MSP360 Products
Roles and Permissions in MSP360 Backup for Microsoft 365 and Google Workspace
Effective role and permission management is critical for maintaining the security and operational integrity of MSP360 Backup for Microsoft 365 and Google Workspace. A well-designed access control system not only prevents excessive permissions but also simplifies administration, distributes responsibility, and ensures compliance with standards like GDPR, HIPAA, and SOC2.
This guide explains the types of roles and permission levels in MSP360, how they function across two services — MBS (Managed Backup Service) and Standalone — how to delegate access securely to admins and end-users, and which common mistakes to avoid during configuration.
1. General Information about Roles and Permissions
- Role: Defines the user's level of access and responsibility (e.g., admin, sub-admin, end-user).
- Permission: Grants specific capabilities such as signing in, restoring, deleting, or managing backup data.
Why Roles and Permissions Matter
1.1. Protection against unauthorized access — each user must be granted only the level of access that is necessary for their responsibilities.
1.2. Compliance with security standards — proper role-based access control allows you to enforce separation of access and meet the requirements of regulations such as GDPR, and HIPAA.
1.3. Reducing the risk of errors — incorrectly assigned roles can lead to accidental restoration of outdated data or unauthorized deletion of data.
1.4. Simplifying auditing and management — properly assigned roles help quickly localize user actions, identify responsible individuals, and improve incident analysis.
Architecture Overview
In MSP360 Backup for M365/Google, access control is structured across three distinct levels. Each level is responsible for specific functions within its own environment. To configure access correctly, it is essential to understand where Microsoft or Google's responsibilities end and where MSP360’s control begins.
There are three levels of permissions:
- Permissions assigned in Microsoft 365 or Google Workspace
- Permissions in MSP360 Backup for Microsoft 365 / Google Workspace (M365/Google Backup)
- Permissions in MSP360 Managed Backup Service (MBS Console) — available only for MBS accounts, not available for MSP360 Standalone Backup for Microsoft 365/Google Workspace.
2.1 External Roles and Permissions in Microsoft 365 and Google Workspace
Microsoft and Google use their own role and access systems, which serve as the starting point when connecting a domain to MSP360. Once connected, MSP360 synchronizes user roles and permissions from Microsoft 365 or Google Workspace.
Roles in Microsoft 365:
- Global Administrator — this user has full access to all backup functions and data.He/she can add the domain to M365/Google Backup and perform an initial backup setup for users.
- User Administrator — can enable or disable backups for users.
Function | Level of access |
---|---|
Initial Backup Setup | ❌ Not allowed |
User Management | ✅ Allowed |
Access to Backup Pages | ⚠️ Limited |
Access to Backup Content | ❌ Not allowed |
Restore Function Access | ⚠️ Limited |
- User — can access the backup console. If additional permissions are granted in the M365/Google Backup console, users can see and manage their own backups.
To view user roles in Microsoft 365:
- Go to the Microsoft 365 Admin Center
- In the left navigation bar, select Users
- Click on Active Users
- Select any user from the list
- Open the Manage admin roles section to view available roles
Roles in Google Workspace:
- Super Admin — can add the domain to M365/Google Backup, install and configure the backup app, and perform initial configuration for user backups. This role provides unrestricted access to all backup features and data.
- User Management Admin — can manage user-level settings such as enabling/disabling user backups.
Function | Level of access |
---|---|
Initial Backup Setup | ❌ Not allowed |
User Management | ✅ Allowed |
Access to Backup Pages | ⚠️ Limited |
Access to Backup Content | ❌ Not allowed |
Restore Function Access | ⚠️ Limited |
- User — can access the M365/Google Backup console but can only view and manage their own backups.
To view user roles in Google Workspace:
- Open the Google Admin Console
- Select Directory from the left navigation bar
- Click Users
- Choose any user from the list
- In the user’s profile, click Roles and Privileges to see the assigned roles.
2.2 Managing Roles & Permissions in the M365/Google Backup
The M365/Google Backup provides role-based access control for users within a connected Microsoft 365 or Google Workspace domain. It defines who can view, configure, restore, or delete backup data. Misconfigured permissions can result in data leaks, SLA violations, or complete inability to restore data during incidents. This is especially critical in multi-tenant environments or when working with external contractors.
Roles in the M365/Google Backup
There are three main user roles in the console, synchronized from the source domain:
- Global Administrator — a user with the Global Administrator role in Microsoft 365 or the Super Admin role in Google Workspace.
