Topic
This article explains how to set up Microsoft Entra backups in Dropsuite.
Environment
- Dropsuite
- Microsoft Entra ID
Description
Dropsuite Entra Backup involves three main steps, described in the sections below.
This article also discusses the following workflows:
Add a Microsoft 365 (M365) Tenant
You must add an M365 tenant before you can back up Microsoft Entra. First, follow the steps in Adding an M365 Tenant to Backups, then proceed with the steps below.
Microsoft Entra Authorization
There are two available authorization applications with different purposes:
- Backup App: This app has read-only privileges. You will use it exclusively to perform backup operations. The Backup app is a required application.
- Restore App: You can enable this app permanently to allow restore operations without additional authentication and authorization, or temporarily as part of a specific restore operation.
To enable the apps, follow these steps.
Authorize Microsoft Entra Backup App
- Log in to the Microsoft Entra Portal. In the Organizations section of the Partner Portal, choose Access Microsoft Entra Portal. Note that organizations can't access this option. Only resellers can manage Entra backups on behalf of their organizations.
- The dashboard shows a list of M365 tenants you've added. Select the tenant you want to back up, and then select Activate Backup.
- On the New Tenants page, select Sign in with Microsoft to authorize.
- A new window will appear with the Microsoft login page. Use an administrator account to authorize the Entra Backup app.
- Enable Immediate Backup to have the system start backing up immediately after authorization is granted.
- Set the Backup Frequency (currently only available every 24 hours).
- Choose Continue to complete authorization.
- Once complete, the system will display that tenant's Backup Now, Download, and Show Detail options.
Authorize Entra Restore App
- Log in to the Entra Portal.
- On the dashboard, you'll see a Reauthorization Required badge for the M365 tenants. Select the tenant, and then select Update Now.
- On the New Tenants page, select Sign in with Microsoft to authorize.
- You'll be redirected to the Microsoft login page. Use the administrator email address to sign in.
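A tenant administrator can confirm from the Entra side which permissions each authorized app actually holds, for example to check that the Backup app is read-only and to see whether the Restore app is still enabled. The PowerShell below is an added example, not Dropsuite's own code; it assumes the Microsoft Graph PowerShell SDK is installed, and the two display names are placeholders to replace with the names shown in your tenant.

```powershell
# Added example. Requires the Microsoft Graph PowerShell SDK (Microsoft.Graph module).
Connect-MgGraph -Scopes 'Application.Read.All', 'DelegatedPermissionGrant.Read.All'

# Placeholders (assumption): use the names shown under Enterprise applications in the tenant.
$appNames = @('<BACKUP-APP-DISPLAY-NAME>', '<RESTORE-APP-DISPLAY-NAME>')

# Heuristic (assumption): only *.Read / *.ReadBasic permissions and the OpenID Connect
# scopes count as read-only; anything else is flagged for review.
function Test-ReadOnlyPermission([string]$Name) {
    ($Name -match '\.Read(Basic)?(\.|$)') -or ($Name -in 'openid', 'profile', 'email', 'offline_access')
}

$resources = @{}   # cache of resource service principals, keyed by object ID
$report = foreach ($name in $appNames) {
    foreach ($sp in (Get-MgServicePrincipal -Filter "displayName eq '$name'" -All)) {
        # Application permissions: app role assignments held by the service principal.
        foreach ($a in (Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All)) {
            if (-not $resources.ContainsKey($a.ResourceId)) {
                $resources[$a.ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
            }
            $role = $resources[$a.ResourceId].AppRoles | Where-Object Id -eq $a.AppRoleId
            $perm = if ($role) { $role.Value } else { '(default access)' }
            [pscustomobject]@{
                App = $sp.DisplayName; Kind = 'Application'; Resource = $a.ResourceDisplayName
                Permission = $perm; ReadOnly = Test-ReadOnlyPermission $perm
            }
        }
        # Delegated permissions: OAuth2 grants where this service principal is the client.
        foreach ($g in (Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All)) {
            foreach ($scope in ($g.Scope -split '\s+' | Where-Object { $_ })) {
                [pscustomobject]@{
                    App = $sp.DisplayName; Kind = "Delegated ($($g.ConsentType))"; Resource = $g.ResourceId
                    Permission = $scope; ReadOnly = Test-ReadOnlyPermission $scope
                }
            }
        }
    }
}

$report | Sort-Object App, Kind, Permission | Format-Table -AutoSize
# Grants that are not read-only: expected for the restore app, never for the backup app.
$report | Where-Object { -not $_.ReadOnly } | Format-Table -AutoSize
```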
Entra ID Backup
- Log in to the Entra Portal. On the Organizations page of the Partner Portal, choose Access Entra Portal. Note that organizations can't access this option. Only resellers can manage Entra backups on behalf of their organizations.
- On the dashboard, move your cursor over the tenant and select Backup Now.
- Once initiated, a success banner will appear.
- Visit the System Status page to monitor backup progress.
Download and Export Data
The Download button generates a download containing a .zip file with the selected data in JSON format. You can download specific objects, all objects of a particular type (such as user or group), or all currently backed-up objects.
The JSON format allows you to review data in a text editor, JSON tool, or programmatically (for example, in PowerShell or Graph API). In the event of a failed restore, you can use JSON data to perform a manual restore outside of Dropsuite Entra Backup.
Download Options
You have the following options available to you for downloading tenant data:
Tenant Level: On the dashboard, select Download.
Object Type Level: Select the tenant on the dashboard, select the object type, and then choose Download.
Object Detail Level: Select the tenant, select the object type and specific object, and then choose Download in the sidebar.
After initiating a download, monitor progress on the System Status page. The download link expires in seven days.
Restore Data
Unlike downloads, restores are available only at the Object Detail level.
After you choose Restore, Dropsuite will display a confirmation message. To proceed, choose Restore.
Frequently Asked Questions (FAQ)
The following questions have been asked by our customers and answered by our product specialists. Select a topic to continue.
- Which Entra object types does Dropsuite currently support?
- How long does the initial Entra backup take?
- How often does Entra Backup run?
- Can I perform an immediate backup?
- Why doesn't the number of snapshots match the number of backups?
- Does the restore always return success?
- Why can't I choose the Restore button?
- What happens if I don't complete the maximum privilege-level installation?
- What does the Reauthorization Required badge on the dashboard mean?
- Why can't I click the Service Principals folder?
- Where do I find the BitLocker key?
- Why can't I download or restore a BitLocker key?
Which Entra object types does Dropsuite currently support?
The following table lists all object types and supported features.
| Object Type | Backup | Restore | Download |
|---|---|---|---|
| Users | Yes | Yes | Yes |
| Groups | Yes | Yes | Yes |
| Roles and Admins | Yes | Yes | Yes |
| App Permissions | Yes | Yes | Yes |
| Service Principals | Yes | Yes | Yes |
| Security and Compliance Policies | Yes | Yes | Yes |
| Device Management Policies | Yes | Yes | Yes |
| BitLocker Recovery Keys | Yes | No | No |
| Device | Yes | No | Yes |
| InTune | Yes | No | Yes |
How long does the initial Entra backup take?
The duration varies based on data volume and network speed.
How often does Entra Backup run?
Backups run based on the frequency set during authorization (currently every 24 hours).
Can I perform an immediate backup?
Yes, but only during the Entra authorization process. Immediate backups are not permitted afterward.
Why doesn't the number of snapshots match the number of backups?
Graph API only creates snapshots for objects that have changed since the last snapshot date. It will not create a new snapshot if no changes occur, even if the system backup completes successfully. As a result, successful backups may exceed the number of snapshots.
Does the restore always return success?
Dropsuite may skip certain items during the restoration process. The Download Skipped Items feature allows you to review skipped items. Navigate to the System Status page, select the Restore tab, and choose Download.
Why can't I choose the Restore button?
When trying to click the Restore button, you might see the following message: "This restore operation requires additional privileges to be assigned to the Entra Backup Application in the target tenant."
This message means that the restore process requires delegated permissions, which are missing. You must install the app with maximum privileges to allow restore operations. Follow the prompt, and then choose Proceed to continue. Input the required credentials to grant the necessary permissions.
Note that some objects, like BitLocker recovery keys, cannot be restored as they are read-only in Entra.
What happens if I don't complete the maximum privilege-level installation?
Without granting maximum privileges, restore functionality will not work, and you won't be able to recover data.
You must install the application with maximum privileges to allow restore operations. Follow the prompt and then choose Proceed to continue. Input the required credentials to grant the necessary permissions.
What does the Reauthorization Required badge on the dashboard mean?
This badge generally indicates that a new object has been added. This badge can also mean the application is corrupted in Entra. Move your cursor over the tenant listing and then select Show Detail. Select Update Now to be redirected to the authorization page. Complete the authorization, and the badge will disappear.
Why can't I click the Service Principals folder?
This issue occurs when Dropsuite fails to reauthorize the folder successfully. To resolve this issue, select Update Now on the page banner. You'll be redirected to the reauthorization page to complete the process.
Where do I find the BitLocker key?
To locate the BitLocker key, perform the following steps:
- Log in to the Entra portal.
- On the dashboard, select the tenant.
- Select the BitLocker Key folder in the object type column.
- Dropsuite shows the key in an obfuscated format to prevent unauthorized users from seeing BitLocker recovery keys.
Can I get the BitLocker key?
Yes, though the restore app needs to be enabled first. You can enable it temporarily by following the steps below or permanently by completing the preceding Entra authorization steps.
This requirement ensures that only users authorized to view these keys in the target Entra environment can view them in the Entra Backup application.
- On the BitLocker key panel, choose the view icon.
- Dropsuite will show a privilege elevation modal. Choose Proceed.
- Input the required credentials and click Enter. Dropsuite will now display the BitLocker key.
Why can't I download or restore a BitLocker key?
To reduce the risk of leaking BitLocker recovery keys, Dropsuite does not make them available for download. Similarly, Microsoft prevents this data from being overwritten, making it impossible to restore BitLocker recovery keys.