Menu
Products
Products
Backup
M365/Google Backup
RMM
Connect
Other Products:
CloudBerry Explorer CloudBerry Drive
Contact Us Request a Quote Request a Demo All Products
Products
Products
Backup and recovery
Backup
Innovative backup software and cloud-based disaster recovery for strong data protection.
Free Backup
Personal Backup
Standalone Backup
For Business
Managed Backup
For MSPs and IT Departments
M365/Google Backup
Secure and reliable data protection for Microsoft 365 and Google Workspace
Microsoft 365
from $1.1/month per user
Google Workspace
from $1.1/month per user
Remote Monitoring and Management
RMM
A reliable remote monitoring and management solution designed to streamline IT administration.
RMM
from $59.99/month per admin
BUILT-IN
Managed Connect Included
MSP360 RMM includes the MSP360 Managed Connect license at no extra cost, allowing you to remotely access Windows devices directly from the web console.
Remote Access
Connect
A powerful tool to securely connect to desktops and servers and provide remote support.
Free Connect
Personal Use
Standalone Connect
One license is tied to one device for initiating remote connections.
For Business
Managed Connect
For MSPs and IT Departments
Other Products:
CloudBerry Explorer CloudBerry Drive
Contact Us Request a Quote Request a Demo All Products
MSP Platform
Pricing
Pricing
Business type
MSPs
Advanced backup, recovery, and endpoint management platform for MSPs to automate processes, proactively manage devices, and ensure reliable client data protection.
Internal IT
Reliable backup, recovery, and endpoint management for internal IT to safeguard business data, streamline device management, and maintain business continuity.
Products
Managed Backup
from $2.5 per month
M365/Google Backup
from $1.1/month per user
RMM
from $59.99/month per admin
Managed Connect
from $34.99/month per admin
Desktop
Backup
$5 $2.5/MONTH
Try Now
Resources
Resources
MSP360 Script Library
MSP University
Blog
Whitepapers and Assets
Videos
Webinars
Events
Customer Stories
Forum
Partners
Partners
Technology partners
AWS
Wasabi
Backblaze
Google Cloud
Microsoft Azure
Partners
Advantage Partner Program
Resellers
Distributors
Become a Partner
Company
Company
About
Legal Information
Careers
Contact Us
Trust Center
Events
Free Trial
MSP360 Backup MSP360 Connect MSP360 RMM
Downloads Free Backup CloudBerry Explorer CloudBerry Drive
Support US-Based Support My Cases Open a Case Knowledge Base Online Help
Contact Us 1-866-4-MSP360 1-415-301-7773
Sign In MSP360 Managed Backup Login CloudBerry Central
Other Guides

MSP360 Products

HIDE BAR SHOW BAR
LESSON 1
Set up MSP360 Managed Backup for Microsoft 365 and Google Workspace
LESSON 2
Set up MSP360 Standalone Backup for Microsoft 365 and Google Workspace
LESSON 3
Recover Microsoft 365 and Google Workspace with MSP365 Managed Backup
LESSON 4
Retention Policies in MSP360 Managed Backup for Microsoft 365 and Google Workspace
LESSON 5
Back up Microsoft 365 and Google Workspace with MSP360 Managed Backup
LESSON 6
How to Delete Data for Microsoft 365 or Google Workspace in MSP360 Managed Backup
LESSON 7
Roles and Permissions in MSP360 Backup for Microsoft 365 and Google Workspace
ON-DEMAND CONTENT
Downloadable Assets

Roles and Permissions in MSP360 Backup for Microsoft 365 and Google Workspace

Effective role and permission management is critical for maintaining the security and operational integrity of MSP360 Backup for Microsoft 365 and Google Workspace. A well-designed access control system not only prevents excessive permissions but also simplifies administration, distributes responsibility, and ensures compliance with standards like GDPR, HIPAA, and SOC2.

This guide explains the types of roles and permission levels in MSP360, how they function across two services — MBS (Managed Backup Service) and Standalone — how to delegate access securely to admins and end-users, and which common mistakes to avoid during configuration.

1. General Information about Roles and Permissions

  • Role: Defines the user's level of access and responsibility (e.g., admin, sub-admin, end-user).
  • Permission: Grants specific capabilities such as signing in, restoring, deleting, or managing backup data.

