Note: The description in the article is based on Veeam Backup & Replication 12.3.1, licensed using Veeam Universal License (VUL), which is similar to Enterprise Plus.
Microsoft Entra ID Backup and Recovery Options
Veeam Backup for Microsoft Entra ID is a solution developed for protection and disaster recovery for Microsoft Entra ID. The official description can be found in the separate documentation User Guide for Microsoft Entra ID.
What We Can Back Up
We have two categories and two separate types of backup jobs. Within the Entra ID Tenant backup, all supported object types are backed up. Unfortunately, we cannot choose the type of objects or select specific objects for backup. The only exception is Conditional Access Policies, which are not backed up by default, but we can enable them. The second category is specific Entra ID logs.
Entra ID Tenant
- users and groups - including role assignments and group memberships
- administrative units and roles
- devices
- applications - App registrations, Enterprise applications, Service principals
- Conditional Access Policies - only when explicitly enabled
Logs
- audit and sign-in logs
Recovery Options
- granular recovery - we can restore individual objects (users, groups, etc.) or just their attributes
- full recovery - in case of disaster, we can restore everything
- data export - we can export backed-up data to a file
- point-in-time recovery - we can restore Entra ID data to a specific point in time (existing recovery point)
Solution Architecture - Components Used
- Veeam Backup Server - contains these components:
  - Microsoft Entra ID Plug-in for Veeam Backup & Replication
  - General-purpose backup proxy
- Microsoft Entra ID Backup Repository - PostgreSQL instance where Entra ID tenant backups are stored; by default, a local instance on the Backup Server is used
- Log Backup Repositories - storage where audit and sign-in logs backups are stored
- Cache Repository - stores temporary metadata for log backups and tracks all log records that change between backups; only certain types of storage can be used as a Cache Repository
Note: It is important to have a General-purpose backup proxy. It is automatically deployed on the Backup Server during the installation of Veeam Backup & Replication. In the proxy list, we see it as type Agent (mine is simply named Backup Proxy).
Required Permissions in Entra ID
- documentation: Permissions
- when adding an Entra ID tenant to Veeam, we can either create a new account or use an existing one; the account is a Microsoft Entra application. If we let Veeam create the application, it temporarily needs high permissions, so we might want to prepare the application ourselves (but in case of recovery, we must again use an account with high permissions)
- for backup, a number of Microsoft Graph read permissions are needed; if we want to back up Conditional Access policies, we must manually add additional permissions (see Considerations and Limitations - Tenant Backup and Restore)
- for recovery, higher permissions are of course needed; a user account (delegated permissions) is used, which we specify in the recovery wizard
If we let it create a new application, we can find it in Microsoft Entra admin center - Identity - Applications - App registrations. Its name is VeeamAzureApp<ID>. We can look at the set API permissions.
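To review what the application declares without clicking through the portal, the following Python code (an added example, not from the article or from Veeam) resolves the `requiredResourceAccess` ids of an app registration against the resource service principal and lists every permission that is not recognisably read-only. The JSON is constructed sample data in the shape Microsoft Graph returns; the ids and the permission set are placeholders, and the read-only test is a heuristic on the permission name.

```python
import json

# Constructed sample in the shape Microsoft Graph returns for an application and
# for the Microsoft Graph service principal. The permission ids and the set of
# permissions are made up for illustration; they are not Veeam's actual list.
APP = json.loads("""{
  "displayName": "VeeamAzureApp<ID>",
  "requiredResourceAccess": [{
    "resourceAppId": "00000003-0000-0000-c000-000000000000",
    "resourceAccess": [
      {"id": "11111111-0000-0000-0000-000000000001", "type": "Role"},
      {"id": "11111111-0000-0000-0000-000000000002", "type": "Role"},
      {"id": "22222222-0000-0000-0000-000000000001", "type": "Scope"},
      {"id": "33333333-0000-0000-0000-000000000001", "type": "Role"}]}]}""")
GRAPH_SP = json.loads("""{
  "appId": "00000003-0000-0000-c000-000000000000",
  "appRoles": [
    {"id": "11111111-0000-0000-0000-000000000001", "value": "Directory.Read.All"},
    {"id": "11111111-0000-0000-0000-000000000002", "value": "AuditLog.Read.All"}],
  "oauth2PermissionScopes": [
    {"id": "22222222-0000-0000-0000-000000000001", "value": "Directory.ReadWrite.All"}]}""")

def is_read_only(name):
    """Heuristic on the permission name: a 'Read' segment and no write segment."""
    parts = name.split(".")
    return "Read" in parts and not {"ReadWrite", "Write"} & set(parts)

def resolve_permissions(app, resource_sps):
    """Return [(kind, name, read_only)] for every permission the app declares."""
    by_app_id = {sp["appId"]: sp for sp in resource_sps}
    rows = []
    for resource in app.get("requiredResourceAccess", []):
        sp = by_app_id.get(resource["resourceAppId"], {})
        names = {
            "Role": {r["id"]: r["value"] for r in sp.get("appRoles", [])},
            "Scope": {s["id"]: s["value"] for s in sp.get("oauth2PermissionScopes", [])},
        }
        for access in resource["resourceAccess"]:
            name = names.get(access["type"], {}).get(access["id"], "unresolved:" + access["id"])
            kind = "Application" if access["type"] == "Role" else "Delegated"
            rows.append((kind, name, is_read_only(name)))
    return rows

def needs_review(app, resource_sps):
    """Permissions that are not recognisably read-only, including unresolved ids."""
    return [(k, n) for k, n, ro in resolve_permissions(app, resource_sps) if not ro]
```

Ids that cannot be resolved are reported rather than skipped, so a permission on a resource that was not supplied never passes silently.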

Licensing
Everything looks very nice until we get to licensing. When we back up Active Directory Domain Services (AD DS), we back up domain controllers. Theoretically, it's enough to back up one and we need one license (VUL). It doesn't matter how many users or directory objects we have.
Backing up Microsoft Entra ID is licensed according to the number of protected users. Every 10 protected users consume 1 Veeam Universal License (VUL). It should be noted that only enabled user accounts that are in a recovery point for the last 31 days are counted. Deactivated and guest accounts, as well as other objects or logs, are not counted towards consumption. In my test, backing up 26 users consumed 2 VUL. For log backup, we need Veeam Data Platform Advanced or Premium.
How It Works
- we add Microsoft Entra ID Tenant to the backup infrastructure
- Microsoft Graph API is used for secure access to data
- we create a backup job for the Tenant or logs
- Veeam connects to Entra ID through secure API integration
- performs scheduled backup of directory objects
Configuration of Veeam Backup for Microsoft Entra ID
Adding Microsoft Entra ID Tenant
- Veeam Backup & Replication Console
- Inventory - Microsoft Entra ID - Add Tenant

- Tenant - we enter (copy) Tenant ID, for clarity we can enter Description, click on Cache and select the backup storage for temporary metadata

- Account Type - in our case, we choose Create a new account to create a new Entra ID application
- Authentication - a temporary one-time verification code is displayed, which we enter at https://microsoft.com/devicelogin; we must then log in with an account that has sufficient permissions, and Veeam registers a new application under this account (Microsoft Azure CLI is used)

- by clicking Apply, the Microsoft Entra ID Tenant is added to the Backup Infrastructure

Problem with PostgreSQL
When I was performing a Veeam Backup & Replication upgrade to version 12.3, the upgrade ended with an error in step 6 of 7. I struggled a lot before I managed to run the upgrade again so that it would complete.
Now, when I wanted to add Microsoft Entra ID Tenant, the wizard did not appear, but I got the following error:
Database connection settings for the Microsoft Entra ID backup repository cannot be found. Configure the repository according to this KB article to continue.

The link leads to the article KB4653: Database connection settings for the Microsoft Entra ID backup repository cannot be found. There is also a mention of a situation where the upgrade did not succeed on the first attempt, "For Customers Who Ran the Upgrade a Second Time and It Succeeded", in KB4698. But it talks about the upgrade failing in step 1, when it was installing PostgreSQL 15.10-1.
That was not my situation, yet I found that the service postgresql-x64-15 was missing on the server. PostgreSQL 15 is not among the installed applications, but there is a PostgreSQL 15 folder in the start menu.
I performed a PostgreSQL reinstallation (from the Veeam installation ISO). Subsequently, I performed an upgrade to 12.3.1, but that did not solve the problem. According to the referenced article, the missing repository configuration needs to be added. The description is in Connecting to Remote Microsoft Entra ID Backup Repository. Information about what values to use is missing. I entered localhost 5432, user postgres, and I left the password blank. Everything went through.

The second article recommends performing optimization described in Adjusting PostgreSQL Instance Configuration after manually installing PostgreSQL (which obviously had not been done in my case). The command in the second step ended with an error again:
C:\Program Files\PostgreSQL\15\bin> psql -U postgres -f "C:\config.sql"
psql: error: connection to server at "localhost" (127.0.0.1), port 5432 failed: FATAL: SSPI authentication failed for user "postgres"
The article SSPI authentication failed for user provided a hint. A line for the Veeam admin account was missing in the file C:\Program Files\PostgreSQL\15\data\pg_ident.conf. After adding it, the command ran successfully and the previously empty postgresql.auto.conf file gained content.
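The missing-mapping failure described above can be checked before running psql. The following Python code is an added example, not from the article or from Veeam: it reads pg_hba.conf and pg_ident.conf text and reports whether a given Windows account is mapped to the postgres role under an sspi rule. The map name `veeam`, the host name `BACKUP01` and the account names are constructed placeholders, and the code assumes every sspi rule applies to the connection being tested.

```python
import re

# Constructed sample files: the map name "veeam", host BACKUP01 and the account
# names are placeholders for illustration, not values taken from the article.
PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
host    all       all   127.0.0.1/32   sspi map=veeam
"""
PG_IDENT = """\
# MAPNAME  SYSTEM-USERNAME         PG-USERNAME
veeam      "SYSTEM@NT AUTHORITY"   postgres
veeam      svc_veeam@BACKUP01      postgres
"""

def fields(text):
    """Yield the fields of each line, honouring "quoted values" and # comments."""
    for line in text.splitlines():
        # '#.*' swallows a trailing comment as one token, which is then dropped
        toks = [t.strip('"') for t in re.findall(r'"[^"]*"|#.*|\S+', line)
                if not t.startswith("#")]
        if toks:
            yield toks

def can_connect(hba, ident, system_user, pg_user="postgres"):
    """True if an sspi rule's user-name map lets system_user log in as pg_user."""
    # Simplification: every sspi rule is assumed to match the connection;
    # PostgreSQL itself uses only the first pg_hba.conf line that matches.
    for rule in fields(hba):
        if "sspi" not in rule:
            continue
        opts = dict(o.split("=", 1) for o in rule[rule.index("sspi") + 1:] if "=" in o)
        if "map" not in opts:  # no map: the two names must be identical
            if system_user == pg_user:
                return True
            continue
        for entry in fields(ident):
            if len(entry) < 3 or entry[0] != opts["map"]:
                continue
            sys_name, pg_name = entry[1], entry[2]
            if sys_name.startswith("/"):  # regular-expression entry
                m = re.search(sys_name[1:], system_user)
                if m and m.groups():
                    pg_name = pg_name.replace("\\1", m.group(1))
                if m and pg_name == pg_user:
                    return True
            elif (sys_name, pg_name) == (system_user, pg_user):
                return True
    return False
```

Because every entry in the map grants superuser access as postgres, listing individual accounts keeps the set of accepted logins smaller than a regular-expression entry that matches a whole host or domain.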