{"id":59969,"date":"2025-05-05T18:53:02","date_gmt":"2025-05-05T14:53:02","guid":{"rendered":"https:\/\/www.msp360.com\/resources\/?p=59969"},"modified":"2026-01-08T18:39:10","modified_gmt":"2026-01-08T14:39:10","slug":"msp360-backup-for-microsoft-365-and-google-workspace-roles-and-permission","status":"publish","type":"post","link":"https:\/\/www.msp360.com\/resources\/blog\/msp360-backup-for-microsoft-365-and-google-workspace-roles-and-permission\/","title":{"rendered":"Roles and Permissions in MSP360 Backup for Microsoft 365 and Google Workspace"},"content":{"rendered":"<p>This guide explains the types of roles and permission levels in MSP360, how they function across two services \u2014 MSP360 Backup for M365 \/ Google and MBS (Managed Backup Service) for M365 \/ Google \u2014 how to delegate access securely to admins and end-users, and which common mistakes to avoid during configuration.<br \/>\n<!--more--><br \/>\nEffective role and permission management is critical for maintaining the security and operational integrity of <a href=\"https:\/\/www.msp360.com\/saas-backup\/\">MSP360 Backup for Microsoft 365 and Google Workspace<\/a>. A well-designed access control system not only prevents excessive permissions but also simplifies administration, distributes responsibility, and ensures compliance with standards like GDPR, HIPAA, and SOC2.<\/p>\n<h2>1. General Information about Roles and Permissions<\/h2>\n<ul>\n<li><strong>Role:<\/strong> Defines the user's level of access and responsibility (e.g., admin, sub-admin, end-user).<\/li>\n<li><strong>Permission:<\/strong> Grants specific capabilities such as signing in, restoring, deleting, or managing backup data.<\/li>\n<\/ul>\n<h3>Why Roles and Permissions Matter<\/h3>\n<p>1.1. Protection against unauthorized access \u2014 each user must be granted only the level of access that is necessary for their responsibilities.<\/p>\n<p>1.2. 
Compliance with security standards \u2014 proper role-based access control allows you to enforce separation of access and meet the requirements of regulations such as GDPR and HIPAA.<\/p>\n<p>1.3. Reducing the risk of errors \u2014 incorrectly assigned roles can lead to accidental restoration of outdated data or unauthorized deletion of data.<\/p>\n<p>1.4. Simplifying auditing and management \u2014 properly assigned roles help quickly localize user actions, identify responsible individuals, and improve incident analysis.<\/p>\n<h3>Architecture Overview<\/h3>\n<p>In MSP360 Backup for M365\/Google, access control is structured across three distinct levels. Each level is responsible for specific functions within its own environment. To configure access correctly, it is essential to understand where <a href=\"https:\/\/get.msp360.com\/whitepaper\/protecting-your-org-s-microsoft-365-data-why-microsoft-isn-t-doing-it-for-you\">Microsoft<\/a> or <a href=\"https:\/\/www.msp360.com\/resources\/blog\/the-ultimate-guide-to-g-suite-backup-solutions-protect-your-data-with-expert-tips\/\">Google's<\/a> responsibilities end and where MSP360\u2019s control begins.<\/p>\n<p id=\"last\">There are three levels of permissions:<\/p>\n<ul>\n<li><strong>Permissions assigned in Microsoft 365 or Google Workspace<\/strong><\/li>\n<li><strong>Permissions in MSP360 Backup for Microsoft 365 \/ Google Workspace (M365\/Google Backup)<\/strong><\/li>\n<li><strong>Permissions in MSP360 Managed Backup Service (MBS Console)<\/strong> \u2014 available only for MBS accounts, not available for <a href=\"https:\/\/www.msp360.com\/saas-backup\/\">MSP360 Backup for Microsoft 365 \/ Google Workspace<\/a>.<\/li>\n<\/ul>\n<h2>2.1 External Roles and Permissions in Microsoft 365 and Google Workspace<\/h2>\n<p><a href=\"https:\/\/www.msp360.com\/saas-backup\/m365\/\">Microsoft<\/a> and <a href=\"https:\/\/www.msp360.com\/saas-backup\/google-workspace\/\">Google<\/a> use their own role and access systems, which serve as the <a href=\"https:\/\/www.msp360.com\/resources\/blog\/microsoft-365-and-google-g-suite-backup-in-msp360-mbs\/\">starting point<\/a> when connecting a domain to MSP360. 
