Exclude ENTRA ID USERS from backup

[sdv]

Can we exclude the ENTRA ID USERS from this backup too?

Only select the other options like: Enterprise apps (for its configuration) and CAD or does it count users inside enterprise apps (even if they are assigned within groups)?

[Mildur]

Hi Stefan,

Please always create a "new topic" for each "new question." Only use existing topics if the same question has already been discussed.

Exclusion is not possible with Entra ID backup; it's an all-or-nothing approach. The reason for including everything is due to the relationships between different objects.
For example, if you want to protect a security group, you would typically also need to restore every user associated with that group.

Regarding your mention of CAD, I'm not sure what you're referring to. Licensing is based on enabled Member users.



Best,
Fabian

[sdv]

Hello Mildur,

Thanks, I found it relevant to the same topic as its an addition but this is okay too.

I do not want the backup tool to backup the users part (all or nothing approach) as the licensing is excessive (its 1,5x our current VULs for VMs) and it does not make sense to me when we work with AD SYNC to Entra ID and have AD Groups assigned to the APPS.

Therefore a very nice to have is to backup only the enterprise apps and Conditinial Access Policies (=CAD).
Especially if it contains the 'compare' functionality.

Can you elaborate - Does this mean we cannot exclude 'all users' to its backup?

And/or how does it calculate the users?
- 'Standalone' members of an Enterprise App = added to the VUL count?
- Also Groups (reading the members of it?) of an Enterprise app?

[Mildur]

Hi Stefan,

<Full User> protection is required. There is no "Exclude" button.

And/or how does it calculate the users?
'Standalone' members of an Enterprise App = added to the VUL count?

Could you please share a screenshot or a link to Microsoft documentation? I’m not sure what a standalone member of an enterprise app refers to.

Also Groups (reading the members of it?) of an Enterprise app?

As mentioned in my previous comment, licensing is based on the number of accounts with type "member" in the protected tenant. If the protected Entra ID tenant has 100 "member" accounts, you will need 10 VULs.
It does not matter how your Enterprise Apps or Security Groups are configured; it will still be 10 VULs for 100 "member" accounts.

I do not want the backup tool to backup the users part (all or nothing approach) as the licensing is excessive (its 1,5x our current VULs for VMs)

I recommend to reach out to our sales teams in your region. I believe they can offer you discounts on really large tenants.

Best,
Fabian

[sdv]

Thanks for clarifying.
=> <Full User> protection is required. There is no "Exclude" button.
With this topic, please include this in the feature requests, built an Exclude users option! .

Standalone is what I personally mean: 'manually assign a user to an enterprise application' instead of using 'assigning Active Directory groups to an enterprise application'.
Hence no need for users to be backed up. We can always manually assign too.

I cannot imagine big discounts in the same VUL model as VM backups (e.g. 6000 user accounts including service accounts = 600 VULs).
But I'll pick this up with support and licensing dept.