The Entra ID problem nobody plans for
A customer called me last year about a problem they had not seen coming. Someone on their team deleted an Entra ID app registration that 40 internal services depended on. The services started failing within minutes. They tried to restore the app registration from Azure backup.
Azure backup does not cover Entra ID. Microsoft has been clear about this in their documentation for years. The customer had not read it. Most teams have not. By the time they understood what they had lost, they had spent two days reconstructing the app registration manually from configuration files scattered across different teams.
That call shaped how I think about Azure protection. The native services Microsoft ships are useful primitives. They are not complete protection, and the gaps are in the places most teams assume are covered by default.
Where Azure's native services stop
Microsoft provides several native protection services and they are good at what they do. Azure Backup handles VM-level snapshots and file-level recovery. Azure Site Recovery handles failover orchestration. Azure SQL has automated backups with point-in-time recovery. Azure Blob Storage has versioning and immutability options. For many workloads these are the right starting point.
The gaps show up in five specific places that matter most when you actually need recovery.
Application consistency across complex workloads. Native VM snapshots are typically crash-consistent. For application-aware backup of multi-tier workloads, SAP HANA, or apps with custom quiesce requirements, you need a pre- and post-application framework that ensures filesystems and applications are properly quiesced. Not just snapshotted at whatever state the kernel happens to be in.
SaaS coverage. Azure native backup does not cover Microsoft 365 or Entra ID. Microsoft itself states explicitly that retention and recovery of these tenant-level objects is the customer's responsibility. Lose an Entra ID app registration or delete a SharePoint site and Microsoft will apply the action with no recovery path from Microsoft itself.
Cross-tenant and cross-subscription recovery. Native services work within a single Azure subscription. Recovering into a different subscription, tenant, or back to on-premises is operationally harder than it should be, especially during an incident when the source environment cannot be trusted.
Policy management at scale. Once hundreds of VMs span multiple resource groups and subscriptions, manually assigning backup policies becomes coverage-gap-by-attrition. The workloads that get missed are the ones an attacker or careless administrator will eventually destroy.
Cost predictability outside expected scenarios. Egress charges, retention tier transitions, and hidden costs of running native services across regions can surprise you on the wrong month, the one when you actually need to recover something significant.
Going beyond native does not mean abandoning native. It means treating native primitives as the foundation and adding coverage, consistency, and operational scale on top.
What complete Azure protection has to cover
| Azure Workload | Backup requirement |
| Azure VMs | Application-consistent snapshots, vDisk-level granular recovery |
| Managed Disks | Independent disk snapshots, cross-region restore |
| Azure SQL / SQL MI | Point-in-time recovery, retention beyond Azure defaults |
| Azure Blob Storage | Versioning, immutability, cross-region copies |
| Azure Files | File-level granular restore, snapshot-based incremental protection |
| Azure Kubernetes Service | Container, persistent volume, and namespace-level backup |
| SAP HANA on Azure | Application-aware backup, log integration, point-in-time restore |
| Microsoft 365 | Granular item recovery, cross-tenant restore, long-term retention |
| Microsoft Entra ID | Object-level recovery of users, groups, and app registrations |
What 'purpose-built for Azure' actually means
Vendors love the phrase. Four concrete tests separate the marketing from the architecture.
Native Azure VM-level snapshots. The backup service should use Azure's native snapshot mechanism, not vendor-side snapshots layered on top, so production impact stays near zero.
Microsoft Entra ID authentication. Authentication flows through Entra ID and inherits existing RBAC. A separate user database means parallel infrastructure to keep in sync.
Azure Marketplace distribution and Azure billing. Subscription flows through the Marketplace and bills against existing Azure commitments. Not a separate procurement and invoicing relationship.
Resource Group awareness for multi-tenancy. Different teams and business units live in different Resource Groups. The service should discover and honor that structure automatically, giving each team visibility only into their own resources.
What separates basic backup from operational-grade
Deploying backup is the easy part. The features that determine whether protection still works two years in, after dozens of new VMs and at least one organizational restructuring, are operational rather than functional. Four specific capabilities matter.
A custom application consistency framework. Standard Azure VM snapshots handle common apps. For SAP HANA, custom applications, or multi-tier workloads, a pre- and post-application framework lets you define how the filesystem or application should be prepared for backup. Without it, backups exist but the recovery story is brittle.
