1. Microsoft 365 admin roles
1.1. Default values for already existing customers
Customers created before August 7th 2024:
Users with the following Microsoft 365 admin roles are directly granted full admin rights in the Backup portal:
- Global Admin - needed for the first sign-in, to grant admin consent for the Nexetic backup applications
- Exchange Admin
- SharePoint Admin
Users with other admin roles - or end-users - can only access and download their own backups (Mail, OneDrive, Contacts, Calendar, Teams private chats). End Users can also track the progress of their own restore tasks in the Task Manager.
On August 7th 2024 we made a major update, adding an option to assign role-based access to either users or Entra ID groups. The Microsoft-based roles listed above remain as they are for existing customers, so SharePoint and Exchange Admins also still have full admin rights in the customer's backup environment. However, these rights can now be disabled or limited.
Note
You can never disable or limit admin access for the tenant's Global Admins. Any Global Admin account will get full admin rights in the Backup Portal.
1.2. Default values for new customers
Customers created August 7th 2024 onwards:
Only Global Admins will get full admin rights in the customer's backup environment. Additionally, SharePoint Admins will get rights to manage the company's SharePoint backups. All other admin roles need to be assigned separately for users or Entra ID groups. See Chapter 2 for more info.
2. Role-based access control (RBAC)
You can assign role-based access to either Users or Entra ID groups.
2.1. OPTION A) Assign Roles for Users
To assign admin roles for users, open the Users page and click the icon for the user you want to assign roles for. You can use the filter on the Role column to view users by their Role status. Users with any admin roles, whether based on Microsoft user roles or assigned on the Nexetic side, are indicated with a green role icon. Users without any roles are displayed with a grey role icon. Note that the Users page does not indicate whether a user is covered by a group-level role. Group-level roles can only be viewed on the 'Role-based Access Control' page.
Next, proceed to Section 2.3. of this support article to see the available admin role options.
2.2. OPTION B) Assign Roles for Groups
Admin roles can also be assigned by Entra ID groups. Group-level roles are directly applied to all users in the group. To assign a group-level access role, click your username at the top-right corner of the page and select Role-based access control.
You can see all the Entra ID groups for your tenant. You can Search for a group, Sort by group Name column or Filter by the Roles column.
Click the Roles icon to assign a role for the group.
Groups that have been assigned roles are indicated with a green Role icon under the group roles list.
2.3. Role options
The available access roles are listed below. They can be assigned for users or Entra ID groups, as explained above.
- Tenant-Wide Admin Access: Full admin rights with access to all users and pages. Can e.g. configure backups, view and restore users' data and data from SharePoint & Teams backup; i.e. the same rights as all Global Admins have.
  - Note that the tenant's Global Admins will always have the full M365 Admin role in the backup portal, and the role cannot currently be disabled or limited.
- Tenant-Wide Admin Access - Read Only: Full viewing rights with access to all users and pages. Can search data and download SharePoint & Teams files, Teams channel posts and Planners from backup.
  - Cannot configure backups or restore data.
- End User: Can view, search, download and restore their own data. Can also view the progress of their own restore tasks in the Task Manager.
- Limited Admin Access: To allow access to certain pages / actions only, you can select any of the following:
  - All users and their backups. View all users and their backups.
  - SharePoint. View and download SharePoint & Teams files.
  - Teams Channels. View and download Teams channel posts.
  - Planner. View and download Planners.
  - Backup/Restore. Restore data and initiate backups manually.
  - Configure backups. Enable backups for user and organization data. Access to both Settings and Users pages.
  - Audit Log. View, filter and sort all events in Audit Log.
To assign a role, click one of the four radio buttons. If you select 'Limited Admin Access', also select the relevant sub-roles by clicking the slide switches.
Note
In addition to what is allowed based on the assigned admin roles, any user - incl. End Users - can always view and download their own data from backup, including: Mail, OneDrive, Contacts, Calendar, and Teams private chats. End Users can also track the progress of their own restore tasks in the Task Manager.
Every time a user signs in to the backup portal, the system checks the Microsoft user role and whether any access roles have been assigned, on user or Entra ID group level. If any assigned roles exist, the access level is granted accordingly. If, for example, a Helpdesk Administrator has been granted the 'Planner' role, the user can only access their own backups and the organization's Planner backups.
If there are no assigned access roles in place, the access level is granted based on the Microsoft user roles. To see how the admin user roles are currently defined for older customers, and what the default setup is for new customers, check Chapter 1 of this support article.
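
The sign-in check described above, written out as a small model for reviewing which accounts end up with full admin rights and why. This is an added example, not Nexetic's code: the dictionary fields, the merging of user-level and group-level roles, and the mapping of the new-customer SharePoint Admin default to the 'SharePoint' permission are assumptions.

```python
from datetime import date

RBAC_RELEASE = date(2024, 8, 7)  # customers created before this keep the older defaults
FULL = "Tenant-Wide Admin Access"
OWN = "Own data"                 # every user can always view and download their own backups

def resolve(user, group_roles, customer_created):
    """Return (permissions, source) for one sign-in, following Chapters 1 and 2."""
    ms = set(user.get("ms_roles", ()))
    if "Global Admin" in ms:                      # can never be disabled or limited
        return {FULL, OWN}, "Global Admin"
    assigned = set(user.get("roles", ()))         # user-level roles
    for group in user.get("groups", ()):          # group-level roles apply to all members
        assigned |= set(group_roles.get(group, ()))  # assumption: roles are merged
    if assigned:                                  # assigned roles replace the defaults
        return assigned | {OWN}, "assigned role"
    if customer_created < RBAC_RELEASE:
        if ms & {"Exchange Admin", "SharePoint Admin"}:
            return {FULL, OWN}, "Microsoft role default"
    elif "SharePoint Admin" in ms:
        return {"SharePoint", OWN}, "Microsoft role default"  # assumed mapping
    return {OWN}, "end user"

def full_admins(users, group_roles, customer_created):
    """Map each account with full admin rights to the reason it has them."""
    found = {}
    for u in users:
        perms, source = resolve(u, group_roles, customer_created)
        if FULL in perms:
            found[u["upn"]] = source
    return found

# Constructed sample tenant (not real accounts or groups).
GROUP_ROLES = {"Backup-Auditors": ["Audit Log"]}
USERS = [
    {"upn": "ga@example.com", "ms_roles": ["Global Admin"], "roles": ["End User"]},
    {"upn": "exo@example.com", "ms_roles": ["Exchange Admin"]},
    {"upn": "spo@example.com", "ms_roles": ["SharePoint Admin"], "roles": ["SharePoint"]},
    {"upn": "help@example.com", "ms_roles": ["Helpdesk Administrator"], "roles": ["Planner"]},
    {"upn": "aud@example.com", "groups": ["Backup-Auditors"]},
]

if __name__ == "__main__":
    for label, created in (("existing", date(2023, 1, 1)), ("new", date(2024, 9, 1))):
        print(label, full_admins(USERS, GROUP_ROLES, created))
```

For a customer created before August 7th 2024, the unassigned Exchange Admin shows up as a full admin through the Microsoft role default, while the SharePoint Admin with an assigned role does not.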