AvePoint Learn
Request article
Contact support
Request article
Contact support
English

    Home > Get Started > Enable Backup for Microsoft Entra ID or Admin Portal Settings

    Export to PDF

    Enable Backup for Microsoft Entra ID or Admin Portal Settings

    To back up the Microsoft Entra ID or Admin Portal Settings, you can choose to create a service app, or use a custom Azure app with required permissions. For details on creating a custom Azure app, refer to Create a Custom Azure App. You can go to the Default Permissions Granted to the Service App section to find the permissions that you can grant to your custom app.

    Complete the steps below:

    1. Before you enable the backup service for Microsoft Entra ID or Admin Portal Settings, go to AvePoint Online Services to configure a service app profile for that Microsoft 365 tenant. For detailed instructions on creating a service app profile, refer to Create a Service App and Grant Consent.

    2. After the service app is ready, go to the Backup page of the Cloud Backup for IaaS + PaaS to configure the backup scope for the Microsoft Entra ID or Admin Portal Settings. Note that if you have multiple tenants to protect, you must create a service app for each of them.

      For details on configuring the backup scope, refer to:

      NOTE
      • If you want to back up and restore distribution lists or mail-enabled security groups in Microsoft Entra ID, or back up and restore the Microsoft 365 Defender or Exchange settings through Admin Portal Settings service, you can choose to configure a service account profile for this tenant with a Global Administrator or Exchange Administrator user role, or you can go to the Azure portal to add this service app as Exchange Administrators role. For details on assigning an app the Exchange administrator role, refer to How to Assign the Exchange Administrator Role to an App?. For details on configuring a service account profile, refer to Create a Service Account Profile.
      • A service account with MFA enabled is currently not supported. In addition, due to API limitations, the backup service of Microsoft Entra ID will perform full backups on the distribution lists and mail-enabled security groups each time. This can be determined by the number of successful objects in each backup job.

      • If you are using a custom Azure app for Microsoft Entra ID or Admin Portal Settings service and you do not want to assign a Global administrator or Exchange administrator role to the app, refer to the instructions in Create a Custom Role Group to create a role group with the minimum permissions. This configuration is only applicable to the custom app.

      • If you want to restore a temporarily deleted user or group, the service account or the service app must be assigned with the Global administrator role.

      • If you want to back up and restore the Self Service Group Management property of the Groups General settings for Microsoft Entra ID > Groups, you must configure a service account profile in the AvePoint Online Services interface with the service account in Cloud Application Administrator role. Note that if you only want to back up this property, the Cloud Application Administrator role is not required.

      • To back up and restore the Attributes and Claims, Identifier (Entity ID), currentSingleSignOnMode, ParentAppId, or IsCustomApp of the SSO configuration for the enterprise applications, you must have a service account profile configured in the AvePoint Online Services interface and the service account you use must have the Application Administrator role. Note that if you only want to back up this property, the Application Administrator role is not required.

    For details on the support list, refer to Microsoft Entra ID and Admin Portal Settings.