Data Backed Up in Entra ID

Microsoft Entra ID is an Identity as a Service (IDaaS) solution, a cloud-based identity and access management service that Microsoft users can use to access external resources. Example resources include Microsoft 365, the Azure portal, and thousands of other SaaS applications. Microsoft Entra ID also helps users access internal resources like apps on in their organizational intranet, and any cloud apps developed for their organization.

To learn the differences between Active Directory and Microsoft Entra ID, see Compare Active Directory to Microsoft Entra ID. You can also refer to Microsoft Cloud for Enterprise Architects Series posters to better understand the core identity services in Azure like Microsoft Entra ID and Microsoft 365.

Cloud-to-Cloud Backup for Entra ID supports the cloud-based version of Entra ID. Windows Server Active Directory & Hybrid environments are not currently supported.

The following tables describe the Entra ID objects protected by Barracuda Cloud-to-Cloud Backup.

Entra ID Backup

Users
Groups
Administrative Units
Roles

Entra ID Backup Premium

App Registrations
Audit Logs
Authentication Method Policies
Authentication Strength Policies
BitLocker Keys
Conditional Access Policies
Device Management
- Device Compliance Policies
- Device Configuration Policies
Enterprise Applications
Local Administrator Passwords (LAPS)
Named Locations

Entra ID Backup

Users

User objects are digital profiles that represent people in an organization. These profiles store important information about each user, such as their name, email address, job title, and permissions.

For example, a user object might include:

The user’s login credentials (username and password).
Their role (e.g., regular employee or admin).
Groups they belong to (e.g., "Sales Team").
Access permissions for apps and data.

User objects are like ID cards in the digital world, helping the system know who someone is and what they are allowed to do.

Backup:

The object and all attributed detailed below are backed up.

Restore:

The object is updated/created.

Limitation:

Photos backed up need to be exported and restored manually.

Groups

Group objects are digital collections of users, devices, or other groups that help manage access to apps, data, and resources more efficiently.

For example:

Instead of giving access to an app to 50 employees one by one, you can add all 50 to a group and assign the app to the group.
Groups can also be used to apply specific policies, like blocking access from certain locations.

There are two main types of groups in Entra ID:

Security groups: Used to control access to resources (e.g., files, apps).
Microsoft 365 groups: Used for collaboration (e.g., in Teams, SharePoint).

Mail-Enabled Groups and Distribution Groups are primarily managed in Exchange Online or the Microsoft 365 Admin Center, rather than directly in Entra ID.

Group objects are like "folders" for people and devices, making it easier to organize and manage access.

Backup:

For supported group types, the object and all attributes detailed below are backed up.
Group members for those supported group types are backed up.

Restore:

The object is updated/created.
Existing members are added/removed.

Limitations:

Mail-enabled security groups are backed up in Entra ID Backup, but they cannot be restored or exported.
Distribution groups are not backed up in Entra ID Backup, so they also cannot be restored or exported.

Group Types

Type	groupTypes	mailEnabled	securityEnabled	Created and managed via the groups APIs	Backed Up	Restored	Exported

Type	groupTypes	mailEnabled	securityEnabled	Created and managed via the groups APIs	Backed Up	Restored	Exported
Microsoft 365 groups	["Unified"]	TRUE	TRUE or FALSE	Yes	Yes	Yes	Yes
Security groups	[]	FALSE	TRUE	Yes	Yes	Yes	Yes
Mail-enabled security groups	[]	TRUE	TRUE	No; read-only through Microsoft Graph	Yes	No	No
Distribution groups	[]	TRUE	FALSE	No; read-only through Microsoft Graph	No	No	No

