Setup¶
This guide explains how to authorize Afi access and set up Power Platform backup for your Microsoft 365 tenant. Afi relies on delegated permissions to synchronize Power Platform data and requires a user account with access to your Power Platform resources to impersonate during backup.
Info
Afi recommends creating a dedicated service user account for Power Platform backup so that it remains active regardless of personnel changes in your organization.
The account used for Power Platform data synchronization should be assigned at least the Application Administrator, Fabric Administrator, and Power Platform Administrator roles in Entra ID. It should also have active Power BI Pro, Power Automate for Office 365, and Power Apps for Office 365 licenses. The following sections explain how to assign the corresponding roles and licenses to the selected service user.
Configure Entra ID role assignments¶
To add the required role assignments to the service user, locate the user on the Users tab in Entra ID and go to the Assigned roles section on the user tab.
Click on the + Add assignments button and add an assignment for each of the Application Administrator, Fabric Administrator, and Power Platform Administrator roles.
Assign the licenses¶
You can review and assign the required Power BI Pro, Power Automate for Office 365, and Power Apps for Office 365 licenses to the service user in the Licenses section on the user tab.
Please note that the corresponding licenses are usually available as part of a larger product plan (for example, Microsoft 365 E3
). You can view the licenses provided by the plan by clicking on the corresponding row.
Authorize Power Platform access¶
To start protecting the Power Platform resources for your tenant, click on the Install button in the Power Platform section on the Service → Settings → Admin consent tab.
Then, sign in with the user account you want Afi to use for Power Platform data synchronization (this account can differ from your Afi administrator user) and grant consent for Afi to impersonate this user to access the Power Platform API.
Enable Power Platform backups¶
After Power Platform API access is granted, you can protect the Power Platform resource on the Service → Protection → Power Platform tab and run its first backup.
You can check the Power Platform setup status as well as the user that is used by Afi for Power Platform backup. If needed, you can reauthorize the Power Platform API access with the same or another user on the Service → Settings → Admin consent tab.
Warning
A user account used for Power Platform backup requires access to the Power Platform resources to download the Power Platform data. For this reason, Afi automatically adds this service user account as an Admin to all Power BI workspaces in your organization. When new workspaces are added or when the service user account's access to any workspace is accidentally revoked, Afi will add the missing role upon the next backup.
Grant access to personal workspaces (optional)¶
Due to Power Platform API specifics, Afi can automatically add the service user account as an Admin only to non-personal Power BI workspaces. To back up personal Power BI workspaces for the selected users as well, you need to manually grant access to their workspaces.
To do it, please log in to the Power BI Admin portal under the service user account used for Power Platform backup, go to the Workspaces tab, and manually grant access to the personal workspaces which you want to protect by clicking on the Get Access button in the workspace settings for each workspace.