The Microsoft 365 attack pattern most likely to cost an MSP a client in 2026 is not mailbox compromise or ransomware — it's configuration drift that nobody noticed. A junior admin disables the CA policy that requires MFA on global admin sign-ins. A compromised user consents to an OAuth app that gets Mail.ReadWrite.All. A transport rule starts forwarding the CFO's inbox to an external address. An NSG rule opens RDP to the world. A role assignment promotes a service principal to Owner. None of these get caught by EDR. Microsoft's native audit log retains 30 days at most on default plans, has no “undo”, and offers no diff against the previous state.
Configuration backup is the missing layer. The right tool snapshots the tenant configuration on a schedule, computes a diff against the previous snapshot, surfaces every change with severity, correlates the change with Microsoft's audit log to show who, when, and from where — and lets you roll it back.
This guide is for MSPs choosing among the credible options: Lavawall®, Cayosoft Guardian, Dropsuite Entra Backup (NinjaOne), AvePoint Cloud Backup, and CIPP. None of these is the right answer for every MSP. They have meaningfully different strengths and meaningfully different costs.
What to look for
- Object scope. Conditional Access, named locations, authentication methods policy, role assignments (active & PIM), app registrations, service principals, OAuth permission grants (delegated & admin-consented), Entra users (cloud and hybrid, with attribute-level diffs), administrative units, group memberships, Intune device-config / compliance / app-protection profiles, Teams settings, Exchange transport rules, and (depending on the tool) Azure subscription resources. The more object types covered, the fewer blind spots.
- Azure subscription scope. Most M365-focused tools stop at Entra. But NSG rules, Key Vault access policies, RBAC role assignments, and managed identities are part of the same threat model — Azure-resident systems get compromised through subscription-level misconfiguration as much as through identity drift.
- Change feed with severity ratings. Not every change is critical. CA policy disabled = critical; named-location renamed = informational. The change feed has to triage automatically; otherwise it becomes noise the operator ignores.
- Audit-log correlation. “Conditional Access policy X was modified” is half the story. “Modified by admin@client.com from 198.51.100.7 in Russia” is the other half. The tool has to correlate its detected changes with the M365 audit log automatically.
- Per-object rollback with an approval workflow. The tool has to be able to revert a single change, not just “restore the entire tenant.” And rollback is a write operation against a production tenant, so it needs an explicit plan, an admin approval step, and a separate execute step — not a “one-click revert” that operators can fire by accident. Dry-run mode (preview every API call without making any) is the difference between a defensible rollback workflow and an outage waiting to happen.
- Multi-tenant & MSP-priced. The tool has to manage many client tenants from one console. The pricing model has to fit MSP economics — typically per-user or per-tenant, not enterprise quote-based.
- Endpoint & file integrity coverage as a bundled bonus. Configuration backup is necessary but not sufficient. An attacker who steals admin credentials writes code to a domain controller, modifies a file on a workstation, or harvests data from a laptop. Tools that bundle file integrity monitoring and event-log analytics on endpoints catch what tenant-config tools miss.
- Compliance evidence. “Who changed what, when, from where” is core evidence for SOC 2, ISO 27001, CMMC, HIPAA, and similar audits. The change feed has to be exportable in a form the auditor will accept.
Options to evaluate
Lavawall® M365 / Entra / Azure configuration backup & rollback
Bundled with an MSP platform
The configuration backup & rollback module ships as part of the Lavawall® platform — a single agent and console that also covers patching, M365 / Entra / Azure / Google Workspace breach detection, AV/EDR coexistence, file integrity monitoring & event-log analytics on endpoints, GRC compliance evidence (15+ frameworks), application control, helpdesk, and remote support. Snapshots cover ~30 object types across M365, Entra (including users, OAuth grants, administrative units), Intune, Teams settings, Exchange transport rules, and Azure subscription resources. Plan → approve → execute rollback workflow with dry-run preview. Audit-log correlation in every change row. Pricing: bundled in the Complete tier, or a-la-carte at C$3.95 / US$2.95 per user per month.
Best when: MSPs serving SMB and mid-market clients who want config backup bundled with the rest of an MSP platform — including Azure subscription scope and endpoint file integrity. Feature page.
Cayosoft Guardian
Identity-first, hybrid AD strength
Cayosoft Guardian is the strongest direct competitor for the cloud-identity change-monitoring and rollback function. It covers Entra ID, Microsoft 365, Intune, Teams, Exchange Online, AND on-premises Active Directory. The paid tier (Guardian Audit & Restore) adds attribute-level rollback for users, groups, and roles; the top tier adds patented Instant Forest Recovery for catastrophic AD scenarios. Pricing is enterprise quote-based. The free tier (Guardian Protector) gives change monitoring without rollback. Real-time change capture (vs polling) is a meaningful operational advantage in identity-only deployments.
Best when: Enterprises whose on-premises AD is the keystone of identity and forest recovery is a board-level concern, OR when identity protection is a discrete budget line not tied to RMM/GRC/helpdesk/endpoint. Lavawall® vs Cayosoft Guardian.
Dropsuite Entra Backup (a NinjaOne company)
Identity-only configuration backup, MSP-channel
Launched as the identity counterpart to Dropsuite's flagship mailbox backup product. Dropsuite Entra Backup covers Conditional Access, device configurations, app service principals — Entra ID configuration. Per-user MSP-channel pricing. Strong fit for MSPs already standardised on NinjaOne and Dropsuite.
Best when: NinjaOne shops wanting one-vendor procurement; identity backup as a discrete SKU. Lavawall® vs Dropsuite.
AvePoint Cloud Backup
Enterprise content + config backup with governance
AvePoint is enterprise-grade backup with broad workload coverage — mailbox, OneDrive, SharePoint, Teams content plus Entra ID directory and policy backup. BYOK encryption with customer-held keys, immutable storage, integration with Microsoft 365 Backup Storage for Express Recovery. Positioned at organisations of 500+ users.
Best when: Enterprise IT or MSPs serving 500+ user clients with regulated data and active records-management or e-discovery requirements. Lavawall® vs AvePoint.
CIPP (Cyber Drain)
Free, open-source, MSP-built — you self-host
CIPP is a free, open-source M365 management platform built by and for MSPs. It self-hosts on your own Azure subscription. Strong at bulk standardisation (“every client gets this baseline”), tenant-by-tenant management, and change tracking. Active community, frequent updates. The cost is zero in software but non-zero in operational time and Azure hosting.
Best when: MSPs with engineering capacity to host and maintain self-hosted Azure infrastructure who want maximum control. Lavawall® vs CIPP.
N-able Cove Data Protection
Mailbox / file backup — not config backup
Worth flagging because the name suggests it competes here, but Cove backs up mailbox / OneDrive / SharePoint / Teams content — not tenant configuration. If you lose a Conditional Access policy, Cove cannot help. Most MSPs run Cove (or a similar mailbox backup) alongside a configuration backup tool. Lavawall® vs N-able Cove.
Bottom line
If hybrid on-premises AD is the keystone of your environment — Cayosoft Guardian. Lavawall® tracks Entra users (including hybrid users synced from AD) but does not snapshot on-prem AD objects, GPOs, or schema; if those matter, Cayosoft is the right answer.
If you want enterprise-grade content backup with BYOK encryption — AvePoint. Different category (mailbox / OneDrive / SharePoint content backup with config backup added on); pick when records management and e-discovery are board-level requirements.
If you have engineering capacity and want to self-host — CIPP. Free, open-source, very capable for bulk standardisation; the cost shows up in your Azure bill and your engineers' time.
If you want config backup bundled with the rest of an MSP platform at MSP pricing — Lavawall®. One console, one bill, one vendor relationship across patching, breach detection, GRC, helpdesk, file integrity / event-log monitoring on endpoints, AND config backup. Plus the Azure subscription scope (NSG, Key Vault, RBAC, managed identities) that pure-identity tools don't cover.
How Lavawall® fits
Lavawall®'s configuration backup & rollback module covers ~30 object types across Microsoft 365, Entra ID, Intune, and Azure subscriptions — including Entra users (cloud and hybrid, with attribute-level diffs on accountEnabled, assigned licenses, manager, on-prem-sync state, proxy addresses), OAuth permission grants (the Mail.ReadWrite.All attack), administrative units, Teams team-level settings, and Exchange transport rules. Snapshots are content-addressable (SHA-256 of canonicalised JSON) so we don't store redundant copies; gzip compression kicks in for objects over 8KB. Diffs use JSON Patch (RFC 6902) so the change feed shows the exact path-level operations that changed.
Each detected change correlates with the CON_M365_Audit_Events table — we already collect that for the breach-detection module — to surface the UPN, IP, and country of who made the change. Severity is computed at detection time based on the object type and the operation: a CA policy state change is critical; a named-location rename is informational; any OAuth-grant change is high.
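An added sketch (not Lavawall® code) of the content-addressing, RFC 6902 diff, and severity steps described above. The object-type labels, the `low` default, and the sample policy are assumptions constructed for illustration; lists are replaced whole rather than diffed element by element.

```python
import hashlib
import json

def content_address(obj):
    """SHA-256 over canonical JSON: sorted keys, no insignificant whitespace."""
    canon = json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()

def _ptr(path, key):
    # RFC 6901 pointer escaping: "~" becomes "~0", "/" becomes "~1"
    return path + "/" + str(key).replace("~", "~0").replace("/", "~1")

def json_patch(old, new, path=""):
    """Minimal RFC 6902 diff (add/remove/replace) between two snapshots."""
    if isinstance(old, dict) and isinstance(new, dict):
        ops = []
        for k in sorted(old.keys() | new.keys()):
            if k not in new:
                ops.append({"op": "remove", "path": _ptr(path, k)})
            elif k not in old:
                ops.append({"op": "add", "path": _ptr(path, k), "value": new[k]})
            else:
                ops.extend(json_patch(old[k], new[k], _ptr(path, k)))
        return ops
    return [] if old == new else [{"op": "replace", "path": path, "value": new}]

def severity(object_type, ops):
    """The three rules named in the text; the 'low' fallback is an assumption."""
    paths = {op["path"] for op in ops}
    if object_type == "conditionalAccessPolicy" and "/state" in paths:
        return "critical"
    if object_type == "oauth2PermissionGrant" and ops:
        return "high"
    if object_type == "namedLocation" and paths == {"/displayName"}:
        return "informational"
    return "low"

# Constructed sample: two snapshots of one Conditional Access policy (key order differs).
BEFORE = {"displayName": "Require MFA for admins", "state": "enabled",
          "grantControls": {"builtInControls": ["mfa"], "operator": "OR"}}
AFTER = {"state": "disabled", "displayName": "Require MFA for admins",
         "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}

def detect(object_type, before, after):
    if content_address(before) == content_address(after):
        return None  # identical content: no new snapshot, no change row
    ops = json_patch(before, after)
    return {"hash": content_address(after), "ops": ops,
            "severity": severity(object_type, ops)}
```

Because the hash is taken over the canonical form, a snapshot that differs only in key order deduplicates to the same address and produces no change row.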
Rollbacks are a strict three-step lifecycle: plan (no Graph calls — just inspect existing snapshots and write the action list), approve (admin reviews the action plan), and execute (operator runs the executor on the m365sync host; only then does Graph get called). Dry-run mode lets you preview the plan without ever calling Graph. Continue-on-error is per-rollback. Action ordering respects dependency tiers (NSG rules before subscription role assignments, OAuth grants before app-registration restoration, for example).
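The plan / approve / execute gate with dry-run and dependency tiers, as an added example that is not Lavawall® code. The `Rollback` class, the `TIERS` labels, and the `call_api` callback are hypothetical names; the tier values follow only the two orderings the text gives.

```python
# Assumed dependency tiers (lower runs first), from the two orderings named in the text.
TIERS = {"nsgRule": 0, "oauthGrant": 0, "roleAssignment": 1, "appRegistration": 1}

class Rollback:
    def __init__(self, actions, continue_on_error=False):
        # Plan step: order the action list only; no API call is made here.
        self.actions = sorted(actions, key=lambda a: TIERS[a["type"]])
        self.continue_on_error = continue_on_error
        self.state = "planned"
        self.approved_by = None

    def approve(self, admin):
        if self.state != "planned":
            raise RuntimeError("only a planned rollback can be approved")
        self.state, self.approved_by = "approved", admin

    def execute(self, call_api, dry_run=False):
        """call_api(action) performs the write; it is never invoked on a dry run."""
        if dry_run:
            return [("would-run", a["id"]) for a in self.actions]
        if self.state != "approved":
            raise PermissionError("rollback has not been approved")
        results = []
        for a in self.actions:
            try:
                call_api(a)
                results.append(("ok", a["id"]))
            except Exception:
                results.append(("failed", a["id"]))
                if not self.continue_on_error:
                    break  # stop at the first failed write
        ok = all(status == "ok" for status, _ in results)
        self.state = "executed" if ok else "failed"
        return results
```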
Plus the bonus that pure identity-tool competitors don't ship: file integrity monitoring and event-log analytics on every Lavawall®-managed Windows, macOS, and Linux endpoint — so when an attacker pivots from a compromised tenant config to a workstation, the same console catches that too.
The module is bundled in the Lavawall® Complete tier or available a-la-carte at C$3.95 / US$2.95 per user per month. See pricing. See the feature page.
Frequently asked
- What is M365 / Entra / Azure configuration backup?
- Configuration backup captures and snapshots tenant settings — Conditional Access policies, role assignments, app registrations, OAuth permission grants, Intune profiles, NSG rules, Key Vault access policies, mail-flow rules — so changes can be detected, logged, and reverted. It's distinct from mailbox / file content backup (Dropsuite, SkyKick, Veeam) which captures user data.
- Does Lavawall® cover Entra ID users?
- Yes. Lavawall® snapshots Entra users — both cloud-only and hybrid (synced from on-prem AD) — with attribute-level diffs on accountEnabled, assignedLicenses, manager, jobTitle, department, on-prem sync status, proxy addresses, and other privilege-relevant fields. The first snapshot pass is silent (no change-feed noise); subsequent passes diff and produce per-attribute change rows with rollback support.
- What about file integrity monitoring?
- That is an endpoint capability, not a tenant-config one — Lavawall® covers it through the Lavawall® agent on Windows, macOS, and Linux endpoints, alongside event-log analytics and configuration-vulnerability scanning. Configuration backup and endpoint monitoring are different layers; Lavawall® ships both in one platform. Cayosoft and Dropsuite do not cover endpoints at all.
- Why isn't Microsoft's audit log enough?
- Microsoft audit retention is 30 days for default plans, and the audit log records that a change happened — it doesn't store the previous value or offer a one-click revert. Configuration backup tools snapshot the actual object state and provide rollback.
- Is CIPP a configuration backup tool?
- CIPP includes change tracking and some configuration management for MSPs, but its primary design point is bulk standardisation across tenants rather than structured per-object rollback with a plan / approve / execute lifecycle. It is open-source and self-hosted.
- Do I need configuration backup if I have an EDR?
- Yes. EDR is endpoint behavioural detection. It doesn't see Conditional Access policies being disabled, OAuth grants opened to Mail.ReadWrite.All, transport rules forwarding to attacker mailboxes, or NSG rules opened to the internet. Configuration backup is a different layer of defence.