Veeam Backup & Replication

Version 12
User Guide for Microsoft Entra ID
April, 2025
© 2025 Veeam Software.

All rights reserved. All trademarks are the property of their respective owners.

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or
translated into any language in any form by any means, without written permission from Veeam Software
(Veeam). The information contained in this document represents the current view of Veeam on the issue
discussed as of the date of publication and is subject to change without notice. Veeam shall not be liable for
technical or editorial errors or omissions contained herein. Veeam makes no warranties, express or implied, in
this document. Veeam may have patents, patent applications, trademark, copyright, or other intelle ctual
property rights covering the subject matter of this document. All other trademarks mentioned herein are the
property of their respective owners. Except as expressly provided in any written license agreement from Veeam,
the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other
intellectual property.

NOTE
Read the End User Software License Agreement before using the accompanying software programs. Using
any part of the software indicates that you accept the terms of the End User Software License Agreement.

2 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Contents
CONTACTING VEEAM SOF TWARE ................................ ................................ ........................... 5
ABOUT THIS DOCUMENT ................................ ................................ ................................ ..... 6
OVERVIEW ................................ ................................ ................................ ...................... 7
Solution Architecture ............................................................................................................................ 8
PLANNING AND P REPARATION ................................ ................................ ............................. 10
System Requirements .......................................................................................................................... 11
Considerations a nd Limitations ............................................................................................................. 13
Supported Entra ID Item Properties ...................................................................................................... 15
Permissions ........................................................................................................................................ 25
Ports .................................................................................................................................................. 27
LICENSING ................................ ................................ ................................ ..................... 29
DEPLOY MENT ................................ ................................ ................................ ................. 31
CONFIGURING VEE AM BACKUP FOR MICROSOFT ENTRA ID................................ ............................ 32
Configuring Log and Cache Rep ositories .............................................................................................. 33
Managing Microsoft Entra ID Tenants .................................................................................................. 34
Adding Microsoft Entra ID Tenants ............................................................................................ 35
Editing Microsoft Entra ID Tenants ............................................................................................ 43
Removing Microsoft E ntra ID Tena nts ........................................................................................ 44
Managing Microsoft Entra ID Repository .............................................................................................. 45
Connecting to Remote Microsoft Entra ID Backup Repository ...................................................... 46
Rescanning Microsoft E ntra ID Rep ository ................................................................................... 51
PERFORMING BACKUP ................................ ................................ ................................ ....... 52
Creating Tenant Backup Jobs .............................................................................................................. 53
Step 1. La unch New Microsoft Entra ID Tenant Backup Job Wizard ............................................... 54
Step 2. Specify Job Name and Description .................................................................................. 55
Step 3. Specify Tenant and Retention Settings............................................................................ 56
Step 4. Specify Advanced Backup Settings ................................................................................. 57
Step 5. Define Job Schedule ......................................................................................................60
Step 6. Finish W orking with Wizard ............................................................................................ 62
Creating Log Backup Jobs ................................................................................................................... 63
Step 1. La unch New Microsoft Entra ID Log Backup Job Wizard .................................................... 64
Step 2. Specify Job Name and Description .................................................................................. 65
Step 3. Specify Tenant............................................................................................................... 66
Step 4. Specify Backup Rep ository Settings ................................................................................ 67
Step 5. Specify Advanced Backup Settings .................................................................................. 68
Step 6. Specify Secondary Repository Settings ........................................................................... 73
Step 7. Define Job Schedule ...................................................................................................... 75

3 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
 Step 8. Finish W orking with Wizard ............................................................................................ 77
Managing Backup Jobs ........................................................................................................................ 78
Starting and Stopping Backup Jobs ............................................................................................ 79
Editing Backup Job Settings .......................................................................................................81
Enabling and Disabling Backup Jobs........................................................................................... 82
Retrying Jobs............................................................................................................................ 83
Cloning Log Backup Jobs ........................................................................................................... 84
Deleting Backup Jobs ................................................................................................................ 86
MANAGING BACKUPS ................................ ................................ ................................ ........87
Viewing Log Backup Properties ........................................................................................................... 88
Performing Health Check for Log Backups............................................................................................ 89
Copying Log Backups .......................................................................................................................... 92
Detaching Backups ............................................................................................................................. 93
Deleting Backups ................................................................................................................................ 94
PERFORMING RESTORE ................................ ................................ ................................ ......95
Entra ID User Restore .......................................................................................................................... 96
Restoring Entire Users ............................................................................................................... 97
Restoring Synchronized Users (Hybrid Identity) .........................................................................107
Restoring User Properties ........................................................................................................ 109
Entra ID Group Restore .......................................................................................................................115
Restoring Entire Groups ........................................................................................................... 116
Restoring Group Properties ...................................................................................................... 124
Entra ID Administrative Units Restore .................................................................................................130
Restoring Entire Administrative Units.........................................................................................131
Restoring Administrative Unit Properties ................................................................................... 139
Entra ID Role Restore ......................................................................................................................... 145
Restoring Entire Roles ..............................................................................................................146
Restoring Role Properties ......................................................................................................... 154
Entra ID Application Restore ............................................................................................................. 160
Restoring Entire Applications ................................................................................................... 161
Restoring Application Properties ...............................................................................................170
Entra ID Conditional Access Policies .................................................................................................... 176
Restoring Entire Conditional Access Policies .............................................................................. 177
Restoring Conditional Access Policy Properties .......................................................................... 185
Entra ID Log Restore .......................................................................................................................... 191
Restoring Logs ......................................................................................................................... 192
GETTING TECHNICAL SUPPORT................................ ................................ ........................... 199

4 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Contacting Veeam Software
At Veeam Software we value feedback from our customers. It is important not only to help you quickly with your
technical issues, but it is our mission to listen to your input and build products tha t incorporate your
suggestions.

Customer Support
Should you have a technical concern, suggestion or question, visit the Veeam Customer Support Portal to open a
case, search our knowledge base, reference documentation, manage your license or obtain the latest product
release.

Company Contacts
For the most up-to-date information about company contacts and office locations, visit the Veeam Contacts
Webpage.

Online Support
If you have any questions about Veeam products, you can use the following resources:

• Full documentation set: veeam.com/documentation-guides-datasheets.html

• Veeam R&D Forums: forums.veeam.com

5 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
About This Document
This guide is designed for IT professionals who plan to use Veeam Backup for Microsoft Entra ID. The guide
includes system requirements, licensing information and configuration instructions. It also provides a
comprehensive set of features to ensure easy execution of protection and disaster recovery tasks in the
Microsoft Entra ID environment.

6 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Overview
Veeam Backup for Microsoft Entra ID is a solution developed for protection and disaster recovery tasks for
Microsoft Entra ID. With Veeam Backup for Microsoft Entra ID, you can perform the following operations:

• Create backups of Microsoft Entra ID tenants and store them in PostgreSQL databases.

• Create backups of Microsoft Entra ID audit and sign-in logs and store them in backup repositories.

• Restore users, groups, administrative units, roles, applications and service principals from Microsoft Entra
ID tenant backups to the Microsoft Entra ID environment.

• Restore properties of users, groups, administrative units, roles, applications and service p rincipals from
Microsoft Entra ID tenant backups to the Microsoft Entra ID environment.

• Restore audit and sign-in logs from Microsoft Entra ID log backups to the Microsoft Entra ID environment.

7 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Solution Architecture
The Veeam Backup for Microsoft Entra ID architecture comprises the following set of components:

• Backup server

• Microsoft Entra ID Plug-in for Veeam Backup & Replication

• General-purpose backup proxy

• Microsoft Entra ID backup repository

• Log backup repositories

• Cache repository

Backup Server
A backup server is a Windows-based physical or virtual machine on which Veeam Backup & Replication is
installed. The backup server is the configuration, administration and management core of the backup
infrastructure. It coordinates backup and restore operations, controls job scheduling and manages resource
allocation.

The backup server comprises the following components:

• Microsoft Entra ID Plug-in for Veeam Backup & Replication — an architecture component that extends the
Veeam Backup & Replication functionality and allows you to add Microsoft Entra ID tenants to the backup
infrastructure.

• General-purpose backup proxy — an architecture component that allows communication between

Microsoft Entra ID and Microsoft Entra ID Plug-in for Veeam Backup & Replication, processes jobs, and
transfers data to and from backup repositories. The role of the backup proxy is assigned to the machine
where the backup server is installed. For more information on the backup proxy, see the
Veeam Backup & Replication User Guide, section General-Purpose Backup Proxies.

For more information on the backup server, see the Veeam Backup & Replication User Guide, section Backup
Server.

Microsoft Entra ID Backup Repository

A Microsoft Entra ID backup repository is a PostgreSQL instance where Veeam Backup for Microsoft Entra ID
stores backups of protected Microsoft Entra ID tenants. By default, Veeam Backup for Microsoft Entra ID uses
the local PostgreSQL instance installed on the backup server. To ensure data safety, you can instruct Veeam
Backup for Microsoft Entra ID to use a remote instance. For more information on the Microsoft Entra ID backup
repository configuration, see Configuring Repositories.

Log Backup Repositories

A log backup repository is a storage location where Veeam Backup for Microsoft Entra ID stores backups of audit
and sign-in logs of protected Microsoft Entra ID tenants.

To increase log availability and ensure that data can b e recovered in case a disaster strikes, you can store
backed-up data of audit and sign-in logs in different locations — primary and secondary log backup repositories
with their own retention policies and encryption settings.

8 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Cache Repository
A cache repository is a storage location where Veeam Backup for Microsoft Entra ID keeps temporary metadata
to reduce the load on the backup server when performing backup operations. The cache repository keeps track
of all log records that change between backup sessions.

TIP

To minimize network load during backup operations, it is recommended that you configure the cache
repository to be located closer to the backup server in the computer network.

9 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Planning and Preparation
Before you start using Veeam Backup for Microsoft Entra ID, check system requirements, limitations,
permissions and network ports used for data transmission.

10 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
System Requirements
Veeam Backup & Replication
Veeam Backup & Replication version 12.3 must be deployed on the backup server.

Backup Server
The backup server is the configuration, administration and management core of the backup infrastructure. It
must meet system requirements described in the Backup Server System Requirements section in the
Veeam Backup & Replication User Guide.

Veeam Backup & Replication Console

The Veeam Backup & Replication console is a client-side component that provides access to the backup server.
The consoles installed on Microsoft Windows Server 2012 or 2012R2 do not support Veeam Backup for Microsoft
Entra ID. For other system requirements, see the Veeam Backup & Replication Console System Requirements
section in the Veeam Backup & Replication User Guide.

By default, the console is installed locally on the backup server. If you plan to use the local console, make sure
that you do not install Veeam Backup & Replication on Microsoft Windows Server 2012 or 2012R2. If you plan to
use a remote console, you can install Veeam Backup & Replication on any supported OS.

General-Purpose Backup Proxy

The general-purpose backup proxy processes and transfers data. Veeam Backup for Microsoft Entra ID uses the
default general-purpose backup proxy that is deployed on the backup server. The system requirements for the
backup server are described in the Backup Server System Requirements section in the
Veeam Backup & Replication User Guide.

Microsoft Entra ID Backup Repository

The Microsoft Entra ID backup repository stores tenant backups. This repository is based on a PostgreSQL
instance. The requirements for this instance are the same as for the PostgreSQL instance that stores
configuration database on the backup server. For more information, see the Configuration Database row in
Backup Server System Requirements section in the Veeam Backup & Replication User Guide.

Cache Repository
The cache repository stores temporary cache files for log processing. This repository must meet system
requirements described in the Cache Repository System Requirements section in the
Veeam Backup & Replication User Guide.

Log Backup Repositories

The primary and secondary log backup repositories store audit and sign-in log backups and their copies. These
repositories must meet requirements described in the Backup Repository System Requirements section in the
Veeam Backup & Replication User Guide.

11 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
For information on which types of repositories can be used as primary and secondary re positories, see
Configuring Repositories.

12 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Considerations and Limitations
When you plan to deploy and configure Veeam Backup for Microsoft Entra ID, keep in mind the following
limitations and considerations.

Infrastructure
• Veeam Backup for Microsoft Entra ID can use only the default general-purpose backup proxy. This proxy is
deployed during Veeam Backup & Replication installation. If you delete this proxy, Microsoft Entra ID
tenant backup and log backup will not be possible. For more information on the architecture, see Solution
Architecture.

• One backup server can work only with one Microsoft Entra ID backup repository. For more information on
the architecture, see Solution Architecture.

• If you plan to store backed-up data in remote Microsoft Entra ID backup repositories, consider that only
PostgreSQL password authentication is supported to connect to these repositories. For more information,
see Connecting to Remote Microsoft Entra ID Backup Repository.

Tenant Backup and Restore

• Veeam Backup for Microsoft Entra ID does not support the Government and China regions.

• For one Microsoft Entra ID tenant, you can create only one tenant backup job. One tenant backup job can
protect only one tenant.

• You cannot restore Entra ID built-in roles.

• To be able to protect Conditional Access policies, you must configure a registry key value and a set of
permissions and roles:

o On the backup server, set the value of the HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam

Backup and Replication\EntraIdBackupSupportsConditionalAccessPolicyRestore
{DWORD} key to 1.

o To be able to backup Conditional Access policies, assign the Policy.Read.All (application) permission
to the Entra ID application used for backup. You specify this application when adding a tenant to
Veeam Backup & Replication.

o To be able to restore Conditional Access policies, the user account that you specify during restore
must have the following roles: Conditional Access Administrator or Security Administrator. The Entra
ID application used for restore must have the following permissions:
Policy.ReadWrite.ConditionalAccess (delegated) and Agreement.Read.All (delegated) . You specify
this application when adding a tenant to Veeam Backup & Replication.

For more information on the permissions, see Permissions.

• The backup copy feature does not work for tenant backups. To protect the backups, you need to protect
the Microsoft Entra ID backup repository based on the PostgreSQL instance. For this, you can use the
native PostgreSQL pg_dump method or create the VM or Veeam Agent backup of the machine where the
Microsoft Entra ID backup repository is located.

13 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
• By default, Veeam Backup for Microsoft Entra ID does not back up relationships between protected
resources and management groups. If you want to add these relationships into the backup scope, you must
perform additional configuration steps described in this Veeam KB article.

• During one restore session, you can restore items of one type only. For example, only users or only
groups, not users and groups.

• [Entire restore of permanently deleted and linked applications and service principles] You can restore a
service principle that represents an application only together with this application and within one restore
session. If you restore the application in a separate restore session, the res tored application gets a new AppID.
The service principal will not recognize this new ID, and the restore of the service principal will fail.

• Restore of users synchronized with Microsoft Active Directory (hybrid identities) is possible using Veeam
Backup for Microsoft Entra ID. For more information, see Restoring Synchronized Users (Hybrid Identity).

