Hello,
All the restores for Entra ID (users, group, app ... https://helpcenter.veeam.com/docs/backu ... ml?ver=120) have a step that requires a logon to Azure.
This step requires a user with certain permissions or a global admin.
What concerns me is the scenario (I hope nobody runs into this) where, for a tenancy, because of an unexpected event or malicious behavior, all global admin users and users with privileged access have been deleted.
We have the backup data for this tenancy, but since there are no users with global admin access or what is required by the Logon to Azure step in the restore - how is the restore to be completed?
I'm not sure how this is resolved in the scenario when there is no backup too - do the users in the tenancy reach out to Microsoft to gain access back? If yes, does this same apply in this restore scenario too?
Meaning the backup data is of no use until a logon to Azure user is available.
Is this correct?
Thanks,
-Sumeet.
Re: Entra ID restore requires Logon to Azure
Hi Sumeet,
Yes, permission is required to write back objects.
If all users with these permissions have been removed from the tenant, whether accidentally or intentionally, you will need Microsoft’s assistance to regain global admin access.
I found some information from a Microsoft employee on their forum about recovering tenant access:
https://learn.microsoft.com/en-us/answe ... -my-tenant
Best,
Fabian
Product Management Analyst @ Veeam Software
Re: Entra ID restore requires Logon to Azure
Hi Fabian,
Thanks for the additional details.
"Yes, permission is required to write back objects." -- Is this a requirement from Microsoft or a design of the Entra ID restore?
Regards,
-Sumeet.
Re: Entra ID restore requires Logon to Azure
Hi Sumeet,
Having write permissions to the tenant in order to modify objects is a Microsoft requirement. If you don’t have these permissions, you cannot make changes.
Our workflow is designed with security in mind: an attacker on the backup server cannot simply "overwrite" objects in your Entra ID tenant or misuse the Entra ID application information and certificate stored on your backup server to cause harm without providing credentials with the necessary permissions.
Even if it were technically possible to adjust the restore behavior in the product code to use an application for restore without such credentials, your Entra ID application could still be deleted by an attacker in your tenant.
Best,
Fabian
Product Management Analyst @ Veeam Software