Strengthening Microsoft Entra ID Protection with Conditional Access Policies and Administrative Units

Parag Dharmadhikari, Senior Product Marketing Manager

In an evolving threat landscape, identity is the new frontline. Recognizing this, Druva has recently expanded its protection for Microsoft Entra ID (formerly Azure Active Directory) to include two critical new objects — Conditional Access Policies and Administrative Units. This launch marks a major step forward in Druva’s commitment to delivering comprehensive, identity-aware data protection for Microsoft environments.

With this enhancement:

  • Druva now protects Conditional Access Policies, which help customers define how users and devices access their environments. Druva enables customers to view, download, and restore historical versions of these policies, allowing easy rollback to a prior snapshot after significant configuration changes or access rule updates. 

  • Druva also protects Administrative Units, an Entra ID resource that can contain users, groups, or devices. Druva’s protection ensures these Administrative Units can be restored to a stable state in the event of misconfiguration or unwanted changes — helping organizations quickly override issues and maintain directory integrity. 

By extending protection to these new Entra ID objects, Druva enables organizations to preserve their identity governance configurations — not just users and groups — ensuring that critical access controls and administrative boundaries remain intact even during recovery. In this post, we’ll explore how these new Entra ID objects strengthen identity control, enhance administrative resilience, and extend Druva’s leadership in Microsoft 365 data protection.

The Need for Granular Identity Governance

Identity has become the modern enterprise’s most targeted attack surface — and the numbers prove it. In 2024 alone, over 1.7 billion individual records were compromised, representing a staggering 312% increase over the previous year (HIPAA Journal, 2025). At the same time, 93% of organizations experienced at least two identity-related breach attempts within a single year (CyberArk, 2025). Yet despite this surge, only 26% of enterprises consistently enforce least-privilege access with approval workflows (Tailscale Zero Trust Report, 2025).

These numbers make one thing clear: broad, global administrative access and one-size-fits-all policies can no longer protect modern environments. Enterprises need granular, object-based identity controls that scale with their organizational structure. That’s where Conditional Access Policies and Administrative Units come in — giving IT teams the tools to enforce identity governance with precision and flexibility.

Protecting Entra ID Conditional Access Policies and Administrative Units

As organizations grow, managing identities across regions, departments, and subsidiaries becomes increasingly complex. Conditional Access Policies and Administrative Units are two of the most critical objects in Microsoft Entra ID that help bring structure and control to this complexity. Together, they define who manages what and how access is granted, forming the foundation of enterprise identity governance.

  • Conditional Access Policies determine how and under what conditions users and devices can access resources. These policies operationalize Zero Trust by enforcing multifactor authentication, validating device compliance, or restricting access based on geography or user risk — translating security intent into enforcement.

  • Administrative Units act as containers for users, groups, or devices, enabling organizations to delegate management responsibilities to specific teams or departments. This scoped control reduces risk, simplifies operations, and enforces internal compliance boundaries. 

Because these objects play such a vital role in controlling access and administration, even small misconfigurations or deletions can cause significant disruption. A mistakenly altered Administrative Unit could assign privileges incorrectly, while a deleted Conditional Access Policy could expose critical applications to risk. When considering why you should back up these Entra ID objects, ask yourself:

  • Would you be able to recover a policy or configuration if it was mistakenly modified or deleted?

  • Could you analyze how your governance and access rules evolved over time?

  • And most importantly, could you quickly restore order if a misstep or malicious action disrupted your directory integrity?

  • Do you know historically who had access to these policies and what changed?

With Druva’s Entra ID protection, the answer is always yes. Druva eliminates these risks by ensuring both Conditional Access Policies and Administrative Units are fully protected. Organizations can restore either object to a stable state, view and download historical configurations, and roll back to earlier versions when needed. In doing so, Druva safeguards both the rules (Conditional Access Policies) and the structure (Administrative Units) that define identity governance — helping enterprises maintain compliance, continuity, and control, no matter what changes occur.

From Access to Assurance: How Druva Extends Entra ID’s Security Reach

Identity control is inseparable from data protection. Most breaches and insider threats originate with credential compromise or misused administrative privileges. By protecting Entra ID objects, Druva helps organizations align identity governance with data security — ensuring that access boundaries extend seamlessly into the backup and recovery layer.

How it strengthens Druva’s ecosystem:

  • Conditional protection: Druva respects Entra ID Conditional Access decisions, preventing unauthorized restores and ensuring only verified users perform sensitive operations.

  • Scoped authorization: Only Druva Entra ID admins can make changes to specific Administrative Units.

  • Comprehensive auditability: Every backup, restore, and policy action is logged and traceable to a specific identity context.

Together, Entra ID and Druva create a layered defense model — identity verification at the access edge, and immutable data protection at the core. Even if credentials are compromised or misconfigurations occur, Druva ensures that both your identity framework and critical data remain resilient and recoverable.

Summary

Identity is the new perimeter — and it’s under siege. With more than 1.7 billion personal records exposed last year, identity compromise remains the leading root cause of data breaches. Microsoft Entra ID’s Conditional Access Policies and Administrative Units provide a clear path forward: object-based identity governance that’s granular, contextual, and resilient.

For Druva customers, this evolution naturally extends into data protection. As Entra ID objects define clearer identity boundaries, Druva ensures that those same boundaries govern who can access, back up, or recover data. The result is comprehensive cyber resilience — where identity control and data protection work together to safeguard what matters most.