Recent updates to Microsoft Entra ID’s backup and restore capabilities introduce several new enumeration types and resource relationships to allow more granular control over what gets backed up, excluded, and tracked. These changes are live in the Microsoft Graph beta endpoint, giving admins new tools to refine backup policies for drives, mailboxes, and SharePoint sites—while also supporting bulk exclusion management and improved job visibility. If your organization is using or planning to leverage Entra backup storage, this article will walk you through the new capabilities, their impact, and practical admin actions.
WHAT’S CHANGING
- New Enumeration Types: exclusionUnitBulkJobStatus and backupPolicyProtectionMode, allowing tracking and configuration of bulk exclusion jobs and backup policy modes.
- New Resource Relationships: The backupRestoreRoot resource now includes direct relationships for:
  - driveExclusionUnits & driveExclusionUnitsBulkAdditionJobs
  - mailboxExclusionUnits & mailboxExclusionUnitsBulkAdditionJobs
  - siteExclusionUnits & siteExclusionUnitsBulkAdditionJobs
  - exclusionUnits (aggregate view)
- New Resource: driveExclusionUnit for fine-grained drive exclusion definitions.
These changes are available now in the Microsoft Graph beta API.
WHO’S AFFECTED
- Tenants using Microsoft Entra backup/restore features—especially those automating exclusions or using advanced backup policies for OneDrive, Exchange mailboxes, or SharePoint sites.
- Admins with permissions to configure backup policies—typically Global Administrators, Backup Administrators, or custom roles with backup management rights.
- Entra ID tenants integrating with Graph API for backup management—developers and admins using scripts or custom apps.
WHY IT MATTERS
- Granular Exclusion Control: You can now exclude individual drives, mailboxes, and sites from backup coverage, both singly and in bulk, with job status tracking.
- Bulk Operations Visibility: Track and manage the status of bulk exclusion jobs, improving operational transparency and troubleshooting.
- Backup Policy Modes: The new protection mode enumeration lets you tailor backup coverage for different organizational scenarios (e.g., selective vs. full backups).
- Operational Risk Reduction: Avoid accidental backups of unwanted or sensitive data, or optimize storage costs by excluding non-essential units.
WHAT TO DO
- Review Your Current Backup Policy: Assess if your current backup scope covers only required drives, mailboxes, and sites. Identify units to exclude.
- Update Exclusion Lists: Use the new relationships (driveExclusionUnits, mailboxExclusionUnits, siteExclusionUnits) to add or remove exclusions via the portal or Microsoft Graph API.
- Leverage Bulk Addition Jobs: For large-scale exclusions, create bulk addition jobs and monitor their exclusionUnitBulkJobStatus to ensure completion or handle failures.
- Adjust Protection Mode: Set the backupPolicyProtectionMode to match your data protection requirements (selective, full, etc.).
- Audit and Report: Use Microsoft.Graph PowerShell to inventory current exclusions, bulk job statuses, and backup policy modes.
CHECK IT YOURSELF
Audit Backup Policy and Exclusion Units via PowerShell
The following script inventories backup policies, protection modes, and exclusion units for drives, mailboxes, and sites. It supports pagination and error handling. All operations are read-only.
```powershell
# Requires Microsoft.Graph.Beta
# Connect to Graph Beta
Connect-MgGraph -Scopes "Backup.Read.All"

# Helper function for paginated requests: follows @odata.nextLink until exhausted
function Get-PaginatedGraphItems {
    param(
        [string]$Uri
    )
    $results = @()
    $nextLink = $Uri
    do {
        try {
            $response = Invoke-MgGraphRequest -Method GET -Uri $nextLink
            $results += $response.value
            $nextLink = $response.'@odata.nextLink'
        } catch {
            # ${nextLink} is braced so the trailing colon is not parsed as a scope/drive qualifier
            Write-Warning "Failed to query ${nextLink}: $_"
            break
        }
    } while ($nextLink)
    return $results
}

# Get backup policies and their protection modes
$backupPolicies = Get-PaginatedGraphItems -Uri "https://graph.microsoft.com/beta/backupRestore/backupPolicies"
foreach ($policy in $backupPolicies) {
    Write-Host "Backup Policy: $($policy.displayName)"
    Write-Host "Protection Mode: $($policy.backupPolicyProtectionMode)"

    # List exclusions for each policy
    foreach ($exclusionType in @("driveExclusionUnits", "mailboxExclusionUnits", "siteExclusionUnits")) {
        $exclusions = Get-PaginatedGraphItems -Uri "https://graph.microsoft.com/beta/backupRestore/backupPolicies/$($policy.id)/$exclusionType"
        Write-Host "$exclusionType excluded count: $($exclusions.Count)"
        foreach ($exclusion in $exclusions) {
            Write-Host " Excluded: $($exclusion.displayName) ($($exclusion.id))"
        }
    }

    # Check bulk addition job status
    foreach ($jobType in @("driveExclusionUnitsBulkAdditionJobs", "mailboxExclusionUnitsBulkAdditionJobs", "siteExclusionUnitsBulkAdditionJobs")) {
        $jobs = Get-PaginatedGraphItems -Uri "https://graph.microsoft.com/beta/backupRestore/backupPolicies/$($policy.id)/$jobType"
        foreach ($job in $jobs) {
            Write-Host "Bulk Job [$jobType]: $($job.id), Status: $($job.exclusionUnitBulkJobStatus)"
        }
    }
}
```
This script outputs the current backup policies, their protection modes, all exclusion units, and the status of any bulk addition jobs. It can be extended for more detailed reporting or export.
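One way to act on that inventory, as an added example that is not part of the original script or any Microsoft tooling: compare the exclusions currently in place against an approved baseline and report drift in both directions. The function name Compare-ExclusionBaseline, the Type/Id/DisplayName record shape, and every sample value below are assumptions constructed for illustration.

```powershell
# Added example (not from the article). Runs offline on constructed sample data.
function Compare-ExclusionBaseline {
    param(
        [object[]]$Current  = @(),   # what is excluded now: Type, Id, DisplayName
        [object[]]$Approved = @()    # what change control signed off: Type, Id
    )
    $cmp = [System.StringComparer]::OrdinalIgnoreCase
    $approvedKeys = [System.Collections.Generic.HashSet[string]]::new($cmp)
    $currentKeys  = [System.Collections.Generic.HashSet[string]]::new($cmp)

    # Key on "type|id" so the same id under a different unit type stays distinct
    foreach ($a in $Approved) { [void]$approvedKeys.Add("$($a.Type)|$($a.Id)") }

    foreach ($c in $Current) {
        $key = "$($c.Type)|$($c.Id)"
        [void]$currentKeys.Add($key)
        if (-not $approvedKeys.Contains($key)) {
            # Excluded from backup without approval: this unit is not protected
            [pscustomobject]@{ Finding = 'UnapprovedExclusion'; Type = $c.Type
                               Id = $c.Id; DisplayName = $c.DisplayName }
        }
    }
    foreach ($a in $Approved) {
        if (-not $currentKeys.Contains("$($a.Type)|$($a.Id)")) {
            # Approved exclusion that is no longer applied (stale baseline or rollback)
            [pscustomobject]@{ Finding = 'ApprovedButNotExcluded'; Type = $a.Type
                               Id = $a.Id; DisplayName = $null }
        }
    }
}

# Constructed sample input; in practice $current is built from the inventory output
$current = @(
    [pscustomobject]@{ Type = 'driveExclusionUnits';   Id = '00000000-0000-0000-0000-000000000001'; DisplayName = 'Scratch drive (sample)' }
    [pscustomobject]@{ Type = 'mailboxExclusionUnits'; Id = '00000000-0000-0000-0000-000000000002'; DisplayName = 'Finance shared mailbox (sample)' }
)
$approved = @(
    [pscustomobject]@{ Type = 'driveExclusionUnits'; Id = '00000000-0000-0000-0000-000000000001' }
    [pscustomobject]@{ Type = 'siteExclusionUnits';  Id = '00000000-0000-0000-0000-000000000003' }
)

$findings = @(Compare-ExclusionBaseline -Current $current -Approved $approved)
$findings | Sort-Object Finding, Type | Format-Table -AutoSize
# Signal drift to a scheduler or pipeline without terminating an interactive session
if ($findings.Count -gt 0) { $global:LASTEXITCODE = 1 }
```

With the sample data, the mailbox is reported as an unapproved exclusion and the site as approved but not excluded; the drive matches the baseline and produces no finding.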
PORTAL PATH
- Entra Admin Center: Backup & Restore → Backup Policies
- Select a backup policy → Exclusion Units (for drives, mailboxes, sites)
- Bulk Addition Jobs: Exclusion Units → Bulk Jobs
- Protection Mode: Backup Policy Settings
Note: Some features may only be visible for tenants enabled for backup/restore and may require admin permissions.
BOTTOM LINE
- Priority 1: Audit your current backup exclusions—ensure only the right units are excluded.
- Priority 2: Use bulk addition jobs for large-scale exclusion updates; monitor their status for operational assurance.
- Priority 3: Tune backup policy protection modes to fit business requirements.
- Priority 4: Update automation/scripts to use new relationships and enumeration types; avoid deprecated endpoints.
Granular exclusion and bulk job tracking are now must-have capabilities for any Entra admin managing backup and restore at scale. Review your policies and exclusions immediately for optimal compliance and risk posture.