Microsoft Entra ID backup with Veeam – BETA preview
Background
Entra ID, the artist formerly known as Azure AD, is one of those workloads that few backup vendors seem to support, yet many people ask for it to be protected. This makes sense as more companies and organisations have diverse workloads spread across many platforms, such as on-premises data centres, IaaS platforms in the public cloud and bespoke SaaS solutions like Microsoft 365. Entra ID is core to many products within the Microsoft Azure ecosystem, offering Identity and Access Management (IAM). Think of IAM as the control plane where users, passwords, and other access control mechanisms are defined and stored. There is more to it than this of course, but at a high level, this makes sense. Microsoft 365 relies heavily on Entra ID to work. E-mail addresses, OneDrive access, SharePoint access, M365 license assignment, and Microsoft Teams profiles are all linked to Entra ID.
Why do I need to protect Entra ID?
If you are familiar with managing Microsoft server-based networks, you have likely used Active Directory. Active Directory has been around since the year 1999 and is an all-encompassing umbrella name for different domain management feature sets, which you can read more about in this Wikipedia article. Organisations that migrated from on-premises Exchange e-mail and SharePoint systems to Microsoft 365 SaaS-based offerings would typically synchronise user details between on-premises Active Directory and cloud-based Entra ID. As the Entra ID feature set has matured, not all attributes stored in Entra ID synchronise back to on-premises Active Directory. Backing up Active Directory alone leaves gaps in an organisation’s protection policy, and thus Entra ID backup is required.
Enter Veeam
Before continuing with this blog, as we are reviewing a BETA of the Entra ID backup feature set, I must preface this section with the following:
This is a beta preview of this upcoming Veeam release, this user interface is not finalized and TBDs, icons, etc. will be to the Veeam standard upon GA
With that out the way, let’s review how Veeam envisages the protection of Entra ID.
Add an Azure Tenant
Before a backup of Entra ID can be taken, the Entra ID tenant needs to be added to Veeam Backup and Replication.
It is worth pointing out here what the Tenant ID is. It is not the onmicrosoft domain; it is something you will need to grab from Entra ID in the Azure admin portal. More info here.
It will look something like this.
The process then moves on to create a new App Registration in Entra ID to allow authentication between Veeam and Entra ID for backup.
The tenant can be modified and updated once added.
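The tenant ID versus onmicrosoft domain distinction described above can be checked before a value is pasted into the tenant dialog. The following is an added example, not part of the original post or of Veeam's product: it classifies the entered value and compares it with the tenant GUID in the issuer of the tenant's OpenID discovery document. The domain, GUID and function names are constructed for illustration, and the discovery document is an embedded sample rather than a live lookup.

```python
import json
import re
import uuid

# Constructed sample: trimmed discovery document of the shape served at
# https://login.microsoftonline.com/<domain>/v2.0/.well-known/openid-configuration
# The GUID below is made up for this example.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://login.microsoftonline.com/3f2a9c1e-7b64-4d0a-9e58-1c2d3e4f5a6b/v2.0",
    "token_endpoint": "https://login.microsoftonline.com/3f2a9c1e-7b64-4d0a-9e58-1c2d3e4f5a6b/oauth2/v2.0/token",
})

GUID_IN_ISSUER = re.compile(
    r"^https://login\.microsoftonline\.com/([0-9a-fA-F-]{36})/v2\.0$")
DOMAIN = re.compile(
    r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,}")


def classify_tenant_value(value):
    """Return 'tenant_id' for a hyphenated GUID, 'domain' for a DNS name, else 'invalid'."""
    value = value.strip()
    try:
        # uuid.UUID also accepts braces and unhyphenated hex; require canonical form.
        if str(uuid.UUID(value)) == value.lower():
            return "tenant_id"
    except ValueError:
        pass
    return "domain" if DOMAIN.fullmatch(value) else "invalid"


def tenant_id_from_discovery(raw_json):
    """Extract the tenant GUID from the issuer of a v2.0 discovery document."""
    issuer = json.loads(raw_json).get("issuer", "")
    match = GUID_IN_ISSUER.match(issuer)
    if not match or classify_tenant_value(match.group(1)) != "tenant_id":
        raise ValueError("issuer does not contain a tenant GUID: %r" % issuer)
    return match.group(1).lower()


def check_tenant_input(entered, raw_json):
    """Compare what an admin typed with the tenant ID the discovery document reports."""
    kind = classify_tenant_value(entered)
    expected = tenant_id_from_discovery(raw_json)
    if kind == "domain":
        return "use the tenant ID %s, not the domain name" % expected
    if kind == "tenant_id" and entered.strip().lower() == expected:
        return "ok"
    return "value does not match tenant ID %s" % expected
```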
Create a backup job
There are two types of backup jobs available here. Tenant backup and Audit Log backup. I will create a backup job for both here.
Tenant Backup
Choose the tenant that was created prior and define retention.
Advanced settings allow us to enable encryption on the backup job.
Typical Veeam Backup and Replication scheduling options.
Audit Log backup is much the same. I show the differences below.
And done.
Running the backup
For the tenant backup, we can see what types of assets are being protected. It is more than I was expecting honestly, nice to see.
And audit log backup. Audit logs capture exactly that: the audit logs of Entra ID. Useful if you need to keep an external copy of these.
Tenant recovery
There are some great options here with tenant recovery. I will show what a user restore looks like from the Veeam perspective but also highlight other assets that can be recovered.
This is the user recovery view of my M365 tenant.
Azure Application Registrations for recovery.
Different roles. Nice if custom roles were created within Entra ID.
Initiating a full recovery of a user account.
The restore process will ask for permissions to the Azure Application Registration. This is the Application Registration that was created during the tenant creation.
Here we can see some of the granularity in terms of recovery options.
And away you go.
Conclusion and final thoughts
I like what Veeam have done here with the ability to back up Entra ID. Having the functionality within Veeam Backup and Replication does seem odd but I understand the decision. I am most frequently asked about Entra ID backup alongside M365 backup, so somehow tying into that solution stack makes more sense in my mind. But this is all open to change. Licensing has not been defined nor has the final packaged delivery of the product. It is nice to see that Veeam has responded to requests to make this happen.
The service provider hat in me also hopes that this does not become a Veeam Data Cloud exclusive offering. It would be nice to offer this as a bolt-on alongside the M365 backup. Time will tell how the final product is delivered though!
Additional content
Check out a live demo from VeeamON 2024 here on YouTube. Starts at 41:27.