Barracuda Networks has launched Entra ID Backup Premium, a cloud-based backup-and-recovery service that protects 13 critical Microsoft Entra ID (formerly Azure AD) components and promises fast restoration beyond Microsoft’s native 30‑day recovery window, with centralized visibility and management through the BarracudaONE platform.
Microsoft Entra ID sits at the heart of sign-in, authorization, and policy enforcement for Microsoft 365, Azure, and scores of third‑party SaaS apps. When identities or policies go missing—by accident or design—access grinds to a halt. Microsoft’s own documentation confirms that only a subset of Entra ID objects are “soft deleted” and restorable for 30 days; many others are hard deleted immediately and cannot be recovered, underscoring the need for independent backups.
The scale of identity-targeted threat activity has surged. Microsoft’s latest reporting cites more than 600 million identity attacks per day and roughly 7,000 password attacks blocked per second—figures that frame why rapid identity configuration recovery is now a frontline requirement for cyber resilience.
Microsoft’s services agreement also recommends that customers regularly back up content stored in its services—and even calls out using third‑party apps and services—reinforcing the shared‑responsibility posture for data protection.
Source: SecurityBrief Australia Barracuda unveils Entra ID Backup Premium for secure recovery
Background
Microsoft Entra ID sits at the heart of sign-in, authorization, and policy enforcement for Microsoft 365, Azure, and scores of third‑party SaaS apps. When identities or policies go missing—by accident or design—access grinds to a halt. Microsoft’s own documentation confirms that only a subset of Entra ID objects are “soft deleted” and restorable for 30 days; many others are hard deleted immediately and cannot be recovered, underscoring the need for independent backups. The scale of identity-targeted threat activity has surged. Microsoft’s latest reporting cites more than 600 million identity attacks per day and roughly 7,000 password attacks blocked per second—figures that frame why rapid identity configuration recovery is now a frontline requirement for cyber resilience.
What Barracuda is shipping
Coverage that goes beyond the recycle bin
Entra ID Backup Premium safeguards 13 “must‑have” identity elements, spanning not just users and groups but also high‑impact configurations often overlooked by native recovery: Conditional Access policies, authentication method/strength policies, app registrations and enterprise applications, BitLocker keys, device management (Intune) policies, audit logs, named locations, roles, and administrative units. The non‑premium tier covers core objects (users, groups, roles, administrative units), while Premium adds the rest to reach the full 13. (campus.barracuda.com, barracuda.com)- Users, groups, roles, administrative units
- App registrations and enterprise applications
- Conditional Access, authentication method/strength policies
- Device management policies (Intune), named locations
- BitLocker keys and audit logs
Designed for speed and scale
As a SaaS offering, Entra ID Backup Premium deploys without software installs or patching; customers connect a Microsoft 365 tenant and can begin protection within minutes. Management lives inside the BarracudaONE platform, which provides a unified dashboard for backup status, data health, storage insights, and multi‑tenant oversight. Barracuda highlights advanced search, real‑time monitoring, detailed audit logs, and five levels of role‑based access control for operational separation of duties.Availability and packaging
The product is available globally through Barracuda’s reseller and MSP ecosystem. Organizations can buy Entra ID Backup Premium as a standalone SKU or bundle it with Barracuda Cloud‑to‑Cloud Backup; the basic Entra ID Backup (covering users/groups/roles/AUs) is included with Cloud‑to‑Cloud Backup licenses. (barracuda.com, campus.barracuda.com)Why this matters for Windows and Microsoft 365 admins
Microsoft’s 30‑day safety net isn’t enough
Native recovery in Entra ID is narrowly scoped. Only specific object types support soft delete, and even then, the recoverability window is limited to 30 days; other items (including many policy objects) are hard-deleted on removal. Microsoft explicitly advises customers to plan for recoverability—exporting configurations and building restore processes—because once the window closes, neither administrators nor Microsoft can bring hard‑deleted items back.Microsoft’s services agreement also recommends that customers regularly back up content stored in its services—and even calls out using third‑party apps and services—reinforcing the shared‑responsibility posture for data protection.