Log Backup and Restore

• You cannot back up sign-in logs with Microsoft Entra ID free license. With this license, you can back up
only audit logs.

• To create a log backup, you must have the backup of the tenant whose logs you want to protect. The
latest restore point of this backup must be created within 30 days before the log backup.

14 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Supported Entra ID Item Properties
Veeam Backup for Microsoft Entra ID supports protection of the listed Microsoft Entra ID items and their
properties.

Users

P roperty Comments

AccountEnabled —

Ag eGroup —

Ap p RoleAssignments —

AssignedLicenses —

BusinessPhones —

City —

CompanyName —

ConsentProvidedForMinor —

Country —

CreatedDateTime Read-only property in Entra ID.

Dep artment —

DirectReports —

DisplayName —

E mp loyeeId —

E mp loyeeType —

Fa x Number —

15 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
 P roperty Comments

GivenName —

Id entities —

Job Title —

Ma il —

Ma ilNickname —

Ma nager —

MemberOf —

Mob ilePhone —

OfficeLocation —

OnP remisesDistinguishedName Read-only property in Entra ID.

OnP remisesDomainName Read-only property in Entra ID.

OnP remisesExtensionAttributes —

OnP remisesImmutableId —

OtherMails —

OwnedObjects —

P a sswordPolicies —

P ostalCode —

P referredDataLocation —

Sta te —

16 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
 P roperty Comments

StreetAddress —

Surname —

Usa geLocation —

UserPrincipalName —

UserType —

NOTE

Besides the listed properties, Veeam Backup for Microsoft Entra ID also protects role assignments for the
users. This role assignment protection is available for Microsoft Entra ID P2 and Governance tenant
licenses.

Groups

P roperty Comments

AllowExternalSenders —

Ap p RoleAssignments Not available for restore.

AssignedLabels —

AssignedLicenses —

Cla ssification —

CreatedDateTime Read-only property in Entra ID.

Description —

DisplayName —

GroupTypes —

IsAssignableToRole Read-only property in Entra ID.

17 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
 P roperty Comments

Ma il Read-only property in Entra ID.

Ma ilEnabled Read-only property in Entra ID.

Ma ilNickname —

MemberOf —

Members —

MembershipRule —

MembershipRuleProcessingState —

OnP remisesDomainName Read-only property in Entra ID.

Owners —

P referredDataLocation —

SecurityEnabled —

Theme —

Visibility —

Administrative Units

P roperty Comments

Description —

Visibility —

DisplayName —

E x tensions Not supported for restore.

18 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
 P roperty Comments

Members Can be restored only for non-hidden administrative units.

Scop edRoleMembers —

Roles

P roperty Comments

Description —

DisplayName —

InheritsPermissionsFrom —

IsBuiltIn Read-only property in Entra ID.

IsEnabled —

ResourceScopes —

RolePermissions —

Temp lateId —

Version —

Applications and Service Principles

Applications

P roperty Comments

Ad d Ins —

Ap i —

Ap p Id Read-only property in Entra ID.

19 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
 P roperty Comments

Ap p licationTemplateId Read-only property in Entra ID.

Ap p Roles —

Certification Read-only property in Entra ID.

CreatedDateTime Read-only property in Entra ID.

Description —

DisabledByMicrosoftStatus Read-only property in Entra ID.

DisplayName —

E x tensionProperties —

Fed eratedIdentityCredentials —

GroupMembershipClaims —

Id entifierUris —

Info —

IsDeviceOnlyAuthSupported —

IsFallbackPublicClient —

Notes —

Oa uth2RequirePostResponse —

Op tionalClaims —

Owners —

P a rentalControlSettings —

20 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
 P roperty Comments

P ub licClient —

P ub lisherDomain Read-only property in Entra ID.

RequestSignatureVerification —

RequiredResourceAccess —

Sa mlMetadataUrl —

ServiceManagementReference —

ServicePrincipalLockConfiguration —

Sig nInAudience —

Sp a —

Ta g s —

Tok enEncryptionKeyId Read-only property in Entra ID.

VerifiedPublisher Read-only property in Entra ID.

W eb —

Service Principles

P roperty Comments

AccountEnabled —

Read-only property. The property value is inherited from the

Ad d Ins
associated application.

AlternativeNames —

21 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
 P roperty Comments

Read-only property. The property value is inherited from the

Ap p Description
associated application.

Read-only property. The property value is inherited from the

Ap p DisplayName
associated application.

Ap p Id Read-only property in Entra ID.

Ap p licationTemplateId Read-only property in Entra ID.

Ap p ManagementPolicies Read-only property in Entra ID.

Ap p OwnerOrganizationId Read-only property in Entra ID.

Ap p RoleAssignedTo —

Ap p RoleAssignmentRequired —

Ap p RoleAssignments —

Read-only property. The property value is inherited from the

Ap p Role
associated application.

Description —

DisabledByMicrosoftStatus Read-only property in Entra ID.

Read-only property. The property value is inherited from the

DisplayName
associated application.

E nd points —

Fed eratedIdentityCredentials Read-only property in Entra ID.

Read-only property. The property value is inherited from the

Homepage
associated application.

Read-only property. The property value is inherited from the

Info
associated application.

22 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
 P roperty Comments

Log inUrl —

Log outUrl Read-only property in Entra ID.

MemberOf —

Notes —

NotificationEmailAddresses —

Oa uth2PermissionGrants —

Read-only property. The property value is inherited from the

Oa uth2PermissionScopes
associated application.

OwnedObjects Read-only property in Entra ID.

Owners —

P a sswordCredentials Read-only property in Entra ID.

P referredSingleSignOnMode —

Rep lyUrls Read-only property in Entra ID.

ResourceSpecificApplicationPermissions Read-only property in Entra ID.

Sa mlSingleSignOnSettings —

Read-only property. The property value is inherited from the

ServicePrincipalNames
associated application.

ServicePrincipalType Read-only property in Entra ID.

Sig nInAudience Read-only property in Entra ID.

Ta g s —

Tok enEncryptionKeyId Read-only property in Entra ID.

23 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
 P roperty Comments

VerifiedPublisher Read-only property in Entra ID.

Conditional Access Policies

P roperty Comments

Cond itions —

CreatedDateTime Read-only property in Entra ID.

DisplayName —

Gra ntControls —

Mod ifiedDateTime Read-only property in Entra ID.

SessionControls —

Sta te —

Temp lateId Read-only property in Entra ID.

24 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Permissions
The accounts that Veeam Backup for Microsoft Entra ID uses to deploy and manage backup infrastructure
components must be granted the following permissions.

Veeam Backup & Replication User Account Permissions

A user account that you plan to use when installing and working with Veeam Backup & Replication must have
permissions described in the Veeam Backup & Replication User Guide, section Installing and Using
Veeam Backup & Replication.

Microsoft Entra Roles and Permissions

Veeam Backup for Microsoft Entra ID requires a Microsoft Entra application whose permissions are used to add
Microsoft Entra ID tenants to the backup infrastructure and to perform backup and restore operations with
Microsoft Entra ID resources.

Adding and Backing Up Tenants

You can specify an existing application or instruct Veeam Backup & Replication to create a new one. The list of
permissions granted to the Microsoft Entra application and the list of roles assigned to the Microsoft Entra ID
user account that you use to create the application depend on the actions you plan to perform using the
application.

Ap p lication P ermissions

New The Microsoft Entra ID user account associated with the

tenant where the Microsoft Entra ID application will be
created must have the following built-in roles assigned:
• Application Administrator
• Privileged Role Administrator

As an alternative, you can assign the Global Administrator

Microsoft Entra built-in role.

Note: The created application will have most permissions

described in the Existing Application row in this table. To
protect Conditional Access policies, the following
permissions must be assigned manually: Policy.Read.All,
Policy.ReadWrite.ConditionalAccess, Agreement.Read.All.

Existing To perform backup, the application must have the

following permissions:

• Microsoft Graph application permissions:

AuditLog.Read.All, Directory.Read.All,
Group.Read.All, MailboxSettings.Read ,
RoleManagement.Read.Directory , User.Read.All,
Policy.Read.All

25 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
 Ap p lication P ermissions

To be able to further perform restore, the application must

have the following permissions:

• Microsoft Graph delegated permissions:

Directory.ReadWrite.All ,
RoleManagement.ReadWrite.Directory ,
AdministrativeUnit.ReadWrite.All ,
Directory.AccessAsUser.All ,
Application.ReadWrite.All , Group.ReadWrite.All,
Policy.ReadWrite.ConditionalAccess,
Agreement.Read.All
• API delegated permissions: user_impersonation

Note: Make sure that the Allow public client flows option is
enabled for the application. For more information, see
Microsoft Docs.

IMP ORTANT

By default, Veeam Backup for Microsoft Entra ID does not back up relationships between protected
resources and management groups. If you want to add these relationships into the backup scope, you must
perform additional configuration steps described in this Veeam KB article.

Restoring Tenant Data

To restore tenant data, Veeam Backup for Microsoft Entra ID uses the Microsoft Entra application that was used
to add the tenant. This application has delegated access and acts on behalf of a user that you specify in the
restore wizard.

This user must have with the following roles:

• Application Administrator

• Conditional Access Administrator

• Exchange Administrator

• Groups Administrator

• Privileged Role Administrator

• Privileged Authentication Administrator

• User Administrator

As an alternative, you can use Global Administrator Microsoft Entra plus Conditional Access Administrator
(recommended) or plus Security Administrator roles.

26 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Ports
The main ports required to create backups of Microsoft Entra ID tenants are lis ted in the following table.

From To P rotocol P ort Notes

Veeam Backup & Replication Backup server TCP 9419 Default port for
console communication with REST
API service.

Backup server TCP 9392 Ports used by the

9420 Veeam Backup & Replication
console to communicate
with the backup server.

Note that both ports are

required.

Management client PC Backup server TCP 3389 Default port used by

(remote access) Remote Desktop Services. If
you use third-party
solutions to connect to the
backup server, other ports
may need to be open.

Backup server PostgreSQL server TCP 5432 Port used for

hosting the database communication with
for the Microsoft Entra PostgreSQL server on which
ID backup repository the database for Microsoft
Entra ID backup repository
is located.

Note: This port is required if

the database is located on a
remote PostgreSQL server.

Microsoft Entra ID TCP 443 Default management and

Services data transport port required
(service tag: for communication with
AzureActiveDirectory) Microsoft Azure.

Azure Resource TCP 443

Manager
(service tag:
AzureResourceManager)

27 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
 From To P rotocol P ort Notes

TIP

To allow inbound access to an Azure service, you can use the IP address,
DNS name or virtual network service tag of the service. If you want to use
an IP address, you can download a .JSON file with the full list of Azure IP
ranges and service tags from the Microsoft Download Center.

As Veeam Backup for Microsoft Entra ID is installed on the same machine where Veeam Backup & Replication
runs, it also uses the same ports as those described in the Ports section in the Veeam Backup & Replication User
Guide.

• Backup server

• Cache repository

• Backup repositories

28 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Licensing
Veeam Backup for Microsoft Entra ID is licensed by the number of protected Microsoft Entra ID users. Each 10
protected users consume one Veeam Universal License instance from the license scope.

For the license consumption, Veeam Backup for Microsoft Entra ID counts only enabled member users. The
tenant to whom these users belong must have a restore point created during the past 31 days. Note that
disabled users, guest users and logs do not consume license instances, but Veea m Backup for Microsoft Entra ID
still protects them.

By default, Veeam Backup for Microsoft Entra ID automatically revokes a license instance from protected users
if no new restore points have been created during the past 31 days. However, you can manually revoke license
instances from protected users as described in the Revoking License section in the Veeam Backup & Replication
User Guide.

Obtaining New License

Tenant Backup
Backing up of Microsoft Entra ID tenants is available for all types of licenses:

• No license (Community Edition, free) is when you do not have the license key. With the Community
Edition, you get 10 instances that allow protection of 100 enabled member users.

For more information, see Veeam Backup & Replication Community Edition.

• E valuation license (free) is a license that can be used for product evaluation. The license is valid for 30
days from the moment of the product download.

To obtain this license, request a trial key on the Veeam downloads page as described in the Obtaining and
Renewing License section in the Veeam Backup & Replication User Guide.

• NFR license ( free) is a license used for product demonstration, training and education. The person to
whom the license is provided agrees that the license is not for resell or commercial use.

• Sub scription license (paid) is a license with a limited subscription term. The expiration date of the
Subscription license is set to the end of the subscription term. The Subscription license term is normally 1–
3 years from the license issue date.

To obtain this license, choose the required subscription term on the Veeam Backup & Replication Pricing
page and contact the Veeam Sales Team.

• P erpetual license (paid) is a license without an expiration date. The Perpetual license typically includes
one year period of basic support and maintenance that can be extended.

To obtain this license, contact a reseller in your region.

• Rental license (paid) is a license with the license expiration date set according to the chosen rental
program (normally 1-12 months from the date of license issue). The Rental license can be automatically
updated upon expiration.

Rental licenses are provided to Veeam Cloud & Service Providers (VCSPs) only. For more information, see
the Rental License section in the Veeam Cloud Connect Guide.

NOTE

Protection of Conditional Access policies is included in the Veeam Data Platform Advanced or Premium. For
more details about all Veeam Data Platform packages, see Veeam Data Platform Feature Comparison.

29 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
After you obtain a license, install it on the backup server as described in the Installing License section in the
Veeam Backup & Replication User Guide.

Log Backup
The feature is included in the Veeam Data Platform Advanced or Premium. For more details about all Veeam
Data Platform packages, see Veeam Data Platform Feature Comparison.

Using Existing License

If you already use Veeam Backup & Replication and you have spare Veeam Universal License instances on your
backup server, they can be used to protect Microsoft Entra ID tenants. You can check the number of available
license instances in the Veeam Backup & Replication console as described in the Viewing License Information
section in the Veeam Backup & Replication User Guide.

If you have a legacy perpetual per-socket license, you must obtain Veeam Universal License instances and
merge them with the existing perpetual socket license as described in the Merging Licenses section in the
Veeam Backup & Replication User Guide.

30 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Deployment
The Veeam Backup & Replication solution allows you to add Microsoft Entra ID tenants to the backup
infrastructure, and to manage data protection and recovery operations for Microsoft Entra ID tenants fr om a
single console.

To access the Veeam Backup for Microsoft Entra ID functionality, you can either deploy a new backup server as
described in the Veeam Backup & Replication User Guide or use a backup server that already exists in your
backup infrastructure if it meets the Veeam Backup for Microsoft Entra ID system requirements.

