Access management

Afi Microsoft Azure backup has a flexible and granular role model that allows you to:

  • delegate backup administration to a group of trusted users (referred to as Backup Operators);
  • assign administrators with a limited access scope to manage and access specific Azure resource groups.

Role model granularity allows an administrator to grant only a limited set of permissions tailored to their specific security and business needs. For example, the Backup Operator group can be configured to supervise backup progress and health, as well as perform data recovery operations per user request, but without access to volume content preview.

Afi access model

Afi adopts a multi-tenant organizational and access model, allowing you to add and manage multiple tenants (e.g., Microsoft Azure, Microsoft 365) under a single Afi account (organization). The Afi access model is fully explicit and enables granular configuration of access at any level, whether for an entire organization, specific tenants, resource groups, or selected resources within a tenant, adhering to the principle of least privilege.

Organizational access settings are managed on the Configuration → Admins tab, granting access to the entire Afi organization and all tenants within it. Per-tenant access settings are managed on the Service → Settings → Access groups tab.

By default, an Afi organization account is created with a single administrator, the user who set up the account. Organization administrators can be added or removed on the Configuration → Admins tab (see the Organization Administrators group) and have full access to the organization and all its tenants. Organization-level settings are described in a separate article; this article focuses on tenant-level access settings specific to Microsoft Azure tenants.

Access groups

To manage access to resources and settings within a tenant, you can either use the default access groups (Administrators and Backup operators) or configure custom access groups with limited access scope based on your use cases. The below sections describe access group types and available configuration options.

An administrator can invite any Microsoft 365 or Google (business or personal) user account as an access group member. After accepting the invitation, the user can access the tenant and the resources they were granted access to, and nothing else.

How to invite a member to a group?

An Afi administrator with the Manage access permission can invite a user to an access group by clicking the group tile, entering the user's primary email address in the input field of the Group members section, clicking the + icon, and then pressing Save.

After a user is invited, the Afi service sends an email invitation to join the corresponding access group via the link in the email. Each link is valid for 7 days; if you remove the user from the group and add them again, the old invitation link is invalidated and a new one is sent. To join the group, the user must follow the link and log in to the Afi portal with the account specified in the invitation; logging in with a different account does not grant access.

Administrators group

Tenant Administrators have full access to the tenant; however, even in a single-tenant Afi organization, they do not have access to organization-level settings such as licensing, organization-level access management, or the organization-level Afi audit log.

Info

Organization and tenant administrator access to backup data can be restricted either entirely by disabling the data browse permission for a tenant or partially by limiting volume content preview and/or data download.

Backup operators group

The Backup Operators group is a default access group for each Afi tenant and can be used to provide limited tenant-wide access to backup management, data access, recovery, and export. The screenshot below shows the Backup Operators group with a single member who can manage backups and backup SLA policies, browse backup data, and perform data recovery.

Custom access groups

Custom access groups allow the creation of multiple administrator groups with limited permissions for a tenant, as well as the ability to grant granular access to resources that belong to a specific Azure resource group or a manually selected set of resources. Custom access groups can also be configured to have a fixed lifetime, which is unlimited by default.

To configure a custom access group, please follow these steps:

  1. Go to the Service → Settings → Access groups tab.
  2. Click the + Group button to add a new group, or select an existing group to edit its settings.
  3. In the prompted dialog, select the access scope (i.e., the resources that group members should have access to). The following access scopes are supported:
    • All resources - Grants access to all resources and the corresponding settings within a tenant.
    • Resource Groups - Grants access to resources within the selected Azure resource groups. For convenience, resource groups are organized by the Azure subscription to which they belong.
    • Custom - Grants access to the selected resources.
  4. Choose group members who will have access to the groups/resources within the access scope.
  5. Configure permissions to be granted to group members for the groups/resources within the access scope.

Access groups with limited lifetime

In some cases, it is useful to configure an access group with a limited lifespan to provide access only for a specified time period. For example, you might want to grant temporary access to a set of resources during an internal investigation or audit. The lifespan of an access group can be modified using the Expiration date control at the bottom of the access group configuration dialog.

Permissions explained

Permission and what it grants:

  • Manage access: Tenant-wide. Any member of the group can change access settings within the tenant by creating new access groups or editing the settings and members of existing ones. Because this permission lets a member extend their own or others' access, grant it sparingly.
  • Configure SLA: Tenant-wide. Any member of the group can create, modify or delete backup SLA policies within the tenant on the Service → Settings → SLA tab.
  • Assign SLA and initiate backup: A member can assign backup SLA policies to resources within the group's access scope and configure auto-protection settings.
  • Browse backup data: A member can browse backup data for all backups within the group's access scope, but cannot export the data or preview volume content without the corresponding additional permissions.
  • Preview volume content: A member can preview volume content for all backups within the group's access scope.
  • Recovery to another resource: A member can recover a virtual machine within the group's access scope from a backup to a new virtual machine.
  • Data export: A member can download backup data from all backups within the group's access scope.
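To make the interplay between access scope, permission set and expiration date concrete, the following is an added illustrative model in Python. It is not Afi code and calls no Afi API; the tenant, groups, resources and dates are constructed for the example. It encodes the rules stated above: Manage access and Configure SLA apply tenant-wide, every other permission is only effective for resources inside the group's access scope (All resources, Resource Groups or Custom), Browse backup data does not imply Preview volume content or Data export, and a group past its expiration date grants nothing.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Iterable, Optional, Set, Tuple

# Permission names as they appear on the Access groups dialog.
MANAGE_ACCESS = "Manage access"
CONFIGURE_SLA = "Configure SLA"
ASSIGN_SLA = "Assign SLA and initiate backup"
BROWSE = "Browse backup data"
PREVIEW = "Preview volume content"
RECOVER = "Recovery to another resource"
EXPORT = "Data export"

# These two are tenant-wide and are not limited by the group's access scope.
TENANT_WIDE = frozenset({MANAGE_ACCESS, CONFIGURE_SLA})


@dataclass(frozen=True)
class Resource:
    subscription: str
    resource_group: str
    name: str


@dataclass(frozen=True)
class AccessGroup:
    name: str
    members: FrozenSet[str]
    permissions: FrozenSet[str]
    scope_kind: str  # "all", "resource_groups" or "custom"
    resource_groups: FrozenSet[Tuple[str, str]] = frozenset()  # (subscription, resource group)
    resources: FrozenSet[Resource] = frozenset()
    expires: Optional[date] = None  # None means unlimited lifetime (the default)

    def is_active(self, today: date) -> bool:
        return self.expires is None or today <= self.expires

    def covers(self, resource: Resource) -> bool:
        if self.scope_kind == "all":
            return True
        if self.scope_kind == "resource_groups":
            return (resource.subscription, resource.resource_group) in self.resource_groups
        if self.scope_kind == "custom":
            return resource in self.resources
        raise ValueError(f"unknown scope kind {self.scope_kind!r}")


def is_allowed(groups: Iterable[AccessGroup], user: str, permission: str,
               resource: Optional[Resource] = None, today: Optional[date] = None) -> bool:
    """Default deny: allowed only if some active group the user belongs to grants
    the permission and, for resource-scoped permissions, covers the resource."""
    today = today or date.today()
    for g in groups:
        if user not in g.members or not g.is_active(today) or permission not in g.permissions:
            continue
        if permission in TENANT_WIDE:
            return True
        if resource is None:
            raise ValueError(f"{permission!r} is resource-scoped; a resource is required")
        if g.covers(resource):
            return True
    return False


def effective_permissions(groups: Iterable[AccessGroup], user: str,
                          resource: Resource, today: date) -> Set[str]:
    """Union of everything the user's active groups grant on this resource."""
    all_perms = {MANAGE_ACCESS, CONFIGURE_SLA, ASSIGN_SLA, BROWSE, PREVIEW, RECOVER, EXPORT}
    return {p for p in all_perms if is_allowed(groups, user, p, resource, today)}


# Constructed sample tenant: the two default groups plus a time-limited custom group.
FINANCE_VM = Resource("sub-prod", "rg-finance", "vm-ledger-01")
HR_VM = Resource("sub-prod", "rg-hr", "vm-payroll-01")

SAMPLE_GROUPS = (
    AccessGroup("Administrators", frozenset({"alice@example.com"}),
                frozenset({MANAGE_ACCESS, CONFIGURE_SLA, ASSIGN_SLA, BROWSE, PREVIEW, RECOVER, EXPORT}),
                "all"),
    AccessGroup("Backup operators", frozenset({"bob@example.com"}),
                frozenset({CONFIGURE_SLA, ASSIGN_SLA, BROWSE, RECOVER}), "all"),
    # Auditor: browse only, finance resource group only, access ends 2024-06-30.
    AccessGroup("Finance audit", frozenset({"carol@example.com"}), frozenset({BROWSE}),
                "resource_groups", resource_groups=frozenset({("sub-prod", "rg-finance")}),
                expires=date(2024, 6, 30)),
)

if __name__ == "__main__":
    for who in ("alice@example.com", "bob@example.com", "carol@example.com"):
        print(who, sorted(effective_permissions(SAMPLE_GROUPS, who, FINANCE_VM, date(2024, 6, 1))))
```

Run as a script it prints each sample user's effective permissions on the finance VM as of 1 June 2024; swap the date past 30 June and the auditor's set becomes empty without any change to the group itself, which is the property a time-boxed investigation or audit group relies on.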