- Global Administrator with a star — in Microsoft 365 environments, the first user to log in and configure backup is marked with a star icon. In Google Workspace, all Super Admins are marked with a star by default in the M365/Google Backup.
- Global Administrator with a star — in Microsoft 365 environments, the first user to log in and configure backup is marked with a star icon. In Google Workspace, all Super Admins are marked with a star by default in the M365/Google Backup.
- User Manager — corresponds to the User Administrator (Microsoft 365) or User Management Admin (Google Workspace).
- User — a user with no administrative role.
Permissions in the M365/Google Backup
Note: For users without Global Administrator (M365) or Super Admin (Google) roles, all permissions are disabled by default and must be manually enabled.
To find and configure permissions inside the M365/Google Backup:
- In the M365/Google Backup menu, go to Users
- Select any users or a group of users from the list
- On the right-hand panel, click the lock icon tab
- You will see the User Permissions section where you can enable/disable:
- Sign in — allows the user to log in to the M365/Google Backup
- Restore — allows the user to restore their own data
- An alternate Account is created to confirm actions inside the M365/Google Backup, for example: to delete an email.
If the user loses access to Microsoft 365 or Google Workspace, in this case, the alternate account with a password can be used to log in to the M365/Google Backup.When selecting this type of permission, you must enter an email in the Alternative email field.After that, a confirmation email will be sent to this address with a link that needs to be clicked. You will also be required to create a unique password.
- 2-Step Verification — This option adds an additional layer of protection for user access.
2.3 Managing Roles & Permissions in MSP360 Managed Backup Service (MBS Console)
Note: Available only for MBS accounts, not available for MSP360 Standalone Backup for Microsoft 365/ Google Workspace.
Roles in the MBS Console
In the MBS Console, there are two key types of users:
Backup Provider is the main account owner in the MBS Console. They manage client domains, assign sub-admins, and control settings. They can log in to the M365/Google Backup and their access is marked with a Provider badge.
Note: Backup Provider can access the user's M365/Google **Backup without entering domain credentials. Only after the initial setup is completed with Global Administrator credentials.
Function | Access Level |
---|---|
User management | ✅ |
Enabling/disabling backups | ✅ |
Restore to the same user | ✅ |
Restore to a different user | ❌ |
View backup contents | ❌ |
Export to PST | ❌ |
- Sub-Administrators — are assistants who can be granted permissions, such as access to specific companies, or they can manage only Microsoft 365/Google domains while having no access to user data.
Permissions in the MBS Console
Global admin access — grants administrators access to user backups and allows them to perform restore operations.
Note: This option is disabled by default.
To find and configure permissions in the MBS Console:
- In the MBS Console, select the M365/Google Backup tab
- Choose a domain from the list
- In the right-hand panel, click the Permission tab
- Check the box labeled Global admin access
To assign permissions to Sub-Administrators:
- In the MBS Console menu, go to the Organizations tab
- From the dropdown menu, select Administrators
- Select a user from the list of administrators
- In the right-hand panel, click the Permissions tab
- Check the box labeled Microsoft 365 / Google Workspace
- Click the Companies tab
- Choose either All Companies or select Specific Companies from the dropdown
- Click the Add button
3. Best Practices for Managing Roles and Permissions
- Principle of Least Privilege — assign only the necessary permissions. Avoid giving access “just in case.”
- Use service accounts for administration — create a dedicated account (e.g. backup.admin@company.com) and avoid using personal employee accounts.
- Enable permissions manually — by default, users cannot access the M365/Google Backup or perform restore operations unless the Sign-in and Restore permissions are explicitly enabled in their profile.
- Alternate Email — add an alternate email with a password to enable emergency access or allow for data deletion when needed.
- Regular audits — check roles regularly, disable outdated user accounts, and monitor who has restore permissions. Leaving former employees' accounts active can result in unauthorized access by attackers.

Conclusion
Properly configured roles and permissions in MSP360 Backup for Microsoft 365/Google Workspace are the foundation of a secure and reliable backup infrastructure. Whether you're operating in a multi-tenant MSP environment or a single-tenant company setup, clearly defined access levels help protect data, reduce risks, and ensure compliance with audit and security standards.
MSP360 offers flexible tools for managing access — from granular user-level permissions to administrative delegation at the domain or company level. Use these tools responsibly: limit access, monitor restore permissions, review roles periodically, and always configure Alternate Email for recovery and emergency cases.