31 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Configuring Veeam Backup for Microsoft
Entra ID
To start working with Veeam Backup for Microsoft Entra ID, perform the following steps for its configuration:

1. Configure a cache repository.

2. Add to the backup infrastructure the Microsoft Entra ID tenant that you want to protect.

3. [Optional] Configure remote Microsoft Entra ID backup repository where Veeam Backup for Microsoft
Entra ID will store backups of Microsoft Entra ID tenants.

4. [Optional] Configure the primary log backup repository where Veeam Backup for Microsoft Entra ID will
store backups of audit logs and sign-in logs.

5. [Optional] Configure the secondary log backup repositories where Veeam Backup for Microsoft Entra ID
will store backups of audit logs and sign-in logs.

6. [Optional] Configure global email notification options to get notifications with results on jobs performed
on the backup server. For more information, see the Configuring Global Email Notification Settings section
in the Veeam Backup & Replication User Guide.

32 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Configuring Log and Cache Repositories
To protect Microsoft Entra ID tenant data and logs, you require the following repositories:

• Cache repository that stores temporary cache files for log processing.

• Primary log backup repository.

• [Optional] Secondary log backup repository that stores copies of log b ackups.

By default, the backup server can perform the roles of cache and primary log backup repositories.

You can also configure other types of repositories to keep data in another location. The following types of
repositories are supported for all repositories (the cache, primary and secondary repositories):

• Direct attached storage: Microsoft Windows or Linux virtual or physical machines. For the cache repository
only 64-bit versions are supported.

• Network attached storage: SMB (CIFS) shares or NFS shares.

The following types of repositories are supported only for the primary and secondary log backup repositories:

• Direct attached storage: Hardened repositories

• Deduplicating storage appliances: ExaGrid, Quantum DXi, Dell Data Domain or other

• Backup repositories with rotated drives

• Object storage repositories: Amazon S3, S3 compatible, Google Cloud or other

• Scale-out backup repositories (SOBR)

NOTE

You cannot use Veeam Cloud Connect repository as cache repository, primary or secondary backup
repositories. To learn more about this repository, see the Cloud Repository section in the Veeam Cloud
Connect Guide.

33 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Managing Microsoft Entra ID Tenants
A Microsoft Entra ID tenant is a dedicated instance of Microsoft Entra ID that allows the ba ckup server to access
Entra ID resources such as users, groups, administrative units, roles, applications, service principals, audit logs
and sign-in logs.

After you add a Microsoft Entra ID tenant to the backup infrastructure, you will be able to back up this Microsoft
Entra ID tenant and restore Entra ID resources managed by the tenant.

34 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Adding Microsoft Entra ID Tenants
To add a Microsoft Entra ID tenant, use the Microsoft Entra ID Tenant wizard:

35 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 1. Launch Microsoft Entra ID Tenant Wizard
To launch the Microsoft Entra ID Tenant wizard:

1. Open the Inventory view.

2. In the inventory pane, click the Microsoft Entra ID node.

3. Do one of the following:

o Right-click the Microsoft Entra ID node and select Ad d Microsoft Entra ID tenant .

o In the working area, select Ad d Microsoft Entra ID tenant.

o On the ribbon, click Ad d Tenant.

36 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 2. Specify Tenant ID and Cache Repository
At the Tena nt step of the wizard, configure the general settings of the tenant and select a cache repository:

1. In the Tena nt ID field, specify the ID of a Microsoft Entra ID tenant whose resources you plan to back up.

2. In the Description field, provide a description for future reference.

3. Select a cache repository that Veeam Backup & Replication will use to store temporary cache files for log
processing:

a. Click Ca che.

b. In the Ad vanced Settings window, from the Ca che repository drop-down list, select a backup
repository that will be used as the cache repository.

37 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 3. Choose Connection Method
At the Account Type step of the wizard, choose if you want to connect to Microsoft Azure using an existing or a
newly created Microsoft Entra ID application. In the latter case, Veeam Backup & Replication will create a new
Microsoft Entra ID application automatically.

Creating New Application

This step applies only if you have selected the Create a new a ccount option at the Account Type step of the
wizard.

If you choose to create a new account, Veeam Backup & Replication registers a new Microsoft Entra ID
application for the specified Microsoft Entra ID tenant. Veeam Backup & Replication will use this application to
authenticate to Microsoft Azure and will grant all the necessary permissions to this application. For more
information on Microsoft Entra ID applications, see Microsoft Docs. To create the Microsoft Entra ID application,
you must use a single-use verification code that Veeam Backup & Replication provides you.

At the Authentication step of the wizard, do the following:

1. Click Cop y to clipboard to copy the verification code.

2. Click the https://microsoft.com/devicelogin link.

3. On the Microsoft Azure device authentication page, do the following:

a. Paste the code that you have copied and click Nex t. Note that the code will expire in 15 minutes.

b. Specify a Microsoft Azure account that will be used to create an application. Note that the user name
must be specified in the user principal name format (username@domain). The account must have
permissions described in section Permissions.

4. Go back to the E ntra ID Tenant wizard.

38 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
 5. Click Ap p ly and check whether any errors occurred during the authentication process.

Specifying Existing Application

This step applies only if you have selected the Use the existing account option at the Account Type step of the
wizard.

To use an existing Microsoft Entra ID application:

1. In the Ap p lication ID field, specify the ID of the necessary application. The Microsoft Entra ID application
must have permissions listed in Permissions.

2. In the Select authentication type area, choose if you want to use password-based authentication
(application secret) or certificate-based authentication. Then provide the necessary information.

39 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
For more information on how to get tenant and application IDs, a secret and a certificate, see Microsoft Docs.

40 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 4. Apply Settings
At the Ap p ly step of the wizard, wait until the Microsoft Entra ID tenant is added to the backup infrastructure
and then click Nex t.

41 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 5. Finish Working with Wizard
At the Summary step of the wizard, review details of configured settings and click Finish to close the wizard.

42 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Editing Microsoft Entra ID Tenants
You can edit properties of the Microsoft Entra ID tenant added to the backup infrastructure. These properties
include the tenant description in Veeam Backup & Replication, cache repository, application used to perform
operations and authentication method used to access the application.

To edit tenant properties:

1. Open the Inventory view.

2. In the inventory pane, click Microsoft E ntra ID.

3. Select the tenant that you want to edit.

4. Right-click the tenant and select E d it. Alternatively, click E d it Tenant on the ribbon.

43 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Removing Microsoft Entra ID Tenants
If you do not want to protect the added Microsoft Entra ID tenant a nymore, you can remove it from the backup
infrastructure. Note that the tenant will be removed only from the backup infrastructure, not Entra ID.

NOTE

You cannot remove a Microsoft Entra ID tenant protected by any job. To remove such a tenant, you first
need to delete the backup jobs associated with this tenant.

To remove a tenant:

1. Open the Inventory view.

2. In the inventory pane, click Microsoft E ntra ID.

3. Select the tenant that you want to delete.

4. Right-click the tenant and select Remove. Alternatively, click Remove Tenant on the ribbon.

44 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Managing Microsoft Entra ID Repository
Microsoft Entra ID backup repository is a repository that stores Microsoft Entra ID tenant backups. This
repository is based on a PostgreSQL instance.

By default, Veeam Backup for Microsoft Entra ID uses the local PostgreSQL instance installed on the backup
server:

• If you installed Veeam Backup & Replication using a local PostgreSQL instance, Microsoft Entra ID backup
repository uses the same PostgreSQL instance as the Veeam Backup & Replication configuration database.

• If you installed Veeam Backup & Replication using Microsoft SQL Server or a remote PostgreSQL instance,
Microsoft Entra ID backup repository uses a dedicated PostgreSQL instance that Veeam Backup for
Microsoft Entra ID installs on the backup server.

You can also change this local instance for a remote PostgreSQL instance. For more information, see Connecting
to Remote Microsoft Entra ID Backup Repository.

NOTE

If there is an existing PostgreSQL instance on the backup server that is not used by
Veeam Backup & Replication, Veeam Backup & Replication will not install a new PostgreSQL instance and
will not use the existing instance. Veeam Backup & Replication assumes that another product uses this
instance and avoids violating security best practices. To configure the connection to the required
PostgreSQL instance, see Connecting to Remote Microsoft Entra ID Backup Repository. For more
information and other possible solutions, see this Veeam KB article.

In all cases, Veeam Backup for Microsoft Entra ID creates a dedicated database for each Microsoft Entra ID
tenant.

You may also need to rescan the repository after you migrate the repository to another PostgreSQL instance or
in other cases. For more information, see Rescanning Microsoft Entra ID Repository.

45 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Connecting to Remote Microsoft Entra ID
Backup Repository
To use for the Microsoft Entra ID backup repository a remote PostgreSQL instance instead of the local one, use
the Veeam Configuration Database Connection Utility.

1. Launch the Veeam Configuration Database Connection Utility

2. Select a product

3. Configure the connection

4. Finish working with the wizard

46 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 1. Launch Utility
You can launch the configuration database connection utility using one of the following ways:

• From the Sta rt menu, click Configuration Database Connection Settings.

• Use the Veeam.Backup.DBConfig.exe file located in the installation folder. The default path to the
folder is the following: %PROGRAMFILES%\Common Files\Veeam\Backup and
Replication\DBConfig.

• Use the Veeam.Backup.DBConfig.exe file located in the ISO file. The path to the file is the following:
%ISO%:\Tools\DBConfig.

To run the utility, you must have administrative rights on the local machine, as the utility makes changes to the
registry. If prompted at the launch, choose Run a s administrator.

47 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 2. Select Product
At the P roduct step of the wizard, select Microsoft E ntra ID backup repository.

48 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 3. Configure Connection
At the Connection Settings step of the wizard, provide the connection settings for the PostgreSQL database
server that will be used as a remote Microsoft Entra ID backup repository. To do that, specify the host where the
database instance is located, the port that will be used to connect to the database instance, and the credentials
of the database account.

IMP ORTANT

You can connect to a remote PostgreSQL database server using PostgreSQL password authentication only.

49 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 4. Finish Working with Wizard
At the Summary step of the wizard, review the configured settings.

50 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Rescanning Microsoft Entra ID Repository
You can rescan the Microsoft Entra ID backup repository configured in the backup infrastructure. Backup
repository rescan can be required in the following cases:

• You have moved information from one PostgreSQL instance on which the repository is based to another
instance.

• You have restored the Veeam Backup & Replication configuration database.

• After a job failed and it requested backup repository rescan.

• Other cases.

NOTE

We recommend you to stop or disable all jobs before performing the rescan.Veeam Backup & Replication
skips from scanning backups created by active jobs.

To rescan the Microsoft Entra ID backup repository:

1. Open the Ba ckup Infrastructure view.

2. In the inventory pane, select the Ma naged Servers > Microsoft Windows node.

3. In the working area, select the backup server.

4. Press the [Ctrl] key, right-click the backup server and select Rescan Entra ID repository.

51 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Performing Backup
To produce backups, Veeam Backup for Microsoft Entra ID runs backup jobs. A backup job is a collection of
settings that define the way backup operations are performed: what data to back up, where to store backups,
when to start the backup process, and so on.

Veeam Backup for Microsoft Entra ID supports two types of backup jobs:

• Tenant backup jobs that protect tenant data — users, groups, administrative units, roles and applications.

• Log jobs that protect tenant audit and sign-in logs.

One backup job can protect data of only one tenant. You can instruct Veeam Backup for Microsoft Entra ID to
run jobs automatically according to a specified schedule or start them manually.

52 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Creating Tenant Backup Jobs
To create a Microsoft Entra ID tenant backup, use the New Microsoft Entra ID Tenant Backup Job wizard.

53 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 1. Launch New Microsoft Entra ID Tenant
Backup Job Wizard
To create a Microsoft Entra ID tenant backup job, do one of the following:

• Open the Home view. On the ribbon, click Ba ck up Job > Microsoft Entra ID > Tenant.

• Open the Home view. In the inventory pane, right-click Job s and select Ba ckup > Microsoft Entra ID >
Tena nt.

54 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 2. Specify Job Name and Description
At the Na me step of the wizard, specify a name and description for the job.

55 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 3. Specify Tenant and Retention Settings
At the Tena nt step of the wizard, select a Microsoft Entra ID tenant and configure the retention policy:

1. From the Tena nt drop-down list, select a tenant whose resources you want to back up.

2. In the Retention policy field, specify the number of days to maintain restore points. Veeam Backup for
Microsoft Entra ID will keep all restore points created during the last N days.

When the number of days is exceeded, the earliest restore point is removed from the backup chain.

56 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 4. Specify Advanced Backup Settings
At the Tena nt step of the wizard, specify advanced settings for the tenant backup job:

• Encryption Settings

• Notification Settings

Encryption Settings
To specify encryption settings for the file backup job:

1. At the Tena nt step of the wizard, click Ad vanced.

2. On the E ncryption tab, select the E nable backup data encryption check box to encrypt the backups.

3. From the P a ssword drop-down list, select a password that you want to use for encryption. If you do not
specify the password, Veeam Backup & Replication does not encrypt data in backups.

If you have not created the password beforehand, click Ad d or use the Ma nage passwords link to specify a
new password. For more information, see the Password Manager section in the
Veeam Backup & Replication User Guide.

NOTE

After you enable encryption, you can only change the password. Disabling encryption will prevent the
backup job from running.

57 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Notification Settings
To specify notification settings for the backup job:

1. At the Tena nt step of the wizard, click Ad vanced.

2. Click the Notifications tab.

3. To receive SNMP traps on the backup job, select the Send SNMP notifications for this job check box.

SNMP traps will be sent if you specify global SNMP settings in Veeam Backup & Replication and configure
software on the recipient machine to receive SNMP traps. For more information, see the Specifying SNMP
Settings section in the Veeam Backup & Replication User Guide.

4. To receive notifications by email in case of backup failure, success or warning, select the Send e-mail
notifications to the following recipients check box. Then configure notification settings:

a. Check that you have configured global email notification settings as described in the Configuring
Global Email Notification Settings section in the Veeam Backup & Replication User Guide.

b. In the text field, specify a recipient email address. If you want to specify multiple addresses, separate
them by a semicolon.

c. To use global notification settings, select Use global notification settings.

d. To specify a custom notification subject and redefine at which time notifications must be sent, select
Use custom notification settings specified below. Then specify the following settings:

i. In the Sub ject field, specify a notification subject. You can use the following variables in the
subject: %JobResult%, %JobName%, %ObjectCount% (number of tenants in the backup job)
and %Issues% (number of tenants in the job that have been processed with the Warning or
Failed status).

ii. Select the Notify on success, Notify on error or Notify on warning check boxes to receive an
email notification if the job gets the Success, Warning or Error status.

58 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
 iii. Select the Sup press notifications until the last retry check box to receive the notification
about the final job status. If you do not enable this option, Veeam Backup for Microsoft Entra
ID will send one notification per every job retry.

59 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 5. Define Job Schedule
At the Schedule step of the wizard, configure a job schedule. You can select to run the backup job manually or
schedule the job to run on a regular basis.

