Overview
Cayosoft Guardian uses Microsoft Graph APIs to access Entra ID (formerly known as Azure AD or AAD) and other Microsoft 365 cloud services. Because of this, Cayosoft Guardian supports data collection and change tracking for almost any object type available via the Graph API. Out of the box, Cayosoft Guardian focuses on identity scenarios, such as attribute-level restore and undelete of cloud and hybrid users, groups, roles, conditional access policies, administrative units, mailbox settings, mailbox permissions, Teams settings, and Teams channels. Other object types might not be enabled for data collection by default but can be supported with additional configuration.
Object types are split into three groups according to the functionality Cayosoft Guardian provides for them:
- Level 1: Object type is enabled by default for the following operations: data collection, change tracking, attribute-level restore, undo create, undelete from the AAD Recycle Bin, and re-create. Known limitations are listed below for each object type.
- Level 2: Object type is available via the Graph API and can be enabled for data collection and change tracking. Guardian supplies the data needed to perform attribute-level restore, undo create, and re-create manually.
- Level 3: Object type is not available via the Graph API; support for this object type can be added in future versions of Guardian.
Supported object types
Object type | Support level | Known limitations (if any) |
---|---|---|
Entra ID Objects | | |
Entra ID User | Level 1 | Audit and restore of the following settings and links will be supported in future versions: |
Entra ID Guest User | Level 1 | All guest changes are shown as changes of a user object. |
Entra ID Contacts | Level 3 | |
Entra ID registered or joined devices | Level 1 | Cayosoft Guardian collects changes in the properties of Intune-managed devices. |
Microsoft 365 Groups | Level 1 | Audit and restore of the following settings and links will be supported in future versions: |
Microsoft 365 Groups with dynamic membership | Level 1 | Audit and restore of the following settings and links will be supported in future versions: |
Entra ID Security Groups | Level 1 | Audit and restore of the following settings and links will be supported in future versions: |
Entra ID Security Groups with dynamic membership | Level 1 | Audit and restore of the following settings and links will be supported in future versions: |
Entra ID Roles (built-in) | Level 1 | A creation record is produced on the first role assignment, and it cannot be restored. |
Entra ID Custom Roles | Level 1 | |
Entra ID Role assignments with Privileged Identity Management | Level 1 | Changes in role assignment requests and schedules are shown as Entra ID role changes. |
Entra ID Administrative Units | Level 1 | |
Entra ID Conditional Access Policies | Level 1 | |
Entra ID Named Locations in Conditional Access Policies | Level 1 | |
Entra ID Enterprise applications (Security Principals) | Level 1 | |
Entra ID Application assignments | Level 1 | |
Entra ID domains and federation settings | Level 1 | |
Entra ID tenant-wide policies and settings | | |
Activity Based Timeout Policy | Level 1 | Represents a policy that controls the idle timeout for web sessions in applications that support activity-based timeout. |
Admin Consent Request Policy | Level 1 | Represents the tenant-wide admin consent policy. |
Authentication Flows Policy | Level 1 | Allows modification of settings related to authentication flows in the Microsoft Entra tenant, such as self-service sign-up configuration. |
Authorization Policy | Level 1 | Used to manage authorization-related settings across the company. |
Consent Policy Settings | Level 1 | General consent settings in the tenant. |
Custom Policy Settings for Conditional Access | Level 1 | These settings allow management of the custom conditional access policy URL. |
Device Registration Policy | Level 1 | Tenant-wide policy that manages initial provisioning controls using quota restrictions, additional authentication, and authorization checks. |
External Identities Policy | Level 1 | Allows management of settings related to external identities. |
Group Lifecycle Policy | Level 1 | Represents the tenant-wide group lifecycle policy. |
Password Rule Settings | Level 1 | Settings related to some password policies in the tenant. |
Privileged Application Update Settings | Level 1 | Represents tenant-wide application behavior. |
Prohibited Names Settings | Level 1 | Settings related to application naming in the tenant. |
Unified Group Settings | Level 1 | Settings related to unified groups in the tenant. |
Hybrid Objects Synchronized with Entra ID Connect | | |
Hybrid security group | Level 1 | |
Hybrid Distribution List | Level 1 | The undelete device scenario will be supported in future versions. |
Hybrid User | Level 1 | |
Hybrid Contact | Level 3 | |
Hybrid Guest | Level 1 | |
Exchange Online Objects | | |
Exchange Online Distribution Lists | Level 1 | |
Exchange Online Dynamic Distribution Lists | Level 3 | |
Exchange Online Mailbox | Level 1 | |
Teams Objects | | |
Teams | Level 1 | Audit and restore of the following settings and links will be supported in future versions: |
Team Channels | Level 1 | |
Microsoft Intune | | |
Devices | Level 1 | Restore in the following scenarios will be supported in future versions: |
Configuration profiles Windows 10 | Level 1 | |
Group Policy Configurations (Administrative Templates) | Level 1 | |
Settings catalog | Level 1 | |
Device Compliance policies | Level 1 | |
Device configurations for iOS/iPadOS | Level 1 | |
Device configurations for macOS | Level 1 | |
Device configurations for Android | Level 1 | |
Device configurations for Android device administrator | Level 1 | |
Device configurations for Android (AOSP) | Level 1 | |
Device configurations for Windows 10 and later | Level 1 | |
Device configurations for Windows 8.1 and later | Level 1 | |
Comments
2 comments
Very useful reference list that I will use when liaising with other teams with regard to alerts that they would like to receive - is there an equivalent list for on-prem AD objects?
Hi Tim,
Cayosoft Guardian by default reports all changes of any object type in the Active Directory database. Domain partitions are added as Managed domains (Configuration: Add a Domain – Cayosoft Help Center), and you can also add other partitions, such as Configuration, to monitor changes there:
1) Expand Configuration node
2) Click on Managed domains
3) Press Add, select Managed Partition, enter connection parameters on form and confirm