Once connected, MSP360 <strong>synchronizes user roles and permissions<\/strong> from Microsoft 365 or Google Workspace.<\/p>\n<h3><strong>Roles in Microsoft 365:<\/strong><\/h3>\n<ul>\n<li><strong>Global Administrator<\/strong> \u2014 this user has full access to all backup functions and data, can add the domain to M365\/Google Backup, and can perform the initial backup setup for users.<\/li>\n<li><strong>User Administrator<\/strong> \u2014 can enable or disable backups for users.<\/li>\n<\/ul>\n<table>\n<thead>\n<tr>\n<th><strong>Function<\/strong><\/th>\n<th><strong>Level of access<\/strong><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Initial Backup Setup<\/td>\n<td>&#x274c; Not allowed<\/td>\n<\/tr>\n<tr>\n<td>User Management<\/td>\n<td>&#x2705; Allowed<\/td>\n<\/tr>\n<tr>\n<td>Access to Backup Pages<\/td>\n<td>&#x26a0;&#xfe0f; Limited<\/td>\n<\/tr>\n<tr>\n<td>Access to Backup Content<\/td>\n<td>&#x274c; Not allowed<\/td>\n<\/tr>\n<tr>\n<td>Restore Function Access<\/td>\n<td>&#x26a0;&#xfe0f; Limited<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<ul>\n<li><strong>User<\/strong> \u2014 can access the backup console. 
If additional permissions are granted in the M365\/Google Backup console, users can see and manage their own backups.<\/li>\n<\/ul>\n<p><strong>To view user roles in Microsoft 365:<\/strong><\/p>\n<ol>\n<li>Go to the Microsoft 365 Admin Center<\/li>\n<li>In the left navigation bar, select <strong>Users<\/strong><\/li>\n<li>Click on <strong>Active Users<\/strong><\/li>\n<li>Select any user from the list<\/li>\n<li>Open the <strong>Manage admin roles<\/strong> section to view available roles<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\" wp-image-60016\" src=\"\/wp-content\/uploads\/2025\/05\/image-79-300x192.png\" alt=\"\" width=\"1288\" height=\"824\" srcset=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2025\/05\/image-79-300x192.png 300w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2025\/05\/image-79-1024x655.png 1024w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2025\/05\/image-79-768x491.png 768w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2025\/05\/image-79-624x399.png 624w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2025\/05\/image-79.png 1149w\" sizes=\"auto, (max-width: 1288px) 100vw, 1288px\" \/><\/li>\n<\/ol>\n<h3><strong>Roles in Google Workspace:<\/strong><\/h3>\n<ul>\n<li><strong>Super Admin<\/strong> \u2014 can add the domain to M365\/Google Backup, install and configure the backup app, and perform initial configuration for user backups. 