To specify the job schedule:

1. Select the Run the job automatically check box. If this check box is not selected, you will have to start the
job manually to create the Microsoft Entra ID tenant backup.

2. Define scheduling settings for the job:

o To run the job at a specific time daily, on defined week days or with specific periodicity, select Da ily at
this time. Use the fields on the right to configure the necessary schedule.

o To run the job once a month on specific days, select Monthly at this time. Use the fields on the right
to configure the necessary schedule.

NOTE

When you configure the job schedule, keep in mind possible date and time changes (for
example, related to daylight saving time transition).

o To run the job repeatedly throughout a day with a specific time interval, select P eriodically every. In
the field on the right, select the necessary time unit: Hours or Minutes. Click Schedule and use the
time table to define the permitted time window for the job. In the Sta rt time within an hour field,
specify the exact time when the job must start.

A repeatedly run job is started by the following rules:

▪ Veeam Backup & Replication always starts counting defined intervals from 12:00 AM. For
example, if you configure to run a job with a 4-hour interval, the job will start at 12:00 AM, 4:00
AM, 8:00 AM, 12:00 PM, 4:00 PM and so on.

▪ If you define permitted hours for the job, after the denied interval is over,
Veeam Backup & Replication will immediately start the job and then run the job by the defined
schedule.

For example, you have configured a job to run with a 2-hour interval and defined permitted hours
from 9:00 AM to 5:00 PM. According to the rules above, the job will first run at 9:00 AM, when the
denied period is over. After that, the job will run at 10:00 AM, 12:00 PM, 2:00 PM and 4:00 PM.

o To run the job continuously, select the P eriodically every option and choose Continuously from the
list on the right. A new backup job session will start as soon as the previous backup job session
finishes.

o To chain jobs, use the After this job field. In the common practice, jobs start one after another: when
job A finishes, job B starts and so on. If you want to create a chain of jobs, you must define the time
schedule for the first job in the chain. For the rest of the jobs in the chain, select the After this job
op tion and choose the preceding job from the list.

NOTE

The After this job function will automatically start a job if the first job in the chain is started
automatically by schedule. If you start the first job manually, Veeam Backup & Replication will
display a notification. You will be able to choose whether Veeam Backup & Replication must
start the chained job as well.

60 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
 3. In the Automatic retry section, define whether Veeam Backup & Replication must attempt to run the
backup job again if the job fails for some reason. During a job retry, Veeam Backup & Replication processes
failed tenants only. Enter the number of attempts to run the job and define time intervals between them.
If you select continuous backup, Veeam Backup & Replication will retry the job for the defined number of
times without any time intervals between the job runs.

4. In the Ba ckup window section, define the time interval within which the backup job must complete. The
backup window prevents the job from overlapping with production hours and ensures that the job does
not provide unwanted overhead on the production environment. To set up a b ackup window for the job:

a. Select the Terminate the job outside of the allowed backup window check box and click W ind ow.

b. In the Time P eriods window, define the allowed hours and prohibited hours for the backup job. If the
job exceeds the allowed window, it will be automatically terminated.

61 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 6. Finish Working with Wizard
At the Summary step of the wizard, review the configured settings. If you want to start the backup job right
after you close the wizard, select the Run the job when I click finish check box. Then click Finish to close the
wizard.

62 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Creating Log Backup Jobs
To create a Microsoft Entra ID audit and sign-in log backup, use the New Microsoft Entra ID Log Backup Job
wizard.

63 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 1. Launch New Microsoft Entra ID Log
Backup Job Wizard
To create a Microsoft Entra ID log backup job, do one of the following:

• Open the Home view. On the ribbon, click Ba ck up Job > Microsoft Entra ID > Logs.

• Open the Home view. In the inventory pane, right-click Job s and select Ba ckup > Microsoft Entra ID >
Log s.

64 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 2. Specify Job Name and Description
At the Na me step of the wizard, specify a name and description for the job.

Select the Hig h priority check box if you want the resource scheduler of Veeam Backup & Replication to
prioritize this job higher than other similar jobs and to allocate resources to it in the first place. For more
information on job priorities, see the Job Priorities section in the Veeam Backup & Replication User Guide.

65 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 3. Specify Tenant
At the Tena nt step of the wizard, select a tenant within which you want to backup audit and sign-in logs.

66 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 4. Specify Backup Repository Settings
At the Storage step of the wizard, specify the backup repository that will keep log backup files and configure
the storage settings:

1. From the Ba ckup repository drop-down list, select a primary log backup repository where backup files will
be stored. When you select a repository, Veeam Backup & Replication automatically checks the amount of
free space left. Make sure that you have enough free space to store backups.

NOTE

You cannot use Veeam Cloud Connect repository to store log backups. To learn more about this
repository, see the Cloud Repository section in the Veeam Cloud Connect Guide.

2. If you want to map the job to an existing backup stored in this repository, click the Ma p backup link and
select the backup.

Mapping can help if a backup was moved to a new backup repository and you want to create a backup
chain using data from this backup instead of creating the chain anew. As a result,
Veeam Backup & Replication will transfer less data over the network. You can also use backup job
mapping if the configuration database has been corrupted and you need to reconfigure backup job
settings.

3. In the Retention policy field, specify how long backups will be stored in the backup repository.

For example, if Retention policy is set to 30 days, the backup repository will store all backups that
appeared in this repository during the last 30 days. At the scheduled time on the 31st day, the backup job
backs up logs and saves them to the backup repository. Right after that, backups older than 30 days
(created on the 1st day) are deleted from the backup repository.

4. If you want to keep a copy of the backups in another repository, select the Configure secondary
d estinations for this job check box. This enables the Secondary Target step of the wizard.

67 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 5. Specify Advanced Backup Settings
At the Storage step of the wizard, specify advanced settings for the log backup job:

• Storage settings

• Maintenance settings

• Script settings

• Notification settings

Storage Settings
To specify advanced storage settings for the log backup job:

1. At the Storage step of the wizard, click Ad vanced.

2. On the Storage tab, specify data reduction and encryption settings:

o From the Compression level list, select a compression level for the backup. For more information on
the levels, see the Data Compression and Deduplication section in the Veeam Backup & Replication
User Guide.

o Select the E na ble backup file encryption check box to encrypt the content of backup files. In the
P a ssword field, select a password that you want to use for encryption. If you have not created the
password beforehand, click Ad d or use the Ma nage passwords link to specify a new password. For
more information, see the Password Manager section in the Veeam Backup & Replication User Guide.

If the backup server is not connected to Veeam Backup Enterprise Manager and does not have the
Veeam Universal License or a legacy socket-based Enterprise or Enterprise Plus license installed, you
will not be able to restore data from encrypted backups in case you lose the password.
Veeam Backup & Replication will display a warning about it. For more information, see the Decrypting
Backups With Enterprise Manager Keys section in the Veeam Backup & Replication User Guide.

NOTE

Consider the following:

• If you enable encryption for an existing backup job, during the next job session,
Veeam Backup & Replication will back up all logs to a new backup file irrespective of whether
they changed or not. The created backup files and subsequent backup files will be encrypted
with the specified password.
The existing unencrypted backups created by this job will be shown in the Disk (Orphaned)
node.
• If you enable encryption for an existing job, Veeam Backup & Replication does not encrypt the
previous backup chain created by this job.
• You can also use KMS keys for encryption. For more information, see the Key Management
System Keys section in the Veeam Backup & Replication User Guide.

68 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
 3. If you want to save this set of settings as the default one, click Sa ve as Default. When you create a new
job, the saved settings will be offered as the default. This also applies to all users added to the backup
server.

Maintenance Settings
You can instruct Veeam Backup & Replication to periodically perform a health check for the log backup. The
health check helps make sure that the backup is consistent, and that you will be able to restore data from it.
During the health check, Veeam Backup & Replication performs a cyclic redundancy check (CRC) for metadata
and a hash check for data blocks in the backup files to verify their integrity.

To configure the health check settings for the backup job:

1. At the Storage step of the wizard, click Ad vanced.

2. On the Ma intenance tab, select P erform backup files health check to enable the health check option.

3. Click Configure and specify the time schedule for the health check.

69 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
 4. If you want to save this set of settings as the default one, click Sa ve as Default. When you create a new
job, the saved settings will be offered as the default. This also applies to all users added to the backup
server.

Script Settings
You can configure custom scripts to run before or after the log backup job. For example, you can configure
scripts to take a VSS snapshot before running the job and to delete it after completing the job.

To specify script settings for the backup job:

1. At the Storage step of the wizard, click Ad vanced.

2. Click the Scripts tab.

3. If you want to execute custom scripts, select the Run the following script before the job and Run the
following script after the job check boxes and click Browse to choose executable files from a local folder
on the backup server. The scripts are executed on the backup server.

You can select to execute pre- and post-backup actions after a number of backup sessions or on specific
week days.

o If you select the Run scripts every <N> backup session option, specify the number of the backup job
sessions after which the scripts must be executed.

o If you select the Run scripts on the selected days only option, click Da y s and specify week days on
which the scripts must be executed.

70 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
 4. If you want to save this set of settings as the default one, click Sa ve as Default. When you create a new
job, the saved settings will be offered as the default. This also applies to all users added to the backup
server.

Notification Settings
To specify notification settings for the backup job:

1. At the Storage step of the wizard, click Ad vanced.

2. Click the Notifications tab.

3. To receive SNMP traps on the backup job, select the Send SNMP notifications for this job check box.

SNMP traps will be sent if you specify global SNMP settings in Veeam Backup & Replication and configure
software on the recipient machine to receive SNMP traps. For more information, see the Specifying SNMP
Settings section in the Veeam Backup & Replication Guide.

4. To receive notifications by email in case of backup failure, success or warning, select the Send email
notifications to the following recipients check box. Then configure notification settings:

a. Check that you have configured global email notification settings as described in the Configuring
Global Email Notification Settings section in the Veeam Backup & Replication Guide.

b. In the text field, specify a recipient email address. If you want to specify multip le addresses, separate
them by a semicolon.

c. To use global notification settings, select Use global notification settings.

71 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
 d. To specify a custom notification subject and redefine at which time notifications must be sent, select
Use custom notification s ettings specified below. Then specify the following settings:

i. In the Sub ject field, specify a notification subject. You can use the following variables in the
subject: %JobResult%, %JobName%, %ObjectCount% (number of tenants in the backup job)
and %Issues% (number of tenants in the job that have been processed with the Warning or
Failed status).

ii. Select the Notify on success, Notify on error or Notify on warning check boxes to receive an
email notification if the job gets the Success, Warning or Error status.

5. If you want to save this set of settings as the default one, click Sa ve as Default. When you create a new
job, the saved settings will be offered as the default. This also applies to all users added to the backup
server.

72 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 6. Specify Secondary Repository Settings
This step is available only if you have selected the Configure secondary destinations for this job check box at the
Storage step of the wizard.

At the Secondary Target step of the wizard, you can specify a secondary log backup repository that will keep
additional copies of log backups for redundancy.

If you add a secondary repository, Veeam Backup & Replication will create a separate job to copy backups to this
repository. The data copy process will start automatically after each primary job run.

To add a secondary log backup repository:

1. Click Ad d .

2. From the list of existing repositories, select a secondary log backup repository that will keep an additional
copy of the backup files. You can add several secondary repositories for copying files of the primary
backup job.

NOTE

You cannot use Veeam Cloud Connect repository to store log backups. To learn more about this
repository, see the Cloud Repository section in the Veeam Cloud Connect Guide.

3. Click OK.

4. By default, retention and encryption settings for the secondary log backup repository repository are
inherited from the primary job. To customize them, select the necessary repository in the Secondary
rep ositories list and click E d it.

o To enable custom retention settings:

i. Select Use custom retention policy.

ii. Specify how long all versions of each backup will be kept in the secondary repository.

o To specify encryption settings that are different from those of the primary log backup repository:

i. Select Use custom data encryption settings.

ii. In the P a ssword field, select a password that you want to use for encryption. If you have not
created the password beforehand, click Ad d or use the Ma nage passwords link to specify a new
password. For more information, see the Password Manager section in the
Veeam Backup & Replication User Guide.

If the backup server is not connected to Veeam Backup Enterprise Manager and does not have
the Veeam Universal License or a legacy socket-based Enterprise or Enterprise Plus license
installed, you will not be able to restore data from encrypted backups in case you lose the
password. Veeam Backup & Replication will display a warning about it. For more information,
see the Decrypting Backups With Enterprise Manager Keys section in the
Veeam Backup & Replication User Guide.

o Configure time intervals when data can be copied to the secondary repository.

▪ If you select the Any time (continuously) option, Veeam Backup & Replication will copy backup
files to the secondary repository as soon as the primary backup job completes.

73 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
 ▪ If you want to specify time periods when it is permitted to copy backup files to the secondary
repository, select the During the following time periods only option and configure allowed and
prohibited hours. If the copy job exceeds the allowed hours, it will be automatically terminated.

74 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 7. Define Job Schedule
At the Schedule step of the wizard, configure a job schedule. You can select to run the backup job manually or
schedule the job to run on a regular basis.

To specify the job schedule:

1. Select the Run the job automatically check box. If this check box is not selected, you will have to start the
job manually to create the log backup.

2. Define scheduling settings for the job:

o To run the job at a specific time daily, on defined week days or with specific periodicity, select Da ily at
this time. Use the fields on the right to configure the necessary schedule.

o To run the job once a month on specific days, select Monthly at this time. Use the fields on the right
to configure the necessary schedule.

NOTE

When you configure the job schedule, keep in mind possible date and time changes (for
example, related to daylight saving time transition).

o To run the job repeatedly throughout a day with a specific time interval, select P eriodically every. In
the field on the right, select the necessary time unit: Hours or Minutes. Click Schedule and use the
time table to define the permitted time window for the job. In the Sta rt time within an hour field,
specify the exact time when the job must start.

A repeatedly run job is started by the following rules:

▪ Veeam Backup & Replication always starts counting defined intervals from 12:00 AM. For
example, if you configure to run a job with a 4-hour interval, the job will start at 12:00 AM, 4:00
AM, 8:00 AM, 12:00 PM, 4:00 PM and so on.

▪ If you define permitted hours for the job, after the denied interval is over,
Veeam Backup & Replication will immediately start the job and then run the job by the defined
schedule.

For example, you have configured a job to run with a 2-hour interval and defined permitted hours
from 9:00 AM to 5:00 PM. According to the rules above, the job will first run at 9:00 AM, when the
denied period is over. After that, the job will run at 10:00 AM, 12:00 PM, 2:00 PM and 4:00 PM.

o To run the job continuously, select the P eriodically every option and choose Continuously from the
list on the right. A new backup job session will start as soon as the previous backup job session
finishes.

o To chain jobs, use the After this job field. In the common practice, jobs start one after another: when
job A finishes, job B starts and so on. If you want to create a chain of jobs, you must define the time
schedule for the first job in the chain. For the rest of the jobs in the chain, select the After this job
option and choose the preceding job from the list.

