Veritas Alta SaaS Protection : Microsoft Entra ID Restore Workflows

Article: 100062004
Last Published: 2023-12-28
Product(s): Veritas Alta SaaS Protection

Description

How Microsoft Entra ID workloads are restored using Alta SaaS Protection (ASP) depends on how the Microsoft Entra ID environment is configured.

At a high level, two types of environment configuration are supported:

  • Pure Microsoft Entra ID
  • Hybrid with On-Premises Active Directory configured to sync to Microsoft Entra ID as one-way synchronization

 

Pure Microsoft Entra ID Environment

In this setup, all directory objects exist only in Microsoft Entra ID. This means that nothing special needs to be done when restoring directory objects using ASP.

Follow the normal ASP restore workflow to restore the directory objects back into Microsoft Entra ID using the restore interfaces provided by ASP (Admin Portal, End User Portal, Export Utility).

 

Hybrid with On-Premises Active Directory configured to sync to Microsoft Entra ID as one-way synchronization

In a Hybrid setup where sync is enabled from On-Premises Active Directory to Microsoft Entra ID, restoring directory objects in Microsoft Entra ID is a three-step process:

  1. Restore the relevant directory objects first in On-Premises Active Directory using the On-Premises Active Directory Backup/Restore solution NetBackup.
  2. Wait for the sync from On-Premises Active Directory to Microsoft Entra ID to be completed.
  3. Restore the relevant directory objects on Microsoft Entra ID to complete the restore of Cloud native attributes of the directory objects being restored.

The following method can be used to validate whether the sync to Microsoft Entra ID has completed successfully before proceeding with restoring directory objects using ASP:

Using the AADCloudSyncTools PowerShell module (Ref: AADCloudSyncTools PowerShell module for Microsoft Entra Cloud Sync):

  1. Get the Job ID from Microsoft Entra ID:

In Microsoft Entra ID, navigate to Hybrid management → Microsoft Entra Connect → Cloud Sync.

From the list of Cloud sync configurations, choose the configuration that syncs the records from the affected On-Premises Active Directory.

On the Overview page of that Cloud sync configuration, copy the value from Job ID.

  2. Get the status of the Sync job using the Job ID:

Note: Replace Job_ID in the command below with the Job ID retrieved from Microsoft Entra ID before running it in a PowerShell window.

Get-AADCloudSyncToolsJobStatus -ID Job_ID | Format-List -Property ID,lastRun_state,lastRun_timeBegan,lastRun_timeEnded

The above PowerShell command produces output similar to the screenshot below, which includes the lastRun_timeBegan and lastRun_timeEnded timestamp values. Both are in UTC.

The lastRun_timeBegan and lastRun_timeEnded timestamp values indicate when the last Sync started and ended. Compare them with the time the On-Premises Active Directory restore was done to determine whether the Sync has completed for that restore operation.
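The comparison described above, relating the last sync's timestamps to the time the On-Premises Active Directory restore finished, can be scripted. The following is an added example, not Veritas or Microsoft code: the names ConvertTo-UtcTime and Test-SyncCoversRestore and the sample status object are constructed for illustration, and it makes the conservative assumption that only a sync cycle that began after the restore finished has picked up the restored objects.

```powershell
# Added example; helper and function names are hypothetical, not part of AADCloudSyncTools.
function ConvertTo-UtcTime {
    param([Parameter(Mandatory)] $Value)
    if ($Value -is [datetime]) {
        # The article states the job timestamps are UTC, so an unmarked DateTime is taken as UTC.
        if ($Value.Kind -eq [System.DateTimeKind]::Unspecified) {
            return [datetime]::SpecifyKind($Value, [System.DateTimeKind]::Utc)
        }
        return $Value.ToUniversalTime()
    }
    $styles = [System.Globalization.DateTimeStyles]::AssumeUniversal -bor
              [System.Globalization.DateTimeStyles]::AdjustToUniversal
    return [datetime]::Parse([string]$Value, [cultureinfo]::InvariantCulture, $styles)
}

function Test-SyncCoversRestore {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $JobStatus,
        # Interpreted as local time unless an offset or 'Z' is given.
        [Parameter(Mandatory)] [DateTimeOffset] $RestoreCompleted
    )
    process {
        $restoreUtc = $RestoreCompleted.UtcDateTime
        $began = ConvertTo-UtcTime $JobStatus.lastRun_timeBegan
        $ended = ConvertTo-UtcTime $JobStatus.lastRun_timeEnded
        [pscustomobject]@{
            ID                  = $JobStatus.ID
            LastRunState        = $JobStatus.lastRun_state
            RestoreCompletedUtc = $restoreUtc
            SyncBeganUtc        = $began
            SyncEndedUtc        = $ended
            # Assumption: only a cycle that began after the restore finished counts.
            SyncCoversRestore   = ($began -ge $restoreUtc) -and ($ended -ge $began)
        }
    }
}

# Constructed sample status object, not real output. Live use:
#   Get-AADCloudSyncToolsJobStatus -ID Job_ID |
#       Test-SyncCoversRestore -RestoreCompleted '2023-12-28T10:00:00Z'
$sample = [pscustomobject]@{
    ID                = 'Job_ID'
    lastRun_state     = 'Succeeded'                # constructed value
    lastRun_timeBegan = '2023-12-28T09:58:30Z'     # began before the restore finished
    lastRun_timeEnded = '2023-12-28T10:01:10Z'     # ended after it
}
$sample | Test-SyncCoversRestore -RestoreCompleted '2023-12-28T10:00:00Z'
```

The sample is a cycle that ended after the restore but began before it, which a check on lastRun_timeEnded alone would not distinguish from a full cycle run after the restore.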

 

 

The following PowerShell command can also be used to wait for sync completion. For example:

Note: Replace Job_ID with the Job ID retrieved from Microsoft Entra ID. The following command waits until the next sync is completed.

# Record the start time, then poll every 10 seconds until a sync run ends after it.
$startDate = Get-Date
while ($startDate -gt ([DateTime](Get-AADCloudSyncToolsJobStatus -ID Job_ID | Select-Object -ExpandProperty lastRun_timeEnded))) {
    Write-Host "Waiting for Sync to complete ..."
    Start-Sleep -Seconds 10
}

 

 
