Veeam Backup & Replication - Entra ID backup part 2

Note: The description in this article is based on Veeam Backup & Replication 12.3.1, licensed using Veeam Universal License (VUL), which is equivalent to Enterprise Plus.

Continuation of information from Veeam Backup & Replication - Entra ID backup part 1.

Veeam Backup for Microsoft Entra ID

• Performing Backup

Creating a Tenant Backup Job

Tenant backup job is special. We set only a few parameters. We don't select storage and backups are saved to a (local) PostgreSQL database.

• Veeam Backup & Replication Console
• Home - Backup Job - Microsoft Entra ID - Tenant

• Name - enter a unique name, optionally also a description
• Tenant - select the Tenant that we added in the first part, Retention Policy - how many days we want to keep recovery points, older ones are removed
  • Advanced - Encryption - we can enable backup encryption
  • Advanced - Notifications - setting up notifications when a job completes (we can set globally or customize for individual job, to be able to set it on a job, it must be enabled globally, for example if we don't enable Success globally, it won't work when set on the job)

• Schedule - we can schedule regular job execution (the second option is to run manually)

Running Tenant Backup Job

When we run the job, it connects to Entra ID and creates a list of objects to process. If we don't have enough licenses, we'll get an error and the job will end.

Job has been stopped with failures. Error: Unable to process the workload: your license has been exceeded

The backup of the test Tenant took 3.5 minutes.

Creating Log Backup Job

Log backup job is, on the other hand, classic. We set standard parameters and choose standard storage.

• Veeam Backup & Replication Console
• Home - Backup Job - Microsoft Entra ID - Logs
• Name - enter a unique name, optionally also a description, we can select High priority if we want to prioritize this job
• Tenant - select the Tenant that we added in the first part
• Storage - select Backup Repository (backup storage) and Retention Policy (how many recovery points or days we want to keep), Configure secondary destinations for this job (we can add secondary storage, a Backup Copy Job will be created)
  • Advanced - Storage - we can enable compression and encryption of backups
  • Advanced - Maintenance - we can schedule regular maintenance, check the last Restore Point - Perform backup files health check (it's important that there's no collision with the time when the backup is running)
  • Advanced - Scripts - we can run custom scripts before and/or after the backup job
  • Advanced - Notifications - setting up notifications when a job completes (we can set globally or customize for individual job, to be able to set it on a job, it must be enabled globally, for example if we don't enable Success globally, it won't work when set on the job)

• Schedule - we can schedule regular job execution (the second option is to run manually)

Running Log Backup Job

An interesting thing is that we must create a Tenant Backup Job and it must run successfully. Otherwise, when running Log Backup Job, we'll get an error:

Failed to process Firma a.s.: Unable to backup Microsoft Entra ID logs: a recent backup of the same tenant must be created within
 the last 30 days to perform the audit log backup.  

In the test Tenant, the backup ran extremely slowly (2 KB/s) and took 1:36 hours.

Tenant Backup Job Backing Up Conditional Access Policies

• Considerations and Limitations - Tenant Backup and Restore

If we want to back up Conditional Access Policies along with other Microsoft Entra ID objects, we need to do two things.

On the Veeam Backup Server, add a DWORD key EntraIdBackupSupportsConditionalAccessPolicyRestore with value 1 to the registry at path HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Backup and Replication\.

Add permissions to the Veeam application in Entra ID.

• Microsoft Entra admin center
• Identity - Applications - App registrations
• open the application - API permissions - Add a permission
• Microsoft Graph - Application permissions - Policy.Read.All

During the next run, the job will also back up CAP.

Microsoft Entra ID Restore

Restore has many options, which are described in the official documentation Performing Restore. Here we'll show just a few images from the restore process.

Entra ID Tenant Restore

For Entra ID object restore, we have the Microsoft Entra ID Tenant Restore wizard, which has different graphics than the usual Browsers and Explorers in Veeam.

Entra ID Log Restore

For log restore, the Backup Browser is used, and we essentially export a text file with logs.