In my previous post, we explored the reasons and methods for safeguarding Microsoft Entra ID data using Veeam Backup & Replication. While having secure, encrypted backups is essential, their value diminishes if you can’t restore them when it matters most. In this post, we’ll dive into the recovery process step by step.
If you recall, there are a number of object types within Entra ID that can be protected at this time:
- Users
- Groups
- Roles
- Administrative Units
- Applications (App Registrations, Enterprise Apps, Service Principals)
- Conditional Access Policies (if enabled)
Restoring Tenant Objects
For me, the most challenging part of restoring Entra ID tenant objects was figuring out where to initiate the restore process. Since version 12.3 marks the debut of this feature, it’s understandable that the UI might not yet be fully refined, especially with the major UI overhaul planned for version 13. To start a restore session, go to Home > Backups in the VBR UI, expand your tenant job, and select your protected tenant. Once selected, you’ll see the ‘Entra ID Tenant Restore’ option in the taskbar, or you can simply right-click on the tenant within the job to access it.
Metadata Comparison
Once clicked, you will be met with the modern version of a Veeam Explorer. If you’ve ever had to recover Active Directory objects from Veeam, this should feel familiar, but with new additional capabilities.
One feature I really appreciate in the Entra ID restore workflow is the metadata comparison option. This allows you to pull a specific restore point and compare it to the current state in Entra ID. As someone who’s dealt with permission mishaps and group membership issues in AD before, this is a game-changer. To use this feature, simply select an item in the restore window and choose ‘Metadata Comparison’ from the restore button.
Oh no, it looks like Hackerman’s got to me! I should go restore these properties on my user. I can do that by simply selecting all the fields and hitting Next. This will prompt me to log in to Entra ID with the regular device code method.
Once you successfully authenticate, it will inform you and you can proceed.
You will need to provide a restore reason as is common with standard Veeam restores.
Once you hit Next and Finish, the protected metadata will be sent back to the user and restored. Success can be tracked within the job.
As you can see the user properties have now been restored.
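As an added example (not from this post or from Veeam), here is an independent check I would run after a metadata restore: compare the user’s current attributes in Entra ID against the values held in the restore point, using the Microsoft Graph PowerShell SDK. The UPN and expected attribute values are constructed placeholders, not real tenant data.

```powershell
# Added example, not part of the original post or of Veeam's tooling.
# Verifies that a restored user's attributes match what the restore point held.
# Requires the Microsoft.Graph.Users module. UPN and values are constructed placeholders.
Import-Module Microsoft.Graph.Users

# A read-only scope is all a verification pass needs.
Connect-MgGraph -Scopes "User.Read.All" -NoWelcome

# Constructed: attribute values as recorded in the restore point you restored from.
$Expected = [ordered]@{
    DisplayName    = "Jane Example"
    JobTitle       = "Security Engineer"
    Department     = "IT"
    OfficeLocation = "HQ"
    AccountEnabled = $true
}
$Upn = "jane.example@contoso.example"   # placeholder UPN

# Request only the properties being checked; unrequested properties come back null.
$Current = Get-MgUser -UserId $Upn -Property (@("Id") + @($Expected.Keys))

# Collect every attribute whose live value still differs from the restore point.
$Drift = foreach ($Key in $Expected.Keys) {
    $Actual = $Current.$Key
    if ("$Actual" -ne "$($Expected[$Key])") {
        [pscustomobject]@{ Attribute = $Key; Expected = $Expected[$Key]; Current = $Actual }
    }
}

if ($Drift) {
    Write-Warning "Restore verification failed for ${Upn}: attributes still differ from the restore point"
    $Drift | Format-Table -AutoSize
} else {
    Write-Host "All checked attributes for $Upn match the restore point."
}

Disconnect-MgGraph | Out-Null
```

Run it once before the restore to capture the drift the metadata comparison showed, and again afterwards to confirm the restore job actually landed every field.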
Full User/Object Recovery
While the metadata recovery is great, what if my entire user account (or other protected Entra object) is deleted or corrupted? While Hackerman is always a threat, this is just as likely to be an administrative flub in the cloud. Not to worry, we can recover from scratch as well.
Similar to our metadata restore we select the account(s) we want to restore and then click Full Restore.
We do have to select them again on the next screen to begin the wizard.
We will once again log in with the device code and then be presented with a number of restore options. Most noticeable is the need to set a default password and to choose how to handle the case where the object is already present.
If you are bulk restoring users you can click the “Set temporary passwords” link and it will let you set separate passwords or autogenerate them all for you.
Once you supply a reason, or not, you will be able to finish up. Unless you’ve used something common, I recommend you click the Passwords link on the Summary page so you can download a CSV file with any passwords used.
If you chose to overwrite existing objects, you will be prompted to confirm that you are sure.
Once you hit Yes, it will complete the process. If this was a recent deletion, it will pull the data from the Entra Recycle Bin rather than from the backup itself, making for a very fast restore.
It’s worth noting that while this has restored the Entra ID user, it has not recovered any data within it. This is because Microsoft 365 data belongs to the Entra user but is not protected in the same process.
If you are protecting this with 11:11 Office 365 backup, you will simply need to hop over to 11:11 Console and recover all of your Microsoft 365 data back to the now recovered Entra ID user. Restores via the 11:11 console or via the Veeam Explorers (VEX) connected remotely are both well covered in the 11:11 Success Center, so I’ll not recreate that documentation.
Conclusion
Recovering protected Entra ID objects is a straightforward and hassle-free process. While 11:11 plans to incorporate this functionality into its SaaS-based Microsoft 365 backup solution in the future, you can currently safeguard and restore this data using your on-premises Veeam Backup & Replication server. By leveraging 11:11 Cyber Vault for Veeam to capture log backups and utilizing Veeam Rental Licensing for any additional licensing needs, you can ensure seamless protection and recovery.