NOTE

The After this job function will automatically start a job if the first job in the chain is started
automatically by schedule. If you start the first job manually, Veeam Backup & Replication will
display a notification. You will be able to choose whether Veeam Backup & Replication must
start the chained job as well.

75 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
 3. In the Automatic retry section, define whether Veeam Backup & Replication must attempt to run the
backup job again if the job fails for some reason. During a job retry, Veeam Backup & Replication processes
failed log files only. Enter the number of attempts to run the job and define time intervals between them.
If you select continuous backup, Veeam Backup & Replication will retry the job for the defined number of
times without any time intervals between the job runs.

4. In the Ba ckup window section, define the time interval within which the backup job must complete. The
backup window prevents the job from overlapping with production hours and ensures that the job does
not provide unwanted overhead on the production environment. To set up a backup window for the job:

a. Select the Terminate the job outside of the allowed backup window check box and click W ind ow.

b. In the Time P eriods window, define the allowed hours and prohibited hours for backup. If the job
exceeds the allowed window, it will be automatically terminated.

76 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 8. Finish Working with Wizard
At the Summary step of the wizard, review the configured settings. If you wa nt to start the backup job right
after you close the wizard, select the Run the job when I click finish check box. Then click Finish to close the
wizard.

77 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Managing Backup Jobs
To view all jobs configured on the backup server, open the Home view and select the Job s node in the inventory
pane. The list of available jobs is displayed in the working area. You can start and stop jobs, retry failed jobs, edit
job properties, clone jobs, view job statistics and delete unnecessary jobs.

78 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Starting and Stopping Backup Jobs
You can start a backup job manually, for example, if you want to create an additional restore point and do not
want to modify the configured job schedule.

You can also stop a backup job manually if data processing is about to take too long, and you do not want to
impact the production environment during business hours. When you stop a running job,
Veeam Backup & Replication creates a new restore point only for those workloads that have already been
processed by the time you stop the job.

Considerations
Consider the following:

• [For tenant backup job] Veeam Backup & Replication will stop the job immediately and produce a new
restore point only for those workloads that have already been processed when you stop the job.

• [For log backup jobs] You can stop the job in two ways:

o Stop the job immediately. In this case, Veeam Backup & Replication will produce a new restore point
only for those workloads that have already been processed when you stop the job.

o Stop the job after the current file. In this case, Veeam Backup & Replication will produce a new restore
point only for those workloads that have already been processed and for objects that are being
processed at the moment.

Starting and Stopping Job

To start or stop a backup job, do the following:

1. Open the Home view.

2. In the inventory pane, select Job s .

79 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
 3. In the working area, select the necessary job and click Sta rt or Stop on the ribbon. Alternatively, right-
click the job and select Sta rt or Stop.

80 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Editing Backup Job Settings
To edit job settings:

1. Open the Home view.

2. In the inventory pane, select Job s > Ba ckup.

3. In the working area, select the job and click E d it on the ribbon or right-click the job and select E d it.

You will follow the same steps you followed when creating the job and can change job settings as required.

81 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Enabling and Disabling Backup Jobs
You can disable a job with the enabled schedule.

To disable a job:

1. Open the Home view.

2. In the inventory pane, navigate to the Job s > Ba ckup node.

3. In the working area, select the job and select Disable on the ribbon or right-click the job and select
Disable.

To enable a disabled job, select it in the list and click Disable on the ribbon once again.

82 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Retrying Jobs
The retry option is necessary if a job fails and you want to retry this operation again. When you perform a retry,
Veeam Backup & Replication restarts the operation only for the failed workloads added to the job and does not
process workloads that have been processed successfully. As a result, the retry operation takes less time than
running the job for all workloads.

To perform retry:

1. Open the Home view.

2. In the inventory pane, select Job s .

3. In the working area, select the necessary job and click Retry on the ribbon. Alternatively, you can right-
click the job and select Retry.

83 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Cloning Log Backup Jobs
This option is available only for log backups.

You can create a new job by cloning an existing one. Job cloning allows you to create an exact copy of any job
with the same job settings.

The name of the cloned job is formed by the following rule: <job_name_clone1> , where job_name is the name of
the original job and clone1 is a suffix added to the original job name. If you clone the same job again, the numbe r
in the name will be incremented, for example, job_name_clone2, job_name_clone3, and so on. To change the
name of a cloned job, edit the job as described in Editing Backup Job Settings.

Considerations
When cloning a job, Veeam Backup & Replication can change some job settings so that cloned jobs do not hinder
original jobs.

• If the original job is scheduled to run automatically, Veeam Backup & Replication disables the cloned job.
To enable the cloned job, select it in the job list and click Disable on the ribbon or right-click the job and
select Disable.

• If the original job is configured to use a secondary target, Veeam Backup & Replication also clones the
copy job.

Cloning Job
To clone a log backup job:

1. Open the Home view.

2. In the inventory pane, select Job s .

3. In the working area, select the job and click Clone on the ribbon. Alternatively, right-click the job and
select Clone.

84 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
After a job is cloned, you can edit all its settings, including the job name.

85 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Deleting Backup Jobs
To delete a job:

1. Open the Home view.

2. In the inventory pane, navigate to the Job s > Ba ckup node.

3. In the working area, select the job and click Delete on the ribbon or right-click the job and select Delete.

After the job is deleted, the backups created by this job are displayed under the Ba ckups > Disk ( Orphaned)
node.

86 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Managing Backups
The following operations are available for backups:

• Viewing backup properties

• Performing health check for log backups

• Copying log backups

• Detaching backups

• Deleting backups

87 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Viewing Log Backup Properties
This section applies to log backups only.

You can view summary information about the log backup. The summary information provides the following
data:

• Name and path to the backup repository that stores backup files.

• Size of the backup source and the backup.

• Available restore points: date of their creation, their type and status.
You can restore the logs from any of these points. To learn how to restore the log data, see Entra ID Log
Restore.

To view summary information for backups:

1. Open the Home view.

2. In the inventory pane, select Ba ckups.

3. In the working area, right-click the log backup and select P roperties.

4. To see the list of available restore points, select the required tenant from the Ob jects list.

88 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Performing Health Check for Log Backups
This section applies to log backups only.

In this section, you will learn how to perform health check and repair log backups.

Health Check for Log Backup Files

You can manually perform a health check for the backup chain. During the health check,
Veeam Backup & Replication performs a cyclic redundancy check (CRC) for metadata and a hash check for data
blocks in backup files to verify their integrity. The health check helps make sure that the restore point is
consistent, and you will be able to restore data from this restore point.

To run the health check:

1. Open the Home view.

2. In the inventory pane, select Ba ckups.

3. In the working area, select the required log backup and click Run Health Check on the ribbon.
Alternatively, you can right-click the backup and select Run health check.

To run the health check periodically, you must enable the P erform backup files health check option in the
backup job settings and define the health check schedule. By default, the health check is performed on the last
Friday of every month. You can change the schedule and run the health check weekly or monthly on specific
days. To learn how to configure periodic health check, see Maintenance Settings.

89 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
 IMP ORTANT

If you store your backups on public cloud object storage repositories, running the health check operations
may result in constantly downloading and uploading data to and from the storage, which may lead to
higher costs. To avoid this, use helper appliances configured for the repositories within the public clouds.
For more information, see the Unstructured Data Backups in Object Storage Repositories section in the
Veeam Backup & Replication User Guide.

Repair of Log Backup Files

If Veeam Backup & Replication detects some inconsistency in the log backup files during the health check, you
can run the backup repair procedure to fix the issues.

To run the backup repair:

1. Open the Home view.

2. In the inventory pane, select Ba ckups.

90 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
 3. In the working area, select the required log backup, click Rep air backup on the ribbon. Alternatively, you
can right-click the backup and select Repair backup.

91 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Copying Log Backups
This section applies to log backups only.

Copying backups can be helpful if you want to copy audit and sign-in log backups to a repository, or local or
shared folder. Veeam Backup & Replication copies the whole backup chain.

When Veeam Backup & Replication performs the copy operation, it disables the job, copies files to the target
location and then enables the job. After the copy operation finishes, the copied backups are shown in a node
with the ( E xported) postfix in the inventory pane.

NOTE

This section is about one-time copy operation. If you want to copy backups on a schedule, configure the
secondary destination on the job settings.

Copying Backups
To copy log backups, do the following:

1. Open the Home view.

2. In the inventory pane, select the Ba ckups node.

3. In the working area, select the necessary job.

4. Right-click the job and select Cop y backup. Alternatively, click Cop y Backup on the ribbon.

5. In the Cop y Backup to Another Location window, choose a repository to which you want to copy backups.

6. Click OK.

After the copy process finishes, the copied backups are shown in the Disk (Exported) node in the inventory pane.

NOTE

Consider the following:

• If you copy backups from a scale-out backup repository and some backups are stored on extents in
the Maintenance mode, such backups are not copied.
• Veeam Backup & Replication copies backups only from the performance tier of the scale-out backup
repository. If you want to copy data from the capacity tier, you first need to download it to the
performance tier. For more information, see the Downloading Data from Capacity Tier section in the
Veeam Backup & Replication User Guide.

92 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Detaching Backups
If you want to detach backups from a job, you can use the Detach from job operation.

When you detach backups from a job, the job stops processing these backup files. During the nex t run, the job
will start a new backup chain.

The detached backup files remain in the backup repository and the Veeam Backup & Replication console.
Veeam Backup & Replication shows the detached backups in the inventory pane in the node with the ( Orphaned)
postfix. These backups are retained according to the background retention process. For more information, see
the Background Retention section in the Veeam Backup & Replication User Guide.

To detach backups from a job:

1. Open the Home view.

2. In the inventory pane, select the Ba ckups node.

3. In the working area, right-click the necessary backup and select Detach from job. Alternatively, click
Delete from > Job on the ribbon.

93 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Deleting Backups
To delete backup files from the backup repository, do the following:

1. Open the Home view.

2. In the inventory pane, select Ba ckups.

3. In the working area, select the backup and click Delete from > Disk on the ribbon. Alternatively, you can
right-click the backup and select Delete from d isk.

94 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Performing Restore
Veeam Backup & Replication offers the following types of data recovery:

• User restore — to restore entire users or their properties.

• Group restore — to restore entire groups or their properties.

• Administrative units restore — to restore entire administrative units or their properties.

• Role restore — to restore entire roles or their properties.

• Application restore — to restore entire applications, service principles or their properties.

• Log restore — to restore audit and sign-in logs.

95 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Entra ID User Restore
You can perform the following restore operations with Entra ID users:

• Restore entire users from a backup or Entra ID recycle bin. You can restore one or multiple users.

• Restore individual properties of a user. You can restore one or multiple properties.

96 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Restoring Entire Users
To restore an entire Entra ID user, use the Restore Users wizard.

97 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 1. Launch Restore Users Wizard
To launch the restore wizard, do the following:

1. Open the Home view.

2. In the inventory pane, select the Ba ckups node.

3. In the working area, expand the backup job that protects the tenant data you want to restore.

4. Select the tenant and click Restore on the ribbon. Alternatively, you can right-click the tenant and select
Restore.

5. In the opened window, check that the Users tab is selected.

6. In the list of users, select those you want to restore.

TIP

Consider the following:

• To find a user by its display name, use the search field.

• To show more user properties, click the button with three dots and select the properties you
want to show.
• You can export the list of all or filtered users for future references and imports. To do that,
click E x port to and select the format in which you want to save the list.
Veeam Backup & Replication will export backed-up users and their properties that can be
shown in the restore window.

7. To launch the user restore wizard, click Restore > Full Restore. Alternatively, right-click one of the
selected users and select Restore > Full restore.

98 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 2. Select Restore Points and Edit Selected Users
At the Users step of the wizard, select restore points. By default, Veeam Backup & Replication uses the most
recent valid restore point for each user. However, you can restore a user to an earlier state.

Additionally, you can edit the list of users selected for restore or import the list of users exported earlier.

Selecting Restore Points

To select a restore point:

1. Select the users for whom you want to change the restore point.

2. Click Restore Point.

3. In the Sp ecify restore point window, choose the necessary restore point and click Done.

If you select one user, Veeam Backup & Replication shows the restore points available for this user. If you
select multiple users, Veeam Backup & Replication shows all available restore points. After you select a
restore point, Veeam Backup & Replication verifies its availability for each user.

Editing Selected Users

You can add or delete users from the list of the selected users.

99 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
To add users, click Ad d and select users that you want to add from the opened list. To delete users, select the
necessary users and click Remove.

Importing Selected Users

If you have a list of the users to be restored, you can import it. To do that, click Up load CSV. The imported list
will be added to the list of currently selected users.

100 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
 NOTE

The CSV file must contain only the list of user IDs or user principal names.

101 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 3. Log on to Microsoft Azure
At the Log on step of the wizard, specify a Microsoft Entra ID account associated with the tenant.

To specify the account, do the following:

1. Click Cop y Code to Clipboard to copy the verification code.

2. Click the https://microsoft.com/devicelogin link.

3. On the Microsoft Azure device authentication page, do the following:

a. Paste the code that you have copied and click Nex t. Note that the code will expire in 15 minutes.

b. Specify a Microsoft Entra ID user account that is associated with the tenant selected for restore. The
user name must be specified in the user principal name format (username@domain). The account
must have permissions described in the Permissions, Restoring Tenant Data section.

4. Go back to the E ntra ID Tenant Restore wizard.

102 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 4. Specify Restore Options
At the Op tions step of the wizard, configure the restore options, such as how to restore users, default password
and others:

1. In the Restore mode section, specify whether to overwrite users or skip restore of the already existing
users.

When you select the overwrite option, Veeam Backup & Replication updates fields present in the backup.
If a field in the backup is empty, it will be restored as empty. However, Veeam Backup & Replication does
not update read-only fields (the ID, creation date and so on) and fields that are not present in the backup.

2. In the P a ssword section, configure new passwords for the restored users:

o To set the default password for all users, specify it in the Set a default password for the user field.

o To set a password for each user, click Set temporary password(s). In the Set temporary passwords
window, specify your own passwords or use auto-generation.

o To force the restored users to change their password after the first logon, select Request the user to
cha nge the password at first logon.

TIP

Consider the following:

• You can set the default password and also specify temporary passwords for individual users.
Users for whom you do not specify a temporary password will have the default password.
• At the Summary step, you will be able to export passwords specified in the Set temporary
p a sswords window.

