Why backing up and restoring Entra ID with Veeam is a big thing


Veeam plans to back up and restore Entra ID

During the Opening Keynote of VeeamON 2024, held in Fort Lauderdale from June 3rd, 2024, to June 5th, 2024, Anton Gostev, Chief Product Officer at Veeam, announced data resilience for several new platforms, including Entra ID (previously known as Azure AD).

As a Veeam Vanguard, I have had many discussions with Veeam leadership stressing the importance of backing up and restoring objects in Entra ID. I’m glad to see that Veeam is now building this capability.

Why Entra ID backup and restore matters

Veeam already offers backing up and restoring data in Microsoft 365, both through self-managed instances of Veeam Backup for Microsoft 365 and through the Veeam Data Cloud for Microsoft 365 service. Veeam also offers backing up and restoring resources in Microsoft Azure, through Veeam Backup for Azure.

For some restoration actions, however, merely being able to back up and restore data from Microsoft 365 and Azure is insufficient. These actions require objects in Entra ID, and specific attributes of these objects, to restore resources and re-attach them to their rightful owner.

The Hybrid Identity scenario

When organizations operate Hybrid Identity environments, consisting in most cases of Active Directory, Entra ID (previously known as Azure AD) and Entra Connect Sync (previously known as Azure AD Connect), it’s critical for security and compliance purposes that they can ensure the availability and integrity of both on-premises Active Directory and Entra ID.

Regardless of the Hybrid Identity configuration, some attributes and some objects are not synchronized or synced back. For user objects, typical examples include strong authentication settings. For groups, typical examples include memberships and dynamic group definitions. Entra-joined devices live in Entra ID only. Conditional Access policy definitions live in Entra ID only. When a user account is disabled in Active Directory on-premises, all the Teams memberships for the corresponding user object in Entra ID are irrevocably removed at that time.

Without the ability to back up and restore objects and attributes in Microsoft Entra ID, this information is lost forever when removed, inadvertently changed or improperly managed. As Entra ID provides authentication and authorization to all Microsoft 365, Dynamics 365 and Azure resources, this is increasingly seen as an unacceptable risk.

Cloud-only scenario

For organizations that only have cloud-only objects and attributes that aren’t synchronized to an on-premises identity store, the availability and integrity of objects and attributes in Entra ID are even more critical. When Entra ID is unavailable, all sign-ins stop and thus all access stops.

What Veeam plans to offer…

From the previews shown at VeeamON 2024, it seems that Veeam is joining the ranks of Quest, Commvault, Zoho, AvePoint, Keepit, Semperis and Rubrik in offering backup and restore of the following objects in an Entra ID tenant:

  • Users
  • Groups
  • Privileged roles
  • Administrative Units (AUs)
  • Service principals (Application registrations and enterprise applications)

Furthermore, Veeam offers backing up the sign-in logs and audit logs of your organization.

Depending on the Entra licensing, organizations may only have (immutable) access to the sign-in logs and audit logs for 30 days, after which they are irrevocably deleted by Microsoft. With Veeam, these logs can be protected for years, if need be.

… as part of Veeam Backup and Replication

These capabilities will be part of a future version of Veeam Backup and Replication (VBR).

This makes sense, as the two Veeam products that back up Microsoft 365 and Azure seamlessly integrate with VBR, although running both Veeam Backup for Microsoft 365 and Veeam Backup and Replication on the same Windows host can be tricky.

As Entra ID provides the identity and access management platform for both Microsoft 365 and Azure, being able to restore the user objects, groups, etc. that govern this access from the central Veeam Backup and Replication makes sense.

However, when an organization has only adopted Veeam Backup for Microsoft 365 or Veeam Backup for Azure, it makes less sense, as the infrastructure now must be augmented with Veeam Backup and Replication. The question for these organizations, of course, is how they would follow the 3-2-1 rule with these point solutions without Veeam Backup and Replication…

Looking forward

I’m looking forward to backing up and restoring Entra ID objects and their attributes with my favorite backup and replication solution!

Veeam aims to publicly release the first version of this capability in Q4 2024.

Further reading

VeeamOn 24 – Day 1 Keynote Announcements – Ready, Set, Virtual! (readysetvirtual.com)
VeeamON 2024 Recap – Original-Network.com
Exciting Announcements at VeeamON 2024: New Hypervisors and Workloads | Nothing a Jameson can't fix (nicostein.com)