This role provides unrestricted access to all backup features and data.<\/li>\n<li><strong>User Management Admin<\/strong> \u2014 can manage user-level settings such as enabling\/disabling user backups.<\/li>\n<\/ul>\n<table>\n<thead>\n<tr>\n<th><strong>Function<\/strong><\/th>\n<th><strong>Level of access<\/strong><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Initial Backup Setup<\/td>\n<td>&#x274c; Not allowed<\/td>\n<\/tr>\n<tr>\n<td>User Management<\/td>\n<td>&#x2705; Allowed<\/td>\n<\/tr>\n<tr>\n<td>Access to Backup Pages<\/td>\n<td>&#x26a0;&#xfe0f; Limited<\/td>\n<\/tr>\n<tr>\n<td>Access to Backup Content<\/td>\n<td>&#x274c; Not allowed<\/td>\n<\/tr>\n<tr>\n<td>Restore Function Access<\/td>\n<td>&#x26a0;&#xfe0f; Limited<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<ul>\n<li><strong>User<\/strong> \u2014 can access the M365\/Google Backup console but can only view and manage their own backups.<\/li>\n<\/ul>\n<p><strong>To view user roles in Google Workspace:<\/strong><\/p>\n<ol>\n<li>Open the <strong>Google Admin Console<\/strong><\/li>\n<li>Select <strong>Directory<\/strong> from the left navigation bar<\/li>\n<li>Click <strong>Users<\/strong><\/li>\n<li>Choose any user from the list<\/li>\n<li>In the user\u2019s profile, click <strong>Roles and Privileges<\/strong> to see the assigned roles.<img loading=\"lazy\" decoding=\"async\" class=\" wp-image-59972\" src=\"\/wp-content\/uploads\/2025\/05\/image-68-300x169.png\" alt=\"\" width=\"1338\" height=\"754\" srcset=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2025\/05\/image-68-300x169.png 300w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2025\/05\/image-68-1024x576.png 1024w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2025\/05\/image-68-768x432.png 768w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2025\/05\/image-68-624x351.png 624w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2025\/05\/image-68.png 1073w\" sizes=\"auto, (max-width: 1338px) 100vw, 
1338px\" \/><\/li>\n<\/ol>\n<h2>2.2 Managing Roles &amp; Permissions in the M365\/Google Backup<\/h2>\n<p>The M365\/Google Backup provides role-based access control for users within a connected Microsoft 365 or Google Workspace domain. It defines who can view, configure, <a href=\"https:\/\/www.msp360.com\/resources\/blog\/google-g-suite-and-microsoft-365-recovery-with-msp360-managed-backup-service\/\">restore<\/a>, or delete backup data. Misconfigured permissions can result in data leaks, <a href=\"https:\/\/www.msp360.com\/resources\/blog\/why-slas-are-important-and-necessary\/\">SLA violations<\/a>, or complete inability to restore data during incidents. This is especially critical in multi-tenant environments or when working with external contractors.<\/p>\n<h3><strong>Roles in the M365\/Google Backup<\/strong><\/h3>\n<p>There are three main user roles in the console, synchronized from the source domain:<\/p>\n<ul>\n<li><strong>Global Administrator<\/strong> \u2014 a user with the Global Administrator role in Microsoft 365 or the Super Admin role in Google Workspace.\n<ul>\n<li><strong>Global Administrator with a star<\/strong> \u2014 in Microsoft 365 environments, the first user to log in and configure backup is marked with a star icon. 