3. In the Ad vanced options section, configure the following:

o To restore relationships of users within the current tenant, click the Keep Relationships check box.
Veeam Backup & Replication will restore the following relationships: assigned roles, group
memberships, group ownerships, admin unit memberships, application ownerships, user manager and
direct reports for the user. Note that Veeam Backup & Replication restores only relationships — if a
role, group or admin unit does not exist, it will not be restored.

If you have selected to overwrite the users, Veeam Backup & Replication will restore the relationships
from the backup and will remove the relationships not present in the backup.

103 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
 o To restore users from the Entra ID recycle bin instead of the backup, click the Restore from Entra ID
Recycle Bin check box. If users exist in both the recycle bin and the backup, they will be restored
from the recycle bin and will preserve their object IDs. Otherwise, users will be restored from the
backup and get new object IDs.

104 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 5. Specify Restore Reason
At the Rea son step of the wizard, enter a reason for restoring users. This information will be saved to the
session history, and you will be able to reference it later.

105 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 6. Finish Working with Wizard
At the Summary step of the wizard, review the summary information and click Finish.

To export new passwords of users to the .CSV file, click P a sswords. Veeam Backup & Replication exports only
passwords specified in the Set temporary passwords window.

106 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Restoring Synchronized Users (Hybrid Identity)
Veeam Backup for Microsoft Entra ID allows you to restore users synchronized with Microsoft Active Directory
(hybrid identities). Unlike the synchronization software (for example, Microsoft Entra Connect), restore with
Veeam Backup for Microsoft Entra ID preserves relations stored in the Entra ID: group memberships, assigned
roles, used licenses and other relations.

Veeam Backup for Microsoft Entra ID restores properties and relations listed in Supported Entra ID Item
Properties. To restore other properties, you still need synchronization software and, in some cases, local Active
Directory restore. This section describes possible scenarios and steps for restore.

User Removed from Entra ID Without Synchronization After

If a synchronized user was removed only from Entra ID, and there was no synchronization process after the
removal, do the following:

1. Use Veeam Backup for Microsoft Entra ID to restore an entire user to Entra ID. In the wizard, make sure
that restore of relations is enabled.

Veeam Backup for Microsoft Entra ID will restore a user with a new object ID.

2. Wait or launch synchronization with Active Directory, for example, using Microsoft Entra Connect.

After the synchronization, the relations restored using Veeam Backup for Microsoft Entra ID will be
preserved, the properties will be overwritten, and lacking properties will be restored. The user will
become the hybrid identity.

User Removed from Entra ID with Synchronization After

If a synchronized user was removed only from Entra ID, but the synchronization process has already restored
this user, Veeam Backup for Microsoft Entra ID will not be able to map this user and restore the relationships. In
this case, do the following:

1. Remove from Entra ID the user created after the synchronization.

2. Use Veeam Backup for Microsoft Entra ID to restore an entire user to Entra ID. In the wizard, make sure
that restore of relations is enabled.

Veeam Backup for Microsoft Entra ID will restore a user with a new object ID.

3. Wait or launch synchronization with Active Directory, for example, using Microsoft Entra Connect.

After the synchronization, the relations restored using Veeam Backup for Microsoft Entra ID will be
preserved, the properties will be overwritten, and lacking properties will be restored. The user will
become the hybrid identity.

User removed from Entra ID and Active Directory

If a synchronized user was removed from Entra ID and Active Directory, do the following:

1. Use Veeam Backup for Microsoft Entra ID to restore an entire user to Entra ID. In the wizard, make sure
that restore of relations is enabled.

Veeam Backup for Microsoft Entra ID will restore a user with a new object ID.

2. Use application item restore or Veeam Explorer for Microsoft Active Directory to restore the user locally in
Active Directory.

107 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
 3. Wait or launch synchronization with Active Directory, for example, using Microsoft Entra Connect.

After the synchronization, the relations restored using Veeam Backup for Microsoft Entra ID will be
preserved, the properties will be overwritten, and lacking properties will be restored. The user will
become the hybrid identity.

108 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Restoring User Properties
To restore Entra ID user properties, use the Restore user's properties wizard.

109 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 1. Launch Restore User's Properties Wizard
To launch the restore wizard, do the following:

1. Open the Home view.

2. In the inventory pane, select the Ba ckups node.

3. In the working area, expand the backup job that protects the tenant data you want to restore.

4. Select the tenant and click Restore on the ribbon. Alternatively, you can right-click the tenant and select
Restore.

5. In the opened window, check that the Users tab is selected.

6. Select the user whose properties you want to restore.

TIP

To find a user by its display name, use the search field.

7. Click Restore > Metadata comparison. Alternatively, right-click the selected user and select Restore >
Metadata comparison.

110 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 2. Select Restore Point and Properties
At the User step of the wizard, do the following:

1. Select a restore point using one of the following ways:

o Find a restore point in the restore point calendar. For that, click a link with a date near the Restore
p oint field.

o Change the restore point by clicking the P revious and Next links.

o Click Jump to latest to select the latest restore point.

2. In the list of properties, select the properties you want to restore. In the Selected Restore Point, Latest
Restore Point and P roduction record columns, you can see values of the properties at different moments
of time.

By default, the list of properties shows changed properties. To show all properties, set the Show changes
only toggle to Off.

111 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 3. Log on to Microsoft Azure
At the Log on step of the wizard, specify a Microsoft Entra ID account associated with the tenant.

To specify the account, do the following:

1. Click Cop y Code to Clipboard to copy the verification code.

2. Click the https://microsoft.com/devicelogin link.

3. On the Microsoft Azure device authentication page, do the following:

a. Paste the code that you have copied and click Nex t. Note that the code will expire in 15 minutes.

b. Specify a Microsoft Entra ID user account that is associated with the tenant selected for restore. The
user name must be specified in the user principal name format (username@domain). The account
must have permissions described in the Permissions, Restoring Tenant Data section.

4. Go back to the E ntra ID Tenant Restore wizard.

112 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 4. Specify Restore Reason
At the Rea son step of the wizard, enter a reason for restoring user properties. This information will be saved to
the session history, and you will be able to reference it later.

113 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 5. Finish Working with Wizard
At the Summary step of the wizard, review the summary information and click Finish.

114 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Entra ID Group Restore
You can perform the following restore operations with Entra ID groups:

• Restore entire groups from a backup or Entra ID recycle bin. You can restore one or multiple groups.

• Restore individual properties of a group. You can restore one or multiple properties.

115 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Restoring Entire Groups
To restore an entire Entra ID group, use the Restore Groups wizard.

116 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 1. Launch Restore Groups Wizard
To launch the restore wizard, do the following:

1. Open the Home view.

2. In the inventory pane, select the Ba ckups node.

3. In the working area, expand the backup job that protects the tenant data you want to restore.

4. Select the tenant and click Restore on the ribbon. Alternatively, you can right-click the tenant and select
Restore.

5. In the opened window, check that the Groups tab is selected.

6. In the list of groups, select those you want to restore.

TIP

Consider the following:

• To find a group by its display name, use the search field.

• To show more group properties, click the button with three dots and select the properties you
want to show.
• You can export the list of all or filtered groups for future references and imports. To do that,
click E x port to and select the format in which you want to save the list.
Veeam Backup & Replication will export backed-up groups and their properties that can be
shown in the restore window.

7. To launch the group restore wizard, click Restore > Full Restore. Alternatively, right-click one of the
selected groups and select Restore > Full restore.

117 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 2. Select Restore Points and Edit Selected Groups
At the Groups step of the wizard, select restore points. By default, Veeam Backup & Replication uses the most
recent valid restore point for each group. However, you can restore a group to an earlier state.

Additionally, you can edit the list of groups selected for restore or import the list of groups exported earlier.

Selecting Restore Points

To select a restore point:

1. Select the groups for which you want to change the restore point.

2. Click Restore Point.

3. In the Sp ecify restore point window, choose the necessary restore point and click Done.

If you select one group, Veeam Backup & Replication shows the restore points available for this group. If
you select multiple groups, Veeam Backup & Replication shows all available restore points. After you
select a restore point, Veeam Backup & Replication verifies its availability for each group.

Editing Selected Groups

You can add or delete users from the list of the selected groups.

118 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
To add groups, click Ad d and select groups from the opened list. To delete groups, select the necessary groups
and click Remove.

Importing Selected Groups

If you have a list of the groups to be restored, you can import it. To do that, click Up load CSV. The imported list
will be added to the list of currently selected groups.

NOTE

The CSV file must contain only the list of group IDs.

119 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 3. Log on to Microsoft Azure
At the Log on step of the wizard, specify a Microsoft Entra ID account associated with the tenant.

To specify the account, do the following:

1. Click Cop y Code to Clipboard to copy the verification code.

2. Click the https://microsoft.com/devicelogin link.

3. On the Microsoft Azure device authentication page, do the following:

a. Paste the code that you have copied and click Nex t. Note that the code will expire in 15 minutes.

b. Specify a Microsoft Entra ID user account that is associated with the tenant selected for restore. The
user name must be specified in the user principal name format (username@domain). The account
must have permissions described in the Permissions, Restoring Tenant Data section.

4. Go back to the E ntra ID Tenant Restore wizard.

120 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 4. Specify Restore Options
At the Op tions step of the wizard, configure the restore options, such as how to restore groups, their
relationships and other:

1. In the Restore mode section, specify whether to overwrite groups or skip restore of the already existing
groups.

When you select the overwrite option, Veeam Backup & Replication updates fields present in the backup.
If a field in the backup is empty, it will be restored as empty. However, Veeam Backup & Replication does
not update read-only fields (the ID, creation date and so on) and fields that are not present in the backup.

2. In the Ad vanced options section, configure the following:

o To restore relationships of groups within the current tenant, click the Keep Relationships check box.
Veeam Backup & Replication will restore the following relationships: assigned roles, the membership
in a parent group, memberships in admin units, child groups, user members of the group and group
owners. Note that Veeam Backup & Replication restores only relationships — if a role, user, group or
admin unit does not exist, it will not be restored.

If you have selected to overwrite the groups, Veeam Backup & Replication will restore the
relationships from the backup and will remove the relationships not present in the backup.

o To restore groups from the Entra ID recycle bin instead of the backup, click the Restore from Entra ID
Recycle Bin check box. If groups exist in both the recycle bin and the backup, they will be restored
from the recycle bin and will preserve their object IDs. Otherwise, they will be restored from the
backup and get new object IDs.

121 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 5. Specify Restore Reason
At the Rea son step of the wizard, enter a reason for restoring groups. This information will be saved to the
session history, and you will be able to reference it later.

122 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 6. Finish Working with Wizard
At the Summary step of the wizard, review the summary information and click Finish.

123 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Restoring Group Properties
To restore Entra ID group properties, use the Restore group's properties wizard.

124 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 1. Launch Restore Group's Properties Wizard
To launch the restore wizard, do the following:

1. Open the Home view.

2. In the inventory pane, select the Ba ckups node.

3. In the working area, expand the backup job that protects the tenant data you want to restore.

4. Select the tenant and click Restore on the ribbon. Alternatively, you can right-click the tenant and select
Restore.

5. In the opened window, check that the Groups tab is selected.

6. Select the group whose properties you want to restore.

TIP

To find a group by its display name, use the search field.

7. Click Restore > Metadata comparison. Alternatively, right-click the selected group and select Restore >
Metadata comparison.

125 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 2. Select Restore Point and Properties
At the Group step of the wizard, do the following:

1. Select a restore point using one of the following ways:

o Find a restore point in the restore point calendar. For that, click a link with a date near the Restore
p oint field.

o Change the restore point by clicking the P revious and Next links.

o Click Jump to latest to select the latest restore point.

2. In the list of properties, select the properties you want to restore. In the Selected Restore Point, Latest
Restore Point and P roduction record columns, you can see values of the properties at different moments
of time.

By default, the list of properties shows changed properties. To show all properties, set the Show changes
only toggle to Off.

126 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 3. Log on to Microsoft Azure
At the Log on step of the wizard, specify a Microsoft Entra ID account associated with the tenant.

To specify the account, do the following:

1. Click Cop y Code to Clipboard to copy the verification code.

2. Click the https://microsoft.com/devicelogin link.

3. On the Microsoft Azure device authentication page, do the following:

a. Paste the code that you have copied and click Nex t. Note that the code will expire in 15 minutes.

b. Specify a Microsoft Entra ID user account that is associated with the tenant selected for restore. The
user name must be specified in the user principal name format (username@domain). The account
must have permissions described in the Permissions, Restoring Tenant Data section.

4. Go back to the E ntra ID Tenant Restore wizard.

127 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 4. Specify Restore Reason
At the Rea son step of the wizard, enter a reason for restoring group properties. This information will be saved to
the session history, and you will be able to reference it later.

128 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 5. Finish Working with Wizard
At the Summary step of the wizard, review the summary information and click Finish.

129 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Entra ID Administrative Units Restore
You can perform the following restore operations with Entra ID administrative units:

• Restore entire units from a backup or Entra ID recycle bin. You can restore one or multiple units.

• Restore individual properties of a unit. You can restore one or multiple properties.

130 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Restoring Entire Administrative Units
To restore an entire Entra ID administrative unit, use the Restore Administrative Units wizard.

131 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 1. Launch Restore Administrative Units Wizard
To launch the restore wizard, do the following:

1. Open the Home view.

2. In the inventory pane, select the Ba ckups node.

3. In the working area, expand the backup job that protects the tenant data you want to restore.

4. Select the tenant and click Restore on the ribbon. Alternatively, you can right-click the tenant and select
Restore.

5. In the opened window, check that the Ad ministrative Units tab is selected.

6. In the list of units, select those you want to restore.

TIP

Consider the following:

• To find an administrative unit by its display name, use the search field.
• To show more administrative unit properties, click the button with three dots and select the
properties you want to show.
• You can export the list of all or filtered units for future references and imports. To do that,
click E x port to and select the format in which you want to save the list.
Veeam Backup & Replication will export backed-up administrative units and their properties
that can be shown in the restore window.

7. To launch the administrative unit restore wizard, click Restore > Full Restore. Alternatively, right-click one
of the selected units and select Restore > Full restore.

132 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 2. Select Restore Points and Edit Selected Units
At the Ad ministrative Units step of the wizard, select restore points. By default, Veeam Backup & Replication
uses the most recent valid restore point for each administrative unit. However, you can restore a unit to an
earlier state.

Additionally, you can edit the list of units selected for restore or import the list of units exported earlier.

Selecting Restore Points

To select a restore point:

1. Select the administrative units for which you want to change the restore point.

2. Click Restore Point.

3. In the Sp ecify restore point window, choose the necessary restore point and click Done.

If you select one administrative unit, Veeam Backup & Replication shows the restore points available for
this unit. If you select multiple units, Veeam Backup & Replication shows all available restore points. After
you select a restore point, Veeam Backup & Replication verifies its availability for each unit.

