How to automate Entra ID backup using EntraExporter and Azure DevOps

I was reading a Microsoft Entra article that mentioned the following: “Unintended deletions and misconfigurations will happen to your tenant.” The same Recoverability best practices article details the shared responsibilities between Microsoft, as your cloud service provider, and your organisation.

A review of this shows that businesses need to prepare for Business Continuity and Disaster Recovery activities for their identity tenant, not only for their workloads. Many third-party providers offer backup and recovery products. Entra Exporter is a free PowerShell module (published on the PowerShell Gallery as EntraExporter) that exports your Entra ID and Azure AD B2C configuration settings to local .json files. Note what it is and is not: it exports, it does not restore. Recovery means re-applying the captured settings by hand or by script, so the value of the export lies in having a versioned, diffable record of what the tenant looked like before a change.

Running Entra Exporter from an Azure DevOps pipeline automates the export on a schedule and, because each run commits the output to a Git repository, gives you a history in which every configuration change shows up as a diff. In this article I will walk you through how to set this up.

Create a private Azure DevOps project

  • In Azure DevOps (https://dev.azure.com) create a new project and give it a name. Keep the visibility set to Private: the exported .json files describe your Conditional Access policies, app registrations and other tenant settings, which is exactly the reconnaissance an attacker would want.

Assign the “Contribute” permission to the Build Service account

The pipeline runs as the project's Build Service identity (named “<Project> Build Service (<Organisation>)”), and that identity needs Contribute on the repository in order to push the exported files back. To assign the permission perform the following steps:

  • Project Settings > Repositories > Security
  • Under Users select the Build Service account
  • In the pane that opens on the right, use the drop-down to set the Contribute permission to “Allow”

Contribute is all the identity needs; do not grant it Force push or Manage permissions. If the target branch has branch policies, the push will also be rejected unless the Build Service is granted “Bypass policies when pushing”, or the pipeline pushes to a dedicated branch that a human merges.

Create a Workload Identity Federation Service Connection

Workload identity federation means the pipeline authenticates to Entra ID with a short-lived token issued to it through OIDC; no client secret or certificate is stored in Azure DevOps, so there is nothing to rotate and nothing to leak. In the Project created above, navigate to the following:

Project settings > Service connections > Create service connection > Azure Resource Manager > Workload Identity federation (automatic), the option the portal marks as Recommended

The automatic option creates an app registration and service principal in your tenant for you. Note the Application (client) ID shown on the service connection's details page; you will need it when granting Graph permissions.

The following screenshots give an idea of what it ought to look like:

Grant the following Graph permissions to the identity created

These are Microsoft Graph application permissions (not delegated ones) and must be granted to the app registration that the service connection created: in the Entra admin centre open App registrations > the service connection's app > API permissions > Add a permission > Microsoft Graph > Application permissions, add the list below, then choose Grant admin consent. Every permission in the list is read-only, which is the least privilege an export job needs; do not add any *.ReadWrite.* permission to this identity.

  • AccessReview.Read.All
  • Agreement.Read.All
  • APIConnectors.Read.All
  • Application.Read.All
  • Directory.Read.All
  • EntitlementManagement.Read.All
  • IdentityProvider.Read.All
  • IdentityUserFlow.Read.All
  • Organization.Read.All
  • Policy.Read.All
  • Policy.Read.PermissionGrant
  • PrivilegedAccess.Read.AzureAD
  • PrivilegedAccess.Read.AzureResources
  • User.Read.All
  • UserAuthenticationMethod.Read.All
  • AuditLog.Read.All
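Granting the list in the portal is a few clicks, but doing it in code is repeatable and lets you check on every run that nothing beyond these read-only roles has been assigned. The script below is an added example, not code from the article or from the EntraExporter project: it assigns exactly the permissions above to the service principal behind the service connection using the Microsoft Graph PowerShell SDK, and is idempotent. Assumptions: you pass the Application (client) ID from the service connection's details page (the parameter name ServiceConnectionAppId is my choice), you sign in as an administrator allowed to grant application permissions, and the Microsoft.Graph module is installed.

```powershell
<#
Added example (not from the original article or EntraExporter).
Assigns the read-only Microsoft Graph application permissions that Entra Exporter
needs to the service principal created by the DevOps service connection.
Assigning an app role directly to a service principal is what "Grant admin consent"
does under the hood, so no separate consent click is required.
#>
param(
    # Application (client) ID of the service connection's app registration (assumed input).
    [Parameter(Mandatory)] [string] $ServiceConnectionAppId
)

$requiredPermissions = @(
    'AccessReview.Read.All', 'Agreement.Read.All', 'APIConnectors.Read.All',
    'Application.Read.All', 'Directory.Read.All', 'EntitlementManagement.Read.All',
    'IdentityProvider.Read.All', 'IdentityUserFlow.Read.All', 'Organization.Read.All',
    'Policy.Read.All', 'Policy.Read.PermissionGrant', 'PrivilegedAccess.Read.AzureAD',
    'PrivilegedAccess.Read.AzureResources', 'User.Read.All',
    'UserAuthenticationMethod.Read.All', 'AuditLog.Read.All'
)

# Delegated scopes for the admin running this script: read apps, write app role assignments.
Connect-MgGraph -Scopes 'Application.Read.All', 'AppRoleAssignment.ReadWrite.All' -NoWelcome

# Microsoft Graph's own service principal (well-known appId) is the resource exposing the roles.
$graphSp  = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$targetSp = Get-MgServicePrincipal -Filter "appId eq '$ServiceConnectionAppId'"
if (-not $targetSp) { throw "No service principal found for appId $ServiceConnectionAppId" }

# Roles already assigned on Graph, so re-running the script changes nothing.
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $targetSp.Id -All |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    Select-Object -ExpandProperty AppRoleId

foreach ($permission in $requiredPermissions) {
    # Pick the *application* role with this value; delegated scopes live elsewhere.
    $role = $graphSp.AppRoles | Where-Object {
        $_.Value -eq $permission -and $_.AllowedMemberTypes -contains 'Application'
    }
    if (-not $role) {
        Write-Warning "Graph exposes no application permission named '$permission'; skipping"
        continue
    }
    if ($existing -contains $role.Id) {
        Write-Host "Already granted: $permission"
        continue
    }
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $targetSp.Id `
        -PrincipalId $targetSp.Id -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
    Write-Host "Granted: $permission"
}

# Least-privilege check: report anything on this principal that is not in the list.
$assigned = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $targetSp.Id -All |
    Where-Object { $_.ResourceId -eq $graphSp.Id }
foreach ($a in $assigned) {
    $value = ($graphSp.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }).Value
    if ($value -notin $requiredPermissions) { Write-Warning "Unexpected extra permission: $value" }
}
```

Run it once after the service connection exists, and again whenever you want to confirm the principal still carries only the read-only set; the final loop is the part worth keeping in a periodic check.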

Set up a DevOps pipeline

To create the pipeline perform the following:

  • Repos > Files > choose Initialize, so the repository has a default branch for the pipeline to commit to
  • Pipelines > Create Pipeline
  • Select Azure Repos Git and pick the repository you just initialised; start from the starter pipeline and replace its YAML with a scheduled job that runs Entra Exporter and commits the result
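The steps above leave you with an empty repository and a starter pipeline; what the pipeline actually runs is the part that matters. Below is an added example, not the article's own code nor EntraExporter's: the PowerShell script such a pipeline executes, with the pipeline YAML that invokes it shown in the header comment. Assumptions, all my own: the service connection is named 'EntraExporter-WIF', the script lives at scripts/Export-EntraBackup.ps1, the export goes into an entra-backup folder of the repo, the agent runs PowerShell 7 (pwsh: true) with a current Az module, and Export-Entra works against the Microsoft Graph SDK session that Connect-MgGraph establishes (the module's own Connect-EntraExporter helper is meant for interactive sign-in).

```powershell
<#
Added example (not from the original article or the EntraExporter project).
Assumed wiring in azure-pipelines.yml; names are illustrative:

  schedules:
  - cron: '0 2 * * *'            # nightly, UTC
    displayName: Nightly Entra ID configuration export
    branches: { include: [ main ] }
    always: true                 # run even if the repo has not changed
  steps:
  - checkout: self
    persistCredentials: true     # lets 'git push' reuse the job's repo token
  - task: AzurePowerShell@5
    inputs:
      azureSubscription: 'EntraExporter-WIF'   # the WIF service connection
      ScriptType: FilePath
      ScriptPath: scripts/Export-EntraBackup.ps1
      azurePowerShellVersion: LatestVersion
      pwsh: true
#>

$ErrorActionPreference = 'Stop'

# The AzurePowerShell task has already signed in Az with the federated identity.
# Exchange that session for a Microsoft Graph token; no client secret exists anywhere.
$graphToken = (Get-AzAccessToken -ResourceTypeName MSGraph -AsSecureString).Token

Install-Module EntraExporter -Scope CurrentUser -Force   # pulls Microsoft.Graph as a dependency
Connect-MgGraph -AccessToken $graphToken -NoWelcome

# Export into a folder inside the checked-out repo so git can diff consecutive runs.
$exportPath = Join-Path $env:BUILD_SOURCESDIRECTORY 'entra-backup'
Export-Entra -Path $exportPath      # see Get-Help Export-Entra -Full for the scope switches

Set-Location $env:BUILD_SOURCESDIRECTORY
git config user.email 'entra-backup@pipeline.invalid'
git config user.name  'Entra Exporter pipeline'
git add -- $exportPath

# Commit only when something changed: an empty commit per run would bury real drift.
git diff --cached --quiet
if ($LASTEXITCODE -ne 0) {
    $stamp = (Get-Date).ToUniversalTime().ToString('yyyy-MM-dd HH:mm')
    git commit -m "Entra ID configuration export $stamp UTC"
    # The checkout step leaves HEAD detached, so push explicitly to the source branch.
    git push origin "HEAD:$env:BUILD_SOURCEBRANCHNAME"
} else {
    Write-Host 'No configuration drift since the last export.'
}
```

Two things to watch. First, the push succeeds only because the Build Service was given Contribute earlier and persistCredentials is set; if the branch has policies, either grant “Bypass policies when pushing” or push to a dedicated branch and merge by review. Second, the commit history is now your drift log: a commit that appears outside a change window, or that touches Conditional Access policies, is worth an alert from whatever watches the repository.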

Conclusion

You have learnt how to automate your Entra ID backup using Entra Exporter and integrating this with Azure DevOps. Because every scheduled run commits the exported .json to a private repository, the commit history doubles as a record of configuration drift that you can diff, review and, when an unintended change does happen, use as the reference for putting the setting back.