Restrict Backup Admin Scope in Org

[Denis I]

Hi guys,

Is there a way to restrict org admin scope so that he can backup only some users/o365 groups?

Thanks!

[tsanfilipp]

I second this. There needs to be some kind of user access control list so that you can apply some level of security to the program.

[Polina]

Denis, Tim,

Are you specifically concerned in controlling an access for backing up data, or in restricting an ability to preview backed up data?

[Denis I]

Hi Polina,

For backup. As for preview restriction, it would not mitigate security issues as I can explore any created backup anyway.

I know the current version of Veeam Backup for O365 does not allow for scope restrictions on its side.
I rather wonder if we could somehow limit admin rights on O365 side.

Thanks.

[Polina]

Denis,

My apologies for the such a late response; however, I believe that later is better than never.

Can you limit admin rights on the O365 side? Yes, that's possible. To restrict backup access to certain SharePoint sites or OneDrive accounts, you can grant SharePoint site collection administrator permissions to the required sites via SharePoint Online admin center, and also uncheck SharePoint Server checkmark on the Add Organization step in VBO. Exchange Online backup can be controlled by configuring impersonation (setting up for an admin the scope of users allowed for backup).

[Denis I]

hi Polina, thanks for reply.

My two cents here. for Exchange online, when configuring impersonation for a limited nb of users you have to create appropriate Management Scope first. this mecanism looks to have quite flexible options, among them OU based filtering and much more. more infos on Management Scopes here:
https://technet.microsoft.com/en-us/lib ... .150).aspx
https://docs.microsoft.com/en-us/powers ... xchange-ps
I will post update here if we move forward with a specific implementation and get more details.

[Polina]

Thanks, Denis! Please keep us posted on the results.

[josepcanyas]

Hello all,
Going a bit further on this topic I want to know if we can scope the admin rights based on the permissions that are already set per country.
We do need that our Level 1 local admins are only allowed to backup and restore the files that are under their country. We do not want to allow to Local IT managers to backup or restore any file that is not under their country.

Regards

[Polina]

Hi Jose and welcome to Veeam Forums,

AFAIK, globally this is not possible.

For Exchange backup, there's a workaround to set an app policy that will restrict app access to certain mailboxes based on your custom selection/rules, and VB365 will only back up those mailboxes that the app allows it to access. Though this will work per-VB365 server, because only one app can be used for registering an organization in VB365.

For restores, if you use the Restore Portal, you can configure restore operator roles that will restrict access for specific admins/users to certain objects. VB365 doesn't provide automatically the information on where this or that mailbox or site is located, so you will have to do this selection manually when setting up roles.

Makes sense?