Skip to content

Onboarding

This article will guide you how to install Afi SaaS Backup for Microsoft Azure for your tenant to protect Azure virtual machines. You can learn more about Afi's backup and recovery features here and get an overview of Afi account setup as well as product use-cases here.

Info

You need to be an Entra ID Global Administrator to install the Afi application for your tenant.

Installation Steps

Log in and create an account

Go to the Afi sign-up page and log in to the Afi portal with your Microsoft 365 or Google user account to create an Afi organization account (this user will be selected as an Afi organization administrator).

Info

An Afi account can be created by any Google or Microsoft 365 user, but later, when you add a Microsoft Azure tenant under your Afi account, you will need to log in as an Entra ID Global Administrator during the tenant onboarding.

Grant the Afi application permissions to access the admin account profile for authentication purposes:

Create an Afi organization account:

Install the application and add a Microsoft Azure tenant

After creating an Afi account, you will be redirected to the Afi portal and prompted to add your first data source (tenant). Please select the Microsoft Azure option to launch the Microsoft Azure onboarding wizard.

The first step in the Microsoft Azure onboarding wizard is to select an Entra ID Global Administrator account for the tenant being onboarded. Next, proceed with granting application permission consent to authorize the Afi application to access the tenant. Once consent is granted, the Afi application will use the corresponding permissions to provision access for the Afi service principal to the Azure subscriptions owned by the administrator account that initiated the onboarding.

Info

If the administrator performing the onboarding has permissions to access the root management group of the Azure tenant, Afi will provision service principal role assignments directly at the Azure root management group level. This ensures that all existing and new subscriptions in the tenant inherit the corresponding role assignments, making them available for discovery and backup by Afi. Otherwise, Afi will provision service principal role assignments only for subscriptions where the administrator has the Owner role.

Please note that the Afi application installation is not linked to a specific administrator account. The application acts on behalf of the service principal to access Azure data, so it does not need to impersonate an administrator or user account. For this reason, if required later, you can safely delete the Entra ID Global Administrator user previously used to onboard the corresponding Microsoft Azure tenant.

However, if this Global Administrator user is the only Afi organization administrator, please ensure that you have invited other users as Afi account administrators before deleting the old administrator user.

After the permission consent is granted, you will be redirected back to the Afi portal. The service will check the application installation (usually it takes just a few seconds), provision the service principal access, and after that the service will suggest you to select a region and a default timezone for your tenant.

Select a region

As a final step, after the consent is granted, the Microsoft Azure onboarding wizard suggests to select a region where tenant metadata and backup data for the tenant will be stored and its default timezone. At the moment, the United States and Europe (Netherlands) regions are available for Azure tenants. Time zone settings will be used for default backup schedule generation.

Info

You can check an Afi region for a tenant on the Service → Settings → Info tab in the Afi portal.

Info

An option to select several backup data locations for an Azure tenant is coming in the next Afi updates.

Wait for an initial resource synchronization with Microsoft Azure

When the tenant onboarding is finished, Afi starts an initial resource (virtual machine) discovery, which can take up to a few minutes depending on the tenant size and the infrastructure complexity. Once complete, the service redirects you back to the Afi portal and sends an email notification indicating that your tenant is ready. If anything goes wrong during this step, please contact the Afi Support.

Protect your data

Data protection and basic data access, search, export, and recovery scenarios are covered in our first steps guide.

How to add multiple tenants under an Afi account

Afi adopts a multi-tenant organizational and access model, allowing you to add and manage multiple Microsoft 365, Google Workspace, Microsoft Azure, or Kubernetes tenants under a single Afi account (organization). To add another tenant to your existing Afi account, click the +Add data source button in the dropdown at the top of the screen, select the tenant kind in the prompted dialog, and follow the wizard.