralizing notification config.
• Dedicated emailNotificationsSetting resource and methods for managing notification settings.

Affected tenants: All commercial cloud tenants with Entra ID Backup and Restore enabled. GCC, DoD, and sovereign clouds not included in this preview.

Rollout status: Public Preview (GA expected Q3 2024).

WHAT’S NEXT ON THE ROADMAP

• Automated Recovery Workflows: Microsoft has announced at Ignite 2024 that streamlined, API-driven recovery processes are coming, allowing admins to trigger point-in-time restores and receive notifications for successful or failed attempts.
• Granular Role-Based Notification Controls: Future updates will let admins assign notification policies based on custom roles—not just global or backup admins.
• Cross-Tenant Recovery Support: Early previews hint at the ability to recover objects across tenant boundaries, with notification controls for external admins and partners.
• Integration with Microsoft Purview: Expect deeper compliance reporting, linking backup/recovery notifications to audit logs and legal hold events.

WHY THIS DIRECTION IS BETTER

Previously, Entra ID backup and recovery notifications were basic—sent only to a fixed set of admins, and with limited event filtering. Now, with notificationEventsType and notificationRecipientsType, admins can:

• Target notifications to specific events (e.g., backup failures, recovery completions, policy changes).
• Choose recipients by role, individual user, or group.
• Configure notification frequency and content.

Compared to legacy approaches and competitors like Okta or Ping, Entra now offers:

• Richer, more targeted notification controls.
• Reduced alert fatigue for admins—only relevant events are surfaced.
• Better compliance: notifications can be mapped to audit and incident response policies.
• Improved operational awareness: faster response to backup/recovery failures or suspicious activity.

Adjacent changes: Admins should note recent improvements to Entra ID Access Reviews and Conditional Access reporting, which now integrate with backup/recovery events. If a backup triggers a Conditional Access policy, related notifications can be surfaced to relevant reviewers.

WHO’S AFFECTED

• Tenants running Entra ID Backup and Restore (Standard/Premium P1/P2).
• Global admins, Backup and Restore admins, and any role with delegated notification rights.
• Any automated workflow or external system relying on notification delivery.
• Organizations with compliance, legal hold, or incident response requirements around identity data.

WHAT TO DO: Step-by-Step Admin Actions

1. Review current notification settings: Audit existing recipients and events to baseline your configuration.
2. Plan notification recipient groups: Identify who should receive which events (e.g., backup failures to backup team, recoveries to security admins).
3. Configure emailNotificationsSetting: Use Microsoft Graph or Entra admin center to set event filters and recipient types.
4. Test notifications: Simulate backup/recovery events to verify correct delivery and content.
5. Document roles and update incident response runbooks: Ensure your team is aware of new notification flows.

CHECK IT YOURSELF: PowerShell Audit Script

Use the Microsoft.Graph module to list notification settings for backup and recovery, including pagination and error handling. This script does not modify your tenant and can be run in production.

# Requires Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Identity.DirectoryManagement

function Get-BackupRecoveryNotifications {
    $uri = 'https://graph.microsoft.com/v1.0/backupRestoreRoot/emailNotificationsSetting/notificationRecipients'
    $headers = @{ Authorization = 'Bearer ' + (Get-MgGraphAccessToken) }
    $results = @()
    $nextLink = $uri
    try {
        do {
            $response = Invoke-RestMethod -Uri $nextLink -Headers $headers -Method GET
            if ($response.value) {
                $results += $response.value
            }
            $nextLink = $response.'@odata.nextLink'
        } while ($nextLink)
        if ($results.Count -eq 0) {
            Write-Warning 'No notification recipients configured for backup/recovery events.'
        } else {
            foreach ($item in $results) {
                Write-Output "Event: $($item.notificationEventsType)"
                Write-Output "Recipients: $($item.notificationRecipientsType) -> $($item.recipientIds)"
            }
        }
    } catch {
        Write-Error "Failed to retrieve notification settings: $_"
    }
}

# Run audit
Get-BackupRecoveryNotifications

PORTAL PATH: Where to Find This in Entra Admin Center

• Entra Admin Center → Backup & Restore → Settings → Email Notifications
• Drill down to Notification Recipients to view/edit event types and recipients.
• Preview features are marked with a purple flask icon.
• Audit logs for notification changes are found in Monitoring → Audit Logs

BOTTOM LINE

Prioritised Recommendation:

• Audit your backup/recovery notification settings now—most tenants have legacy configurations that won’t leverage new granularity.
• Update recipient lists and event filters to ensure the right people get the right alerts.
• Monitor the Public Preview and prepare for GA cutoff (Q3 2024)—Microsoft will deprecate old notification endpoints after GA.
• Integrate notification events into compliance workflows and incident response. This is an important step for audit and legal readiness.