Identity is in attackers’ crosshairs
Password‑based attacks remain the dominant technique, and adversaries increasingly tamper with identity infrastructure to maintain persistence. Rapid rollback of directory objects and policy baselines—especially Conditional Access and app registrations—can be the difference between prolonged outage and quick restoration of business access.How Entra ID Backup Premium works (at a glance)
- Connect the Microsoft 365 tenant and authorize required Graph permissions for directory, application, audit, and device policy coverage.
- Choose protection scopes for users, groups, apps, policies, and logs; BarracudaONE tracks backup health and storage.
- Use advanced search and granular restore to recover specific objects or configurations; audit logs provide a trace of every action.
- Apply RBAC to segment duties between tenant admins, security teams, and MSP operators across single or multi‑tenant estates.
Competitive landscape and alternatives
Veeam and Keepit both offer cloud‑based backup for Microsoft Entra ID, with broad object coverage and unlimited retention options. Quest’s On Demand Recovery emphasizes granular recovery of Entra ID and Microsoft 365 objects, including Conditional Access and application principals. Barracuda’s differentiator is its tight integration with BarracudaONE—consolidating email security, data protection, and XDR telemetry into a single, MSP‑friendly console. (veeam.com, keepit.com, quest.com, barracuda.com)Strengths
- End‑to‑end identity coverage: Protects the 13 components that matter most for tenant operability—well beyond the recycle bin.
- Operational simplicity: SaaS delivery, no agents to manage, quick time‑to‑value, plus centralized oversight in BarracudaONE for single and multi‑tenant estates.
- Resilience beyond 30 days: Long‑term, scalable preservation of identity data and policies where Microsoft’s native recoverability stops. (barracuda.com, learn.microsoft.com)
- MSP alignment: Unified dashboarding and RBAC levels suit service providers consolidating protection across many customers.
Watch‑outs and open questions
- Restore semantics and object IDs: In Entra ID, some restores (especially after hard delete) can yield new object IDs, which may break app bindings, role assignments, or scripts expecting stable identifiers. Admins should plan for post‑restore remediation and validation.
- Permission footprint: Any identity backup platform requires broad Graph permissions to read and restore sensitive objects and policies. Apply least‑privilege, isolate credentials, and enforce MFA/Conditional Access for the backup operator accounts. (General best practice; verify in your tenant.)
- Audit and sign‑in log realities: Native log retention is constrained by license (often 7–30 days by default), prompting many organizations to export to Sentinel/Log Analytics. Backing up audit data may fill gaps, but teams should still design SIEM pipelines for advanced hunting and correlation.
- Pricing transparency: Barracuda positions Premium as a separate SKU while including the basic Entra ID Backup with Cloud‑to‑Cloud Backup. Evaluate total cost versus competitors claiming unlimited retention and confirm storage/egress terms and recovery SLAs.
Practical next steps for Windows admins
- Map your tenant’s “break‑glass” dependencies: list Conditional Access policies, named locations, app registrations/service principals with delegated app permissions, BitLocker and device policy stores. Prioritize these in any backup and recovery plan.
- Validate soft‑delete coverage: identify which objects are recoverable within 30 days and which are hard‑deleted on removal; structure backups accordingly.
- Pilot multi‑object restores in a lab: rehearse restoring users, app registrations, and CA policies to understand ID continuity, downstream impacts, and required clean‑up.
- Harden the backup plane: enforce RBAC separation, privileged access workstations (PAWs), and Conditional Access around the backup console and service principals. (General best practice.)
- Decide on platform consolidation: if your organization already uses Barracuda Email Protection or Cloud‑to‑Cloud Backup, leveraging BarracudaONE’s unified dashboard could reduce tool sprawl and operational overhead.
The WindowsForum.com take
For enterprises standardizing on Microsoft 365 and Entra ID, Barracuda’s Entra ID Backup Premium lands at the right moment. The product directly targets the recovery blind spots that Microsoft leaves—particularly policy and application configurations—and wraps them in a single, MSP‑ready console. With identity attacks intensifying and native recoverability capped at 30 days, locking in a dedicated Entra ID backup is fast becoming table stakes for business continuity. The remaining homework lies in understanding restore side effects, tightening operator permissions, and pressure‑testing recovery runbooks before an identity outage makes those plans more than academic. (barracuda.com, itpro.com, learn.microsoft.com)Source: SecurityBrief Australia Barracuda unveils Entra ID Backup Premium for secure recovery
