Identity protection now requires more than traditional backup. Learn how to build a layered Microsoft identity and M365 protection strategy across Active Directory, Entra ID, and Microsoft 365 workload data.

Coming off the energy of our multi-day Microsoft Virtual Roadshow, identity protection is the topic I keep coming back to, and it is becoming top of mind for many organizations. The questions are sharper than they were a year ago, the threat models are more honest, and the appetite for a real architecture (not just a backup product) is finally there.
Earlier this year, I wrote Identity Is the New Perimeter to make the case that Active Directory and Entra ID had become the primary attack target, and that traditional backup strategies had not kept pace. That post laid out the ‘Why’. This one picks up where it left off and gets into the ‘How’: the three layers of protection you really need, what Microsoft gives you out of the box for each one, and where Cohesity, Semperis, and Rubrik close the gaps.
The Three-Layer Model
Identity and modern work protection are easiest to discuss as three discrete layers. It looks straightforward on paper, but every layer has its own threat surface, its own native tooling, and its own restoration physics.
- Active Directory. The hybrid root of trust. Still the source of truth for most enterprise identity, even in cloud-forward shops. Yes, I keep hearing AD is going away
- Entra ID. The cloud control plane. Conditional Access, app registrations, role assignments, named locations, and authentication methods.
- Microsoft 365 workload data. Exchange, SharePoint, OneDrive, Teams chats and channel files, OneNote, Loop.
Protecting any one of these in isolation produces a recovery story that fails at the seam between layers. That seam is exactly where Storm-0501 and similar actors operate: pivot from on-prem AD into Entra, mint privileged tokens, then attack the M365 data plane and the backup copies along with it.


Layer 1: What “Forest Recovery” Means
Microsoft’s documented forest recovery procedure (the one referenced in AD Forest Recovery on Microsoft Learn) is a 28-plus step sequence that assumes three things most incidents invalidate:
- You know which domain controller’s System State backup is clean.
- The backup media itself was not on the network during the compromise window.
- The forest can come back on the same hardware and IP schema.
The technical work is non-trivial. You identify a writable DC for each domain, isolate surviving DCs, seize FSMO roles, run ntdsutil metadata cleanup against the dead ones, reset the krbtgt password twice (with a wait between resets to age out outstanding TGTs), reset every DC computer account, reset all trust passwords, raise the RID pool and invalidate the current one, then promote replacement DCs, restore SYSVOL/DFSR, and validate replication across every site link before you reconnect anything. If you skip the krbtgt double-reset, you carry forward Golden Ticket persistence into the rebuilt forest. If you skip the trust reset, you carry forward a Silver Ticket path.
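The sequence above is only as good as the verification at the end of it. The script below is an added example, not code from this post, from Microsoft's forest recovery guide, or from Semperis: a read-only checklist that confirms the resets the runbook calls for actually landed in the rebuilt forest (krbtgt reset after recovery began, trust and DC computer account passwords reset, FSMO holders on surviving DCs, no replication failures). It assumes the ActiveDirectory RSAT module, a Tier-0 session inside the recovered forest, the default 10-hour user-ticket lifetime, and that you recorded the krbtgt password version per domain before the first reset; the recovery date in the usage line is a placeholder.

```powershell
# Added example (not from the post, Microsoft or Semperis). Read-only: it
# queries the directory and reports pass/fail per check, changing nothing.
Import-Module ActiveDirectory

function Test-ForestRecoveryChecklist {
    param(
        # When the recovery started; every reset checked below must post-date it.
        [Parameter(Mandatory)][DateTime]$RecoveryStart,
        # Assumption: default "Maximum lifetime for user ticket" is 10 hours.
        [int]$MaxTgtLifetimeHours = 10,
        # Optional: krbtgt unicodePwd replication version per domain, captured
        # before the first reset; a double reset advances it by at least two.
        [hashtable]$KrbtgtBaselineVersion = @{}
    )
    $results = New-Object 'System.Collections.Generic.List[object]'
    $add = { param($Check, $Pass, $Detail)
        $results.Add([pscustomobject]@{ Check = $Check; Pass = [bool]$Pass; Detail = $Detail }) }

    $forest = Get-ADForest
    # DCs that still exist in the directory after metadata cleanup, forest-wide.
    $liveDcs = foreach ($d in $forest.Domains) { (Get-ADDomainController -Server $d -Filter *).HostName }

    foreach ($domain in $forest.Domains) {
        # 1. krbtgt: last reset after recovery began, version advanced by >= 2,
        #    and the latest reset has aged past the TGT lifetime so tickets
        #    minted under the old key have expired.
        $krbtgt  = Get-ADUser -Identity krbtgt -Server $domain -Properties PasswordLastSet
        $pwdMeta = Get-ADReplicationAttributeMetadata -Object $krbtgt.DistinguishedName `
                       -Server $domain -Properties unicodePwd
        $versionOk = $true
        if ($KrbtgtBaselineVersion.ContainsKey($domain)) {
            $versionOk = $pwdMeta.Version -ge ($KrbtgtBaselineVersion[$domain] + 2)
        }
        $aged = ((Get-Date) - $krbtgt.PasswordLastSet).TotalHours -ge $MaxTgtLifetimeHours
        & $add "$domain krbtgt double reset" ($krbtgt.PasswordLastSet -gt $RecoveryStart -and $versionOk -and $aged) `
            "PasswordLastSet=$($krbtgt.PasswordLastSet) version=$($pwdMeta.Version) agedPastTgtLifetime=$aged"

        # 2. Trust passwords: each trust has an interdomain trust account named
        #    "<partner NetBIOS name>$" on this side; its pwdLastSet must be recent.
        #    One-way outgoing trusts keep that account on the partner side.
        foreach ($trust in (Get-ADObject -Server $domain -LDAPFilter '(objectClass=trustedDomain)' -Properties flatName)) {
            $acct = Get-ADObject -Server $domain -Properties pwdLastSet `
                        -LDAPFilter "(&(objectClass=user)(sAMAccountName=$($trust.flatName)`$))"
            if ($null -eq $acct) { continue }
            $set = [DateTime]::FromFileTime($acct.pwdLastSet)
            & $add "$domain trust $($trust.Name) password reset" ($set -gt $RecoveryStart) "pwdLastSet=$set"
        }

        # 3. DC computer accounts reset after recovery began.
        foreach ($dc in (Get-ADDomainController -Server $domain -Filter *)) {
            $comp = Get-ADComputer -Identity $dc.ComputerObjectDN -Server $domain -Properties PasswordLastSet
            & $add "$domain DC account $($dc.HostName) reset" ($comp.PasswordLastSet -gt $RecoveryStart) `
                "PasswordLastSet=$($comp.PasswordLastSet)"
        }

        # 4. Domain FSMO roles must sit on a DC that survived metadata cleanup.
        $dom = Get-ADDomain -Server $domain
        foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
            & $add "$domain $role on live DC" ($dom.$role -in $liveDcs) "holder=$($dom.$role)"
        }
    }

    # 5. Forest FSMO roles and replication health across every site link.
    foreach ($role in 'SchemaMaster', 'DomainNamingMaster') {
        & $add "Forest $role on live DC" ($forest.$role -in $liveDcs) "holder=$($forest.$role)"
    }
    $failures = Get-ADReplicationFailure -Target $forest.Name -Scope Forest
    & $add 'No replication failures' (-not $failures) "count=$(@($failures).Count)"

    return $results
}

# Usage (placeholder date): review every Pass=False row before reconnecting anything.
Test-ForestRecoveryChecklist -RecoveryStart (Get-Date '2025-01-01') | Format-Table -AutoSize
```

The RID pool invalidation step is deliberately left to `dcdiag /test:ridmanager`, since the pool state is easier to read from that test's output than from LDAP attributes; everything else the runbook prescribes leaves a timestamp or metadata trail that the checks above can read without touching the directory.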
The way Semperis Active Directory Forest Recovery (ADFR) changes the math is mechanical, not marketing. It backs up AD at the database level, decoupled from the underlying Windows OS, so when you restore, you bring back NTDS.dit, SYSVOL, and the registry pieces AD depends on, without restoring whatever malware was sitting on the host. The product orchestrates the rest of the 28-step sequence (metadata cleanup, krbtgt resets, FSMO seizure, RID pool invalidation, BMR to alternate hardware or cloud) inside a single workflow, and it scans the backup for known attack indicators before you reuse it. Bare-metal recovery to Azure or alternate hardware is supported, which matters when the working assumption is that the original infrastructure can’t be trusted.
Cohesity’s ADFR partnership with Semperis is an integration point worth flagging: Cohesity-protected backup tiers feed Semperis-orchestrated forest recovery, so the immutable storage and the recovery automation are part of the same workflow rather than two products you stitch together at 2 a.m.
Rubrik’s AD protection runs along a similar line of thinking with a different architecture. Rubrik Security Cloud captures granular AD objects (users, groups, GPOs, OUs, attributes) into its Append-Only File System, which is true write-once at the filesystem level, not WORM applied by retention policy. That distinction matters because policy-based WORM can be overridden by a sufficiently privileged admin or a compromised management plane; filesystem-level immutability cannot.
Layer 2: Entra ID, Beyond the Preview
Microsoft Entra Backup (currently in preview) is a meaningful step forward, and you should turn it on. The specifics matter:
- Daily snapshots, 5-day retention window.
- Covers users, groups, applications, service principals (including the new Agent ID object class), Conditional Access policies, named locations, partial authentication-method policy, and partial authorization policy.
- Immutable in the sense that no tenant admin can delete or modify a snapshot.
- Requires Entra ID P1 or P2 on a workforce tenant.
- Difference reports show what changed between snapshot and current tenant state, and recovery is selective by object type or object ID.
What it does not cover today, and what production environments still need:
- Retention beyond 5 days. Useful for long-tail compliance recovery and for breaches whose dwell time exceeded the snapshot window. Most published dwell-time numbers still land in the 10 to 21-day range.
- PIM eligibility and approval workflows. Lose your PIM configuration, and you’ve lost the governance layer protecting global admin.
- Hard-deleted object recovery. Once an object passes the 30-day soft-delete window, native Entra cannot get it back. Third-party snapshots can.
- Role assignments at scale, particularly custom role definitions and administrative-unit scoping.
- Out-of-tenant copy. A tenant-level compromise reaches anything inside the tenant. The snapshot needs to live somewhere else.
- Hybrid AD DS objects in the same workflow as the cloud objects they sync to.
- Cross-tenant restore for M&A integration, tenant consolidation, or DR to an alternate tenant.
Semperis Directory Services Protector (DSP) closes most of the detection and rollback gaps at this layer. DSP captures changes by tapping the AD replication stream and the Microsoft Graph change feed rather than relying on Windows event logs, so an attacker who clears 4624/4625/4720 events on a DC, or who modifies a Conditional Access policy through a stolen token, can’t hide the change from the tool. Auto-rollback applies to specific change patterns (a new member added to Domain Admins, a Conditional Access policy modified, a service principal granted an excessive Graph permission), and rollback runs against the captured baseline.
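Both the difference report Entra Backup produces (snapshot versus current tenant state) and the change patterns DSP rolls back come down to the same mechanic: diff two point-in-time views of the directory keyed by object ID, then map each finding to a rollback action. The script below is an added example, not code from this post or from Microsoft, Semperis or Rubrik: it diffs two constructed snapshots of Conditional Access policies, privileged role membership and service principal grants, and emits a rollback plan for the patterns the text names (a policy modified, a privileged role gaining a member, a service principal gaining a broader Graph permission). Both snapshots are constructed sample data; in a real tenant the "current" side would come from `Get-MgIdentityConditionalAccessPolicy` and `Get-MgDirectoryRoleMember`, and the rollback plan is printed, not executed.

```powershell
# Added example (not from the post, Microsoft, Semperis or Rubrik).
# Both snapshots below are constructed sample data, not a real tenant export.
$baseline = @'
{
  "conditionalAccessPolicies": [
    { "id": "ca-1", "displayName": "Require MFA for admins", "state": "enabled" },
    { "id": "ca-2", "displayName": "Block legacy authentication", "state": "enabled" }
  ],
  "privilegedRoleMembers": [
    { "userPrincipalName": "alice@contoso.example",      "role": "Global Administrator" },
    { "userPrincipalName": "breakglass@contoso.example", "role": "Global Administrator" }
  ],
  "servicePrincipalGrants": [
    { "appId": "sp-hr-sync",  "scope": "User.Read.All" },
    { "appId": "sp-helpdesk", "scope": "User.ReadBasic.All" }
  ]
}
'@ | ConvertFrom-Json

# "Current" state with three deliberate differences: ca-1 disabled, ca-2 gone,
# a new Global Administrator, and one grant widened to Directory.ReadWrite.All.
$current = @'
{
  "conditionalAccessPolicies": [
    { "id": "ca-1", "displayName": "Require MFA for admins", "state": "disabled" }
  ],
  "privilegedRoleMembers": [
    { "userPrincipalName": "alice@contoso.example",          "role": "Global Administrator" },
    { "userPrincipalName": "breakglass@contoso.example",     "role": "Global Administrator" },
    { "userPrincipalName": "svc-automation@contoso.example", "role": "Global Administrator" }
  ],
  "servicePrincipalGrants": [
    { "appId": "sp-hr-sync",  "scope": "Directory.ReadWrite.All" },
    { "appId": "sp-helpdesk", "scope": "User.ReadBasic.All" }
  ]
}
'@ | ConvertFrom-Json

# Generic diff of two object sets keyed on $Key, comparing the fields in $Compare.
function Compare-ObjectSet {
    param($Baseline, $Current, [string]$Key, [string[]]$Compare, [string]$Label)
    $base = @{}; foreach ($o in $Baseline) { $base[$o.$Key] = $o }
    $cur  = @{}; foreach ($o in $Current)  { $cur[$o.$Key]  = $o }
    foreach ($k in $base.Keys) {
        if (-not $cur.ContainsKey($k)) {
            [pscustomobject]@{ Object = $Label; Change = 'Removed'; Id = $k; Field = $null; Was = $null; Now = $null }
            continue
        }
        foreach ($f in $Compare) {
            if ("$($base[$k].$f)" -ne "$($cur[$k].$f)") {
                [pscustomobject]@{ Object = $Label; Change = 'Modified'; Id = $k; Field = $f; Was = $base[$k].$f; Now = $cur[$k].$f }
            }
        }
    }
    foreach ($k in $cur.Keys) {
        if (-not $base.ContainsKey($k)) {
            [pscustomobject]@{ Object = $Label; Change = 'Added'; Id = $k; Field = $null; Was = $null; Now = $null }
        }
    }
}

# The difference report: one row per changed object/field across the three sets.
function Get-TenantDifferenceReport {
    param($Baseline, $Current)
    Compare-ObjectSet $Baseline.conditionalAccessPolicies $Current.conditionalAccessPolicies -Key id -Compare displayName,state -Label ConditionalAccessPolicy
    Compare-ObjectSet $Baseline.privilegedRoleMembers $Current.privilegedRoleMembers -Key userPrincipalName -Compare role -Label PrivilegedRoleMember
    Compare-ObjectSet $Baseline.servicePrincipalGrants $Current.servicePrincipalGrants -Key appId -Compare scope -Label ServicePrincipalGrant
}

# Map each finding to the rollback that restores the snapshot state (printed, not run).
function Get-RollbackPlan {
    param($Findings)
    foreach ($f in $Findings) {
        switch ("$($f.Object)/$($f.Change)") {
            'ConditionalAccessPolicy/Modified' { "Restore policy $($f.Id): set $($f.Field) back to '$($f.Was)'" }
            'ConditionalAccessPolicy/Removed'  { "Recreate policy $($f.Id) from the snapshot" }
            'PrivilegedRoleMember/Added'       { "Remove $($f.Id) from Global Administrator (not in the snapshot)" }
            'ServicePrincipalGrant/Modified'   { "Reset grant for $($f.Id): $($f.Field) back to '$($f.Was)'" }
            'ServicePrincipalGrant/Added'      { "Revoke grant for $($f.Id) (not in the snapshot)" }
            default                            { "Review $($f.Object) $($f.Id): $($f.Change)" }
        }
    }
}

$findings = Get-TenantDifferenceReport -Baseline $baseline -Current $current
$findings | Format-Table Object, Change, Id, Field, Was, Now -AutoSize
Get-RollbackPlan -Findings $findings
```

Run against the constructed data this yields four findings (one policy modified, one removed, one role member added, one grant widened) and four rollback lines. The reason to key the diff on object ID rather than display name is the same reason DSP reads the replication stream rather than event logs: a renamed policy or a cleared log is an attacker-controlled signal, while the object identity in the captured baseline is not.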
Rubrik’s Entra ID protection extends the Rubrik Security Cloud model to the directory: continuous capture of users, groups, app registrations, service principals, role assignments, and Conditional Access policies, with the same immutable storage layer that protects their AD and M365 backup sets. The advantage of running Entra protection on the same platform as your M365 and AD backups is unified retention, unified search-and-restore, and a single recovery runbook spanning all three layers.


Layer 3: The M365 Data Estate
Two facts frame this layer well:
45 percent of SaaS data loss is malicious or accidental deletion, not Microsoft service failures, and Microsoft’s own recycle bins and retention policies are productivity features, not a recovery architecture.
Microsoft 365 Backup is now generally available for Exchange, SharePoint, and OneDrive, with restore throughput in the range of 2 to 3 TB per hour and recovery scoped in-tenant. For day-to-day “undelete what HR mass-deleted by accident” scenarios, it’s fast and operationally low cost. It does not produce an out-of-tenant copy, and it does not cover Teams chat history, OneNote section deletion, or the Loop component graph at the fidelity production environments expect.
Cohesity DataProtect for M365 covers Exchange, SharePoint, OneDrive, and Teams (chats included) with the backup target landing in customer-controlled storage. DataLock provides time-locked WORM windows, and FortKnox provides the isolated virtual-air-gapped vault that survives a tenant-level compromise.
Rubrik’s M365 coverage (Exchange, SharePoint, OneDrive, Teams chat, plus Teams channel posts and files) sits behind the same Append-Only File System and the same Anomaly Detection layer that watches for ransomware patterns on the backup data itself. Rubrik’s Sensitive Data Monitoring identifies regulated data inside the backup set, which is useful when you need to scope an incident notification under SEC, DORA, or state breach law without first restoring everything to look at it.
The Visibility Layer Most Teams Are Missing
Recovery testing maturity sits underneath every conversation in this space. The fix for “we have backups, we just don’t know if we can recover with them” sits on the assessment side, not the backup side.
Two free Semperis tools belong in every environment, regardless of which backup vendor you settle on:
- Purple Knight scans AD and Entra ID for about 150 indicators of exposure and compromise. Output is a security posture score and a prioritized remediation list. You can run it in under an hour against a production directory. It is free.
- Forest Druid maps attack paths to Tier 0. Most environments discover non-Tier-0 accounts with paths to Domain Admin through nested group memberships, AdminSDHolder ACL anomalies, or risky delegations that an inventory tool will not surface.
Pair either of those with Microsoft’s Zero Trust Assessment for the policy and configuration view, and you have a defensible baseline before you ever write a check for a backup platform.


Where to Take This Next
If you want to put any of this into practice in your own environment, the actionable sequence looks like this:
- Run Purple Knight and Forest Druid this week. Both are free, neither requires an agent, and the output will tell you whether your forest is even in a state worth backing up.
- Evaluate starting with Microsoft Entra Backup (preview) and Microsoft 365 Backup. Floor coverage matters. They are not the ceiling.
- Pilot a forest-recovery exercise. Pick a non-production forest or a lab clone. Whether you use Microsoft’s documented procedure or Semperis ADFR, the goal is to discover what your runbook is missing before an incident forces the discovery.
- Scope an out-of-tenant copy for Entra and M365 data. This is where Cohesity Cloud Services and the Rubrik Security Cloud architectures both shine, and the right choice depends on what else you’re running and where your data already lives.
If you want to walk through any of the above against your environment specifically, that’s what we’re here for. The next 90 days are where the architecture decisions get made.
Strengthen Your Identity Foundation
Identity is the control plane for Microsoft 365 resilience. eGroup can help assess your current identity posture, uncover access and recovery gaps, and build a secure foundation for the next phase of your environment.
