Jun 6, 2024
6 min read

Streamlining Backup Policy Assignment using Groups

Streamlining Backup Policy Assignment using Groups

We are excited to announce that Group Based Policy Management (GBPM) is being rolled out into our platform globally. As with every feature on the Alcion platform, it is easy to use, can scale across large tenancies and includes built-in guardrails in place if groups within the tenant are changed inadvertently (or via malicious attack) which may impact user protection.

What is Group Based Policy Management (GBPM)?

So what is GBPM? Perhaps you would like every licensed user in your tenancy to be protected - but, have a different policy for Informational (Microsoft 365 E3, E5 etc) users and Frontline workers. Or at a more basic level, all users in the Marketing & Sales Microsoft 365 group have a different policy to the Leadership Microsoft 365 group.

This is where GBPM comes in. You can leverage groups that already exist within your Microsoft 365 tenancy and assign an Alcion protection policy especially useful for large tenancies but there are operational wins to be had for all sizes. ย 

How does GBPM work?

There are four foundational concepts that come together to make GBPM work seamlessly and securely for our users.

  • Group-Based Actions
    As an Alcion administrator, you will create a protection policy action and assign the group from your M365 tenancy you wish to be protected with this policy. This instantly updates the policy for all members of that group.
  • Continuous Monitoring
    If selected during the action creation, Alcion continuously monitors group membership, ensuring policies are always applied to the right users based on the protection policies you set. We call this process continuous vetting.
  • Security-Focused Removal
    When a user leaves a group, their policy remains in place for security reasons, preventing potentially accidental (or malicious) removal of a protection policy. As an administrator, you can simply override any user at any time to adjust their previously inherited policy.
  • Conflict Resolution
    If a user belongs to multiple groups with protection policies, Alcion prioritizes the most recently updated or added policy. A future update to GBPM however will allow you to define a preferred application order for group policies which will be evaluated during vetting and policy updates.

How to configure your Group Based Policy

As an Alcion administrator, navigate to your users dashboard click the Set policies by Groups button at the top of the grid.

You will then be presented with a list of your groups. We also support dynamic Microsoft 365 groups giving you the ultimate freedom to define rule-based groups on your Microsoft 365 tenancy such as the license example.

You then single or multi-select the groups followed by Set Policy where you will be presented with the policy selection, such as Intelligent. Two additional options are available.

  1. Overwrite for users with a policy of excluded
    By selecting this, any user matched within these groups will have the excluded policy overwritten by your policy selection. Otherwise, all exclusions will remain as they are.
  1. Also apply to new users in the future
    This is where the continuous vetting comes into play. Alcion will now monitor these groups for new members and apply the policy you have selected.

You can now select Apply Changes. Group membership will be retrieved for each of your selected M365 groups and this new policy automatically assigned in the background - no matter how many users you have.

Backup policy updates status can be viewed in the Activity dashboard.

How we Engineered GBPM

Developing this functionality involved some detailed planning work. We struck challenges around the Graph API and how the Microsoft 365 platform imposes throttling and request limits โ€“ especially around continuous vetting and large tenancies. ย 

The engineering responded by crafting our own throttling and scaling mechanisms, some of which were learnt from developing the core backup product itself.

This ensures we can roll this feature out at scale, especially for large Microsoft 365 tenancies of multiple thousands or more - allowing us to react to changes in group membership as promptly as possible and apply the most appropriate protection policies for your users.


Protect your users at scale

Group-Based Policy Management (GBPM) is here to make data protection easier and less error prone.

With GBPM, you can:

  • Effortlessly assign policies: Leverage existing Microsoft 365 groups to automatically assign backup policies to your users.
  • Reduce operational load: Continuous monitoring ensures policies are always applied to users without protection, saving you time and manual effort.
  • Be confident: Knowing that data protection policies will be automatically applied based on your Microsoft 365 group membership

What are you waiting for? Jump in and explore the ease of Group-Based Policy Management. Design a data protection strategy designed around your organization's specific needs, get time back in your day and feel confident knowing that your Microsoft 365 backups are taken care of.ย Connect with our team and find out how we can help or start a free trial (no credit card required). You may also join our Discord community.


Bill Daws
Bill Daws
Member of Technical Staff at Alcion

Bill Daws is a Member of Technical Staff at Alcion. Prior to Alcion, he worked at Amazon Web Services, building the internal authentication and authorization services for the Training and Certification department. He holds a BS in Computer Science from Temple University.