Maintain control of your Microsoft 365 data
Denis I
Veeam Software
Posts: 12
Liked: never
Joined: May 05, 2014 2:49 pm
Full Name: Denis Ishchishin

Restrict Backup Admin Scope in Org

Post by Denis I »

Hi guys,

Is there a way to restrict org admin scope so that he can back up only some users/O365 groups?

Thanks!
tsanfilipp
Enthusiast
Posts: 30
Liked: never
Joined: Sep 19, 2016 3:49 pm
Full Name: Tim S
Location: Dallas, Texas
Contact:

Re: Restrict Backup Admin Scope in Org

Post by tsanfilipp »

I second this. There needs to be some kind of user access control list so that you can apply some level of security to the program.
Polina
Veeam Software
Posts: 2939
Liked: 681 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva
Contact:

Re: Restrict Backup Admin Scope in Org

Post by Polina »

Denis, Tim,

Are you specifically concerned with controlling access for backing up data, or with restricting the ability to preview backed-up data?
Denis I
Veeam Software
Posts: 12
Liked: never
Joined: May 05, 2014 2:49 pm
Full Name: Denis Ishchishin

Re: Restrict Backup Admin Scope in Org

Post by Denis I »

Hi Polina,

For backup. As for preview restriction, it would not mitigate security issues as I can explore any created backup anyway.

I know the current version of Veeam Backup for O365 does not allow for scope restrictions on its side.
I rather wonder if we could somehow limit admin rights on O365 side.

Thanks.
Polina
Veeam Software
Posts: 2939
Liked: 681 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva
Contact:

Re: Restrict Backup Admin Scope in Org

Post by Polina »

Denis,

My apologies for such a late response; however, I believe that later is better than never.

Can you limit admin rights on the O365 side? Yes, that's possible. To restrict backup access to certain SharePoint sites or OneDrive accounts, you can grant SharePoint site collection administrator permissions to the required sites via the SharePoint Online admin center, and also uncheck the SharePoint Server checkmark on the Add Organization step in VBO. Exchange Online backup can be controlled by configuring impersonation (setting up for an admin the scope of users allowed for backup).
Denis I
Veeam Software
Posts: 12
Liked: never
Joined: May 05, 2014 2:49 pm
Full Name: Denis Ishchishin

Re: Restrict Backup Admin Scope in Org

Post by Denis I »

Hi Polina, thanks for the reply.

My two cents here. For Exchange Online, when configuring impersonation for a limited number of users, you have to create an appropriate Management Scope first. This mechanism looks to have quite flexible options, among them OU-based filtering and much more. More info on Management Scopes here:
https://technet.microsoft.com/en-us/lib ... .150).aspx
https://docs.microsoft.com/en-us/powers ... xchange-ps
I will post an update here if we move forward with a specific implementation and get more details.
Polina
Veeam Software
Posts: 2939
Liked: 681 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva
Contact:

Re: Restrict Backup Admin Scope in Org

Post by Polina »

Thanks, Denis! Please keep us posted on the results.
josepcanyas
Lurker
Posts: 1
Liked: never
Joined: May 08, 2023 12:57 pm
Full Name: Jose Canas
Contact:

Re: Restrict Backup Admin Scope in Org

Post by josepcanyas »

Hello all,
Going a bit further on this topic, I want to know if we can scope the admin rights based on the permissions that are already set per country.
We need our Level 1 local admins to be allowed to back up and restore only the files that are under their country. We do not want to allow local IT managers to back up or restore any file that is not under their country.

Regards
Polina
Veeam Software
Posts: 2939
Liked: 681 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva
Contact:

Re: Restrict Backup Admin Scope in Org

Post by Polina »

Hi Jose and welcome to Veeam Forums,

AFAIK, globally this is not possible.

For Exchange backup, there's a workaround to set an app policy that will restrict app access to certain mailboxes based on your custom selection/rules, and VB365 will only back up those mailboxes that the app allows it to access. Though this will work per-VB365 server, because only one app can be used for registering an organization in VB365.

For restores, if you use the Restore Portal, you can configure restore operator roles that will restrict access for specific admins/users to certain objects. VB365 doesn't automatically provide the information on where this or that mailbox or site is located, so you will have to do this selection manually when setting up roles.

Makes sense?
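
The app-policy workaround described in the post above can be set up and checked with Exchange Online PowerShell. This is an added example, not code from any poster or from Veeam; the app ID, group address and mailbox names are constructed placeholders, and it assumes the ExchangeOnlineManagement module and an Exchange admin session.

```powershell
# Added example: every value below is a constructed placeholder, not taken from the thread.
$AppId      = '00000000-0000-0000-0000-000000000000'  # placeholder: client ID of the app registered in VB365
$ScopeGroup = 'vb365-backup-scope@contoso.example'    # placeholder: mail-enabled security group
$InScope    = @('alice@contoso.example')              # constructed: mailboxes the app may back up
$OutOfScope = @('bob@contoso.example')                # constructed: mailboxes that must stay unreachable

Connect-ExchangeOnline

# The policy is bound to a mail-enabled security group; create it if it does not exist yet.
if (-not (Get-DistributionGroup -Identity $ScopeGroup -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name 'VB365 Backup Scope' -Type Security `
        -PrimarySmtpAddress $ScopeGroup | Out-Null
}
foreach ($m in $InScope) {
    # Ignore "already a member" errors so the script can be re-run.
    Add-DistributionGroupMember -Identity $ScopeGroup -Member $m -ErrorAction SilentlyContinue
}

# RestrictAccess: the app can reach only mailboxes that are members of the group.
New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $ScopeGroup `
    -AccessRight RestrictAccess -Description 'Limit backup app to scoped mailboxes'

# Verify the effective decision for mailboxes on both sides of the boundary.
$checks = foreach ($m in ($InScope + $OutOfScope)) {
    $r = Test-ApplicationAccessPolicy -Identity $m -AppId $AppId
    [pscustomobject]@{
        Mailbox  = $m
        Expected = if ($InScope -contains $m) { 'Granted' } else { 'Denied' }
        Actual   = "$($r.AccessCheckResult)"
    }
}
$checks | Format-Table -AutoSize

# Fail loudly if any mailbox is reachable (or blocked) contrary to the intended scope.
if ($checks | Where-Object { $_.Expected -ne $_.Actual }) {
    Write-Error 'Application access policy does not match the intended backup scope.'
}
```

Re-run the verification loop whenever group membership changes, so that a mailbox added to or removed from the group does not silently widen or narrow what the backup app can read.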