Considerations and Limitations
When you plan to deploy and configure Veeam Backup for Microsoft Entra ID, keep in mind the following limitations and considerations.
Infrastructure
- Veeam Backup for Microsoft Entra ID can use only the default general-purpose backup proxy. This proxy is deployed during Veeam Backup & Replication installation. If you delete this proxy, Microsoft Entra ID tenant backup and log backup will not be possible. For more information on the architecture, see Solution Architecture.
- One backup server can work only with one Microsoft Entra ID backup repository. For more information on the architecture, see Solution Architecture.
Tenant Backup and Restore
- Veeam Backup for Microsoft Entra ID does not support the Government and China regions.
- For one Microsoft Entra ID tenant, you can create only one tenant backup job. One tenant backup job can protect only one tenant.
- You cannot restore Entra ID built-in roles.
- To be able to protect Conditional Access policies, you must configure a registry key value and a set of permissions and roles:
  - On the backup server, set the value of the HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Backup and Replication\EntraIdBackupSupportsConditionalAccessPolicyRestore {DWORD} key to 1.
  - To be able to back up Conditional Access policies, assign the Policy.Read.All (application) permission to the Entra ID application used for backup. You specify this application when adding a tenant to Veeam Backup & Replication.
  - To be able to restore Conditional Access policies, the user account that you specify during restore must have one of the following roles: Conditional Access Administrator or Security Administrator. The Entra ID application used for restore must have the following permissions: Policy.ReadWrite.ConditionalAccess (delegated) and Agreement.Read.All (delegated). You specify this application when adding a tenant to Veeam Backup & Replication.

  For more information on the permissions, see Permissions.
- The backup copy feature does not work for tenant backups. To protect the backups, you need to protect the Microsoft Entra ID backup repository based on the PostgreSQL instance. For this, you can use the native PostgreSQL pg_dump method or create a VM or Veeam Agent backup of the machine where the Microsoft Entra ID backup repository is located.
- By default, Veeam Backup for Microsoft Entra ID does not back up relationships between protected resources and management groups. If you want to add these relationships to the backup scope, you must perform additional configuration steps described in this Veeam KB article.
- During one restore session, you can restore items of one type only. For example, only users or only groups, not users and groups.
- [Entire restore of permanently deleted and linked applications and service principals] You can restore a service principal that represents an application only together with this application and within one restore session. If you restore the application in a separate restore session, the restored application gets a new AppID. The service principal will not recognize this new ID, and the restore of the service principal will fail.
- Restore of users synchronized with Microsoft Active Directory (hybrid identities) is possible using Veeam Backup for Microsoft Entra ID. For more information, see Restoring Synchronized Users (Hybrid Identity).
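
The registry step for Conditional Access policy protection described above can be applied and verified with PowerShell on the backup server. This is an added example, not a Veeam-provided script; the function name `Enable-ConditionalAccessPolicyProtection` is hypothetical, and the script assumes an elevated session and that the product's registry key already exists.

```powershell
#Requires -RunAsAdministrator
# Added example (not Veeam's own code). Key path and value name are taken from this page.
$KeyPath   = 'HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication'
$ValueName = 'EntraIdBackupSupportsConditionalAccessPolicyRestore'

function Enable-ConditionalAccessPolicyProtection {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Assumption: the key exists on a backup server. Do not create it elsewhere,
    # so the script fails loudly when run on the wrong machine.
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        throw "Registry key '$KeyPath' not found. Run this on the backup server."
    }

    # Read the current value and its registry type, if the value exists at all.
    $key     = Get-Item -LiteralPath $KeyPath
    $current = $key.GetValue($ValueName, $null)
    $kind    = if ($null -ne $current) { $key.GetValueKind($ValueName) } else { $null }

    $alreadySet = ($current -eq 1) -and ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord)
    if (-not $alreadySet -and
        $PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Set DWORD value to 1')) {
        # -Force replaces a value that exists with the wrong type (for example REG_SZ "1").
        New-ItemProperty -LiteralPath $KeyPath -Name $ValueName `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }

    # Read back from the registry instead of trusting the write.
    $key   = Get-Item -LiteralPath $KeyPath
    $after = $key.GetValue($ValueName, $null)
    [pscustomobject]@{
        Path     = "$KeyPath\$ValueName"
        Previous = $current
        Current  = $after
        Kind     = if ($null -ne $after) { $key.GetValueKind($ValueName) } else { $null }
        Enabled  = ($after -eq 1)
    }
}

# Preview the change first, then apply it.
Enable-ConditionalAccessPolicyProtection -WhatIf
Enable-ConditionalAccessPolicyProtection -Verbose
```

The registry value alone is not sufficient: the permissions and roles listed above must also be assigned before backup and restore of Conditional Access policies will work.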
Log Backup and Restore
- You cannot back up sign-in logs with the Microsoft Entra ID free license. With this license, you can back up only audit logs.
- To create a log backup, you must have the backup of the tenant whose logs you want to protect. The latest restore point of this backup must be created within 30 days before the log backup.