Overview
Cayosoft Guardian uses Microsoft Graph APIs to access Azure AD and other Microsoft 365 cloud services. Because it works through Graph, Cayosoft Guardian can collect data and track changes for almost any object type the Graph API exposes. Out of the box, Cayosoft Guardian focuses on identity scenarios, such as attribute-level restore and undelete of cloud and hybrid users, groups, roles, conditional access policies, administrative units, mailbox settings, mailbox permissions, Teams settings, and Teams channels. Other object types are not necessarily enabled for data collection by default but can be supported with additional configuration.
All object types fall into three groups according to the functionality Cayosoft Guardian provides for them:
- Level 1: The object type is enabled by default for the following operations: data collection, change tracking, attribute-level restore, undo create, undelete from the AAD Recycle Bin, and re-create. Known limitations are listed in the table below for each object type.
- Level 2: The object type is available via the Graph API and can be enabled for data collection and change tracking. Guardian supplies the data needed to perform attribute-level restore, undo create, and re-create manually.
- Level 3: The object type is not available via the Graph API; support for it may be added in future versions of Guardian.
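As an added illustration of the Level 1 / Level 2 workflow described above (example code written for this page, not Cayosoft Guardian's own implementation), the block below diffs two snapshots of user objects shaped like Microsoft Graph responses attribute by attribute, and maps each change to the Graph request that would undo it. The snapshots, object IDs and the `READ_ONLY` set are constructed for the example; the endpoints used (`PATCH /users/{id}`, `DELETE /users/{id}`, `POST /directory/deletedItems/{id}/restore`) are the standard Graph v1.0 calls.

```python
"""Attribute-level change tracking and restore over Microsoft Graph objects.

Added example, not Cayosoft Guardian's own code. Two snapshots of directory
objects (shaped like Graph v1.0 responses; constructed here, not real tenant
data) are diffed attribute by attribute, and each change is mapped to the
Graph request that would undo it: PATCH for an attribute change, DELETE to
undo a creation, and POST .../restore to undelete from the recycle bin.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Any

GRAPH = "https://graph.microsoft.com/v1.0"

# Properties Graph returns but will not accept in a PATCH body; a manual
# attribute-level restore has to leave these out. (Assumed set for the example.)
READ_ONLY = {"id", "createdDateTime", "deletedDateTime"}


@dataclass
class Change:
    object_id: str
    resource: str                       # Graph collection, e.g. "users" or "groups"
    kind: str                           # "create", "delete" or "modify"
    attributes: dict[str, tuple[Any, Any]] = field(default_factory=dict)  # name -> (old, new)


def diff_snapshots(before: dict[str, dict], after: dict[str, dict], resource: str) -> list[Change]:
    """Compare two {object id: object} snapshots and return one Change per object that differs."""
    changes: list[Change] = []
    for oid, new in after.items():
        old = before.get(oid)
        if old is None:
            changes.append(Change(oid, resource, "create", {k: (None, v) for k, v in new.items()}))
            continue
        diffs = {k: (old.get(k), new.get(k))
                 for k in sorted(set(old) | set(new)) if old.get(k) != new.get(k)}
        if diffs:
            changes.append(Change(oid, resource, "modify", diffs))
    for oid, old in before.items():
        if oid not in after:
            changes.append(Change(oid, resource, "delete", {k: (v, None) for k, v in old.items()}))
    return changes


def restore_patch(change: Change) -> dict[str, Any]:
    """Body for PATCH /{resource}/{id} that puts every changed writable attribute back to its old value."""
    if change.kind != "modify":
        raise ValueError("only attribute modifications are reverted with PATCH")
    return {k: old for k, (old, _new) in change.attributes.items() if k not in READ_ONLY}


def restore_request(change: Change) -> tuple[str, str, dict[str, Any] | None]:
    """(method, url, body) of the Graph call that undoes the change."""
    if change.kind == "modify":
        return "PATCH", f"{GRAPH}/{change.resource}/{change.object_id}", restore_patch(change)
    if change.kind == "create":
        # Undo create: delete the object (users and groups go to the recycle bin for 30 days)
        return "DELETE", f"{GRAPH}/{change.resource}/{change.object_id}", None
    # Undelete from the Azure AD recycle bin; valid for users, groups, applications and service principals
    return "POST", f"{GRAPH}/directory/deletedItems/{change.object_id}/restore", None


# Constructed sample snapshots (shape of GET /v1.0/users?$select=id,displayName,jobTitle,accountEnabled)
ALICE = "11111111-1111-1111-1111-111111111111"
BOB = "22222222-2222-2222-2222-222222222222"
MALLORY = "33333333-3333-3333-3333-333333333333"

BEFORE = {
    ALICE: {"id": ALICE, "displayName": "Alice Admin", "jobTitle": "IT Admin", "accountEnabled": True},
    BOB: {"id": BOB, "displayName": "Bob Builder", "jobTitle": "Engineer", "accountEnabled": True},
}
AFTER = {
    ALICE: {"id": ALICE, "displayName": "Alice Admin", "jobTitle": "CISO", "accountEnabled": False},
    MALLORY: {"id": MALLORY, "displayName": "Mallory", "jobTitle": None, "accountEnabled": True},
}


def main() -> None:
    for change in diff_snapshots(BEFORE, AFTER, "users"):
        method, url, body = restore_request(change)
        print(f"{change.kind:7} {change.object_id}  undo with: {method} {url} {body or ''}")


if __name__ == "__main__":
    main()
```

Two caveats a practitioner should keep in mind when doing the Level 2 part of this by hand: a production collector would use Graph delta queries (for example `GET /users/delta`) rather than full snapshots, and for hybrid objects the attributes mastered in on-premises AD (those synchronized by Azure AD Connect) cannot be written back with a cloud-side PATCH, so the restore has to happen on-premises and be synchronized.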
Supported object types
Object type | Support level | Known limitations (if any) |
---|---|---|
Azure AD Objects | | |
Azure AD User | Level 1 | Audit and restore of the following settings and links will be supported in future versions: |
Azure AD Guest User | Level 1 | All guest changes are shown as changes of a user object |
Azure AD Contacts | Level 3 | |
Azure AD registered or joined devices | Level 1 | Cayosoft Guardian also collects changes in the properties of Intune-managed devices. |
Microsoft 365 Groups | Level 1 | Audit and restore of the following settings and links will be supported in future versions: |
Microsoft 365 Groups with dynamic membership | Level 1 | Audit and restore of the following settings and links will be supported in future versions: |
Azure AD Security Groups | Level 1 | Audit and restore of the following settings and links will be supported in future versions: |
Azure AD Security Groups with dynamic membership | Level 1 | Audit and restore of the following settings and links will be supported in future versions: |
Azure AD Roles (built-in) | Level 1 | A creation record is produced on the first role assignment, and it cannot be restored |
Azure AD Custom Roles | Level 1 | |
Azure AD Role assignments with Privileged Identity Management | Level 1 | Changes in role assignment requests and schedules are shown as Azure AD role changes. |
Azure AD Administrative Units | Level 1 | |
Azure AD Conditional Access Policies | Level 1 | |
Azure AD Named Locations in Conditional Access Policies | Level 1 | |
Azure AD Enterprise applications (Service Principals) | Level 1 | |
Azure AD Application assignments | Level 1 | |
Azure AD domains and federation settings | Level 1 | |
Azure AD tenant-wide policies and settings | | |
Admin Consent Request Policy | Level 1 | Represents the tenant-wide admin consent policy. |
Authentication Flows Policy | Level 1 | The authentication flows policy controls settings related to authentication flows in the AAD tenant, such as self-service sign-up configuration. |
Authorization Policy | Level 1 | Used to manage authorization-related settings across the company. |
Consent Policy Settings | Level 1 | General consent settings in the tenant. |
Custom Policy Settings for Conditional Access | Level 1 | These settings allow management of the custom conditional access policy URL. |
Device Registration Policy | Level 1 | Tenant-wide policy that manages initial provisioning controls using quota restrictions, additional authentication, and authorization checks. |
External Identities Policy | Level 1 | This policy allows management of settings related to External Identities. |
Group Lifecycle Policy | Level 1 | Represents the tenant-wide group lifecycle policy. |
Password Rule Settings | Level 1 | Settings related to some password policies in the tenant. |
Privileged Application Update Settings | Level 1 | Represents tenant-wide application behavior. |
Prohibited Names Settings | Level 1 | Settings related to application naming in the tenant. |
Unified Group Settings | Level 1 | Settings related to unified groups in the tenant. |
Hybrid Objects Synchronized with Azure AD Connect | | |
Hybrid security group | Level 1 | |
Hybrid Distribution List | Level 1 | Restore in the following scenarios will be supported in future versions: |
Hybrid User | Level 1 | |
Hybrid Contact | Level 3 | |
Hybrid Guest | Level 1 | |
Exchange Online Objects | | |
Exchange Online Distribution Lists | Level 1 | |
Exchange Online Dynamic Distribution Lists | Level 3 | |
Exchange Online Mailbox | Level 1 | |
Teams Objects | | |
Teams | Level 1 | Audit and restore of the following settings and links will be supported in future versions: |
Team Channels | Level 1 | |
Microsoft Intune | | |
Devices | Level 1 | |
Configuration profiles for Windows 10 | Level 1 | |
Group Policy Configurations (Administrative Templates) | Level 1 | |
Comments
2 comments
Very useful reference list that I will use when liaising with other teams with regards to alerts that they would like to receive - is there an equivalent list for on-prem AD objects?
Hi Tim
Cayosoft Guardian by default reports all changes of any object type in the Active Directory database. Domain partitions are added as Managed domains (see "Configuration: Add a Domain" in the Cayosoft Help Center), and you can also add other partitions, such as Configuration, to monitor changes there:
1) Expand Configuration node
2) Click on Managed domains
3) Press Add, select Managed Partition, enter connection parameters on form and confirm