
With the release of Veeam Data Platform version 12.3.1, Veeam’s Entra ID data protection now includes the backup of conditional access policies. In this blog post, let’s discuss how to enable conditional access backup with Veeam Backup and Replication.
If not done already, please check out the Part 1 Entra ID backup blog that covers Veeam’s Entra ID data protection in detail.
Why should I protect conditional access?
In our on-premises Active Directory, group policy is the feature that enables admins to centrally administer domain-level policies. In Entra ID, conditional access is the feature that allows administrators to enforce security and management within the organization.
With Entra ID, access to different resources like Microsoft cloud applications and Entra Integrated applications is based on user actions and/or context. Some of the reasons to protect conditional access are:
- Recover from unintended or malicious changes by comparing the changes between backup and production.
- Restore a compound conditional access policy – either only the changes or the entire policy.
- Reduce downtime to business operations, as conditional access controls how admins, internal and external users interact with resources.
- Avoid dependency breakage.
Enable conditional access policy backup
To enable conditional access backup with Veeam Backup and Replication, you need to set the registry value below.
On the backup server, set the value of the HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Backup and Replication\EntraIdBackupSupportsConditionalAccessPolicyRestore {DWORD} key to 1.
You can also achieve this by running the following PowerShell command (note the backslash after HKLM:, which makes the path absolute):
New-ItemProperty -Path "HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication" -Name "EntraIdBackupSupportsConditionalAccessPolicyRestore" -Value 1 -PropertyType DWORD -Force
After enabling this and running the backup, I encountered the warning below:
Conditional Access Policies will not be backed up, because of missing permissions.
To fix this warning, I need to add a few additional API permissions to the Graph application that connects VBR to the Azure tenancy.
In VBR, navigate to Inventory -> Microsoft Entra ID -> right-click the tenancy -> Edit.
In the Microsoft Entra ID tenant wizard, click Next until you reach the Authentication section and note down the application ID.

Now look for the application in Entra ID under App registrations. Select the app and add the permissions below under the API permissions section.
- Policy.Read.All (application) permission – required for backup
- Policy.ReadWrite.ConditionalAccess (delegated) and Agreement.Read.All (delegated) – required for restore
Once done, rerun the backup and the conditional access policies are backed up by the Entra ID tenant job in Veeam Backup and Replication.
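As an added example (not Veeam's own code), the following PowerShell checks both prerequisites described above: that the registry value is set on the backup server, and that the app registration noted in the tenant wizard has the three Graph permissions configured. It assumes the Microsoft.Graph PowerShell module is installed and that you sign in with an account allowed to read application objects.

```powershell
# Added example: verify the VBR registry value and the Graph permissions on the
# app registration that connects VBR to the tenant. Not Veeam's own code.
$RegPath    = 'HKLM:\SOFTWARE\Veeam\Veeam Backup and Replication'
$RegName    = 'EntraIdBackupSupportsConditionalAccessPolicyRestore'
$GraphAppId = '00000003-0000-0000-c000-000000000000'   # well-known Microsoft Graph app ID

# Permissions the post lists: application role for backup, delegated scopes for restore
$RequiredAppRoles = @('Policy.Read.All')
$RequiredScopes   = @('Policy.ReadWrite.ConditionalAccess', 'Agreement.Read.All')

function Test-VbrConditionalAccessRegistry {
    # Run on the backup server; $true only when the DWORD exists and is set to 1
    $item = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$RegName -eq 1)
}

function Test-VbrGraphAppPermissions {
    param([Parameter(Mandatory)][string]$VbrAppId)   # application (client) ID from the wizard

    Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome
    $app = Get-MgApplication -Filter "appId eq '$VbrAppId'"
    if (-not $app) { throw "No app registration found for appId $VbrAppId" }

    # Resolve the configured permission GUIDs to names via the Graph service principal,
    # so no permission IDs need to be hard-coded here
    $graphSp     = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
    $graphAccess = $app.RequiredResourceAccess | Where-Object ResourceAppId -eq $GraphAppId
    $configuredRoles = @(); $configuredScopes = @()
    foreach ($entry in $graphAccess.ResourceAccess) {
        if ($entry.Type -eq 'Role') {
            $configuredRoles  += ($graphSp.AppRoles | Where-Object Id -eq $entry.Id).Value
        } else {
            $configuredScopes += ($graphSp.Oauth2PermissionScopes | Where-Object Id -eq $entry.Id).Value
        }
    }

    # Returns the list of missing permissions; an empty list means all three are configured
    $missing = @()
    $missing += $RequiredAppRoles | Where-Object { $_ -notin $configuredRoles }  | ForEach-Object { "$_ (application)" }
    $missing += $RequiredScopes   | Where-Object { $_ -notin $configuredScopes } | ForEach-Object { "$_ (delegated)" }
    return $missing
}

# Usage (replace the placeholder with the application ID noted in the tenant wizard):
# Test-VbrConditionalAccessRegistry
# Test-VbrGraphAppPermissions -VbrAppId '<application ID from the tenant wizard>'
```

The second check confirms the permissions are configured on the registration, not that admin consent has been granted; if the backup warning persists with an empty result, verify consent in the API permissions page.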
Restore
Similar to other object restores, you need to explore the backup under Disk -> expand “Entra ID job name” -> right-click the tenant -> Restore.

You will see a new Conditional Access tab, under which you can see all the conditional access policies that were backed up and are ready to restore.
From the restore perspective, we can restore the entire conditional access policy or just the metadata.

You can restore multiple policies at once and also search for a policy if you have too many to scroll through.
Under Metadata comparison is where we can compare the changes between production, the latest restore point in the backup, and the selected restore point.
From here you can restore just the changes instead of the entire policy.

When doing a full conditional access restore, we authenticate using the device logon code (similar to other object restores). Note that you need the Conditional Access Administrator or Security Administrator role to be able to perform the restore.
Here we have two options: either restore from backup or from the recycle bin. As we saw in the initial blog, restoring from the recycle bin keeps the properties intact, whereas restoring from backup is effectively a recreation.

Once we complete the restore wizard, the entire conditional access policy is restored.