Issues with Backup for Microsoft EntraID

[FrancWest]

Case # 07534745

We had an issue creating a Backup Microsoft EntraID job. The setup wizard hung on the applying state. It just froze with a blank screen and never continued. Support was able to see an error message in the logs that Veeam couldn't find a general purpose proxy, we only had VMware backup proxies. After creating such a proxy, I was able to create a backup Microsoft EntraID job.

I have a couple of question though:
- is a general purpose proxy something new in v12.3? I never heard of it before, but that could be just me
- If a general purpose proxy is needed why doesn't the Backup Microsoft EntraID wizard check for the existence of this type of proxy instead of just hanging indefinitely when creating such a job?
- why doesn't Veeam create such a proxy itself during the update or install of VBR?

Further more, after creating the job and running it we got the error 'Job has been stopped with failures. Error: Unable to process the workload: your license has been exceeded.' According to support you need a VUL license to Backup EntraID. We only have sockets licenses and some instance licenses. Every instance allows the backup of 10 users in Microsoft EntraID. So that isn't enough for us. We do have Backup for Microsoft 365 licenses though for every user.

To be honest, I would expect this backup functionality to be part of Backup for Microsoft 365 since they have more similarities than VBR. Or at least allow, besides a VUL license, also a Backup for Microsoft 365 license to be able to backup EntraID. Now you have to purchase two types of licenses to backup EntraID and Microsoft 365, since VUL, after searching on the Veeam website, doesn't include a Backup for Microsoft 365 license (yet).

Just my two cents

[veremin]

General-purpose backup proxies are not a new concept; they were introduced when we launched support for Unstructured Data backup and are mainly used there.

Part of the Entra ID backup functionality, such as audit and sign-in log backup, is built on top of the Unstructured Data backup engine, which is why it requires a general-purpose backup proxy to operate. Typically, such a proxy is always present, as the backup server itself assumes this role by default.

However, after the release of 12.3, we discovered a bug where the process of adding a tenant freezes if the default proxy server (which by default is assigned to the backup server) has been removed from the console. We will aim to fix this in upcoming releases and add clear checks so that users won't have to guess what went wrong.

Regarding licensing, the Microsoft Entra ID backup functionality is part of Veeam Backup & Replication and is licensed under Veeam Universal License —protecting 10 users requires 1 VUL. Therefore, if you're short of the complimentary instances included with your socket license for backing up the entire tenant, you will need to purchase a separate VUL license (covering the backup of the entire tenant) and merge it with your existing socket license.

Thanks!

[FrancWest]

Will there be a known issues topic just with previous versions where this kind of issue will be mentioned?

Regarding licensing, I know how it works now, but I'm just giving my thoughts on what I think of it

[lando_uk]

Crikey, that's a lot of dosh to backup 50,000 users...

[FrancWest]

And why is it based on users, since it also backs up Groups, Roles, Administrative units and Applications?

And what about guest accounts? Do they also consume a license? Here: https://helpcenter.veeam.com/docs/backu ... ml?ver=120, it mentions 'if the tenant to whom this user belongs', but do guest accounts belong to our tenant or not? They are listed so....

[Gostev]

Crikey, that's a lot of dosh to backup 50,000 users...

For large directories it is best to contact sales, they have a special SKU they can use - just like there's a special SKU for backing up large NAS deployments.

[veremin]

And why is it based on users, since it also backs up Groups, Roles, Administrative units and Applications?

And what about guest accounts? Do they also consume a license? Here: https://helpcenter.veeam.com/docs/backu ... ml?ver=120, it mentions 'if the tenant to whom this user belongs', but do guest accounts belong to our tenant or not? They are listed so....

We decided to license the feature based on the number of protected users because we determined that this is the primary operational unit in Entra ID and because Microsoft also licenses the feature based on the number of users.

Guest users are considered regular users by us and therefore are also subject to licensing rules.

Thanks!

[veremin]

Will there be a known issues topic just with previous versions where this kind of issue will be mentioned?

