Onboarding¶
This article will guide you through installing Afi SaaS Backup for Microsoft Azure for your tenant to protect Azure virtual machines, Azure SQL databases, and Azure PostgreSQL servers. You can learn more about Afi's backup and recovery features here and get an overview of Afi account setup as well as product use-cases here.
Info
You need to be an Entra ID Global Administrator to install the Afi application for your tenant.
Installation Steps¶
Log in and create an account¶
Go to the Afi sign-up page and log in to the Afi portal with your Microsoft 365 or Google user account to create an Afi organization account (this user will be selected as an Afi organization administrator).
Info
An Afi account can be created by any Google or Microsoft 365 user, but later, when you add a Microsoft Azure tenant under your Afi account, you will need to log in as an Entra ID Global Administrator during the tenant onboarding.
Grant the Afi application permissions to access the admin account profile for authentication purposes:
Create an Afi organization account:
Install the application and add a Microsoft Azure tenant¶
After creating an Afi account, you will be redirected to the Afi portal and prompted to add your first data source (tenant). Please select the Microsoft Azure option to launch the Microsoft Azure onboarding wizard.
The first step in the Microsoft Azure onboarding wizard is to select an Entra ID Global Administrator account for the tenant being onboarded. Next, proceed with granting application permission consent to authorize the Afi application to access the tenant. Once consent is granted, the Afi application will use the corresponding permissions to provision access for the Afi service principal to the Azure subscriptions owned by the administrator account that initiated the onboarding.
Info
If the administrator performing the onboarding has permissions to access the root management group of the Azure tenant, Afi will provision service principal role assignments directly at the Azure root management group level. This ensures that all existing and new subscriptions in the tenant inherit the corresponding role assignments, making them available for discovery and backup by Afi. Otherwise, Afi will provision service principal role assignments only for subscriptions where the administrator has the Owner role.
Please note that the Afi application installation is not linked to a specific administrator account. The application acts on behalf of the service principal to access Azure data, so it does not need to impersonate an administrator or user account. For this reason, if required later, you can safely delete the Entra ID Global Administrator user previously used to onboard the corresponding Microsoft Azure tenant.
However, if this Global Administrator user is the only Afi organization administrator, please ensure that you have invited other users as Afi account administrators before deleting the old administrator user.
After the permission consent is granted, you will be redirected back to the onboarding wizard. The service will check the application installation (usually it takes just a few seconds), provision the service principal access, and then suggest that you select a region and a default time zone for your tenant.
Select a region¶
As a final step, select the region where the tenant’s backup data will be stored and the default time zone. The following backup regions are available: the United States, Europe (Netherlands), the United Kingdom, Canada, and Australia. The selected time zone will be used for default backup schedule generation.
Info
You can check a tenant’s Afi region on the Service → Settings → Info tab in the Afi portal.
Info
An option to select several backup data locations for an Azure tenant is coming in the next Afi updates.
Wait for the initial Microsoft Azure resource discovery¶
After onboarding, Afi starts an initial discovery of Microsoft Azure resources. This can take up to a few minutes depending on the tenant size and the infrastructure complexity. When complete, you’ll be redirected to the Afi portal and receive an email notification that your tenant is ready. If anything goes wrong during this step, please contact the Afi Support.
Protect your data¶
Data protection and basic data access, search, export, and recovery scenarios are covered in our first steps guide.
How to add multiple tenants under an Afi account¶
Afi adopts a multi-tenant organizational and access model, allowing you to add and manage multiple Microsoft 365, Google Workspace, Microsoft Azure, Amazon Web Services, or Kubernetes tenants under a single Afi account (organization).
To add another tenant to your existing Afi account, click + Add data source in the dropdown at the top of the screen, select the tenant kind in the prompted dialog, and follow the wizard.