Sync Isn’t Save: Why You Still Need Entra ID Backups for Hybrid Environments

Microsoft Entra ID is no stranger to organizations across the globe. In fact, many organizations rely upon Entra ID without even realizing it. As with anything that stores data, that data needs to be protected from threats and accidents, sometimes purely for compliance reasons.

Veeam first introduced backup capabilities for Entra ID last December, and earlier this year, Entra ID debuted on Veeam Data Cloud. Throughout all of this, we’ve heard many stories from customers, whether it be time saved via quick restores, malicious activity uncovered through point-in-time comparisons, or money saved by removing the need to store audit logs in expensive SIEM systems.

There is, however, one pervasive myth that keeps resurfacing: If I am syncing to Active Directory, I don’t need to back up Entra ID.

Let’s break down the most common talking points for this myth and see if they hold any weight. (Spoiler alert: They don’t).

Myth 1: Microsoft Has Backups

I’m sure they do! But probably not in the way you think. It’s a tale as old as the cloud, but it bears repeating. The Shared Responsibility Model is standard across the industry, whether it involves a SaaS product, a service offered through a Managed Service Provider (MSP), or even something that you, the reader, have within your organization.

In short, this model delineates which party is responsible for what activity. For cloud and SaaS offerings, the provider is typically responsible for the infrastructure and keeping the service running, but you, the customer, are responsible for the quality and safety of your data. In this model, you are responsible for your data, full stop.

Myth 2: All The Necessary Identity Attributes Are Synced

When it comes to syncing data between environments, Microsoft Entra Connect Sync is the workhorse that delivers. It’s the glue that keeps the attributes that exist in both places in sync, but there’s a catch: some attributes that exist in Entra ID don’t exist in Active Directory. The tool’s documentation gives a fairly comprehensive list of which attributes are synced. However, if you examine the attributes that Veeam backs up, you’ll find some that are not in that list.

For example, certain cloud-only attributes like AssignedLicenses or SamlMetadataUrl don’t exist in traditional AD. If you rely on sync alone, you lose visibility into these key elements. Imagine troubleshooting an authentication failure, only to realize the synced record lacks crucial attributes that determine security access.

By backing up Entra ID, you safeguard more than just the basics: you preserve everything that makes your cloud identity functional and secure.

Myth 3: If an Object is Deleted, I Can Restore it from my Active Directory Backup

Yes, you absolutely can, but only if the object exists and is backed up in Active Directory. However, Entra ID is not the same as Active Directory in the cloud. Instead, it is an evolution and contains cloud-only constructs like application registrations, Entra ID roles, and administrative units.

Some of these items could potentially be recreated in short order, like application registrations. Of course, that would require having all the necessary information on hand, knowing which service account(s) and passwords to use, and avoiding human error, all while your users can’t access external resources. Other constructs, such as administrative units, are trickier; you’ll want to ensure that your documentation is up to date, verified, and pristine if you plan to rebuild.

One misconfiguration when recreating these objects could be worse than a user lacking the required permissions: adding a user to the wrong group and over-granting permissions could open you up to a compliance nightmare when it comes to proving what the user did or did not access during that time.

Myth 4: I’ll Have the Data I Need for Forensic Investigations

If you ever need to track down how a threat actor got in and what actions they performed, the audit logs within Entra ID will likely be one of your first stops. Audit logs track activities such as sign-ins and provisioning, which makes them a powerful tool when trying to piece together a puzzle.

However, there are a few caveats that come with this. Firstly, Entra ID logs are only retained for a finite period. For customers with a P1 license, that’s seven days. For P2 license customers, that’s 30 days. As attacks become more sophisticated, it’s no secret that dwell time becomes longer and longer. Having a base of operations set up within an organization for more than 30 days is far from uncommon. In this scenario, you wouldn’t have any logs to perform a forensic audit on, unless you’re sending your logs to an external SIEM, which is likely incurring financial costs to your organization by storing data that you may never use.

On the other hand, backing up your audit logs with Veeam allows you to take this data and store it wherever suits you best, whether that be in a backup repository within your environment or a secure and immutable solution such as Veeam Vault. Aside from the straight-up cost savings each month, you’ll be able to selectively recover the exact log files you need for the period in question. If your SIEM supports it, you can even import restored data for analysis, which allows you to be prescriptive with your SIEM capacity costs.

Myth 5: Ctrl+Z Exists in the Cloud

We all make typos; it’s bound to happen. It’s just a matter of whether we can catch them in time. Unfortunately, identifying typos, particularly in Entra ID, can be tough. It’s one thing if you possibly misspell a user’s name, but what about those errors that don’t appear on the surface? The ones you need to dig for?

With our powerful but intuitive metadata comparison capabilities, you can quickly play a game of “spot the difference” between your backups and production. Being able to spot not only what attribute(s) have changed, but also what specifically has changed about those attributes, allows you to catch and undo mistakes quickly. We’re all human after all!
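As an added illustration of the “spot the difference” comparison described above (and of the cloud-only attributes from Myth 2), not Veeam’s own code: a small Python diff of two constructed snapshots of one user object that reports which attributes changed and how, and which of those changes an Active Directory backup alone could not restore. The snapshot values and the cloud-only attribute set are constructed assumptions for the example.

```python
import json

# Constructed sample snapshots of one Entra ID user object (made-up values,
# Microsoft Graph attribute casing); not real tenant data.
BACKUP_SNAPSHOT = {
    "userPrincipalName": "jane.doe@example.com",
    "displayName": "Jane Doe",
    "accountEnabled": True,
    "assignedLicenses": [{"skuId": "sku-e5"}],
}
PRODUCTION_SNAPSHOT = {
    "userPrincipalName": "jane.doe@example.com",
    "displayName": "Jane Doe",
    "accountEnabled": False,  # account disabled since the backup was taken
    "assignedLicenses": [{"skuId": "sku-p2"}, {"skuId": "sku-e5"}],  # licence added
    "jobTitle": "Controller",  # attribute that did not exist in the backup
}
# Attributes the post names as cloud-only (absent from on-premises AD); illustrative, not exhaustive.
CLOUD_ONLY_ATTRIBUTES = {"assignedLicenses", "samlMetadataUrl"}
MISSING = object()  # sentinel: attribute absent from a snapshot, distinct from a null value

def normalise(value):
    """Compare lists order-insensitively by sorting items on their canonical JSON form."""
    if isinstance(value, list):
        return sorted(value, key=lambda v: json.dumps(v, sort_keys=True))
    return value

def compare_objects(backup, production):
    """Return {attribute: (backup_value, production_value)} for every attribute that differs."""
    changes = {}
    for attr in sorted(set(backup) | set(production)):
        old, new = backup.get(attr, MISSING), production.get(attr, MISSING)
        if normalise(old) != normalise(new):
            changes[attr] = (old, new)
    return changes

def describe_change(attr, old, new):
    """One line saying not only which attribute changed but what changed about it."""
    if old is MISSING:
        return f"{attr}: added in production -> {new!r}"
    if new is MISSING:
        return f"{attr}: removed from production (was {old!r})"
    if isinstance(old, list) and isinstance(new, list):
        canon = lambda items: {json.dumps(v, sort_keys=True) for v in items}
        return f"{attr}: added {sorted(canon(new) - canon(old))}, removed {sorted(canon(old) - canon(new))}"
    return f"{attr}: {old!r} -> {new!r}"

def changes_not_recoverable_from_ad(changes):
    """Subset of the diff touching attributes an Active Directory backup alone cannot restore."""
    return {a: v for a, v in changes.items() if a in CLOUD_ONLY_ATTRIBUTES}
```

Run `compare_objects(BACKUP_SNAPSHOT, PRODUCTION_SNAPSHOT)` and feed each entry to `describe_change` to get the per-attribute report; `changes_not_recoverable_from_ad` then isolates the licence change that no AD backup holds.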

Don’t Compromise Because It’s the Cloud

Hybrid environments aren’t a new concept, nor are they disappearing overnight. However, they can extend some misplaced confidence when it comes to critical domains like data protection. Entra ID is a vital control plane for your organization’s security and access controls, and it needs to be treated as a Tier 0 asset. Backups aren’t just a best practice; they are a necessity.

Veeam Backup for Entra ID helps you reinforce your resilience and is readily available as part of Veeam Data Platform or through Veeam Data Cloud.

The post Sync Isn’t Save: Why You Still Need Entra ID Backups for Hybrid Environments appeared first on Veeam Software Official Blog.
