Afi Microsoft 365 backup application has flexible and granular role model which allows to:
- delegate backup administration to a group of trusted users (referred to as Backup Operators);
- assign administrators with a limited access scope to manage specific AAD (Azure Active directory) groups;
- enable limited self-service access for domain users.
Role model granularity allows an administrator to grant only a limited set of permissions that will suit their own security and business needs - for example, the Backup Operator group can be configured to supervise backup progress and health and perform restore per user request, but with no access to browse user data. For security reasons self-service is disabled by default and organisation administrator should explicitly enable it.
How to configure Administrator group
By default, an organisation account is created with a single administrator - it's a user who has set up the account. Organisation administrators can be added or removed at Configuration -> Admins tab and have the same level of permissions.
Administrator's access to the backup data can be limited either completely by restricting users' data browse option or partially by limiting mail content preview and/or data download.
Administrators are added by email and are required to have Google Workspace, Google Apps or Microsoft 365 business account to be able to sign-in to Afi application, but they don't need to belong to any of Google Workspace / Microsoft 365 domains managed by the application. For example, one can setup an Afi account with Microsoft 365 domain and add an additional administrator with Gmail account for backup purposes. For security reasons, a new administrator is added in two steps:
1. Organisation administrator invites a new administrator(s) and Afi service sends an email invitation with a sign-up link to their emails. At this point in time an invitee doesn't have an administrator access yet and needs to accept the invitation.
2. A user who received an email invitation accepts it by clicking on a link in the invitation email and logging in Afi control panel with their Google or Microsoft 365 account.
How to configure Backup Operator group
Backup Operator group is configured per Google Workspace or Microsoft 365 data source and is comprised of domain users trusted to perform a configured set of backup/restore/administration operations in the given tenant.
To configure Backup Operator group:
- Go to Service → Settings → Access groups;
- Click on Backup Operator section, add Backup Operator users and configure permissions in the prompted window, then press Save.
The screenshot below shows a Backup Operator group with 3 members (Backup Operators) who can configure and run backups, view backup data and run recovery to the same resource, but can't run recovery to another resource (User/Shared mailbox/Sharepoint site/Group/Team) or export the data.
How to configure a custom Access group:
Afi allows configuring custom Access groups that can be used to assign operators with limited access scope who manage only specific AAD groups or resources as well as to set up access groups with different sets of permissions for different admins. For example, Backup operators might manage user backups and monitor backup health, but don't have any access to the user data and a custom Access group might be created for compliance administrators who can view the user data.
To configure a custom Access group please do the following:
- Go to Service → Settings → Access groups tab
- Click on +Group button to add a new group or select an existing group to edit its settings
- Select access scope (which resources the group members should have access to) in the prompted dialogue. The following access scopes are supported:
- All resources - access to all resources and the corresponding settings in a tenant
- AAD Groups - access to selected AAD groups
- Custom - access to selected resources
- Choose group members which will have access to groups/resources from p3
- Configure permissions to be granted to group members for groups/resources from p3
How to configure Self Service access
To configure Self Service for end-users:
- Go to Service → Settings → Access groups;
- Click on Self service section and configure permissions in a prompted window, then press Save.
This example configuration allows any domain user to login in Afi application, browse and download their backup data and recover Mail, Drive, Contacts, Calendar or Chats content.
Once you enable self-service, all end-users will be able to log in to Afi service (app.afi.ai) using their Microsoft 365 credentials. You can restrict self-service to only selected users or groups through Azure Active Directory, please see this article for more details.
Access Groups permissions explained
- Configure SLA and initiate backup - a member of Access group is able to configure per-resource (User, Shared mailbox, SharePoint site, Team or Group) protection level (see Service → Settings → SLA for a full list of configured SLA policies) and the default protection level automatically assigned by Afi application for newly discovered domain resources.
- Access to backup data - a member of Access group is able to browse backup data (Mail, Drive, Contacts, Calendars, Chats) for all backups in group's access scope, but can't export the data or preview email content without additional permissions.
- Preview email content - a member of Access group is able to preview email content in all backups in their access scope.
- Data export - a member of Access group is able to download backup data from all backups in their access scope.
- Recovery to another folder - a member of Access group is able to recover backup data to a separate folder/location inside a restore destination resource (User, Shared mailbox, Sharepoint site, Group or Team). This is the safest recovery option which guarantees that no data will be accidentally overwritten.
- In-place recovery - a member of Access group can trigger a recovery operation that restores all items (for example, emails/files) in a backup at the same paths where they were during a backup. This recovery mode should be used with caution as it will overwrite files if they have been changed since the point in time when the backup was done.
- Recover to another resource - a member of Access group is able to recover backup data in another resource (User, Shared mailbox, Sharepoint site, Group or Team). This option is enabled together with one of the options Recovery to another folder (default) or In-place recovery.
Self-service permissions explained
- Access to backup data - any domain user is able to browse their own backup data including Mail, Drive, Contacts, Calendars and Chats backup content, but can't export the data or preview email content without additional permissions.
- Preview email content - any domain user can see email content in their own backups.
- Data export - any domain user is able to download data from their own backup.
- Recover to another folder - any domain user is able to recover their own data from any selected backup point in time (for example, a month ago) in a separate folder inside their own account.
- In-place recovery - any domain user is able to recover their own data to its original location (recovery operation will reconstruct the original folder structure). This recovery mode should be used with caution as it will overwrite files if they have been changed since the point in time when the backup was done.