Why Roles and Permissions Matter

1.1. Protection against unauthorized access — each user must be granted only the level of access that is necessary for their responsibilities.

1.2. Compliance with security standards — proper role-based access control allows you to enforce separation of access and meet the requirements of regulations such as GDPR, and HIPAA.

1.3. Reducing the risk of errors — incorrectly assigned roles can lead to accidental restoration of outdated data or unauthorized deletion of data.

1.4. Simplifying auditing and management — properly assigned roles help quickly localize user actions, identify responsible individuals, and improve incident analysis.

Architecture Overview

In MSP360 Backup for M365/Google, access control is structured across three distinct levels. Each level is responsible for specific functions within its own environment. To configure access correctly, it is essential to understand where Microsoft or Google's responsibilities end and where MSP360’s control begins.

There are three levels of permissions:

  • Permissions assigned in Microsoft 365 or Google Workspace
  • Permissions in MSP360 Backup for Microsoft 365 / Google Workspace (M365/Google Backup)
  • Permissions in MSP360 Managed Backup Service (MBS Console) — available only for MBS accounts, not available for MSP360 Standalone Backup for Microsoft 365/Google Workspace.

2.1 External Roles and Permissions in Microsoft 365 and Google Workspace

Microsoft and Google use their own role and access systems, which serve as the starting point when connecting a domain to MSP360. Once connected, MSP360 synchronizes user roles and permissions from Microsoft 365 or Google Workspace.

Roles in Microsoft 365:

  • Global Administrator — this user has full access to all backup functions and data.He/she can add the domain to M365/Google Backup and perform an initial backup setup for users.
  • User Administrator — can enable or disable backups for users.
Function Level of access
Initial Backup Setup ❌ Not allowed
User Management ✅ Allowed
Access to Backup Pages ⚠️ Limited
Access to Backup Content ❌ Not allowed
Restore Function Access ⚠️ Limited
  • User — can access the backup console. If additional permissions are granted in the M365/Google Backup console, users can see and manage their own backups.

To view user roles in Microsoft 365:

  1. Go to the Microsoft 365 Admin Center
  2. In the left navigation bar, select Users
  3. Click on Active Users
  4. Select any user from the list
  5. Open the Manage admin roles section to view available roles

Roles in Google Workspace:

  • Super Admin — can add the domain to M365/Google Backup, install and configure the backup app, and perform initial configuration for user backups. This role provides unrestricted access to all backup features and data.
  • User Management Admin — can manage user-level settings such as enabling/disabling user backups.
Function Level of access
Initial Backup Setup ❌ Not allowed
User Management ✅ Allowed
Access to Backup Pages ⚠️ Limited
Access to Backup Content ❌ Not allowed
Restore Function Access ⚠️ Limited
  • User — can access the M365/Google Backup console but can only view and manage their own backups.

To view user roles in Google Workspace:

  1. Open the Google Admin Console
  2. Select Directory from the left navigation bar
  3. Click Users
  4. Choose any user from the list
  5. In the user’s profile, click Roles and Privileges to see the assigned roles.

2.2 Managing Roles & Permissions in the M365/Google Backup

The M365/Google Backup provides role-based access control for users within a connected Microsoft 365 or Google Workspace domain. It defines who can view, configure, restore, or delete backup data. Misconfigured permissions can result in data leaks, SLA violations, or complete inability to restore data during incidents. This is especially critical in multi-tenant environments or when working with external contractors.

Roles in the M365/Google Backup

There are three main user roles in the console, synchronized from the source domain:

  • Global Administrator — a user with the Global Administrator role in Microsoft 365 or the Super Admin role in Google Workspace.
    • Global Administrator with a star — in Microsoft 365 environments, the first user to log in and configure backup is marked with a star icon. In Google Workspace, all Super Admins are marked with a star by default in the M365/Google Backup.
      Global Admin image
  • User Manager — corresponds to the User Administrator (Microsoft 365) or User Management Admin (Google Workspace).
  • User — a user with no administrative role.

Permissions in the M365/Google Backup

Note: For users without Global Administrator (M365) or Super Admin (Google) roles, all permissions are disabled by default and must be manually enabled.