If this or any other problem results in a large number of support cases, we will indeed consider creating a separate thread with the descriptions of the most pressing issues and their solutions.

For now, it seems that there is no such necessity.

Thanks!

[harbinger]

Will it be possible to configure the MS Entra ID feature to just backup only cloud users? We're synchronizing quite a lot of onprem users through Entra ID Connect for which the SOA is still AD, so it won't bring much value to backup these users if they cannot be restored.
What I also do not understand is why can't the VBM licenses be used for this? It would make sense since all the resources being backed up are technically Entra ID users.

BR
Philipp

[veremin]

Currently, we do not support any exclusions; we may add support for this in a future product version.

Thanks!

[veremin]

What I also do not understand is why can't the VBM licenses be used for this? It would make sense since all the resources being backed up are technically Entra ID users.

Unfortunately, we cannot comment on this decision - the team behind this forum is from R&D, while decisions regarding how a particular feature will be licensed are made by Pricing & Packaging.

Thanks!

[CoLa]

We decided to license the feature based on the number of protected users because we determined that this is the primary operational unit in Entra ID and because Microsoft also licenses the feature based on the number of users.

Guest users are considered regular users by us and therefore are also subject to licensing rules.

Thanks!

The fact that external users and guests are counted is actually wrong. These are not counted for all licences at Microsoft either.

[veremin]

This is, after all, the first version of this functionality, and it's often challenging to get everything perfect on the first try. We are carefully gathering feedback to improve the situation in the future.

So here's a question: What approach would you personally prefer? Should the feature, by default, exclude external and guest users, not back them up, and consequently not allow their restoration later?

Thanks!

[veremin]

The fact that external users and guests are counted is actually wrong. These are not counted for all licences at Microsoft either.

I don't think that's quite right—by default, no users in Entra ID are licensed at all. However, in such a scenario, you'll have almost nothing beyond the account and the ability to log in with it.

To obtain full functionality for the user (both for a member and a guest), you need to manually assign a license to them or to a group they belong to in the Entra ID portal.

And, of course, in such a scenario, even guest users will consume a Microsoft Entra ID license.

Thanks!

[CoLa]

That's why I wrote that they are not always and generally counted (depending on the assigned licence). VEEAM really wants to use a licence for every user.

But guests or external users should definitely be able to be excluded. Because in case of doubt they are quickly invited again (and where not, you can backup them and use up licences).

Because in smaller deployments in particular, a lot of licences are needed which are not always absolutely necessary. In Veeam365 I can also select the mailboxes and don't just have to back up all of them (and thus consume licences). It would be good to have more options here.

[veremin]

Alright, we understand your request. We will consider the possibility of excluding users from backup activity in one of the future releases.

Thanks!

[CoLa]

Thanks, for the moment, it would be enough to filter for user types. Member or Guest.

[colsztyn]

I agree that, at a minimum, you should be able to exclude guest users from the backup and not consume licenses for users who are completely secondary to the business process (likely) and many of whom are created at some point in time for a particular Teams channel or project collaboration never to be heard from again.

I understand why it would be problematic to exclude users who are not external users because it would get messy. Example: you are backing up a group that has a member you don't want to backup? Do you backup partial groups in this case? Just one example but it could quickly become unwieldy.

[CoLa]

Quite simply, all users are backed up and the guests are simply not counted. As described, these are not the main target of the backup.

[veremin]

Thank you for your comments. We have received a large amount of feedback regarding the current licensing model of Entra ID backup. The suggestions have been communicated to higher management, which is currently assessing the possibility of altering the licensing scheme according to the feedback received. I cannot promise that changes will happen immediately, but I am confident that they will certainly occur in the future.

[SnakeSK]

So just to be clear since I tested this functionality with existing license - the Entra ID actually requires free VULs to function, they are not "gifted" on actual VULs x 10?

[Gostev]

I'm not sure I fully understand your question but having said that, Entra ID is not different from ANY other workload as it comes to its licensing with VUL.