Editing Selected Units

You can add or delete administrative units from the list of the selected units.

133 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
To add units, click Ad d and select units from the opened list. To delete units, select the necessary units and click
Remove.

Importing Selected Units

If you have a list of the administrative units to be restored, you can import it. To do that, click Up load CSV. The
imported list will be added to the list of currently selected administrative units.

NOTE

The CSV file must contain only the list of administrative unit IDs.

134 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 3. Log on to Microsoft Azure
At the Log on step of the wizard, specify a Microsoft Entra ID account associated with the tenant.

To specify the account, do the following:

1. Click Cop y Code to Clipboard to copy the verification code.

2. Click the https://microsoft.com/devicelogin link.

3. On the Microsoft Azure device authentication page, do the following:

a. Paste the code that you have copied and click Nex t. Note that the code will expire in 15 minutes.

b. Specify a Microsoft Entra ID user account that is associated with the tenant selected for restore. The
user name must be specified in the user principal name format (username@domain). The account
must have permissions described in the Permissions, Restoring Tenant Data section.

4. Go back to the E ntra ID Tenant Restore wizard.

135 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 4. Specify Restore Options
At the Op tions step of the wizard, configure the restore options, such as how to restore administrative units,
their relationships and other:

1. In the Restore mode section, specify whether to overwrite administrative units or skip restore of the
already existing units.

When you select the overwrite option, Veeam Backup & Replication updates fields present in the backup.
If a field in the backup is empty, it will be restored as empty. However, Veeam Backup & Replication does
not update read-only fields (the ID, creation date and so on) and fields that are not present in the backup.

2. In the Ad vanced options section, configure the following:

o To restore relationships of units within the current tenant, click the Keep Relationships check box.
Veeam Backup & Replication will restore the following relationships: assigned roles, group members
of the unit and user members of the unit. Note that Veeam Backup & Replication restores only
relationships — if a role, group or user does not exist, they will not be restored.

If you have selected to overwrite the units, Veeam Backup & Replication will restore the relationships
from the backup and will remove the relationships not present in the backup.

o To restore units from the Entra ID recycle bin instead of the backup, click the Restore from Entra ID
Recycle Bin check box. If units exist in both the recycle bin and the backup, they will be restored from
the recycle bin and will preserve their object IDs. Otherwise, they will be restored from the backup
and will get new object IDs.

136 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 5. Specify Restore Reason
At the Rea son step of the wizard, enter a reason for restoring administrative units. This information will be
saved to the session history, and you will be able to reference it later.

137 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 6. Finish Working with Wizard
At the Summary step of the wizard, review the summary information and click Finish.

138 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Restoring Administrative Unit Properties
To restore Entra ID administrative unit properties, use the Restore administrative units properties wizard.

139 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 1. Launch Restore Administrative Units Properties Wizard
To launch the restore wizard, do the following:

1. Open the Home view.

2. In the inventory pane, select the Ba ckups node.

3. In the working area, expand the backup job that protects the tenant data you want to restore.

4. Select the tenant and click Restore on the ribbon. Alternatively, you can right-click the tenant and select
Restore.

5. In the opened window, check that the Ad ministrative Units tab is selected.

6. Select the administrative unit whose properties you want to restore.

TIP

To find an administrative unit by its display name, use the search field.

7. Click Restore > Metadata comparison. Alternatively, right-click the selected administrative unit and select
Restore > Metadata comparison.

140 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 2. Select Restore Point and Properties
At the Ad ministrative Units step of the wizard, do the following:

1. Select a restore point using one of the following ways:

o Find a restore point in the restore point calendar. For that, click a link with a date near the Restore
p oint field.

o Change the restore point by clicking the P revious and Next links.

o Click Jump to latest to select the latest restore point.

2. In the list of properties, select the properties you want to restore. In the Selected Restore Point, Latest
Restore Point and P roduction record columns, you can see values of the properties at different moments
of time.

By default, the list of properties shows changed properties. To show all properties, set the Show changes
only toggle to Off.

141 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 3. Log on to Microsoft Azure
At the Log on step of the wizard, specify a Microsoft Entra ID account associated with the tenant.

To specify the account, do the following:

1. Click Cop y Code to Clipboard to copy the verification code.

2. Click the https://microsoft.com/devicelogin link.

3. On the Microsoft Azure device authentication page, do the following:

a. Paste the code that you have copied and click Nex t. Note that the code will expire in 15 minutes.

b. Specify a Microsoft Entra ID user account that is associated with the tenant selected for restore. The
user name must be specified in the user principal name format (username@domain). The account
must have permissions described in the Permissions, Restoring Tenant Data section.

4. Go back to the E ntra ID Tenant Restore wizard.

142 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 4. Specify Restore Reason
At the Rea son step of the wizard, enter a reason for restoring administrative unit properties. This information
will be saved to the session history, and you will be able to reference it later.

143 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 5. Finish Working with Wizard
At the Summary step of the wizard, review the summary information and click Finish.

144 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Entra ID Role Restore
You can perform the following restore operations with Entra ID roles:

• Restore entire roles from a backup or Entra ID recycle bin. You can restore one or multiple roles.

• Restore individual properties of a role. You can restore one or multiple properties.

145 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Restoring Entire Roles
To restore an entire Entra ID role, use the Restore Roles wizard.

146 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 1. Launch Restore Roles Wizard
To launch the restore wizard, do the following:

1. Open the Home view.

2. In the inventory pane, select the Ba ckups node.

3. In the working area, expand the backup job that protects the tenant data you want to restore.

4. Select the tenant and click Restore on the ribbon. Alternatively, you can right-click the tenant and select
Restore.

5. In the opened window, check that the Roles tab is selected.

6. In the list of roles, select those you want to restore.

TIP

Consider the following:

• To find a role by its display name, use the search field.

• To show more role properties, click the button with three dots and select the properties you
want to show.
• You can export the list of all or filtered roles for future references and imports. To do that,
click E x port to and select the format in which you want to save the list.
Veeam Backup & Replication will export backed-up roles and their properties that can be
shown in the restore window.

7. To launch the role restore wizard, click Restore > Full Restore. Alternatively, right-click one of the
selected roles and select Restore > Full restore.

147 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 2. Select Restore Points and Edit Selected Roles
At the Roles step of the wizard, select restore points. By default, Veeam Backup & Replication uses the most
recent valid restore point for each role. However, you can restore a role to an earlier state.

Additionally, you can edit the list of roles selected for restore or import the list of roles exported earlier.

Selecting Restore Points

To select a restore point:

1. Select the roles for which you want to change the restore point.

2. Click Restore Point.

3. In the Sp ecify restore point window, choose the necessary restore point and click Done.

If you select one role, Veeam Backup & Replication shows the restore points available for this role. If you
select multiple roles, Veeam Backup & Replication shows all available restore points. After you select a
restore point, Veeam Backup & Replication verifies its availability for each role.

Editing Selected Roles

You can add or delete roles from the list of the selected roles.

148 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
To add roles, click Ad d and select roles from the opened list. To delete roles, select the necessary roles and click
Remove.

Importing Selected Roles

If you have a list of the roles to be restored, you can import it. To do that, click Up load CSV. The imported list
will be added to the list of currently selected roles.

NOTE

The CSV file must contain only the list of role IDs.

149 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 3. Log on to Microsoft Azure
At the Log on step of the wizard, specify a Microsoft Entra ID account associated with the tenant.

To specify the account, do the following:

1. Click Cop y Code to Clipboard to copy the verification code.

2. Click the https://microsoft.com/devicelogin link.

3. On the Microsoft Azure device authentication page, do the following:

a. Paste the code that you have copied and click Nex t. Note that the code will expire in 15 minutes.

b. Specify a Microsoft Entra ID user account that is associated with the tenant selected for restore. The
user name must be specified in the user principal name format (username@domain). The account
must have permissions described in the Permissions, Restoring Tenant Data section.

4. Go back to the E ntra ID Tenant Restore wizard.

150 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 4. Specify Restore Options
At the Op tions step of the wizard, configure the restore options, such as how to restore roles, their relationships
and other:

1. In the Restore mode section, specify whether to overwrite roles or skip restore of the already existing
roles.

When you select the overwrite option, Veeam Backup & Replication updates fields present in the backup.
If a field in the backup is empty, it will be restored as emp ty. However, Veeam Backup & Replication does
not update read-only fields (the ID, creation date and so on) and fields that are not present in the backup.

2. In the Ad vanced options section, configure the following:

o To restore relationships of roles within the current tenant, click the Keep Relationships check box.
Veeam Backup & Replication will restore the following relationships: groups and users with the role
assigned. Note that Veeam Backup & Replication restores only relationships — if a role or group does
not exist, it will not be restored.

If you have selected to overwrite the roles, Veeam Backup & Replication will restore the relationships
from the backup and will remove the relationships not present in the backup.

o To restore roles from the Entra ID recycle bin instead of the backup, click the Restore from Entra ID
Recycle Bin check box. If roles exist in both the recycle bin and the backup, they will be restored from
the recycle bin and will preserve their object IDs. Otherwise, they will be restored from the backup
and will get new object IDs.

151 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 5. Specify Restore Reason
At the Rea son step of the wizard, enter a reason for restoring roles. This information will be saved to the session
history, and you will be able to reference it later.

152 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 6. Finish Working with Wizard
At the Summary step of the wizard, review the summary information and click Finish.

153 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Restoring Role Properties
To restore Entra ID role properties, use the Restore role's properties wizard.

154 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 1. Launch Restore Role's Properties Wizard
To launch the restore wizard, do the following:

1. Open the Home view.

2. In the inventory pane, select the Ba ckups node.

3. In the working area, expand the backup job that protects the tenant data you want to restore.

4. Select the tenant and click Restore on the ribbon. Alternatively, you can right-click the tenant and select
Restore.

5. In the opened window, check that the Roles tab is selected.

6. Select the role whose properties you want to restore.

TIP

To find a role by its display name, use the search field.

7. Click Restore > Metadata comparison. Alternatively, right-click the selected role and select Restore >
Metadata comparison.

155 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 2. Select Restore Point and Properties
At the Roles step of the wizard, do the following:

1. Select a restore point using one of the following ways:

o Find a restore point in the restore point calendar. For that, click a link with a date near the Restore
p oint field.

o Change the restore point by clicking the P revious and Next links.

o Click Jump to latest to select the latest restore point.

2. In the list of properties, select the properties you want to restore. In the Selected Restore Point, Latest
Restore Point and P roduction record columns, you can see values of the properties at different moments
of time.

By default, the list of properties shows changed properties. To show all properties, set the Show changes
only toggle to Off.

156 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 3. Log on to Microsoft Azure
At the Log on step of the wizard, specify a Microsoft Entra ID account associated with the tenant.

To specify the account, do the following:

1. Click Cop y Code to Clipboard to copy the verification code.

2. Click the https://microsoft.com/devicelogin link.

3. On the Microsoft Azure device authentication page, do the following:

a. Paste the code that you have copied and click Nex t. Note that the code will expire in 15 minutes.

b. Specify a Microsoft Entra ID user account that is associated with the tenant selected for restore. The
user name must be specified in the user principal name format (username@domain). The account
must have permissions described in the Permissions, Restoring Tenant Data section.

4. Go back to the E ntra ID Tenant Restore wizard.

157 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 4. Specify Restore Reason
At the Rea son step of the wizard, enter a reason for restoring role properties. This information will be saved to
the session history, and you will be able to reference it later.

158 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 5. Finish Working with Wizard
At the Summary step of the wizard, review the summary information and click Finish.

159 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Entra ID Application Restore
You can perform the following restore operations with Entra ID applications or service principals :

• Restore entire applications or service principals from a backup or Entra ID recycle bin. You can restore one
or multiple applications and service principals.

• Restore individual properties of a application or service principal. You can restore one or multiple
properties.

160 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Restoring Entire Applications
To restore an entire Entra ID application, use the Restore Applications wizard.

161 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 1. Launch Restore Applications Wizard
To launch the restore wizard, do the following:

1. Open the Home view.

2. In the inventory pane, select the Ba ckups node.

3. In the working area, expand the backup job that protects the tenant data you want to restore.

4. Select the tenant and click E ntra ID Tenant Restore on the ribbon. Alternatively, you can right-click the
tenant and select Restore.

5. In the opened window, check that the Ap p lications tab is selected.

6. In the list of applications and service principals, select those you want to restore.

TIP

Consider the following:

• To find an application or service principal by its display name, use the search field.
• To show more properties, click the button with three dots and select the properties you want
to show.
• You can export the list of all or filtered applications and service principals for future
references and imports. To do that, click E x port to and select the format in which you want to
save the list. Veeam Backup & Replication will export backed-up applications and service
principals and their properties that can be shown in the restore window.

7. To launch the application restore wizard, click Restore > Full Restore. Alternatively, right-click one of the
selected applications or service principals and select Restore > Full restore.

162 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
 IMP ORTANT

[Entire restore of permanently deleted and linked applications and service principles] You can restore a
service principle that represents an application only together with this application and within one restore
session. If you restore the application in a separate restore session, the restored application gets a new
AppID. The service principal will not recognize this new ID, and the restore of the service principal will fail.

163 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 2. Select Restore Points and Edit Selected Roles
At the Ob jects step of the wizard, select restore points. By default, Veeam Backup & Replication uses the most
recent valid restore point for each application or service principal. However, you can restore an application or
service principal to an earlier state.

Additionally, you can edit the list of applications and service principals selected for restore or import the list of
applications and service principals exported earlier.

Selecting Restore Points

To select a restore point:

1. Select the applications and service principals for which you want to change the restore point.

2. Click Restore Point.

3. In the Sp ecify restore point window, choose the necessary restore point and click Done.

If you select one application or service principal, Veeam Backup & Replication shows the restore points
available for this application or service principal. If you select multiple applications,
Veeam Backup & Replication shows all available restore points. After you select a restore point,
Veeam Backup & Replication verifies its availability for each application and service principal.

Editing Selected Applications

You can add or delete applications and service principals from the list of the selected applications and service
principals.

164 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
To add applications or service principals, click Ad d and select items from the opened list. To delete applications
and service principals, select the necessary items and click Remove.

Importing Selected Applications

If you have a list of the applications and service principals to be restored, you can import it. To do that, click
Upload CSV. The imported list will be added to the list of currently selected app lications and service principals.

NOTE

The CSV file must contain only the list of application and service principal IDs.

165 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 3. Log on to Microsoft Azure
At the Log on step of the wizard, specify a Microsoft Entra ID account associated with the tenant.

To specify the account, do the following:

1. Click Cop y Code to Clipboard to copy the verification code.

2. Click the https://microsoft.com/devicelogin link.

3. On the Microsoft Azure device authentication page, do the following:

a. Paste the code that you have copied and click Nex t. Note that the code will expire in 15 minutes.

b. Specify a Microsoft Entra ID user account that is associated with the tenant selected for restore. The
user name must be specified in the user principal name format (username@domain). The account
must have permissions described in the Permissions, Restoring Tenant Data section.

