EntraID Backup conditional access policies question

[oscarm]

I've studied the documentation and found this for Conditional Access backup:

To be able to protect Conditional Access policies, you must configure a registry key value and a set of permissions and roles:

On the backup server, set the value of the HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Backup and Replication\EntraIdBackupSupportsConditionalAccessPolicyRestore {DWORD} key to 1.
To be able to backup Conditional Access policies, assign the Policy.Read.All (application) permission to the Entra ID application used for backup. You specify this application when adding a tenant to Veeam Backup & Replication.

To be able to restore Conditional Access policies, the user account that you specify during restore must have the following roles: Conditional Access Administrator or Security Administrator. The Entra ID application used for restore must have the following permissions: Policy.ReadWrite.ConditionalAccess (delegated) and Agreement.Read.All (delegated). You specify this application when adding a tenant to Veeam Backup & Replication.

Why do you have to set the Azure permissions manualy and put the registry setting in by hand in order to backup Conditional Access?

[Mildur]

Hi Oscar,

This is only required in v12.3.1 and v12.3.2 — the feature was backported from version 13 and isn’t enabled by default (KB4696).
Version 13 will have this functionality enabled by default (no registry key needed), and the Entra ID app permissions can be automatically configured during tenant registration in the Backup Console.

Best,
Fabian