In Google Workspace, all <strong>Super Admins<\/strong> are marked with a star by default in the M365\/Google Backup.<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\" wp-image-60020\" src=\"\/wp-content\/uploads\/2025\/05\/image-80-300x89.png\" alt=\"Global Admin image\" width=\"667\" height=\"198\" srcset=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2025\/05\/image-80-300x89.png 300w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2025\/05\/image-80-768x227.png 768w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2025\/05\/image-80-624x185.png 624w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2025\/05\/image-80.png 905w\" sizes=\"auto, (max-width: 667px) 100vw, 667px\" \/><\/li>\n<\/ul>\n<\/li>\n<li><strong>User Manager<\/strong> \u2014 corresponds to the User Administrator (Microsoft 365) or User Management Admin (Google Workspace).<\/li>\n<li><strong>User<\/strong> \u2014 a user with no administrative role.<\/li>\n<\/ul>\n<h3><strong>Permissions in the M365\/Google Backup<\/strong><\/h3>\n<blockquote><p><em><strong>Note:<\/strong> For users without Global Administrator (M365) or Super Admin (Google) roles, all permissions are disabled by default and must be manually enabled.<\/em><\/p><\/blockquote>\n<p>To find and configure permissions inside the M365\/Google Backup:<\/p>\n<ol>\n<li>In the M365\/Google Backup menu, go to <strong>Users<\/strong><\/li>\n<li>Select a user or a group of users from the list<\/li>\n<li>On the right-hand panel, click the <strong>lock icon tab<\/strong><\/li>\n<li>You will see the <strong>User Permissions<\/strong> section where you can enable\/disable:<\/li>\n<\/ol>\n<ul>\n<li><strong>Sign in<\/strong> \u2014 allows the user to log in to the M365\/Google Backup<\/li>\n<li><strong>Restore<\/strong> \u2014 allows the user to restore their own data<img loading=\"lazy\" decoding=\"async\" class=\" wp-image-59974\" src=\"\/wp-content\/uploads\/2025\/05\/image-70-300x168.png\" 
alt=\"\" width=\"1291\" height=\"723\" srcset=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2025\/05\/image-70-300x168.png 300w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2025\/05\/image-70-1024x574.png 1024w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2025\/05\/image-70-768x431.png 768w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2025\/05\/image-70-624x350.png 624w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2025\/05\/image-70.png 1072w\" sizes=\"auto, (max-width: 1291px) 100vw, 1291px\" \/><\/li>\n<li><strong>Alternate account<\/strong> \u2014 created to confirm actions inside the M365\/Google Backup, for example, deleting an email.<img loading=\"lazy\" decoding=\"async\" class=\" wp-image-59975\" src=\"\/wp-content\/uploads\/2025\/05\/image-71-300x168.png\" alt=\"\" width=\"1321\" height=\"740\" srcset=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2025\/05\/image-71-300x168.png 300w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2025\/05\/image-71-1024x573.png 1024w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2025\/05\/image-71-768x430.png 768w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2025\/05\/image-71-624x349.png 624w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2025\/05\/image-71.png 1070w\" sizes=\"auto, (max-width: 1321px) 100vw, 1321px\" \/> If the user <strong>loses access<\/strong> to Microsoft 365 or Google Workspace, the alternate account and its password can be used to log in to the M365\/Google Backup. When selecting this type of permission, you must enter an <strong>email<\/strong> in the <strong>Alternative email<\/strong> field. After that, a confirmation email is sent to this address with a link that <strong>needs to be clicked<\/strong>. 
You will also be required to create a <strong>unique password<\/strong>.<img loading=\"lazy\" decoding=\"async\" class=\" wp-image-59976\" src=\"\/wp-content\/uploads\/2025\/05\/image-72-300x168.png\" alt=\"\" width=\"1314\" height=\"736\" srcset=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2025\/05\/image-72-300x168.png 300w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2025\/05\/image-72-1024x574.png 1024w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2025\/05\/image-72-768x430.png 768w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2025\/05\/image-72-624x350.png 624w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2025\/05\/image-72.png 1073w\" sizes=\"auto, (max-width: 1314px) 100vw, 1314px\" \/><\/li>\n<li><strong>2-Step Verification<\/strong> \u2014 adds an additional layer of protection for user access.<\/li>\n<\/ul>\n<h2>2.3 Managing Roles &amp; Permissions in MSP360 Managed Backup Service (MBS Console)<\/h2>\n<blockquote><p><em><strong>Note:<\/strong><\/em> Available only for MBS accounts, not available for <a href=\"https:\/\/www.msp360.com\/saas-backup\/managed-backup-microsoft365-google-workspace\/\">MSP360 Managed Backup for Microsoft 365 \/ Google Workspace.<\/a><\/p><\/blockquote>\n<h3><strong>Roles in the MBS Console<\/strong><\/h3>\n<p>In the MBS Console, there are two key types of users:<\/p>\n<p><strong>Backup Provider<\/strong> is the main account owner in the MBS Console. They manage client domains, assign sub-admins, and control settings. 