Group Attributes

Attribute	Description	Backed Up	Restored	Exported

Attribute	Description	Backed Up	Restored	Exported
classification	Classification for the group (such as low, medium, or high business impact).	Yes	No	Yes
deletedDateTime	Date the group object was deleted	Yes	No	Yes
description	Optional description	Yes	Yes	Yes
groupTypes	Group type and its membership	Yes	No	Yes
deducedGroupType	Type of group based on several properties (mailEnabled, securityEnabled, groupTypes)	Yes	Yes	Yes
mailEnabled	If the group is mail-enabled	Yes	Yes; note that this is the attribute indicating the mail-enabled state only, not the group itself - see Group Types table above.	Yes
mailNickname	Mail alias for the group, unique in the organization	Yes	Yes	Yes
mail	SMTP address	Yes	No	Yes
membershipRule	Rule that determines members for this group, if the group is a dynamic group	Yes	Yes	Yes
membershipRule ProcessingState	If the dynamic membership processing is on or paused	Yes	Yes	Yes
preferredDataLocation	Preferred data location	Yes	Yes	Yes
preferredLanguage	Preferred language	Yes	No	Yes
resourceBehaviorOptions	Group behaviors that can be set for a Microsoft 365 group during creation	Yes	No	Yes
resourceProvisioningOptions	Group resources that are provisioned as part of Microsoft 365 group creation, that are not normally part of default group creation.	Yes	No	Yes
securityEnabled	If the group is a security group	Yes	Yes	Yes
securityIdentifier	Security identifier of the group, used in Windows scenarios	Yes	Yes	Yes
theme	Theme for Microsoft 365 group	Yes	Yes	Yes
visibility	Group join policy and group content visibility	Yes	Yes	Yes
isAssignableToRole	If this group can be assigned to an Azure Active Directory role	Yes	Yes	Yes

Administrative Units

User objects are digital profiles that represent people in an organization. These profiles store important information about each user, such as their name, email address, job title, and permissions.

For example, a user object might include:

The user’s login credentials (username and password).
Their role (e.g., regular employee or admin).
Groups they belong to (e.g., "Sales Team").
Access permissions for apps and data.

User objects are like ID cards in the digital world, helping the system know who someone is and what they are allowed to do.

Backup:

The object and all attributed detailed below are backed up.
Members are backed up.

Restore:

The object is updated/created.
Existing members are added/removed.

Attribute	Description	Backed Up	Restored	Exported

Attribute	Description	Backed Up	Restored	Exported
displayName	Display name	Yes	Yes	Yes
description	Optional description	Yes	Yes	Yes
visibility	If the administrative unit and its members are hidden or public	Yes	Yes	Yes

Roles

Roles are like job titles that define what someone is allowed to do in your organization’s systems.

For example:

If you want someone to manage user accounts but not have access to billing information, you can assign them a User Administrator role. If someone needs full control over all settings, you can assign them the Global Administrator role.

Roles come with specific permissions that determine what tasks a person can perform, helping you control access and responsibilities.

Roles are how you assign the right level of access to people, so they can do their job without having unnecessary permissions.

Backup:

The object and all attributes as detailed below are backed up.
The users are backed up.

Restore:

The object is updated/created.
Existing users are added/removed.

Attribute	Description	Backed Up	Restored	Exported

Attribute	Description	Backed Up	Restored	Exported
description	Description	Yes	Yes (if not built-in)	Yes
isBuiltIn	If the role is part of the default set included with the product or custom	Yes	No	Yes
isEnabled	If the role is enabled for assignment	Yes	Yes (if not built-in)	Yes
rolePermissions	List of permissions included in the role	Yes	Yes (if not built-in)	Yes
templateId	Custom template identifier that can be set when isBuiltIn is false	Yes	Yes (if not built-in)	Yes
version	Version of the role	Yes	Yes (if not built-in)	Yes
visibility	If the role is hidden or public.	No	No	No

Entra ID Backup Premium Objects

The Entra ID Backup Premium tier supports the backup and restore of the following attributes for each object type, where possible.

In order to back up the objects within Entra ID, you must have a P1 or P2 license applied to your tenant. For more information on Entra ID and the license types, see https://learn.microsoft.com/en-us/entra/fundamentals/whatis.
Backing up Windows LAPS credentials also requires that your Entra ID Backup connection is configured for Entra ID Backup Premium and reauthorized with the additional permissions needed to read device local credentials.

App Registrations

App registrations are like creating a digital ID for an app so it can securely connect to your organization's systems or other services. This process allows apps to access resources, like user data or APIs, in a controlled and secure way.

For example:

If your company has a custom app that needs to access Microsoft 365 data (like calendars or emails), you’d register the app in Entra ID.
During registration, the app gets credentials (like a username and password for apps) and permissions (what the app is allowed to do).

App registrations are how you let apps "log in" and securely interact with your organization’s data, just like users have to.

Backup:

The object and all attributes as detailed below are backed up.
The owners (users) are backed up.

Restore:

The object is updated/restored (see details under Enterprise Applications).
Existing owners are added/removed.

Limitations:

For hard deleted app registrations, the following attributes cannot be restored, so they must be added by the user after restore:
1. Redirect URI Settings
2. Identifier URIs
See notes under Enterprise Applications.
Secrets and Certificates need to be created manually after restoration.
Photos for internal applications are backed up, however, they currently cannot be exported or restored.

Attribute

Attribute