Tag-based automatic policy assignment. Define policies once, aligned to SLAs, then apply them automatically based on tags assigned during provisioning. A workload tagged production-tier-1 gets the tier-1 policy. A workload tagged dev gets the dev policy. Untagged workloads catch the default safety-net policy. Maximum coverage, minimum administrative burden.
Granular recovery. Recovery should let you choose what to restore at file, folder, VM, vDisk, or full application level, and where to restore it: original location, alternate VM, different Resource Group, different subscription, different region. The granularity matters most in compromise scenarios where you cannot trust the original environment.
Webhook-driven notifications into your existing ops stack. Critical backup events land in tools your team already uses: Slack, Microsoft Teams, ServiceNow. Not a separate console nobody monitors. Real-time alerting on protection failures is the difference between catching a problem early and discovering it during the restore.
Azure Government and regulated workloads
Federal agencies, defense contractors, and regulated industries have requirements beyond standard Azure backup. Three capabilities matter most.
Azure Government Cloud support. Protection has to operate within Azure Government, not just commercial Azure. For US federal customers this includes backing up on-premises data to Azure Government Blob Storage as archive or primary backup, from centralized data centers, edge sites, remote locations, and mobile infrastructure.
WORM-based ransomware protection with cloud-efficient deduplication. WORM storage prevents ransomware from encrypting backup copies. The cost challenge is that traditional dedupe appliances need significant compute and memory, which is expensive in cloud. We store only unique blocks on the cloud, which saves network, storage, and compute. Because retrieval does not require rehydration, restore performance is limited by network bandwidth alone.
FIPS 140 certification and customer-controlled data sovereignty. HYCU achieved FIPS 140-3 certification in 2025, meeting federal cryptographic module standards. Combined with the architectural commitment that customer data never leaves customer control, this matters for any organization under FedRAMP, ITAR, CMMC, or similar regulatory frameworks.
Common questions on Azure backup
Does Azure already include backup, or do I need a separate solution?
Azure includes native protection services that handle VM snapshots, file recovery, and DR orchestration for many scenarios. They do not cover Microsoft 365, Entra ID, or many enterprise application consistency requirements, and they have limitations around cross-tenant recovery and policy management at scale. Most enterprise environments need a layered approach: native primitives plus a third-party platform for full coverage.
How does Azure backup handle Microsoft 365 and Entra ID?
It does not. Microsoft's shared responsibility model places retention and recovery of Microsoft 365 data and Entra ID objects on the customer. Granular recovery of Exchange mailboxes, SharePoint sites, OneDrive content, Teams data, and Entra ID app registrations or users requires a third-party platform built for those workloads.
Can I use Azure as a DR target without paying for always-on infrastructure?
Yes. With cloud-native BaaS, backup copies sit continuously in Azure Blob Storage at low cost. Compute and high-performance storage only consume when a DR scenario is declared. Most of the year you pay for storage. On the rare day disaster strikes you pay for compute. A fraction of fully-provisioned standby cost.
What's the difference between Azure Backup and a dedicated BaaS platform?
Azure Backup is Microsoft's native service for protecting Azure VMs, Azure Files, and SQL workloads within Azure. A dedicated BaaS platform layers on top to add application-consistent backup across enterprise apps, SaaS coverage (Microsoft 365, Entra ID), centralized policy management across subscriptions and tenants, webhook integration, and cross-cloud DR. The two are complementary.
If you only do one thing
Audit your Microsoft 365 and Entra ID coverage today. List what is backed up, by what tool, and what would be required to recover an accidentally-deleted app registration, SharePoint site, or critical user. If the answer to any of those is "we'd reconstruct from scratch," you have a gap worth fixing before someone makes the mistake the customer in my opening did.
Get the newest insights and updates
By submitting, I agree to the HYCU Subscription Agreement , Terms of Usage , and Privacy Policy .
Thank you for submitting the form!
The file should open in a new tab. If it doesn't, click the button below for direct download.
You're all set!
Thanks for registering. The on-demand replay is ready to watch below.
Watch the replayThank you for subscribing!
You have successfully subscribed to our newsletter. You will receive a confirmation email shortly. Stay tuned for the latest insights and updates!