They can log in to the M365\/Google Backup and their access is marked with a <strong>Provider<\/strong> badge.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-60018\" src=\"\/wp-content\/uploads\/2025\/05\/image-77-239x300.png\" alt=\"MSP 360 Provider image\" width=\"402\" height=\"505\" srcset=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2025\/05\/image-77-239x300.png 239w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2025\/05\/image-77.png 272w\" sizes=\"auto, (max-width: 402px) 100vw, 402px\" \/><\/p>\n<blockquote><p><em><strong>Note:<\/strong> The Backup Provider can access the user's M365\/Google Backup without entering domain credentials, but only after the initial setup is completed with Global Administrator credentials.<\/em><\/p><\/blockquote>\n<table>\n<thead>\n<tr>\n<th><strong>Function<\/strong><\/th>\n<th><strong>Access Level<\/strong><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>User management<\/td>\n<td>&#x2705;<\/td>\n<\/tr>\n<tr>\n<td>Enabling\/disabling backups<\/td>\n<td>&#x2705;<\/td>\n<\/tr>\n<tr>\n<td>Restore to the same user<\/td>\n<td>&#x2705;<\/td>\n<\/tr>\n<tr>\n<td>Restore to a different user<\/td>\n<td>&#x274c;<\/td>\n<\/tr>\n<tr>\n<td>View backup contents<\/td>\n<td>&#x274c;<\/td>\n<\/tr>\n<tr>\n<td>Export to PST<\/td>\n<td>&#x274c;<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<ul>\n<li><strong>Sub-Administrators<\/strong> \u2014 assistants who can be granted permissions, such as access to specific companies, or who can manage only Microsoft 365\/Google domains while having no access to user data.<\/li>\n<\/ul>\n<h3><strong>Permissions in the MBS Console<\/strong><\/h3>\n<p><strong>Global admin access<\/strong> \u2014 grants administrators access to user backups and allows them to perform restore operations.<\/p>\n<blockquote><p><em><strong>Note:<\/strong> This option is disabled by default.<\/em><\/p><\/blockquote>\n<h3><strong>To find and configure permissions in the MBS 
Console:<\/strong><\/h3>\n<ol>\n<li>In the <strong>MBS Console<\/strong>, select the <strong>M365\/Google Backup<\/strong> tab<\/li>\n<li>Choose a domain from the list<\/li>\n<li>In the right-hand panel, click the <strong>Permission<\/strong> tab<\/li>\n<li>Check the box labeled <strong>Global admin access<\/strong><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-59978\" src=\"\/wp-content\/uploads\/2025\/05\/image-74-300x168.png\" alt=\"\" width=\"1464\" height=\"820\" srcset=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2025\/05\/image-74-300x168.png 300w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2025\/05\/image-74-1024x574.png 1024w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2025\/05\/image-74-768x431.png 768w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2025\/05\/image-74-624x350.png 624w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2025\/05\/image-74.png 1072w\" sizes=\"auto, (max-width: 1464px) 100vw, 1464px\" \/><\/li>\n<\/ol>\n<h3><strong>To assign permissions to Sub-Administrators:<\/strong><\/h3>\n<ol>\n<li>In the <strong>MBS Console<\/strong> menu, go to the <strong>Organizations<\/strong> tab<\/li>\n<li>From the dropdown menu, select <strong>Administrators<\/strong><\/li>\n<li>Select a user from the list of administrators<\/li>\n<li>In the right-hand panel, click the <strong>Permissions<\/strong> tab<\/li>\n<li>Check the box labeled <strong>Microsoft 365 \/ Google Workspace<br \/>\n<\/strong><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-59979\" src=\"\/wp-content\/uploads\/2025\/05\/image-75-300x168.png\" alt=\"\" width=\"1464\" height=\"820\" srcset=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2025\/05\/image-75-300x168.png 300w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2025\/05\/image-75-1024x575.png 1024w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2025\/05\/image-75-768x431.png 768w, 
