Microsoft has added two new Entra ID admin roles for Microsoft 365 Backup.
- SharePoint Backup Administrator
- Exchange Backup Administrator
Back in September 2024, Microsoft already introduced the Microsoft 365 Backup Administrator role.
There are also some notes about this role in the documentation.
Only tenant-level admins can create and manage backups using Microsoft 365 Backup for their users. End users don’t have the ability to enable backup or restores for their user account, distribution lists, mailboxes, or sites. It’s important to note that your admin role determines which products you can manage with Microsoft 365 Backup. We have also introduced a new dedicated role for this tool, the Microsoft 365 Backup Administrator, that can control the entire tool.
Additionally, Microsoft provides a table that outlines the capabilities of each admin role.
The advantage of the new roles is that you can now assign backup and restore responsibilities directly to a dedicated backup team or specific accounts. This removes the need for support from SharePoint, Exchange, or Global admins. I also expect Microsoft to expand the permissions table to fully cover these new roles.
Note:
These two backup roles are new and may take some time to become fully active, as Microsoft has not yet officially communicated their availability.
To summarize all Microsoft 365 Backup roles.
Content
SharePoint Backup Administrator
The SharePoint Backup Administrator role is intended for users who manage and protect content in SharePoint and OneDrive using Microsoft 365 Backup.
With this role, they can create, edit, and manage backup configuration policies, as well as perform both full and granular backup and restore operations. This ensures content can be quickly recovered when needed.
The role grants the necessary permissions to safeguard organizational data in SharePoint and OneDrive while maintaining control over backup policies and restore processes.
Template ID: 9d3e04ba-3ee4-4d1b-a3a7-9aef423a09be
Role permissions:
microsoft.azure.serviceHealth/allEntities/allTasks
microsoft.azure.supportTickets/allEntities/allTasks
microsoft.backup/oneDriveForBusinessProtectionPolicies/allProperties/allTasks
microsoft.backup/oneDriveForBusinessRestoreSessions/allProperties/allTasks
microsoft.backup/restorePoints/sites/allProperties/allTasks
microsoft.backup/restorePoints/userDrives/allProperties/allTasks
microsoft.backup/sharePointProtectionPolicies/allProperties/allTasks
microsoft.backup/sharePointRestoreSessions/allProperties/allTasks
microsoft.backup/siteProtectionUnits/allProperties/allTasks
microsoft.backup/siteRestoreArtifacts/allProperties/allTasks
microsoft.backup/userDriveProtectionUnits/allProperties/allTasks
microsoft.backup/userDriveRestoreArtifacts/allProperties/allTasks
microsoft.office365.network/performance/allProperties/read
microsoft.office365.serviceHealth/allEntities/allTasks
microsoft.office365.supportTickets/allEntities/allTasks
microsoft.office365.usageReports/allEntities/allProperties/read
microsoft.office365.webPortal/allEntities/standard/read
Exchange Backup Administrator
The Exchange Backup Administrator role is designed for users who manage and safeguard Exchange Online data with Microsoft 365 Backup.
They can create, edit, and manage backup configuration policies for Exchange Online, as well as perform both full and granular backup and restore operations. This ensures mailbox content can be efficiently recovered when needed.
The role grants the required permissions to protect and restore organizational email data while maintaining control over backup policies and recovery processes.
Template ID: 49eb8f75-97e9-4e37-9b2b-6c3ebfcffa31
Role permissions:
microsoft.azure.serviceHealth/allEntities/allTasks
microsoft.azure.supportTickets/allEntities/allTasks
microsoft.backup/exchangeProtectionPolicies/allProperties/allTasks
microsoft.backup/exchangeRestoreSessions/allProperties/allTasks
microsoft.backup/restorePoints/userMailboxes/allProperties/allTasks
microsoft.backup/userMailboxProtectionUnits/allProperties/allTasks
microsoft.backup/userMailboxRestoreArtifacts/allProperties/allTasks
microsoft.office365.network/performance/allProperties/read
microsoft.office365.serviceHealth/allEntities/allTasks
microsoft.office365.supportTickets/allEntities/allTasks
Microsoft 365 Backup Administrator
Available since September 2024
The Microsoft 365 Backup Administrator role is intended for users who need full control over Microsoft 365 Backup across core services. With this role, they can manage all aspects of the backup solution, including creating, editing, and maintaining backup configuration policies for SharePoint, OneDrive, and Exchange Online. They are responsible for performing both full and granular backup and restore operations, ensuring organizational data can be quickly and securely recovered when needed.
Template ID: 1707125e-0aa2-4d4d-8655-a7c786c76a25
Role permissions:
microsoft.azure.serviceHealth/allEntities/allTasks
microsoft.azure.supportTickets/allEntities/allTasks
microsoft.backup/allEntities/allProperties/allTasks
microsoft.office365.network/performance/allProperties/read
microsoft.office365.serviceHealth/allEntities/allTasks
microsoft.office365.supportTickets/allEntities/allTasks
microsoft.office365.usageReports/allEntities/allProperties/read
microsoft.office365.webPortal/allEntities/standard/read
