Backing up and Restoring Microsoft Entra ID

The REST API allows you to back up and restore entire Microsoft Entra ID items (users, groups, administrative units, applications and roles) and item properties, as well as audit and sign-in logs.

Adding Microsoft Entra ID Tenant

Before you can back up Microsoft Entra ID data, you must add a Microsoft Entra ID tenant to your backup infrastructure. When adding a Microsoft Entra ID tenant, you need to specify an existing Microsoft Entra ID app registration or let Veeam Backup & Replication create a new one.

If you choose to create a new app registration, you must generate a verification code and register the new application before you start adding a tenant:

  1. To generate a code, use the Get Microsoft Entra ID Verification Code request.
  2. To register the new application, use the Register Microsoft Entra ID Application request.

To add a tenant, use the Add Microsoft Entra ID Tenant request.

Creating Backup Jobs

You can create the following types of backup jobs:

  • Microsoft Entra ID tenant backup job, which backs up tenant items such as users, groups, administrative units, applications and roles.
  • Microsoft Entra ID audit log backup job, which backs up Microsoft Entra ID audit and sign-in logs.

To create a backup job, use the Create Job request. In the request body, specify a job type: EntraIDTenantBackup or EntraIDAuditLogBackup.

Restoring Microsoft Entra ID Items and Logs

Restoring Microsoft Entra ID Items and Item Properties

To restore entire Microsoft Entra ID items or item properties, take the following steps:

  1. To get a backup ID of the Microsoft Entra ID tenant backup that you want to use for restore, send the Get All Backups request.
  2. To start a mount session and mount the tenant backup to the mount point, use the Mount Microsoft Entra ID Tenant request. In response, you receive a mount session ID that you will need later. You can also get existing mount sessions using the Get Mount Points for All Entra ID Tenants request.
  3. To browse the Microsoft Entra ID tenant backup for the items that you want to restore, send the Get Microsoft Entra ID Items request.
  4. Choose the restore points from which to restore your items:
      • To choose a restore point from the list of all of the tenant's restore points, send the Get Restore Points of Microsoft Entra ID Tenant request.
      • To check that the selected restore point contains all the items that you want to restore, send the Validate Microsoft Entra ID Tenant Items request. In the response body, you receive an array of items that are missing in the restore point. To browse restore points that are available for each of the missing items, use the Get Restore Points of Microsoft Entra ID Item request.
      • If you want to check if there are any differences between two restore points for a specific item, you can use either a synchronous or an asynchronous request:
  5. If you want to check if a backed-up item exists in the production environment, send the Check Microsoft Entra ID Items in Production request.
  6. If you restore users, send the Generate Microsoft Entra ID User Passwords request to generate custom passwords for restored Microsoft Entra ID users. Alternatively, you can specify one default password for all restored users.
  7. [Delegated restore] If you perform the restore operation under the Restore Operator role, you must obtain credentials to connect to the production Microsoft Entra ID tenant:
      1. Obtain a user code. For details, see Get User Code for Delegated Restore of Microsoft Entra ID Items.
      2. To get the credentials required for restore, send the Get Credentials for Delegated Restore of Microsoft Entra ID Items request. Use the obtained credentials ID in the request body of the restore requests.
  8. To restore Microsoft Entra ID items, send the Restore Microsoft Entra ID Items request. The request starts a restore session.
  9. To restore item properties, send the Restore Microsoft Entra ID Item Properties request.
  10. To stop restore sessions, send the Stop Restore Session of Microsoft Entra ID Tenant request.
  11. To stop the mount session and unmount the tenant backup from the mount point, send the Unmount Microsoft Entra ID Tenant request.

Restoring Microsoft Entra ID Audit Logs

To restore Microsoft Entra ID audit and sign-in logs, take the following steps:

  1. To get the ID of the Microsoft Entra ID log backup that you want to use for restore, send the Get All Backups request.
  2. To start a mount session and mount log files to the mount point, use the Start Microsoft Entra ID Audit Log Restore request. In response, you receive a mount session ID that you will need later. You can also get existing mount sessions using the Get All File Restore Mount Points request.
  3. To browse the hierarchy tree of the mounted log files, use the Compare Files and Folders request. If you specify an empty path in the request body, you will browse the root folder, and then you can go deeper into the tree.
  4. If you want to search for a specific file or folder, use the Search for Files and Folders and Browse Search Results requests.
  5. To restore log files, send the Copy Files and Folders to Specific Folder request.
  6. To stop the mount session and unmount the log files from the mount point, send the Unmount Microsoft Entra ID Audit Logs request.

Page updated 11/28/2024

Page content applies to build 12.3.0.310