Skip to content

Access model and Self-service

Afi Microsoft 365 backup has flexible and granular role model which allows to:

  • delegate backup administration to a group of trusted users (referred to as Backup Operators);
  • assign administrators with a limited access scope to manage and access specific resource groups;
  • enable limited self-service access for Microsoft 365 tenant users.

Role model granularity allows an administrator to grant only a limited set of permissions that will suit their own security and business needs - for example, the Backup Operator group can be configured to supervise backup progress and health as well as perform data recovery operations per user request, but with no access to export backup data. For security reasons, self-service is disabled by default and administrators should explicitly enable it if needed.

Afi access model

Afi adopts multi-tenant organizational and access model so you can add and manage several Microsoft 365, Google Workspace, or Kubernetes tenants under a single Afi account (organization). Afi access model is fully explicit and allows you to granularly configure access on any level (for an entire organization, for specific tenants, for resource groups or selected resources inside a tenant) thus following the principle of least privilege. Organizational access settings are managed on the Configuration → Admins tab and provide access to the entire Afi organization as well as all tenants in the organization, while per-tenant access settings are managed on the Service → Settings → Access groups tab.

By default, an Afi organization account is created with a single administrator - it's a user who set up the account. Organization administrators can be added or removed on the Configuration → Admins tab (see the Organization Administrators group) and have full access to the organization and all its tenants. Organization-level settings are described in the following article, while the current one focuses on tenant-level access settings specific for Microsoft 365 tenants.

Tenant Administrators group

Tenant Administrators have full access to a tenant, but, even with a single-tenant Afi organization, don't have access to organization-level settings such as licensing or organization-level access management or to the organization-level Afi audit log.

Info

Organization and tenant administrator access to the backup data can be limited either completely by disabling the data browse permission for a tenant or partially by limiting mail content preview and/or data download.

Backup operators group

Backup Operators group is a default access group for each Afi tenant and can be used to provide limited tenant-wide access to backup management, data access, recovery, and export. The screenshot below shows the Backup Operators group with a single member who can manage backups and backup SLA policies, browse backup data, and run in-place recovery.

Custom access groups

Custom access groups allows to create several administrator groups with limited permissions for a tenant as well as grant granular access to resources that belong to a specific Azure Active Directory group or to a manually selected set of resources. Access group members (users who are granted access through an access group) can either be configured manually by selecting users from the tenant scope or can be synchronized from an Azure Active Directory group inside the tenant. Custom access groups can also be configured to have a fixed lifetime (unlimited by default).

To configure a custom Access group please do the following:

  1. Go to the Service → Settings → Access groups tab
  2. Click on the +Group button to add a new group or select an existing group to edit its settings.
  3. Select the access scope (which resources the group members should have access to) in the prompted dialog. The following access scopes are supported:
    • All resources - Grants access to all resources and the corresponding settings within a tenant.
    • AAD Groups - Grants access to resources in selected AAD groups.
    • Custom - Grants access to selected resources.
  4. Choose group members which will have access to groups/resources from the access scope.
  5. Configure permissions to be granted to group members for groups/resources from the access scope.

Access groups with limited lifetime

In some cases, it is useful to configure an access group with a limited lifespan to provide access only during a specified time period. For example, you might want to grant temporary access to a set of resources during an internal investigation or audit. An access group lifetime can be changed via the Expiration date control in the botton of the access group configuration dialog.

Synchronizing access group members from an Azure Active Directory (Entra ID) group

Access group members can be synchronized from an Azure Active Directory group, thus enabling centralized access permissions management on the Azure Active Directory side with changes propagation to Afi. To create an access group and grant access to members from an Azure Active Directory group, select the AAD Group option in the dropdown in the Group members section and specify the group name. After such access group is created, you will need to trigger group members synchronization with Microsoft 365 for Afi to discover the group members (otherwise, members will be populated during a periodic synchronization performed by the service every 24 hours):

Once group members are synchronized from Microsoft 365, you will see them in the Group members section. Group membership changes are propagated to Afi once per 24 hours during periodic synchronizations with Microsoft 365.

Self-service access

Afi allows organization/tenant administrators to enable self-service for end-users in a tenant so that they can access their own backups in the Afi portal and perform data export/recovery on their own, without involving the administrators. Self-service users can access the Afi portal via Microsoft SSO with the corresponding user accounts from the Microsoft 365 tenant. Actions performed by self-service users, including backup data access, search queries, export and recovery jobs, are audited in the same way as for administrators/access group operators.

Self-service access can also be extended to SharePoint as well as to Group/Team sites owned by a user (sites where a user has the Site Collection Administrator role on the Microsoft 365 side).

Info

Self-service access for Afi tenants is disabled by default.

You can restrict self-service only to selected users or groups through the Azure Active Directory (Entra ID), please see this article for more details.

Permissions explained

Access Group permissions explained

PermissionDescription
Manage access Any access group member is able to change access settings within the tenant by creating new access groups or editing settings and members for existing ones.
Configure SLA Any access group member is able to create, modify or delete backup SLA policies within the tenant on the Service → Settings → SLA tab.
Assign SLA and initiate backup An access group member is able to assign backup SLA policies to resources within the group's access scope and configure auto-protection settings.
Browse backup data An access group member is able to browse backup data for all backups within the group's access scope, but can't export the data or preview email and chats content without additional permissions.
Preview email and chats content An access group member is able to preview email and chats content in all backups in the group's access scope.
In-place recovery An access group member can trigger a recovery operation that restores all selected items (for example, emails/files) from a backup to the same resource and to the same paths where they were during a backup. This recovery mode should be used with caution as it will overwrite files if they have been changed since the time when the backup was done.
Recovery to another folder An access group member is able to recover backup data to a separate folder/location inside a restore destination resource. This is the safest recovery option which guarantees that no data will be accidentally overwritten.
Recovery to another resource An access group is able to recover backup data to another resource. This option is enabled together with one of the following options: Recovery to another folder (default) or In-place recovery.
Data export An access group member is able to download backup data from all backups in the group's access scope.

Self-service permissions explained

PermissionDescription
Browse backup data Any user in a tenant is able to browse their own backup data, but can't export the data or preview email and chats content without additional permissions.
Preview email and chats content Any user in a tenant can preview email and chats content in their own backups.
Data export Any user in a tenant is able to download data from their own backup.
In-place recovery Any user in a tenant is able to recover their own data to its original location (recovery operation will reconstruct the original folder structure). This recovery mode should be used with caution as it will overwrite files if they have been changed since the time when the backup was done.
Recovery to another folder Any user in a tenant is able to recover their own data from any selected backup snapshot (for example, a month ago) to a separate folder inside their own account.
Recovery to another resource Any user in a tenant is able to recover their own data from any selected backup snapshot to another resource which they have access to on the Afi side (or to a new resource in case of a SharePoint site recovery to a new site).