Veeam has announced the backup for Entra ID, and I had the chance to explore it before the General Availability (GA) release. I installed and tested a beta version in my lab environment. For this setup, I continue to use a Microsoft Azure VM for the installation and deployment of Veeam (manually installed), utilizing a Microsoft CDX tenant as the source data basis for testing.
Introduction:
Unlike the backup solutions for Microsoft Azure workloads or Microsoft 365 workloads, Veeam has integrated the backup of Entra ID into VBR (Veeam Backup & Replication). The menu and handling feel familiar since all settings have been adapted to the already well-known VBR style and integrated into the existing GUI.
The licensing details have not yet been released by Veeam and are therefore still not finalized. It is generally expected that Veeam will integrate Entra ID backup into the VUL (Veeam Universal License), thereby allowing additional use of the already well-known VUL licensing model.
Creating an Entra ID Tenant:
The menu navigation is already familiar from VBR, and the Entra ID tenant must be created under the „Inventory“ tab.
Important: It is essential to specify the Tenant ID here, as this uniquely identifies the tenant. An email address or a name alone is not sufficient.
Authentication using an administrative account is already familiar from Veeam Backup for Microsoft 365:
The tenant has now been successfully created and jobs can be set up for it:
Types of Backup Jobs:
There are two different types of jobs:
- Tenant Backup Job
- Audit Log Backup Job
In a Tenant Backup Job, the objects within the tenant are backed up and can be individually restored. The Audit Log Backup Job specifically backs up audit logs, which can then be reviewed (see below).
Creating a Tenant Backup Job:
A backup job is created via the familiar method in VBR, for example, under the „Home“ tab. The following objects are backed up:
- Users
- Groups
- Entra ID Roles
- Administrative Units
- Application Registrations
The creation of a backup job is done through the VBR GUI:
As with VBR, we can choose a retention policy here; however, there are currently no additional configuration options available:
The scheduling follows the familiar VBR standard:
Important: Currently, it is not possible to select a backup repository as a target for the backups. Since I only have one backup repository available in my lab environment for this test (the Default Backup Repository), the backups are stored there.
First Test Run:
The backup job completed successfully and all objects were backed up without issues.
Creating an Audit Log Backup Job:
A backup job is created through the familiar method in VBR, for example, under the „Home“ tab. The following logs are backed up:
- Audit Logs
- Sign-In Logs
The creation of an Audit Log Backup Job is also done through the VBR GUI:
As with VBR, we can define a retention policy here and, as usual, find the „Advanced“ button for configuring additional settings:
Aligned with VBR, we can again select a compression level and enable backup file encryption, which I have set as a standard in my environments:
The scheduling is also familiar and is configured at the end:
Important: Unlike the Tenant Backup Job, here you can select a repository as usual. By default, I used the Default Backup Repository, which I am using for this test installation.
First Test Run:
The backup job completed successfully, and all objects were backed up without issues. Compared to the Tenant Backup Job, less data is written, as it only involves log files.
Health Check Jobs:
The new Veeam version also introduces a health check, which, however, is only executable for the audit logs:
Detailed information about the content and type of the check is not available at this time.
Tentant Restore:
As with VBR, we can restore the existing backups by right-clicking:
As described above, we can restore multiple workloads:
Full Restore of a user:
As an example, I performed a full restore of a user object. The functionality is reminiscent of an Active Directory restore (Veeam Explorer for Microsoft Active Directory), as we also have options here to either perform a full restore or a metadata comparison („Compare with production“):
Multiple users can be selected simultaneously. It is also possible to select users via CSV file:
The familiar authentication against the Azure Cloud is prompted during each restore:
Overall, Veeam offers many features for the restore of a single user object. For example, we can choose to overwrite the existing object or skip it if it already exists. Additionally, similar to the functions of an on-premises Active Directory restore, we can assign a new password to the user and enforce MFA if needed:
Restore from the Entra ID Recycle Bin is also possible:
In the final step, we receive an overview of the selected options for the restore:
In my case, the restore took only about 10 seconds and completed without errors:
I was able to successfully verify and validate the activities within Entra ID.
Compare-Restore of a user:
To compare a user with the current state in the production environment instead of performing a full restore, follow the same steps as above. However, instead of selecting „Full Restore,“ choose the „Metadata Comparison“ option:
We now see an overview of the current user properties and can select the restore point and the affected user(s):
Relatively high permissions within Azure are also required here. This is prompted during each restore:
In the final step, we again see a summary of the user to be restored and the attributes that are to be restored:
In my case, the restore took approximately 2 minutes and completed without errors:
Audit Log Restore:
Audit logs cannot be natively restored back to the Entra ID infrastructure. The only way to restore the logs is by copying the data from the backup to another location (such as the backup server itself) and manually processing the logs within Azure.
According to my information, Azure currently does not provide an interface for restoring these logs.
The wizard is started through the familiar method within the GUI:
Here, we see that the restore options are limited; only „Copy to“ is available:
As mentioned above, we can select one of the Veeam Managed Servers and specify a path for the file export there:
Finally, we receive a warning message that the destination file system (in my case, the C:\ drive of the backup server) has different permissions compared to the source (Azure Entra ID). This message is expected and can be disregarded:
Analysis of the Restored Logs:
I moved the logs to the C:\Restore folder for better organization. There, you will find the restored SignInLog folder, which contains sign-in logs:
The content of the log files looks as follows:
Conclusion:
With the implementation of Entra ID backups, Veeam is making a significant move towards cloud readiness, enabling customers to now back up sign-in objects, including logs, within the Azure infrastructure.
Many customers do not focus on backing up these elements, partly because, in my opinion, Microsoft does not sufficiently highlight the priority and relevance of this data.
Conclusion: Licensing
Veeam has not yet made a final statement regarding the licensing of the product. As mentioned above, it is planned to integrate the license into the VUL (Veeam Universal License).
It is clearly desirable to consider the competition (e.g., CommVault) in terms of pricing and position accordingly.
Currently, VUL licenses are required for cloud workloads within Veeam Backup for Azure, and these can also be used to license a VBR environment.