A few weeks ago we wrote that identity resilience should not stop at one provider, and that Google Workspace and Microsoft Entra ID were in active development — engines built, under test, not yet something we would call live.
Today they are live.
Butterfly now backs up, restores, and diffs Microsoft Entra ID and Google Workspace with the same preview-first discipline we have always shipped for Okta. That brings us to five identity providers under one recovery contract: Okta, Okta Workflows, Auth0, Microsoft Entra ID, and Google Workspace.
The same contract, one more provider each time
The reason we move deliberately is that consistency is the product. Every provider we add has to meet the same bar before it appears in the supported list — not a lighter version of it:
- Connect with least-privilege, read-only access. Entra ID uses a Microsoft Graph app registration with read-only application permissions and admin consent. Google Workspace uses a service account with domain-wide delegation and read-only Admin SDK scopes. No standing write access to your directory, ever.
- Back up the configuration that actually matters. For Entra ID: users, groups, app registrations and service principals, conditional access policies, directory and app roles, tenant settings. For Google Workspace: users, groups, organizational units, admin roles, domains, and directory settings.
- Restore with a dry run first. You see exactly what will change before a single write happens.
- Diff any two points in time, so drift is visible instead of discovered during an incident.
We back up configuration, never secrets. No passwords, no client secrets, no key material leaves your provider.
What stays Okta-first, on purpose
We would rather under-promise here than blur the line. Backup, restore, and diff are live across all five providers. But our deeper, opinionated surfaces — automated compliance checks across six frameworks, continuous drift monitoring, Terraform/HCL export, and scheduled backups — remain Okta-first today. Bringing them to Auth0, Entra ID, and Google Workspace is on the roadmap, and we will say so plainly until each one actually ships.
If you see a capability listed for a provider on our site, it works for that provider. That is the whole point of trusting a recovery vendor.
Why Microsoft and Google, and why now
Most teams we work with do not run a single identity provider. They run Okta for workforce SSO, Microsoft Entra ID for the Azure and Windows estate, and Google Workspace for mail and directory — often all three at once, stitched together with automation. A recovery story that covers one seam and ignores the others is not really covering the company.
With Entra ID and Google Workspace live, the two largest directories in the enterprise are now inside the same backup, dry-run restore, and diff workflow you already use for Okta. One resilience layer, one console, one honest status page — across the providers your business actually depends on.
If you run Entra ID or Google Workspace, you can connect a tenant today and take your first backup in minutes. And if identity recovery across your whole estate is on your mind, we would like to hear how you are thinking about it.