How Can We Backup Our Entra Applications and SSO Configurations?

Asked By TechWhiz247 On

We've been busy setting up Single Sign-On (SSO) for various third-party applications, resulting in a lot of Enterprise Applications created in Entra. I'm curious about the best way to back this up - is it actually possible? I know there are PowerShell commands like Get-MgApplication and Get-MgServicePrincipal that seem to pull most of the info we need, but how effective would it be if we can't export associated certificates or secrets? Are others just taking the risk and documenting that instead?

2 Answers

Answered By BackupGuru99 On

Unfortunately, you can't export the private key, which means there's no way to "restore" SSO Applications meaningfully. You can document backups of the claims and other configurations, but you'll need to reconfigure everything from scratch if something goes wrong. While you could upload custom certificates, that could increase risks of leaks. Fortunately, the risk is low unless someone decides to go on a deletion spree. Once everything is set up, Microsoft's SRM offers good coverage, but it won't save you if Microsoft faces a major outage. A solid plan would be to document each application's purpose and have a disaster recovery strategy in place.

GeekyDude45 -

What about tools like Veeam Entra ID backup? I have it configured, and it shows all applications in Entra. Can it restore them? Are you saying sensitive data might not be included in those backups?

CloudNinja77 -

Exactly, as mentioned, the private keys and secrets can't be backed up or restored, so it's crucial to have a solid documentation and creation automation plan.

AppAdmin42 -

Totally agree. Documentation and, if possible, automating the creation process would be my go-to to cover losses. If things go haywire, running a script to recreate everything can save a lot of headaches.
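
One way to produce the documentation this thread recommends, as an added example that is not part of the original posts: it uses the Microsoft Graph PowerShell SDK to write each enterprise application's SSO settings to JSON, and records only the metadata of certificates and secrets because Graph does not return their private material on read. The output folder name and the selection of fields are assumptions.

```powershell
# Added example: document Entra enterprise-app SSO configuration as JSON.
# Requires the Microsoft.Graph PowerShell SDK and read-only scopes.
Connect-MgGraph -Scopes 'Application.Read.All', 'Policy.Read.All'

$outDir = Join-Path $PWD 'entra-app-export'   # assumption: choose any access-controlled folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Enterprise applications carry this tag on their service principal.
$filter = "tags/any(t:t eq 'WindowsAzureActiveDirectoryIntegratedApp')"

foreach ($sp in Get-MgServicePrincipal -All -Filter $filter) {
    # The app registration is empty when the application is homed in another tenant.
    $app         = Get-MgApplication -Filter "appId eq '$($sp.AppId)'"
    $assignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All
    $claims      = Get-MgServicePrincipalClaimMappingPolicy -ServicePrincipalId $sp.Id

    [ordered]@{
        DisplayName        = $sp.DisplayName
        AppId              = $sp.AppId
        ObjectId           = $sp.Id
        SsoMode            = $sp.PreferredSingleSignOnMode
        LoginUrl           = $sp.LoginUrl
        ReplyUrls          = @($sp.ReplyUrls)
        IdentifierUris     = @($app.IdentifierUris)
        NotificationEmails = @($sp.NotificationEmailAddresses)
        AssignmentRequired = $sp.AppRoleAssignmentRequired
        ClaimsPolicies     = @($claims | Select-Object Id, DisplayName, Definition)
        Assignments        = @($assignments |
            Select-Object PrincipalDisplayName, PrincipalId, PrincipalType, AppRoleId)
        # Metadata only: thumbprint-level detail and expiry, never the key itself.
        Certificates       = @($sp.KeyCredentials |
            Select-Object KeyId, DisplayName, Usage, Type, StartDateTime, EndDateTime)
        # Secret values are not readable after creation; keep the hint and expiry.
        Secrets            = @($sp.PasswordCredentials |
            Select-Object KeyId, DisplayName, Hint, EndDateTime)
    } | ConvertTo-Json -Depth 6 |
        Set-Content -Path (Join-Path $outDir "$($sp.Id).json") -Encoding UTF8
}
```

A recreated application gets a new signing certificate, so the exported expiry dates and reply URLs serve as a checklist for what has to be re-exchanged with each third-party service.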

Answered By SysAdminExpert On

You can set permissions so that only 'application administrators' or application owners can make modifications, which adds a layer of security. Just ensure you have a 'break glass' account as a backup, or invite multiple trusted individuals to this role in case you need to make urgent changes.
