
Microsoft Entra ID (formerly Azure Active Directory) is a cloud-based Identity and Access Management (IAM) system that delivers access to your internal and external resources. But Entra ID is much more than just a directory of users and groups, and protecting this data and knowledge is paramount. Entra ID is at the core of nearly every organization and is essential to keep your business running, and Veeam can now give you peace of mind by protecting it.

Veeam Backup & Replication 12.3 adds Entra ID backup as the first SaaS cloud workload “embedded” in Veeam Backup (other SaaS applications have a specific product that is not directly integrated with Veeam Backup).

When you open the Veeam Backup Console 12.3 for the first time, you will see this note:

Key highlights of Veeam’s Microsoft Entra ID support include:

  • Accelerate change detection: quickly identify and revert changes created by human error, threat actors, automated attacks, and more when restoring Entra ID data. Bolster your forensic investigations with a point-in-time copy of your IAM data.
  • Simplify governance, risk and compliance: reduce risk and stay compliant through fast, automated backup processes to reduce human error risks, ensuring consistent resiliency practices. Unlock cost-effective, long-term audit and sign-in log storage with unlimited retention to be able to easily go back in time during internal investigations of cybersecurity incidents.
  • Rapidly restore your business: bring your business back online in seconds by pinpointing broken or missing app registrations and restoring them in seconds with comprehensive app registration recovery. Using object-level recovery empowers you to choose exactly what data you restore.
  • Role-based access for restores: contrary to alternate solutions, which perform backup and restore operations under a single almighty account, Veeam relies on the native Entra ID permission system to ensure Entra ID administrators are unable to restore and/or overwrite data they do not have privileged access to.

Backup configuration

For more information you can follow the official documentation page: https://helpcenter.veeam.com/docs/backup/entraid/entra_id_configuration.html?ver=120

You can create two types of Entra ID backups:

  • Tenant backup jobs that protect tenant data — users, groups, administrative units, roles and applications.
  • Log jobs that protect tenant audit and sign-in logs.

But first you need to add one Entra ID tenant:

You need to copy the Entra ID Tenant ID from the Microsoft Entra admin center (https://entra.microsoft.com/). The ID is directly available on the first page.

Then you need to choose whether to create a new account (an app used to take the backup) or build one yourself. Creating a new account registers a new application in Entra ID and grants it all the required permissions.

You need to log in at https://microsoft.com/devicelogin (use a browser in InPrivate mode) and provide the one-time passcode:

If you prefer to create the application manually, you need to ensure it has the following permissions:

List of permissions to add Microsoft Entra ID tenants and to perform backup:

Microsoft Graph application permissions:

  • AuditLog.Read.All
  • Directory.Read.All
  • Group.Read.All
  • MailboxSettings.Read
  • RoleManagement.Read.Directory
  • User.Read.All

List of permissions to perform restore:

Microsoft Graph delegated permissions:

  • Directory.ReadWrite.All
  • RoleManagement.ReadWrite.Directory
  • AdministrativeUnit.ReadWrite.All
  • Directory.AccessAsUser.All
  • Application.ReadWrite.All
  • Group.ReadWrite.All

API delegated permission:

  • user_impersonation

Note: the application must also have the Allow public client flows option enabled.

For more information on how to get tenant and application IDs, secret and certificate, see Microsoft Docs.
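After a manual registration, the app's grants can be compared against the two lists above, including whether a restore permission was granted with the wrong type. The following Python is an added example, not Veeam's or Microsoft's code; the `(name, kind)` input shape, the `audit` function and the sample grants are assumptions constructed for illustration.

```python
# Added example (not from Veeam): audit a manually created backup app
# against the permission lists on this page.
BACKUP_APPLICATION = {
    "AuditLog.Read.All", "Directory.Read.All", "Group.Read.All",
    "MailboxSettings.Read", "RoleManagement.Read.Directory", "User.Read.All",
}
RESTORE_DELEGATED = {
    "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
    "AdministrativeUnit.ReadWrite.All", "Directory.AccessAsUser.All",
    "Application.ReadWrite.All", "Group.ReadWrite.All",
    "user_impersonation",  # listed on the page as an API delegated permission
}

def audit(grants, allow_public_client):
    """grants: iterable of (permission_name, kind); kind is 'Application'
    or 'Delegated'. This input shape is an assumption, not a Graph format."""
    app = {name for name, kind in grants if kind == "Application"}
    delegated = {name for name, kind in grants if kind == "Delegated"}
    extra_app = app - BACKUP_APPLICATION
    return {
        "missing_backup": sorted(BACKUP_APPLICATION - app),
        "missing_restore": sorted(RESTORE_DELEGATED - delegated),
        # Restore permissions granted as Application type act without a
        # signed-in user: the single-account model the page contrasts with.
        "write_as_application": sorted(extra_app & RESTORE_DELEGATED),
        "unexpected": sorted((extra_app - RESTORE_DELEGATED)
                             | (delegated - RESTORE_DELEGATED)),
        "public_client_flows_enabled": bool(allow_public_client),
    }

# Constructed sample: one backup permission missing, one restore permission
# granted with the wrong type, one missing, one unrelated extra.
SAMPLE_GRANTS = [
    ("AuditLog.Read.All", "Application"), ("Directory.Read.All", "Application"),
    ("Group.Read.All", "Application"), ("User.Read.All", "Application"),
    ("RoleManagement.Read.Directory", "Application"),
    ("Directory.ReadWrite.All", "Application"),
    ("Directory.ReadWrite.All", "Delegated"),
    ("RoleManagement.ReadWrite.Directory", "Delegated"),
    ("AdministrativeUnit.ReadWrite.All", "Delegated"),
    ("Directory.AccessAsUser.All", "Delegated"),
    ("Application.ReadWrite.All", "Delegated"),
    ("user_impersonation", "Delegated"), ("Mail.Read", "Delegated"),
]

if __name__ == "__main__":
    for finding, value in audit(SAMPLE_GRANTS, allow_public_client=False).items():
        print(f"{finding}: {value}")
```

A clean registration returns empty lists for every finding and `public_client_flows_enabled: True`.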

Now you can create a backup job, where the settings are very limited: you cannot exclude users, groups or apps. But you can restore a single user, group or app!

Note that the backup job uses the generic proxy role, so be sure to add one or enable the default (on the Veeam Backup Server).

Note that every 10 Entra ID objects will cost you a VUL license!

Logs backup does not use additional licenses.
