Hi All,
Would Veeam support restore of Microsoft Entra ID to a different tenant or a new tenant ?
Thank you in advance.
-
mogan2055847
- Enthusiast
- Posts: 36
- Liked: never
- Joined: Dec 08, 2021 10:39 am
- Full Name: Mogansundram Apna
- Contact:
-
Mildur
- Product Manager
- Posts: 10367
- Liked: 2781 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
- Contact:
Re: Restore EntraID to different Tenant
Hello Mogansundram,
No, that scenario is not supported today. Another Entra ID tenant does not allow the creation of objects with "foreign" domain addresses. Domain addresses (e.g., @veeam.com) are assigned to a single Entra ID tenant and cannot be used in different tenants.
Additionally, there are challenges related to the relationships between different objects. In the original tenant, we have the recycle bin, which allows us to recover objects using their original unique IDs. However, in new tenants or in the original tenant after 30 days post-deletion, we have to recreate the objects from scratch. Microsoft will assign new unique IDs for each object, and these IDs are stored in properties of different objects, such as group membership in a security group. In short, we cannot restore relationships between objects when we have different IDs. We would have to build a logic to replace original ids with new ids in a restore session.
May I ask why you want to restore to a different or new tenant? Is it for testing purposes or a migration use case?
Best regards,
Fabian
No, that scenario is not supported today. Another Entra ID tenant does not allow the creation of objects with "foreign" domain addresses. Domain addresses (e.g., @veeam.com) are assigned to a single Entra ID tenant and cannot be used in different tenants.
Additionally, there are challenges related to the relationships between different objects. In the original tenant, we have the recycle bin, which allows us to recover objects using their original unique IDs. However, in new tenants or in the original tenant after 30 days post-deletion, we have to recreate the objects from scratch. Microsoft will assign new unique IDs for each object, and these IDs are stored in properties of different objects, such as group membership in a security group. In short, we cannot restore relationships between objects when we have different IDs. We would have to build a logic to replace original ids with new ids in a restore session.
May I ask why you want to restore to a different or new tenant? Is it for testing purposes or a migration use case?
Best regards,
Fabian
Product Management Analyst @ Veeam Software
-
mogan2055847
- Enthusiast
- Posts: 36
- Liked: never
- Joined: Dec 08, 2021 10:39 am
- Full Name: Mogansundram Apna
- Contact:
Re: Restore EntraID to different Tenant
Hi Midur,
It's for ransomware or disaster use cases, if the original Entra ID tenant is totally compromised (including full admin accounts), we might need to restore to another tenant or new tenant.
Thank you in advance.
It's for ransomware or disaster use cases, if the original Entra ID tenant is totally compromised (including full admin accounts), we might need to restore to another tenant or new tenant.
Thank you in advance.
-
Daniel.S
- Veeam Software
- Posts: 8
- Liked: never
- Joined: Dec 23, 2024 10:04 am
- Full Name: Daniel Schlinge
- Contact:
Re: Restore EntraID to different Tenant
Hi Team,
I have exact the same Request, same Use-Case for another huge Customer.
I have exact the same Request, same Use-Case for another huge Customer.
-
BackupBytesTim
- Service Provider
- Posts: 500
- Liked: 108 times
- Joined: Apr 29, 2022 2:41 pm
- Full Name: Tim
- Contact:
Re: Restore EntraID to different Tenant
I haven't tried using this feature, but based on the mention of restoring from the Recycle Bin functionality, it sounds like Veeam isn't actually backing things up here, instead relying on the Entra ID's record of deleted items and restoring them from that. Which would seem to be where the issue is, but definitely correct me if I'm misunderstanding that.
I would think in the event of an actual ransomware recovery situation, if you had a backup to restore, you could just delete all accounts entirely, and restore Veeam's backup. Or delete the entire tenant. Either scenario would be along the lines of creating a new tenant on Microsoft's cloud. Though of course any scenario there would involve loss of any functionally associated data like emails and OneDrive or any other Microsft 365 services being used, which would have to have been also backed up and recovered separately from the Entra ID backup, but I assume you already planned on that in the "new tenant" scenario.
I would think in the event of an actual ransomware recovery situation, if you had a backup to restore, you could just delete all accounts entirely, and restore Veeam's backup. Or delete the entire tenant. Either scenario would be along the lines of creating a new tenant on Microsoft's cloud. Though of course any scenario there would involve loss of any functionally associated data like emails and OneDrive or any other Microsft 365 services being used, which would have to have been also backed up and recovered separately from the Entra ID backup, but I assume you already planned on that in the "new tenant" scenario.
-
veremin
- Product Manager
- Posts: 20678
- Liked: 2383 times
- Joined: Oct 26, 2012 3:28 pm
- Full Name: Vladimir Eremin
- Contact:
Re: Restore EntraID to different Tenant
In general, we have two restore modes: from the recycle bin and from the backup. If the objects are no longer in the recycle bin or if you uncheck the corresponding checkbox ("Restore from Entra ID recycle bin"), the objects will be restored from the backup. However, in this case, they will get new object IDs.
Thank you.
Thank you.
-
BackupBytesTim
- Service Provider
- Posts: 500
- Liked: 108 times
- Joined: Apr 29, 2022 2:41 pm
- Full Name: Tim
- Contact:
Re: Restore EntraID to different Tenant
That makes sense now, thank you veremin!
Who is online
Users browsing this forum: Google [Bot] and 125 guests