How to Configure Veeam Backup & Replication to Protect Entra ID
If you’re not familiar with Entra, you might still think of it as “the artist formerly known as Azure Active Directory.” While its roots lie in being a cloud-based Active Directory (AD), Entra has evolved far beyond that. The name change reflects its expanded capabilities, making it much more than just AD.
Many of our customers leverage Microsoft 365 or other Azure services that rely on the Entra platform. Just as you wouldn’t exclude your on-premises Active Directory infrastructure from backups, it’s critical to protect Entra ID—the authentication backbone for many of your SaaS applications.
The Current State of Entra ID Protection
At 11:11, we’re proud to offer award-winning protection for Microsoft 365 workloads. However, we currently don’t have a dedicated product for Entra ID protection itself. But don’t worry—this is a task you can easily and cost-effectively handle yourself, especially if you’re already using Veeam Backup & Replication (VBR) to safeguard your computing and storage workloads.
With the release of VBR version 12.3, Veeam now supports protecting Entra ID tenant information and essential logs, which are invaluable in the event of a security incident. Here’s what’s included in the backup:
Backed-Up Objects:
- Users, Groups, Devices
- Role Assignments, Administrative Units
- Applications (App Registrations, Enterprise Apps, Service Principals)
- Conditional Access Policies (optional, must be enabled)
- Audit Logs & Sign-in Logs
What You’ll Need
To protect these components, you’ll need some infrastructure in place. Entra ID’s core components (referred to as the “Tenant” in Veeam Backup Job types) will back up to a local PostgreSQL database. If you’ve already updated to VBR 12.3 and followed the “click, click, next” installation process, PostgreSQL was likely installed automatically—even if you’re still using Microsoft SQL Server for your configuration.
For logs, Veeam uses the existing NAS/S3 backup mechanism to write data to a supported repository, such as an 11:11 Cyber Vault for Veeam. This ensures your data is stored in AWS’s resilient S3 object storage platform.
Licensing Requirements
Before you begin, ensure you have sufficient licensing to protect Entra ID. Each Veeam license covers 10 enabled users, and it’s an all-or-nothing approach. For example, if you have 1,000 users, you’ll need 100 licensing units.
If you’re an existing 11:11 Veeam rental licensing customer or approaching renewal, consider discussing how we can help you protect Entra ID and other workloads through our rental licensing products.
Pro tip: Veeam provides a 30-day grace period for licensing, so you can start protecting your workloads immediately. To check your licensing needs, navigate to Home > About > Licensing in VBR.
Let’s Get Started
Ready to protect Entra ID? Here’s your first step:
- Access https://entra.microsoft.com and copy your Tenant ID.
- Use this Tenant ID to add your Entra organization to Veeam Backup & Replication.
Add your Tenant organization to VBR Inventory
- Navigate to Inventory in the VBR Console, right-click Microsoft Entra ID, and click Add Microsoft Entra ID Tenant.
- In the wizard, paste your Tenant ID from the Entra admin center.
- Choose to create a new account, which will effectively create a new app registration. If you’ve previously protected this tenant or need to create an app registration manually for compliance reasons, then you can reuse an existing app by providing the app ID.
- Copy the one-time passcode and enter it at https://microsoft.com/devicelogin.
- Complete your login and confirm you are logging into Azure CLI. If you have registered an organization for VB365, this is a similar workflow.
- Click Apply and Finish to complete adding your tenant organization.
OPTIONAL: Enabling backup of Conditional Access Policies
If you would like to back up your Conditional Access policies, there are some additional steps you need to take.
- Add the DWORD entry HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Backup and Replication\EntraIdBackupSupportsConditionalAccessPolicyRestore in your VBR instance and set it to 1, restarting services.
- Find the app registration created in the step above in Entra ID > Applications > App registrations.
- Navigate to API Permissions.
- Add Policy.Read.All under Microsoft Graph > Application.
- Click Grant admin consent.
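The optional steps above, as an added PowerShell example (not Veeam's or 11:11's own code): it sets and reads back the registry value on the VBR server, then lists the Microsoft Graph application permissions granted to the Veeam app registration so you can confirm Policy.Read.All is present and review what else the app holds. The `$AppId` value is a placeholder, and an installed Microsoft.Graph.Applications module is an assumption.

```powershell
# Added example, not Veeam or 11:11 Systems code. Run elevated on the VBR server.
# Assumption: the Microsoft.Graph.Applications module is installed.
# $AppId is a placeholder: use the Application (client) ID of the app
# registration that the VBR wizard created (or the one you reused).
$AppId     = '00000000-0000-0000-0000-000000000000'
$RegPath   = 'HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication'
$ValueName = 'EntraIdBackupSupportsConditionalAccessPolicyRestore'

# 1. Create or update the DWORD, then read it back to confirm the write.
if (-not (Test-Path $RegPath)) { throw "VBR registry key not found: $RegPath" }
New-ItemProperty -Path $RegPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
$current = (Get-ItemProperty -Path $RegPath -Name $ValueName).$ValueName
if ($current -ne 1) { throw "$ValueName is $current, expected 1" }
Write-Host "$ValueName = $current (services still need a restart, as described above)"

# 2. Resolve the Veeam app's service principal and Microsoft Graph's own
#    service principal (well-known appId 00000003-0000-0000-c000-000000000000).
Connect-MgGraph -Scopes 'Application.Read.All'
$veeamSp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $veeamSp) { throw "No service principal found for appId $AppId" }
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# 3. Map each granted app role assignment on Microsoft Graph to its permission name.
#    Only permissions that have received admin consent appear here.
$granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $veeamSp.Id -All |
    Where-Object ResourceId -eq $graphSp.Id |
    ForEach-Object {
        $roleId = $_.AppRoleId
        ($graphSp.AppRoles | Where-Object Id -eq $roleId).Value
    } | Sort-Object

Write-Host 'Microsoft Graph application permissions granted to the backup app:'
$granted | ForEach-Object { Write-Host "  $_" }

# 4. Flag the case where the permission was added but consent was never granted.
if ($granted -notcontains 'Policy.Read.All') {
    Write-Warning 'Policy.Read.All is not granted; the Conditional Access step is incomplete.'
}
```

Keeping the printed permission list alongside your change records gives you a baseline to compare against if the app registration is later modified.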
Protect Entra ID Tenant Data
Now you’re ready to configure VBR.
- From Home, right-click Backup and choose Backup Entra ID > Tenant…
- Name your Backup Job, select your Tenant, and then set your retention. By default, it is set to 7 days. We always recommend that you encrypt your backups, so be sure to click Advanced and enable Backup Data Encryption.
- Enable the job to run automatically on whatever schedule you need. Then click Apply & Finish, letting the job run when finished.
Now you’re ready to protect log files.
Protect Entra ID Logs
You can create 11:11 Cloud Object Storage to store Entra ID logs. You can reuse an existing repository if you want, but I always like to segregate my repositories based on the workload type. I’ve covered how to add these repositories in a past blog, if you need help.
- Set up your Entra ID log repository.
- Once the Entra ID Tenant job has successfully completed, right-click Backup again, choose Microsoft Entra ID > Logs…, and then name your job and select your tenant.
- Select your newly created repository and set retention. Once again, be sure to click Advanced and Enable backup file encryption. Set any other settings you might need.
- Enable the job to run automatically on whatever schedule you need, then click Apply & Finish, letting the job run when finished.
Now you’re ready to set your licensing.
Determine Licensing Needs
- Navigate to Home > Licensing and click Create Report… after you’ve successfully run your tenant job. This will show you how many licenses you will need to protect your entire tenant, as well as any other workloads protected by VBR. Remember that you will need a single composite license for everything Veeam Backup & Replication is protecting.
Conclusion
As you can see, you can easily protect Entra ID with your existing Veeam backup infrastructure and 11:11 Systems Cloud Object Storage and Rental Licensing components. Just as important as protecting data is being able to restore it, so be sure to check back next week for a follow-up post about recovering Entra ID objects.