Microsoft Entra ID · Security & Compliance
Microsoft 365 Backup Administrator
Manages all aspects of Microsoft 365 Backup including policies, restore operations, and backup configurations.
Scope: Full administrative control over Microsoft 365 Backup service
Permissions
- Create and manage backup policies
- Perform restore operations
- Configure backup for SharePoint, OneDrive, Exchange
- View backup status and reports
- Manage backup storage and retention
Common use cases
- Backup policy configuration
- Disaster recovery operations
- Granular restore for users
- Compliance-driven backup retention
- Business continuity planning
Best practices
- Define backup policies per workload
- Test restore procedures regularly
- Document recovery runbooks
- Monitor backup job status
- Align with business continuity requirements
Security considerations
- Restore access could expose historical data
- Backup data may contain sensitive content
- Monitor restore operations
- Consider separation from production admins
Common questions
When should I assign the Microsoft 365 Backup Administrator role?
Assign Microsoft 365 Backup Administrator when you need to: Backup policy configuration; Disaster recovery operations; Granular restore for users; Compliance-driven backup retention; and Business continuity planning. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Microsoft 365 Backup Administrator role do?
The Microsoft 365 Backup Administrator role grants permissions including: Create and manage backup policies; Perform restore operations; Configure backup for SharePoint, OneDrive, Exchange; View backup status and reports; and Manage backup storage and retention. See the Permissions section above for the full list.
What are the security risks of the Microsoft 365 Backup Administrator role?
Key considerations when assigning Microsoft 365 Backup Administrator: Restore access could expose historical data; Backup data may contain sensitive content; Monitor restore operations; and Consider separation from production admins. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.