-
- Novice
- Posts: 7
- Liked: never
- Joined: Sep 19, 2023 11:55 am
- Full Name: Joshua Wood
- Contact:
Restore Operators not activated when moving users to security group via PIM
Is anyone aware of anything that could be preventing restore operator access from activating when users are added to an Azure Security Group via PIM? When members of the group are managed manually, the restore operator access works fine, but when using PIM, it doesn't work. Any ideas?
-
- Product Manager
- Posts: 10110
- Liked: 2696 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
- Contact:
Re: Restore Operators not activated when moving users to security group via PIM
Hello Joshua
I'm not aware of any limitations.
But I can also see the same behavior. Let me ask our QA team if this is a limitation or not.
Best,
Fabian
Product Management Analyst @ Veeam Software
-
- Novice
- Posts: 7
- Liked: never
- Joined: Sep 19, 2023 11:55 am
- Full Name: Joshua Wood
- Contact:
Re: Restore Operators not activated when moving users to security group via PIM
Thanks Fabian,
Ok, so you can confirm that when you use PIM, you experience the same issue?
We are finding it takes over 8 hours to sync, just wondering if this is customer specific? When the customer adds the member to the security group directly they still have a sync/delay issue that takes about over 8 hours for the restore portal to recognise the group membership has updated. Just wondering where the bottleneck could be regarding what is causing the delay between Azure and the restore portal recognising who should have restore operator access?
The use-case is that this customer wants to only elevate permissions for someone to perform a restore for specific time periods/reasons, hence using PIM to elevate access temporarily.
-
- Novice
- Posts: 7
- Liked: never
- Joined: Sep 19, 2023 11:55 am
- Full Name: Joshua Wood
- Contact:
Re: Restore Operators not activated when moving users to security group via PIM
Further update, even when adding an individual user in the Veeam console for the individual to be defined as a restore operator, the user does not receive restore operator privileges when they log in - wondering what the delay is in the sync between Veeam and the customer environment.
-
- Service Provider
- Posts: 73
- Liked: 10 times
- Joined: Sep 19, 2018 12:11 pm
- Full Name: Frank Wijmans
- Location: The Netherlands
- Contact:
Re: Restore Operators not activated when moving users to security group via PIM
We're experiencing a similar issue when using Security Groups. We've got 2 organizations we're using to test the Veeam Restore Portal. Both have created a security group in Azure or Entra and added a global admin to this group. When we add this group to the Restore Operators in the Veeam backend, those global admins can log in without issues, but can't change the scope whatsoever. After I tried to add the global admin account as an individual user, they are able to change the scope. Is this also related to that 8 hour sync?
-
- Product Manager
- Posts: 10110
- Liked: 2696 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
- Contact:
Re: Restore Operators not activated when moving users to security group via PIM
Hi guys
I'm still checking the situation with our teams.
For now it seems that for restore operator groups we are using cached values instead of connecting to Azure to get the group members every time. I'll come back to this topic as soon as we have confirmed this behavior in our lab.
Best,
Fabian
Product Management Analyst @ Veeam Software
-
- Service Provider
- Posts: 73
- Liked: 10 times
- Joined: Sep 19, 2018 12:11 pm
- Full Name: Frank Wijmans
- Location: The Netherlands
- Contact:
Re: Restore Operators not activated when moving users to security group via PIM
After some testing on my end, I found that when I use a Microsoft 365 group, the accounts inside this group are able to change the scope. So that fixes our issue at the moment.
But I do find it strange that a standard security group is supposed to be supported (a dynamic security group isn't by design according to support), but that doesn't seem to be working for us.
-
- Product Manager
- Posts: 10110
- Liked: 2696 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
- Contact:
Re: Restore Operators not activated when moving users to security group via PIM
Hi Frank
I got an answer regarding the caching for security groups. We use the cache for restore operators because querying the information from Entra ID directly could lead to logon delays of 15 min or more in some situations.
There is some additional behavior we are checking with QA. It seems that for backup jobs we don't rely on the organization cache. At least in my tests, PIM assigned users were immediately protected by a backup job, while the restore portal didn't assign them operator permissions.
Best,
Fabian
PS:
The organization cache for all organizations can be updated on the server by the following command:
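```powershell
# Retrieve every organization registered on this server
$organizations = Get-VBOOrganization
foreach ($organization in $organizations)
{
    # Run a full synchronization to refresh the organization cache
    Start-VBOOrganizationSynchronization -Organization $organization -Full:$true
}
```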
Product Management Analyst @ Veeam Software
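A simplified model of the cache behaviour described in the post above, as an added example (not Veeam code and not part of the original thread): it shows how much of a time-boxed PIM activation is actually usable when the restore portal only sees group membership as of the last organization cache refresh. The fixed refresh interval, the 8-hour value, the timestamps and all function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta


def refresh_instants(first_refresh, interval, until, forced=()):
    """Assumed periodic cache refreshes up to `until`, merged with forced syncs."""
    instants = list(forced)
    t = first_refresh
    while t <= until:
        instants.append(t)
        t += interval
    return sorted(instants)


def usable_elevation(pim_start, pim_duration, first_refresh, interval, forced=()):
    """Return (recognised_at, usable) for one PIM group activation.

    recognised_at: first cache refresh that falls inside the PIM window, or None.
    usable: time during which the user is a group member in Entra ID AND
            already present in the cached membership snapshot.
    """
    pim_end = pim_start + pim_duration
    for refresh in refresh_instants(first_refresh, interval, pim_end, forced):
        if pim_start <= refresh < pim_end:
            return refresh, pim_end - refresh
    return None, timedelta(0)


# Constructed sample values: cache refreshes at 00:00, 08:00, 16:00, ...
DAY = datetime(2024, 1, 15)
INTERVAL = timedelta(hours=8)
WINDOW = timedelta(hours=4)  # length of the temporary elevation


def demo():
    """Three constructed scenarios for a 4-hour PIM activation."""
    return {
        # Activated 09:00-13:00: no refresh falls inside the window.
        "missed": usable_elevation(DAY + timedelta(hours=9), WINDOW, DAY, INTERVAL),
        # Activated 06:00-10:00: the 08:00 refresh picks the membership up.
        "partial": usable_elevation(DAY + timedelta(hours=6), WINDOW, DAY, INTERVAL),
        # Activated 09:00, forced sync assumed to complete at 09:20.
        "forced": usable_elevation(DAY + timedelta(hours=9), WINDOW, DAY, INTERVAL,
                                   forced=[DAY + timedelta(hours=9, minutes=20)]),
    }


if __name__ == "__main__":
    for name, (seen, usable) in demo().items():
        print(f"{name:8} recognised_at={seen} usable={usable}")
```

In this model an elevation window shorter than the refresh interval can pass without the cached membership ever including the user, which matches the time-boxed restore use case raised earlier in the thread.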
-
- Service Provider
- Posts: 132
- Liked: 12 times
- Joined: May 15, 2012 9:06 am
- Full Name: Martin Broaders
- Contact:
Re: Restore Operators not activated when moving users to security group via PIM
Hi, just jumping in on this one as we have a similar issue. We have tried forcing the organization update, which hasn't helped. When using PIM for the Exchange Admin role it seems fine, but when using PIM for a group that has the Exchange Admin role we get the same issue. Is this issue due to be resolved in an update?
-
- Lurker
- Posts: 1
- Liked: never
- Joined: May 19, 2022 10:08 am
- Contact:
Re: Restore Operators not activated when moving users to security group via PIM
Same here, just found out that role assigned using PIM with group ownership (group that has the required roles obviously) is seen from VBO as "no role assigned" whereas direct role assignment on user is working. Strange.