Microsoft Entra ID is a cloud-based identity and access management (IAM) platform. It is your organization’s central trust fabric, managing authentication for Microsoft 365, Azure and thousands of third-party SaaS services. Microsoft provides built-in protection for Entra ID data, but it has serious shortfalls. For instance, deleted groups and users can be recovered only within a limited window before they are permanently removed, while security policies disappear the moment they are deleted, with no way to roll them back other than scripts that query the Graph API. Microsoft itself recommends backing up Entra ID data as part of the shared responsibility model for cloud services, which is why a third-party backup solution is essential.
Ransomware groups target identity infrastructure. Without proper backups, organizations risk losing days of production to manual recovery processes. Backing up Entra ID through an automated solution protects against these risks by preserving complete snapshots of your Entra ID data. It includes information about users, groups, policies, applications and their underlying relationships, enabling granular recovery in minutes instead of days.
The importance of backing up Entra ID
Policy changes take effect instantly. There are no backups of the original settings, meaning that once changes are saved, there is no way to revert back without manual reconfiguration. This creates serious problems when changes break services. Teams have to painstakingly recreate policies and reassign group memberships to restore functionality. Applications also need to be reconfigured to use the recreated policies, which extends recovery time significantly.
Most concerning is that Entra ID has become a valuable target for ransomware groups and attackers who want to cause maximum damage by gaining access to and destroying critical identity data, such as user credentials, access roles, permission assignments, token information and identity policy configurations. Without a fully featured backup service, organizations are at the mercy of the attacker and might have to pay a ransom to get their data restored in the event of a ransomware attack.
What you can back up in Entra ID
Your Entra ID backup strategy has to cover a range of components and their dependencies. Below are some of the most important elements that can be backed up.
Identity objects
Users, groups, roles, and admin units all make up the central elements of identity management. These objects control who has access to specific resources, and they contain links and relationships that have to be restored during the recovery process.
Security and access
Conditional access policies are vulnerable to accidental changes as Microsoft does not have native versioning for rollback. Identity Protection settings and Role Assignments hold information about your organization’s security posture, and if these are hard deleted or lost, a great deal of time and effort will be needed to recreate them after the fact.
Applications
Application registrations, service principals and enterprise applications connect your organization to employee-facing applications. These handle single sign-on (SSO) and API permissions, as well as authentication workflows. Without them, applications break, and users cannot sign in until manual reconfiguration or restoration is completed.
Devices and keys
Device configurations control the security policies applied to devices that are registered with Entra ID. BitLocker recovery keys are not strictly traditional identity components, but they are stored in Entra ID alongside the device objects and can be retrieved via the Microsoft Entra Admin Center, so they belong in the backup scope as well.
Audit information
Audit logs and sign-in logs keep track of every change in your environment. Microsoft only retains these for 7 days on the free tier of Entra ID, and 30 days for P1/P2 licenses. This is not enough for organizations that need to show long-term compliance with regulations like GDPR, HIPAA and SOC 2.
The components listed are all interconnected through a series of complicated relationships. Users belong to groups, groups are assigned to roles and conditional access policies determine who has access to log in. When Entra ID objects are deleted or corrupted, relationships also break. To properly protect your Entra ID, you will need both the objects and their dependencies to be included in your backup.
Approaches to backing up Entra ID
Organizations have two main options when it comes to backing up Entra ID: using manual methods or going the automated route.
Manual backup approach
Microsoft’s Graph APIs allow system administrators to export the current state of Entra ID configurations. PowerShell scripts are used to query the API and retrieve data, which is then stored as a series of JSON files.
Running scripts sounds appealing to some because it’s free, but there are limitations that you need to know about when deciding to go with a manual process.
Complexity: Before running any scripts in a live production environment, you need to make sure that everything is correct in your configuration and that you have some type of fallback plan if you run into issues while running your script.
Incomplete restoration: Manual exports do not capture object relationships automatically, although more advanced scripting can mitigate this by querying Graph API to explicitly save them. If relationships are not captured correctly, then you will need to manually reassign the group memberships, role assignments and license allocations after restoration, which can take a long time and introduce errors.
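The following script is an added example of the manual approach described above, not code from the original article or from Barracuda. It uses the Microsoft Graph PowerShell SDK (Microsoft.Graph module) to export users, groups, role assignments, conditional access policies, applications and the last day of audit logs to timestamped JSON files, and it captures group memberships explicitly because they are not part of the user or group objects themselves. It assumes the Microsoft.Graph module is installed and that the signed-in account can consent to the read-only scopes listed; the output folder is an illustrative choice.

```powershell
param(
    # Illustrative output location; not a path from the original article.
    [string]$OutputRoot = "C:\EntraBackup"
)

# Read-only scopes only: this script can inspect the tenant but cannot change it.
$scopes = @(
    "User.Read.All", "Group.Read.All", "GroupMember.Read.All",
    "Policy.Read.All", "Application.Read.All",
    "RoleManagement.Read.Directory", "AuditLog.Read.All", "Directory.Read.All"
)
Connect-MgGraph -Scopes $scopes -NoWelcome

# One folder per snapshot so that older exports are never overwritten.
$snapshotDir = Join-Path $OutputRoot (Get-Date -Format "yyyy-MM-ddTHHmmss")
New-Item -ItemType Directory -Path $snapshotDir -Force | Out-Null

function Save-Snapshot {
    param([string]$Name, [object]$Data)
    $path = Join-Path $snapshotDir "$Name.json"
    # -Depth 10 keeps nested structures (e.g. conditional access conditions) intact;
    # the default depth of 2 silently truncates them into strings.
    $Data | ConvertTo-Json -Depth 10 | Set-Content -Path $path -Encoding UTF8
    $count = ($Data | Measure-Object).Count
    Write-Host ("{0,-22} {1,6} objects -> {2}" -f $Name, $count, $path)
}

# Identity objects
$users  = Get-MgUser  -All -Property Id,UserPrincipalName,DisplayName,AccountEnabled,AssignedLicenses,UsageLocation
$groups = Get-MgGroup -All -Property Id,DisplayName,MailNickname,GroupTypes,SecurityEnabled,MailEnabled,MembershipRule
Save-Snapshot -Name "users"  -Data $users
Save-Snapshot -Name "groups" -Data $groups

# Relationships: group membership is a separate Graph relationship, so it must be
# queried per group or it will be missing from the export (and from any restore).
$memberships = foreach ($g in $groups) {
    foreach ($m in (Get-MgGroupMember -GroupId $g.Id -All)) {
        [pscustomobject]@{
            GroupId    = $g.Id
            MemberId   = $m.Id
            MemberType = $m.AdditionalProperties["@odata.type"]
        }
    }
}
Save-Snapshot -Name "group-memberships" -Data $memberships

# Role assignments: who holds which directory role, and over what scope
Save-Snapshot -Name "role-assignments" -Data (Get-MgRoleManagementDirectoryRoleAssignment -All)

# Security and access: conditional access policies have no native version history
Save-Snapshot -Name "conditional-access" -Data (Get-MgIdentityConditionalAccessPolicy -All)

# Applications
Save-Snapshot -Name "app-registrations"  -Data (Get-MgApplication -All)
Save-Snapshot -Name "service-principals" -Data (Get-MgServicePrincipal -All)

# Audit information: exporting the previous day's directory audit log on each daily run
# keeps a copy beyond the tenant's own 7-day (free) or 30-day (P1/P2) retention.
$since = (Get-Date).ToUniversalTime().AddDays(-1).ToString("yyyy-MM-ddTHH:mm:ssZ")
Save-Snapshot -Name "audit-logs" -Data (Get-MgAuditLogDirectoryAudit -All -Filter "activityDateTime ge $since")

Disconnect-MgGraph | Out-Null
```

Run it from a scheduled task under a dedicated account rather than an interactive admin session, and note what the export does not give you: the JSON files are a record, not a restore. Putting a deleted group back still means re-creating it and replaying group-memberships.json against the new object IDs, which is exactly the manual relationship work the paragraph above describes.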
Automated backup solutions
Automated backups remove manual effort and potential misconfigurations introduced through human error. They connect directly to your Entra ID tenant and can retrieve the data that you need via scheduled runs.
Some of the advantages of using an automated solution:
Granular recovery: You can restore a single user, group or policy without affecting anything else.
Extended retention: You decide how long you would like to retain your data as backup storage duration is up to you.
Preserve relationships: When the automated system backs up a user, it captures the group memberships, role assignments and authentication settings along with the user object itself. When the data is restored, the relationships are restored at the same time, saving countless hours.
Best practices for Entra ID Backup
To keep your organization’s identity infrastructure secure, you need to start using an Entra ID backup and recovery strategy that covers all of the essentials that your current solution may be missing. Below are some best practices that you should follow to ensure that your Entra ID data is properly protected in the event of misconfiguration or data loss.
Define recovery objectives
Recovery objectives determine how much time a recovery has to complete as well as how much data loss is acceptable. These are defined with Recovery Time Objective (RTO) and Recovery Point Objective (RPO). Most organizations need a daily Entra ID backup at minimum, but frequent policy updates may require multiple snapshots during the day to cover all the potential changes.
Embrace automation
Manual backups are not reliable. If key personnel are unavailable, there is a substantial risk of a backup not being completed. Automation does away with this risk and will run whenever it has been scheduled.
Enable encryption
Encryption is essential for data protection. Data needs to be protected in transit to prevent it from being easily intercepted, and at rest to prevent unauthorized access to your backup storage contents if it is ever compromised.
Audit backups
As your organization changes over time, you will need to regularly verify that all of your critical Entra ID components are actually included in your backups. You need to update your backup procedures and include new components as your needs change.
Test recovery procedures
Schedule regular recovery tests in non-production environments. Practising during quiet periods ensures that support teams know exactly how to restore missing objects and policies.
Document recovery process
Support teams must have a set of up-to-date, detailed procedures outlining the exact steps needed to restore Entra ID data in the event of a misconfigured policy, accidentally deleted object, or cyberattack. This removes any guesswork and ensures that the restoration process follows the defined steps established during testing.
Monitor logs and alerts
Backup logs need to be created and reviewed regularly to ensure the process is working correctly. Alerts for failures or unusual situations are also needed so that teams know when a backup has failed or has had issues.
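The "Audit backups" and "Monitor logs and alerts" practices above both come down to the same check: comparing what the latest backup contains with what the tenant (or the previous backup) looked like, and raising an alert when something critical is missing or weakened. The script below is an added example, not code from the original article or from Barracuda. It diffs two snapshot files of conditional access policies, such as the JSON exports a manual Graph script produces, and flags removed or disabled policies as critical. The two snapshots embedded in it are constructed sample data with placeholder IDs, not real tenant content, so the script runs offline.

```powershell
# Compare two snapshots of the same object type by a key property and report
# added, removed and changed objects. Nested properties (conditions, grant controls)
# are compared by their compressed JSON form so deep changes are not missed.
function Compare-EntraSnapshot {
    param(
        [Parameter(Mandatory)] [object[]]$Before,
        [Parameter(Mandatory)] [object[]]$After,
        [string]$KeyProperty = "Id",
        [string[]]$Properties = @("DisplayName", "State")
    )
    $beforeMap = @{}; foreach ($o in $Before) { $beforeMap[$o.$KeyProperty] = $o }
    $afterMap  = @{}; foreach ($o in $After)  { $afterMap[$o.$KeyProperty]  = $o }
    $report = [System.Collections.Generic.List[object]]::new()

    foreach ($id in $beforeMap.Keys) {
        if (-not $afterMap.ContainsKey($id)) {
            $report.Add([pscustomobject]@{ Change = "Removed"; Id = $id; Property = $null
                                           Before = $beforeMap[$id].DisplayName; After = $null })
            continue
        }
        foreach ($p in $Properties) {
            $b = $beforeMap[$id].$p | ConvertTo-Json -Compress -Depth 10
            $a = $afterMap[$id].$p  | ConvertTo-Json -Compress -Depth 10
            if ($b -ne $a) {
                $report.Add([pscustomobject]@{ Change = "Changed"; Id = $id; Property = $p
                                               Before = $b; After = $a })
            }
        }
    }
    foreach ($id in $afterMap.Keys) {
        if (-not $beforeMap.ContainsKey($id)) {
            $report.Add([pscustomobject]@{ Change = "Added"; Id = $id; Property = $null
                                           Before = $null; After = $afterMap[$id].DisplayName })
        }
    }
    return $report
}

# Constructed sample snapshots (placeholder GUIDs, not real policies).
# In practice these come from Get-Content <snapshot>.json | ConvertFrom-Json.
$before = @'
[
  { "Id": "00000000-0000-4000-8000-000000000001", "DisplayName": "Require MFA for admins", "State": "enabled",
    "Conditions": { "Users": { "IncludeRoles": ["00000000-0000-4000-8000-0000000000aa"] } },
    "GrantControls": { "BuiltInControls": ["mfa"] } },
  { "Id": "00000000-0000-4000-8000-000000000002", "DisplayName": "Block legacy authentication", "State": "enabled",
    "Conditions": { "ClientAppTypes": ["exchangeActiveSync", "other"] },
    "GrantControls": { "BuiltInControls": ["block"] } }
]
'@ | ConvertFrom-Json

$after = @'
[
  { "Id": "00000000-0000-4000-8000-000000000001", "DisplayName": "Require MFA for admins", "State": "disabled",
    "Conditions": { "Users": { "IncludeRoles": ["00000000-0000-4000-8000-0000000000aa"] } },
    "GrantControls": { "BuiltInControls": ["mfa"] } },
  { "Id": "00000000-0000-4000-8000-000000000003", "DisplayName": "Allow trusted locations", "State": "enabled",
    "Conditions": { "Locations": { "IncludeLocations": ["AllTrusted"] } },
    "GrantControls": { "BuiltInControls": [] } }
]
'@ | ConvertFrom-Json

$findings = Compare-EntraSnapshot -Before $before -After $after `
    -Properties DisplayName,State,Conditions,GrantControls
$findings | Format-Table -AutoSize

# Alerting hook: a removed or disabled policy needs an immediate look, not a weekly review.
$critical = $findings | Where-Object {
    $_.Change -eq "Removed" -or ($_.Property -eq "State" -and $_.After -eq '"disabled"')
}
if ($critical) {
    Write-Warning ("{0} critical conditional access change(s) detected; review before the next scheduled backup replaces the baseline." -f @($critical).Count)
}
```

On the sample data the report lists one changed policy (MFA for admins moved from enabled to disabled), one removed policy (legacy authentication block) and one added policy, and the warning fires for the first two. The same function works for users, groups or role assignments by changing the key and property names, which is what makes it useful as the periodic "is everything still in the backup" check rather than a one-off.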
Quickly recover with Barracuda Entra ID Backup
Barracuda Entra ID backup protects your Entra ID data and lets you restore it quickly when a major outage occurs. Here are some of the benefits you can expect:
Fast deployment: Getting started with Barracuda Entra ID Backup takes minutes, not hours. Connect your Entra ID tenant, grant the necessary permissions and configure your backup schedule. After those steps, you’re ready to run your first backup.
Unlimited storage and retention: Store backup data for as long as your organization needs it. You can store it for months, years, or forever — you decide.
Advanced encryption: AES-256 encryption secures data both when it is in transit and at rest, ensuring that even if your backup storage is compromised, your identity data stays protected. This level of encryption also helps meet compliance standards for SaaS security.
Comprehensive audit logging: Track every action that has been taken within the backup system. Quickly find out who initiated a backup, when it completed and what was restored. Detailed logs support security investigations, compliance audits and troubleshooting without any guesswork.
Scalable support: Whether you manage a single tenant or multiple environments, Barracuda scales with you. IT teams and managed service providers benefit from simplified identity protection management across all their clients.
Simple per-user pricing: Pay based on the number of users you're protecting. If you already use Cloud-to-Cloud Backup for Microsoft 365, the basic version of Entra ID Backup is included at no extra charge.
How to use Barracuda Entra ID Backup
Connecting your tenant
Start by connecting your Entra ID tenant to Barracuda’s platform through Microsoft’s standard consent framework. The connection requires read-only permissions, and Barracuda never requests write permission to your production environment.
Automatic backup scheduling
Barracuda configures backup schedules to run at the most optimal time for each tenant. Users can view the next scheduled backup time on the dashboard and trigger manual on-demand backups at any time to capture the environment state before a policy change is implemented.
What gets backed up
Once you have configured the service, scheduled backups run automatically. Barracuda queries Microsoft Graph API during each backup run and captures a complete snapshot of your tenant’s current state. This includes objects like users, groups, policies, applications and devices — as well as the relationships binding them together. Group memberships, role assignments, policy applications and authentication settings are all preserved as they existed at the time of the backup.
Restoring your data
The restoration interface lets you search by object type, name, or date range. From here, you can preview any object before you restore it, letting you verify that you are recovering the correct version that you need. You can compare your current configurations against your old snapshots to see what has changed so that you can find specific issues and pinpoint problems. When you restore, you choose the scope — recover a single misconfigured policy or restore a deleted user with all its memberships intact, or roll back multiple objects all at the same time. These changes will take effect within a few minutes of initiating the restoration.
Managing multiple tenants
The unified interface allows you to switch between tenants and compare configurations from a single dashboard, allowing you to manage multiple environments easily without needing to log in to multiple accounts. Learn more about how Entra ID data is vulnerable and needs protection.
Get started today
When Entra ID configurations break, manual recovery can cost days of productivity. Barracuda Entra ID Backup automates protection and enables recovery in minutes, not hours.
Start your free trial today and get protection before you need it. Download the Barracuda Entra ID Backup technical datasheet to learn more about what this solution can do for your business.