https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2025\/05\/image-75-624x350.png 624w\" sizes=\"auto, (max-width: 1464px) 100vw, 1464px\" \/><\/li>\n<li>Click the <strong>Companies<\/strong> tab<\/li>\n<li>Choose either <strong>All Companies<\/strong> or select <strong>Specific Companies<\/strong> from the dropdown<\/li>\n<li>Click the <strong>Add<\/strong> button<\/li>\n<\/ol>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-59980\" src=\"\/wp-content\/uploads\/2025\/05\/image-76-300x224.png\" alt=\"\" width=\"1479\" height=\"1104\" srcset=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2025\/05\/image-76-300x224.png 300w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2025\/05\/image-76.png 512w\" sizes=\"auto, (max-width: 1479px) 100vw, 1479px\" \/><\/p>\n<h2>3. Best Practices for Managing Roles and Permissions<\/h2>\n<ol>\n<li><strong>Principle of Least Privilege<\/strong> \u2014 assign only the necessary permissions. Avoid giving access \u201cjust in case.\u201d<\/li>\n<li><strong>Use service accounts for administration<\/strong> \u2014 create a dedicated account (e.g. <a href=\"mailto:backup.admin@company.com\">backup.admin@company.com<\/a>) and avoid using personal employee accounts.<\/li>\n<li><strong>Enable permissions manually<\/strong> \u2014 by default, users cannot access the M365\/Google Backup or perform restore operations unless the <strong>Sign-in<\/strong> and <strong>Restore<\/strong> permissions are explicitly enabled in their profile.<\/li>\n<li><strong>Alternate Email<\/strong> \u2014 add an alternate email with a password to enable emergency access or allow for data deletion when needed.<\/li>\n<li><strong>Regular audits<\/strong> \u2014 check roles regularly, disable outdated user accounts, and monitor who has restore permissions. 
Leaving former employees' accounts active can result in unauthorized access by attackers.<\/li>\n<\/ol>\n<h2>Conclusion<\/h2>\n<p>Properly configured roles and permissions in MSP360 Backup for Microsoft 365\/Google Workspace are the foundation of a secure and reliable backup infrastructure. 
Whether you're operating in a multi-tenant MSP environment or a single-tenant company setup, clearly defined access levels help protect data, reduce risks, and ensure compliance with audit and security standards.<\/p>\n<p>MSP360 offers flexible tools for managing access \u2014 from granular user-level permissions to administrative delegation at the domain or company level. Use these tools responsibly: limit access, monitor restore permissions, review roles periodically, and always configure <strong>Alternate Email<\/strong> for recovery and emergency cases.<\/p>\n<p><!-- notionvc: 38fdf3fc-bd94-4c1d-939f-a2fc94545d1d --><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This guide explains the types of roles and permission levels in MSP360, how they function across two services \u2014 MSP360 Backup for M365 \/ Google and MBS (Managed Backup Service) for M365 \/ Google \u2014 how to delegate access securely to admins and end-users, and which common mistakes to avoid during configuration.<\/p>\n","protected":false},"author":106,"featured_media":60001,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[878,1005,931],"tags":[944],"class_list":["post-59969","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-msp-university","category-msp360-managed-backup-for-microsoft-365-and-google-workspace","category-msp360-product-guides","tag-microsoft-365-and-google-g-suite-backup-in-msp360-mbs"],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts\/59969","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/users\/106"}],"replies"
:[{"embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/comments?post=59969"}],"version-history":[{"count":37,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts\/59969\/revisions"}],"predecessor-version":[{"id":61641,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts\/59969\/revisions\/61641"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/media\/60001"}],"wp:attachment":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/media?parent=59969"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/categories?post=59969"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/tags?post=59969"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}