Use Case: Cross‑Tenant Microsoft 365 Recovery After Tenant Compromise

Use Case Name
Restore Microsoft 365 data into a clean tenant following full tenant compromise

Primary Actor
- IT Security Team
- M365/Azure Administrators

Stakeholders
- Security Operations
- Risk & Compliance
- Business Owners
- Executive Management
- Legal / Audit

Description
This use case describes the ability to restore Microsoft 365 data from a compromised tenant into a brand‑new, secure tenant when the original environment can no longer be trusted.
It addresses scenarios where admin‑level compromise cannot be conclusively remediated, and restoring data back into the same tenant presents unacceptable security risk.

Trigger
- Confirmed or suspected Global Administrator compromise
- Evidence of:
  - OAuth application abuse
  - Backdoor service principals
  - Persistent attacker access
- Inability to conclusively prove the attacker has been evicted
- Regulatory or legal requirement to abandon the tenant

Pre‑Conditions
- Microsoft 365 tenant is operational but untrusted
- A third‑party Microsoft 365 backup solution exists with:
  - Immutable backups
  - Point‑in‑time restore capability
  - Cross‑tenant restore support
- Licensing allows creation of a new Microsoft 365 tenant

Post‑Conditions
- Business data is restored into a new, hardened tenant
- No trust remains with the compromised tenant
- Operations resume without inherited attacker persistence
- Security posture is re‑established

In Scope
- Exchange Online mailboxes
- SharePoint Online sites and document libraries
- OneDrive for Business user data
- Microsoft Teams (teams, channels, files)
- Select group structures (recreated)

Out of Scope
- Restoring Entra ID (Azure AD) objects directly
- Re‑using credentials, tokens, or app registrations from the old tenant
- Tenant‑to‑tenant trust relationships

Main Success Scenario
1. Security team declares the original tenant compromised and untrusted
2. A new Microsoft 365 tenant is provisioned
3. Security baseline applied:
   - MFA enforced
   - Legacy authentication disabled
   - Conditional Access hardened
4. User accounts and groups are recreated
5. Third‑party backup platform performs cross‑tenant restore:
   - Mailboxes mapped to new users
   - OneDrive data restored to new ownership
   - SharePoint and Teams data restored
6. Business services resume from the clean tenant

Alternative Scenarios
A1: Partial Restore
- Only critical users or departments are restored first to accelerate recovery
- Remaining data restored in stages

A2: Legal / Regulatory Restore
- Restore data as‑of a defined point‑in‑time before breach occurrence
- Preserve audit and chain‑of‑custody evidence

Failure Scenarios (Scenario: Impact)
- No cross‑tenant restore capability: Data trapped in compromised tenant
- Restore back into original tenant: Attacker regains access
- Identity objects reused: Persistence reintroduced

Business Value
- Enables recovery from worst‑case tenant compromise
- Prevents reinfection or attacker persistence
- Meets regulatory, audit, and cyber‑insurance requirements
- Reduces operational downtime compared to manual rebuilds

Security Considerations
- Identities are rebuilt, not restored
- No credentials, tokens, or service principals are migrated
- Full separation between old and new tenants

Constraints & Assumptions
- Microsoft native tools cannot perform cross‑tenant restores
- Third‑party backup tooling is mandatory for this capability
- Domain names may need staged reassignment between tenants

Success Criteria
- Data restored successfully into new tenant
- Users regain access to mail, files, and collaboration tools
- No access paths remain from the compromised tenant
- Security team formally certifies the new tenant as trusted

Summary (Executive)
If a Microsoft 365 tenant is compromised beyond provable remediation, the organization must be able to restore business data into a clean tenant to safely resume operations. This capability cannot be achieved using Microsoft native tools alone and requires a third‑party backup solution that supports cross‑tenant restore.
Posted by JasonOrchardIMNZ (Jason Orchard), Service Provider
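One way to prepare the "mailboxes mapped to new users" step of the main scenario while enforcing the "identities are rebuilt, not restored" rule and the staged domain reassignment noted under Constraints, as an added Python example (not the poster's or any backup vendor's code). The interim domain, the (source_upn, target_upn) plan format and every sample user and id are assumptions.

```python
"""Plan a cross-tenant restore mapping (old UPN -> new UPN) and check it for reused identity.
Added example, not the forum poster's or any backup vendor's code. Assumes the backup platform
takes (source_upn, target_upn) pairs and the new tenant starts on an interim onmicrosoft.com
domain until the custom domain is reassigned. All names and ids below are made up."""
from dataclasses import dataclass

STAGED_DOMAIN = "contoso-recovery.onmicrosoft.com"  # hypothetical interim domain of the new tenant


@dataclass(frozen=True)
class SourceUser:
    upn: str          # UPN as exported from the compromised tenant
    object_id: str    # old-tenant directory id; must never be carried over
    user_type: str    # "Member" or "Guest"
    has_mailbox: bool


def target_upn(source_upn: str, staged_domain: str = STAGED_DOMAIN) -> str:
    """Keep the mailbox nickname, swap the domain for the new tenant's interim domain."""
    local, _, _ = source_upn.partition("@")
    return f"{local.lower()}@{staged_domain}"


def build_restore_plan(users, new_tenant_object_ids):
    """Return (mapping, issues). mapping: source_upn -> target_upn for every restorable
    mailbox; issues: everything a human must clear before the restore job is approved."""
    mapping, issues, claimed = {}, [], {}
    for u in users:
        if u.user_type != "Member":
            issues.append(f"skip {u.upn}: guests are re-invited, not restored")
            continue
        if u.object_id in new_tenant_object_ids:
            # Same directory id in the clean tenant = identity imported, not rebuilt
            issues.append(f"BLOCK {u.upn}: object id {u.object_id} reused in new tenant")
            continue
        t = target_upn(u.upn)
        if t in claimed:
            issues.append(f"collision: {u.upn} and {claimed[t]} both map to {t}")
            continue
        claimed[t] = u.upn
        if u.has_mailbox:
            mapping[u.upn] = t
    return mapping, issues


# Constructed sample export from the old tenant (placeholder ids, not real data).
SAMPLE_USERS = [
    SourceUser("Alice@contoso.com", "id-0001", "Member", True),
    SourceUser("bob@contoso.com", "id-0002", "Member", True),
    SourceUser("carol@contoso.com", "id-0003", "Member", False),
    SourceUser("partner#EXT#@contoso.com", "id-0004", "Guest", False),
    SourceUser("alice@legacy.contoso.com", "id-0005", "Member", True),  # collides with Alice
    SourceUser("svc-backup@contoso.com", "id-0006", "Member", True),   # id imported by mistake
]
```

Hand `mapping` to the backup platform only once `issues` is empty; a BLOCK entry means the new tenant already holds a directory object carried over from the compromised one, which is the "identity objects reused" failure scenario.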
Reply by micoolpaul (Michael Paul), Veeam MVP
Re: Feature request: Cross‑Tenant Microsoft 365 Recovery
Hi,
Your feature request is tracked, but this does not match recommendations for tenant recovery.
Firstly, there are commercial elements. If you have a Microsoft Enterprise Agreement or fixed-term licensing, this is tied to your M365 tenant, so your organisation would be investing in double charges for the remaining duration of this original tenant.
Secondly, Export/Import APIs are limited in throughput: Microsoft’s own documentation for SharePoint/OneDrive has a ceiling of 400GB/hour, assuming you pay for enough M365 seats to have enough API calls to achieve this figure. Compare that to VDC’s Express capabilities utilising MBS, which would achieve up to 3TB/hour without these seat restrictions. MBS data resides within the tenant, and so you wouldn’t be able to use the technology that Microsoft has designed for bulk-level disaster recovery, in a disaster. Would it not still be quicker to purge/reset all identity and leverage Express vs trying to recover potentially PBs of data over a much smaller bandwidth allocation?
Thirdly, relationships. Cross-tenant recovery means every relationship is broken: think of the security groups or static mappings of users in SharePoint, and of sensitive internal sites such as HR/Finance/Legal/Senior Leadership. You may not discover the data leak events created by breaking every relationship and permission for months, and may spawn multiple secondary breaches this way.
I understand your ask, but there are a lot of issues that it brings.
-------------
Michael Paul
Veeam Data Cloud Solution Engineer - M365 & Entra ID