Considerations and Limitations

When you plan to deploy and configure Veeam Backup for Microsoft Entra ID, keep in mind the following limitations and considerations.

Backup Proxies

When managing general-purpose backup proxies, consider the following:

• During Veeam Backup & Replication installation, a default general-purpose backup proxy is automatically added to the backup infrastructure. Do not assign the role of the default proxy to any other server — otherwise, you will not be able to protect Microsoft Entra ID tenants and their logs.

Backup Repositories

When connecting a remote Microsoft Entra ID backup repository to the backup infrastructure, consider the following:

• The repository must run PostgreSQL version 14 or later.
• Veeam Backup for Microsoft Entra ID supports connecting one remote Microsoft Entra ID backup repository only.
• Veeam Backup for Microsoft Entra ID supports PostgreSQL password authentication only.

Tenant Backup and Restore

• Veeam Backup for Microsoft Entra ID does not support backup and restore of Microsoft Entra ID tenants registered in China. For more information, see Microsoft Docs.
• Veeam Backup for Microsoft Entra ID does not support backup and restore of Azure Government tenants and tenants registered in the Azure Government geography. For more information, see Microsoft Docs.
• Veeam Backup for Microsoft Entra ID does not support backup and restore of external tenants. For more information, see Microsoft Docs.
• Veeam Backup for Microsoft Entra ID does not support backup and restore of Azure Active Directory B2C tenants. For more information, see Microsoft Docs.
• Veeam Backup for Microsoft Entra ID does not support restoring more than 1000 tenant items in one restore session.
• Veeam Backup for Microsoft Entra ID does not support protecting multiple tenants by one tenant backup job.
• Veeam Backup for Microsoft Entra ID does not support protecting one tenant by multiple backup jobs.
• Veeam Backup for Microsoft Entra ID does not support restore of Microsoft Entra built-in roles, distribution security groups and mail-enabled security groups.

• By default, Veeam Backup for Microsoft Entra ID does not back up relationships between protected resources and management groups. If you want to add these relationships into the backup scope, you must perform additional configuration steps described in this Veeam KB article.

• Veeam Backup for Microsoft Entra ID does not support restoring more than one type of tenant items at a time.

• You can restore a service principal that represents an application only together with this application and within one restore session. If you restore the application and the principal separately, the restored application gets a new ID assigned, and the restore of the service principal will fail.

• Restore of users synchronized with Microsoft Active Directory (hybrid identities) is possible using Veeam Backup for Microsoft Entra ID. For more information, see Appendix. Restoring Synchronized Users (Hybrid Identity).
• Veeam Backup for Microsoft Entra ID does not support restore of Intune Device Configuration of type editionUpgradeConfiguration with application permissions. You can restore this intune policy using delegated permissions only. During restore of Intune Device Configuration of type editionUpgradeConfiguration, the properties License and ProductKey are restored to predefined placeholder values. After restore, these properties must be manually updated in the Intune Admin Center.

Log Backup and Restore

• Veeam Backup for Microsoft Entra ID does not support storing backed-up sign-in and audit logs in multi-bucket repositories. For more information, see section Object Storage Repository.
• Veeam Backup for Microsoft Entra ID does not support  backup of sign-in logs with a free Microsoft Entra ID license.
• To create a log backup, you must have the backup of the tenant whose logs you want to protect. The latest restore point of this backup must be created within 30 days before the log backup.