Discussions related to Microsoft 365 protection.
Post Reply
warrenwh
Novice
Posts: 3
Liked: never
Joined: May 21, 2025 1:49 am
Full Name: Warren Jones
Contact:

Feature Request: Define what other "admin" users can access/browse

Post by warrenwh »

Hi Team,

Currently to allow another M365 user to access Outlook backups that are not their own, you create a role and either select "access user backups for entire tenancy" or "access user backups for selected groups" (or exclude specific groups). This level of role granularity is not convenient and doesn't accommodate security.

The scenario:
One of my branch managers wants to browse through the emails of a past employee. This employee left long ago and is no longer backed up. Therefore, the former employee no longer belongs to any current M365 group. How do you give the branch manager access to the mailbox backup without giving access to the entire tenancy backups? You can't.

Giving a user access to search the entire tenancy is very dangerous as it includes viewing emails of current employees and even senior management.

Having another security option to "Access to user backups for specific mailboxes" would be very helpful. Then when the picker box displays it can show ALL mailboxes in the entire Veeam repository to choose from.

Same should be available for old SharePoint sites or Teams.

Please consider.

Thanks,
Warren Jones
micoolpaul
VeeaMVP
Posts: 286
Liked: 136 times
Joined: Jun 29, 2015 9:21 am
Full Name: Michael Paul
Contact:

Re: Feature Request: Define what other "admin" users can access/browse

Post by micoolpaul »

Hi Warren,

Thank you for the feedback, this is noted. In the meantime as a workaround for such scenarios you could choose 'access user backups for selected groups' and include a group with only the specific ex-employees.
-------------
Michael Paul
Veeam Data Cloud Solution Engineer - M365 & Entra ID
mjr.epicfail
Veeam Legend
Posts: 518
Liked: 145 times
Joined: Apr 22, 2022 12:14 pm
Full Name: Danny de Heer
Contact:

Re: Feature Request: Define what other "admin" users can access/browse

Post by mjr.epicfail »

Maybe add something like VBR 13 security office role to still allow that employee access if needed
VMCE / Veeam Legend 2*
warrenwh
Novice
Posts: 3
Liked: never
Joined: May 21, 2025 1:49 am
Full Name: Warren Jones
Contact:

Re: Feature Request: Define what other "admin" users can access/browse

Post by warrenwh »

Hi Michael,

Remember in this scenario the domain user object doesn't exist, so it's not possible to put them into a new group.

Yes, for an existing employee you could create a group and add them to it. Not ideal to be making temporary groups and wouldn't do for this access - if at all.

If an employee needed access to a current user's mailbox, they would be delegated access in M365. If an email was deleted, the current target user could self-service and find it themselves.


Regards,
Warren
micoolpaul
VeeaMVP
Posts: 286
Liked: 136 times
Joined: Jun 29, 2015 9:21 am
Full Name: Michael Paul
Contact:

Re: Feature Request: Define what other "admin" users can access/browse

Post by micoolpaul »

Hi Warren,

It was ambiguous if the Entra ID object remained in a disabled state, which some organisations due for a period of time.

I've passed your feedback along as it's an interesting point you make!
-------------
Michael Paul
Veeam Data Cloud Solution Engineer - M365 & Entra ID
Post Reply

Who is online

Users browsing this forum: No registered users and 1 guest