4. Go back to the E ntra ID Tenant Restore wizard.

166 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 4. Specify Restore Options
At the Op tions step of the wizard, configure the restore options, such as how to restore applications and service
principals, their relationships and other:

1. In the Restore mode section, specify whether to overwrite applications and service principals or skip
restore of the already existing items.

When you select the overwrite option, Veeam Backup & Replication updates fields present in the backup.
If a field in the backup is empty, it will be restored as empty. However, Veeam Backup & Replication does
not update read-only fields (the ID, creation date and so on) and fields that are not present in the backup.

2. In the Ad vanced options section, configure the following:

o To restore relationships of applications and service principals within the current tenant, select the
Keep Relationships check box. Veeam Backup & Replication will restore the following relationships:
for applications — user owner of the application; for service principals — user owner of the service
principal, assigned users and groups, and the related application. Note that
Veeam Backup & Replication restores only relationships — if a user, group or application does not
exist, it will not be restored.

If you have selected to overwrite the applications and service principals, Veeam Backup & Replication
will restore the relationships from the backup and will remove the relationships not present in the
backup.

o To restore applications and service principals from the Entra ID recycle bin instead of the backup, click
the Restore from Entra ID Recycle Bin check box. If applications or service principals exist in both the
recycle bin and the backup, they will be restored from the recycle bin and will preserve their object
IDs. Otherwise, they will be restored from the backup and will get new object IDs.

167 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 5. Specify Restore Reason
At the Rea son step of the wizard, enter a reason for restoring applications and service principals. This
information will be saved to the session history, and you will be able to reference it later.

168 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 6. Finish Working with Wizard
At the Summary step of the wizard, review the summary information and click Finish.

169 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Restoring Application Properties
To restore Entra ID application properties, use the Restore applications properties wizard.

170 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 1. Launch Restore Applications Properties Wizard
To launch the restore wizard, do the following:

1. Open the Home view.

2. In the inventory pane, select the Ba ckups node.

3. In the working area, expand the backup job that protects the tenant data you want to restore.

4. Select the tenant and click E ntra ID Tenant Restore on the ribbon. Alternatively, you can right-click the
tenant and select Restore.

5. In the opened window, check that the Ap p lications tab is selected.

6. Select the application or service principal whose properties you want to restore.

TIP

To find an application or service principal by its display name, use the search field.

7. Click Restore > Metadata comparison. Alternatively, right-click the selected application or service
principle and select Restore > Metadata comparison.

171 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 2. Select Restore Point and Properties
At the Ap p lication or Service Principle step of the wizard, do the following:

1. Select a restore point using one of the following ways:

o Find a restore point in the restore point calendar. For that, click a link with a date near the Restore
p oint field.

o Change the restore point by clicking the P revious and Next links.

o Click Jump to latest to select the latest restore point.

2. In the list of properties, select the properties you want to restore. In the Selected Restore Point, Latest
Restore Point and P roduction record columns, you can see values of the properties at different moments
of time.

By default, the list of properties shows changed properties. To show all properties, set the Show changes
only toggle to Off.

172 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 3. Log on to Microsoft Azure
At the Log on step of the wizard, specify a Microsoft Entra ID account associated with the tenant.

To specify the account, do the following:

1. Click Cop y Code to Clipboard to copy the verification code.

2. Click the https://microsoft.com/devicelogin link.

3. On the Microsoft Azure device authentication page, do the following:

a. Paste the code that you have copied and click Nex t. Note that the code will expire in 15 minutes.

b. Specify a Microsoft Entra ID user account that is associated with the tenant selected for restore. The
user name must be specified in the user principal name format (username@domain). The account
must have permissions described in the Permissions, Restoring Tenant Data section.

4. Go back to the E ntra ID Tenant Restore wizard.

173 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 4. Specify Restore Reason
At the Rea son step of the wizard, enter a reason for restoring application properties. This information will be
saved to the session history, and you will be able to reference it later.

174 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 5. Finish Working with Wizard
At the Summary step of the wizard, review the summary information and click Finish.

175 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Entra ID Conditional Access Policies
You can perform the following restore operations with Entra ID Conditional Access policies:

• Restore entire Conditional Access policies from a backup or Entra ID recycle bin. You can restore one or
multiple policies.

• Restore individual properties of a Conditional Access policy. You can restore one or multiple properties.

176 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Restoring Entire Conditional Access Policies
To restore an entire Entra ID Conditional Access policy, use the Restore Conditional Access Policies wizard.

177 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 1. Launch Restore Policies Wizard
To launch the restore wizard, do the following:

1. Open the Home view.

2. In the inventory pane, select the Ba ckups node.

3. In the working area, expand the backup job that protects the tenant data you want to restore.

4. Select the tenant and click E ntra ID Tenant Restore on the ribbon. Alternatively, you can right-click the
tenant and select Restore.

5. In the opened window, check that the Cond itional Access Policies tab is selected.

6. In the list of Conditional Access policies, select those you want to restore.

TIP

Consider the following:

• To find a policy by its display name, use the search field.

• To show more properties, click the button with three dots and select the properties you want
to show.
• You can export the list of all or filtered policies for future references and imports. To do that,
click E x port to and select the format in which you want to save the list.
Veeam Backup & Replication will export backed-up policies and their properties that can be
shown in the restore window.

7. To launch the Conditional Access policy restore wizard, click Restore > Full Restore. Alternatively, right-
click one of the selected policies and select Restore > Full restore.

178 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 2. Select Restore Points and Edit Selected Policies
At the Cond itional Access Policies step of the wizard, select restore points. By default,
Veeam Backup & Replication uses the most recent valid restore point for each Conditional Access policy.
However, you can restore a policy to an earlier state.

Additionally, you can edit the list of policies selected for restore or import the list of policies exported earlier.

Selecting Restore Points

To select a restore point:

1. Select the Conditional Access policies for which you want to change the restore point.

2. Click Restore Point.

3. In the Sp ecify restore point window, choose the necessary restore point and click Done.

If you select one Conditional Access policy, Veeam Backup & Replication shows the restore points
available for this policy. If you select multiple policies, Veeam Backup & Replication shows all available
restore points. After you select a restore point, Veeam Backup & Replication verifies its availability for
each policy.

Editing Selected Policies

You can add or delete Conditional Access policies from the list of the selected policies.

179 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
To add Conditional Access policies, click Ad d and select items from the opened list. To delete policies, select the
necessary items and click Remove.

Importing Selected Applications

If you have a list of the Conditional Access policies to be restored, you can import it. To do that, click Up load
CSV. The imported list will be added to the list of currently selected policies.

NOTE

The CSV file must contain only the list of Conditional Access policy IDs.

180 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 3. Log on to Microsoft Azure
At the Log on step of the wizard, specify a Microsoft Entra ID account associated with the tenant.

To specify the account, do the following:

1. Click Cop y Code to Clipboard to copy the verification code.

2. Click the https://microsoft.com/devicelogin link.

3. On the Microsoft Azure device authentication page, do the following:

a. Paste the code that you have copied and click Nex t. Note that the code will expire in 15 minutes.

b. Specify a Microsoft Entra ID user account that is associated with the tenant selected for restore. The
user name must be specified in the user principal name format (username@domain). The account
must have permissions described in the Permissions, Restoring Tenant Data section.

4. Go back to the E ntra ID Tenant Restore wizard.

181 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 4. Specify Restore Options
At the Op tions step of the wizard, configure the restore options:

1. In the Restore mode section, specify whether to overwrite Conditional Access policies or skip restore of
the already existing items.

When you select the overwrite option, Veeam Backup & Replication updates fields present in the backup.
If a field in the backup is empty, it will be restored as empty. However, Veeam Backup & Replication does
not update read-only fields (the ID, creation date and so on) and fields that are not present in the backup.

2. In the Restore options section, select the Restore from Entra ID Recycle Bin check box to restore
Conditional Access policies from the Entra ID recycle bin instead of the backup. If policies exist in both the
recycle bin and the backup, they will be restored from the recycle bin and will preserve their object IDs.
Otherwise, they will be restored from the backup and will get new object IDs.

182 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 5. Specify Restore Reason
At the Rea son step of the wizard, enter a reason for restoring Conditional Access policies. This information will
be saved to the session history, and you will be able to reference it later.

183 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 6. Finish Working with Wizard
At the Summary step of the wizard, review the summary information and click Finish.

184 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Restoring Conditional Access Policy Properties
To restore Entra ID Conditional Access policy properties, use the Restore Conditional Access Policy's Properties
wizard.

185 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 1. Launch Restore Policy Properties Wizard
To launch the restore wizard, do the following:

1. Open the Home view.

2. In the inventory pane, select the Ba ckups node.

3. In the working area, expand the backup job that protects the tenant data you want to restore.

4. Select the tenant and click E ntra ID Tenant Restore on the ribbon. Alternatively, you can right-click the
tenant and select Restore.

5. In the opened window, check that the Cond itional Access Policies tab is selected.

6. Select the Conditional Access policy whose properties you want to restore.

TIP

To find a Conditional Access policy by its display name, use the search field.

7. Click Restore > Metadata comparison. Alternatively, right-click the selected policy and select Restore >
Metadata comparison.

186 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 2. Select Restore Point and Properties
At the Cond itional Access Policy step of the wizard, do the following:

1. Select a restore point using one of the following ways:

o Find a restore point in the restore point calendar. For that, click a link with a date near the Restore
p oint field.

o Change the restore point by clicking the P revious and Next links.

o Click Jump to latest to select the latest restore point.

2. In the list of properties, select the properties you want to restore. In the Selected Restore Point, Latest
Restore Point and P roduction record columns, you can see values of the properties at different moments
of time.

By default, the list of properties shows changed properties. To show all properties, set the Show changes
only toggle to Off.

187 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 3. Log on to Microsoft Azure
At the Log on step of the wizard, specify a Microsoft Entra ID account associated with the tenant.

To specify the account, do the following:

1. Click Cop y Code to Clipboard to copy the verification code.

2. Click the https://microsoft.com/devicelogin link.

3. On the Microsoft Azure device authentication page, do the following:

a. Paste the code that you have copied and click Nex t. Note that the code will expire in 15 minutes.

b. Specify a Microsoft Entra ID user account that is associated with the tenant selected for restore. The
user name must be specified in the user principal name format (username@domain). The account
must have permissions described in the Permissions, Restoring Tenant Data section.

4. Go back to the E ntra ID Tenant Restore wizard.

188 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 4. Specify Restore Reason
At the Rea son step of the wizard, enter a reason for restoring Conditional Access policy properties. This
information will be saved to the session history, and you will be able to reference it later.

189 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 5. Finish Working with Wizard
At the Summary step of the wizard, review the summary information and click Finish.

190 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Entra ID Log Restore
Entra ID log restore allows restoring folders containing log files or individual log files.

191 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Restoring Logs
To restore folders with audit and sign-in logs or individual log files, use the Microsoft E ntra ID Audit Restore
wizard.

192 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 1. Launch Microsoft Entra ID Audit Restore Wizard
To launch the restore wizard, do the following:

1. Open the Home view.

2. In the inventory pane, select the Ba ckups > Disk node.

3. In the working area, expand the backup job that protects the logs that you want to restore.

4. Select the tenant whose logs are protected and click E ntra ID Logs Restore on the ribbon. Alternatively,
you can right-click the tenant and select Restore.

193 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 2. Select Files and Folders to Restore
In the Ba ckup Browser window, select files or folders that you want to restore, right-click one of them and
select Cop y to. Alternatively, you can use Cop y to on the ribbon.

194 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 3. Select Restore Mode
This step is available if you restore one or multiple folders. A log file itself plays the role of a restore point as it
contains data for a certain period of time.

In the Microsoft Entra ID Audit Restore wizard, select if you want to restore folders to the latest state or to an
earlier restore point. If you select the E a rlier restore point option, the wizard will include the Restore Point step.

195 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 4. Select Restore Point
This step is available if you restore folders and you have selected E a rlier restore p oint at the Restore Mode step
of the wizard.

At the Restore P oint step of the wizard, select the point in time to restore folders and files to. To select the
required restore point, do one of the following:

• Use the Restore point slider.

• Click the date link under the Restore point slider. In the calendar in the left pane of the Restore points
window, select the date when the required restore point was created. The list of restore points in the right
pane displays restore points created on the selected date. Select the point to which you want to restore
the files and folders.

In the Files in backup tree, you can see what folders and files are covered by the selected restore point and the
date when files and folders were modified.

196 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 5. Specify Destination for File Restore
At the Destination step, specify the destination where the restored files and folders must be stored:

1. In the Restore files and folders to field, select a file share to which the files must be restored.

All file shares added to the inventory of Veeam Backup & Replication are available in the drop-down list. If
the required file share is missing, click Ad d and add a new file share to Veeam Backup & Replication. For
more information on how to add a new file share, see the Adding Unstructured Data Source section in the
Veeam Backup & Replication User Guide.

2. In the P a th to folder field, specify a path to the folder on the selected file share where files must be
restored. You can enter the path or specify it using Browse.

197 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Step 6. Finish Working with Wizard
At the Summary step of the wizard, review the summary information and click Finish.

198 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Getting Technical Support
If you have any questions or issues with Veeam Backup for Microsoft Entra ID, you can search for a resolution on
Veeam R&D Forums or submit a support case in the Veeam Customer Support Portal.

When you submit a support case, it is recommended that you provide the Veeam Customer Support Team with
the following information:

• Version information for the product and its infrastructure components

• The error message or an accurate description of the problem you are facing

• Log files

Viewing Product Details

To view the product details, do the following:

1. Log in to the machine where the backup server is installed.

2. Right-click the Sta rt menu and select Ap p s and Features (or Installed Apps).

3. In the program list, check the version of Veeam EntraId P lugin.

199 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139
Downloading Logs
To export the product logs, do the following:

1. In the Veeam Backup & Replication console, open the main menu and navigate to Help > Support
Information.

2. In the E x port Logs wizard, do the following:

a. At the Scop e step, do the following:

i. Select the E x p ort all logs for selected components option.

ii. In the Ma naged servers list, select the backup server.

iii. If you use installed Veeam Backup & Replication with the PostgreSQL database and the same
database is used to store tenant backups, select Collect local P ostgreSQL instance logs.

b. At the Da te Range step, specify the time interval for which logs must be collected.

c. At the Loca tion step, specify the destination folder to which the logs will be exported.

d. Wait for the export process to complete, review the results and click the Op en folder link to browse to
exported log files and log package.

200 | V eeam Backup & Replication | User Guide for Microsoft Entra ID | 12.3.1.1139