To find and configure permissions inside the M365/Google Backup:

  1. In the M365/Google Backup menu, go to Users
  2. Select any users or a group of users from the list
  3. On the right-hand panel, click the lock icon tab
  4. You will see the User Permissions section where you can enable/disable:
  • Sign in — allows the user to log in to the M365/Google Backup
  • Restore — allows the user to restore their own data
  • An alternate Account is created to confirm actions inside the M365/Google Backup, for example: to delete an email.If the user loses access to Microsoft 365 or Google Workspace, in this case, the alternate account with a password can be used to log in to the M365/Google Backup.When selecting this type of permission, you must enter an email in the Alternative email field.After that, a confirmation email will be sent to this address with a link that needs to be clicked. You will also be required to create a unique password.
  • 2-Step Verification  — This option adds an additional layer of protection for user access.

2.3 Managing Roles & Permissions in MSP360 Managed Backup Service (MBS Console)

Note: Available only for MBS accounts, not available for MSP360 Standalone Backup for Microsoft 365/ Google Workspace.

Roles in the MBS Console

In the MBS Console, there are two key types of users:

Backup Provider is the main account owner in the MBS Console. They manage client domains, assign sub-admins, and control settings. They can log in to the M365/Google Backup and their access is marked with a Provider badge.

MSP 360 Provider image

Note: Backup Provider can access the user's M365/Google **Backup without entering domain credentials. Only after the initial setup is completed with Global Administrator credentials.

Function Access Level
User management
Enabling/disabling backups
Restore to the same user
Restore to a different user
View backup contents
Export to PST
  • Sub-Administrators — are assistants who can be granted permissions, such as access to specific companies, or they can manage only Microsoft 365/Google domains while having no access to user data.

Permissions in the MBS Console

Global admin access — grants administrators access to user backups and allows them to perform restore operations.

Note: This option is disabled by default.

To find and configure permissions in the MBS Console:

  1. In the MBS Console, select the M365/Google Backup tab
  2. Choose a domain from the list
  3. In the right-hand panel, click the Permission tab
  4. Check the box labeled Global admin access

To assign permissions to Sub-Administrators:

  1. In the MBS Console menu, go to the Organizations tab
  2. From the dropdown menu, select Administrators
  3. Select a user from the list of administrators
  4. In the right-hand panel, click the Permissions tab
  5. Check the box labeled Microsoft 365 / Google Workspace
  6. Click the Companies tab
  7. Choose either All Companies or select Specific Companies from the dropdown
  8. Click the Add button

3. Best Practices for Managing Roles and Permissions

  1. Principle of Least Privilege — assign only the necessary permissions. Avoid giving access “just in case.”
  2. Use service accounts for administration — create a dedicated account (e.g. backup.admin@company.com) and avoid using personal employee accounts.
  3. Enable permissions manually — by default, users cannot access the M365/Google Backup or perform restore operations unless the Sign-in and Restore permissions are explicitly enabled in their profile.
  4. Alternate Email — add an alternate email with a password to enable emergency access or allow for data deletion when needed.
  5. Regular audits — check roles regularly, disable outdated user accounts, and monitor who has restore permissions. Leaving former employees' accounts active can result in unauthorized access by attackers.
Whitepaper Microsoft 365 icon
Microsoft 365 Data Loss in 2025: Statistics and Strategic Insights

You will learn:

  • The current state of data loss in Microsoft 365
  • The financial impact of data breaches
  • The primary causes behind Microsoft 365 data loss
New call-to-action

Conclusion

Properly configured roles and permissions in MSP360 Backup for Microsoft 365/Google Workspace are the foundation of a secure and reliable backup infrastructure. Whether you're operating in a multi-tenant MSP environment or a single-tenant company setup, clearly defined access levels help protect data, reduce risks, and ensure compliance with audit and security standards.

MSP360 offers flexible tools for managing access — from granular user-level permissions to administrative delegation at the domain or company level. Use these tools responsibly: limit access, monitor restore permissions, review roles periodically, and always configure Alternate Email for recovery and emergency cases.

MSP360 Backup for M365/Google
Сloud to cloud data protection for Microsoft 365 and Google Workspace
New call-to-action
Backup for M365/Google image