Two-admin approval required
Restore is one of the most destructive operations Vault supports. You initiate, a second administrator approves, then Vault executes. Privileged-role memberships, PIM assignments, subscribed licenses, and app registrations are permanently disabled from restore — these MUST be managed manually to prevent lockout.
Permanently disabled from restore
These categories cannot be restored by Vault under any circumstances. Restoring any of these could lock you out, suspend billing, or cause authentication failures.
privilegedAccess.globalAdminMembers privilegedAccess.privilegedRoleMembers directory.subscribedSkus directory.appRegistrations pim.activeAssignments