How to Automate User Backup Coverage in Microsoft 365 and Google Workspace

by Raine Grey, Technical Writer

SaaS adoption continues to grow (experts forecast the market to reach $1.24 billion by 2036), yet MSPs still face a common gap: new users are created in these environments but never assigned to a backup policy. Relying on manual assignment to a backup plan invites human error, inefficiency, and other security vulnerabilities.

By automating user backup coverage, MSPs can:

  • Guarantee comprehensive protection across all licensed users.
  • Eliminate manual tracking of new accounts.
  • Ensure compliance with RTO/RPO and regulatory standards.
  • Provide consistent reporting and transparency for clients.

In this guide, we detail various methods for detecting new accounts, automatically applying backup coverage, and validating assignments using scripts, APIs, and native admin workflows.

📌 Prerequisites:

  • Admin or delegated admin access in Microsoft 365 and Google Workspace: You’ll need the proper level of access to read user accounts, create groups, and run API calls.
  • Existing SaaS backup tool with user-policy mapping capability (e.g., NinjaOne SaaS Backup): Most modern SaaS backup tools let you map users to backup policies through APIs or group assignments.
  • API credentials (Microsoft Graph API / Google Admin SDK): These credentials allow your scripts to talk directly to Microsoft 365 or Google Workspace.
  • PowerShell installed for Microsoft 365 automation: PowerShell is the go-to scripting language for Microsoft environments. You’ll use it to run recurring checks, export user lists, and interact with Microsoft Graph.

💡 Note: Optionally, you may also want to have a task scheduler or RMM platform to run recurring checks: A scheduler or RMM tool makes sure your detection and assignment scripts run daily (or more often), so new accounts are never left uncovered.

📌 Recommended deployment strategies:

Think of the methods below as different approaches you can mix and match. Feel free to select the ones that fit your environment. Some work best on their own, while others deliver the most value when combined.

Method 1: Standardize licensing and group-based assignment
Method 2: Automate detection of new users*
Method 3: Automate policy assignment in backup tools*
Method 4: Integrate with RMM or workflow automation*
Method 5: Validate and report backup coverage

💡 Notes:

  • Method 2 can be run independently (report-only) but is often paired with Method 3 for closed-loop automation.
  • Method 3 can be independent if your backup vendor exposes uncovered users, but it typically relies on Method 2 to supply detection data.
  • Method 4 can run standalone (as reporting/ticketing) or be layered on top of Methods 2 and 3 to embed checks into daily operations.

Method 1: Standardize licensing and group-based assignment

The most reliable way to ensure new users are covered is to tie backup policies directly to licenses or organizational groups. This way, when someone is added to the right group, they’re automatically protected.

📌 Use Cases: Ideal for MSPs onboarding new employees.

📌 Prerequisites: 

  • Microsoft 365: Azure AD Premium P1 or higher (for dynamic groups)
  • Google Workspace: Admin rights to manage OUs or Groups
  • SaaS backup tool that supports group/OU mapping

Steps:

(A) In Microsoft 365

  1. Create a dynamic group in Azure AD with a license-based rule in PowerShell.

Sample script:

(user.assignedPlans -any (assignedPlan.servicePlanId -eq "<ExchangeOnlinePlanID>" -and assignedPlan.capabilityStatus -eq "Enabled"))

💡Make sure that you replace the placeholder items, such as user.assignedPlans and assignedPlan.servicePlan, with the proper ones depending on your setup.

  2. Map this group to your backup tool’s policy so all members are automatically protected.

(B) In Google Workspace

  1. Segment users into Organizational Units (OUs) or Groups (e.g., “Staff,” “Contractors”).
  2. Apply backup policies at the OU or Group level in your backup vendor’s portal.

Method 2: Automate detection of new users

Even with group assignments in place, exceptions can slip through. Automating regular scans helps you spot unprotected users quickly before data is at risk. This method can stand on its own if you only need visibility and reports, but it also pairs well with Method 3 for full automation.

📌 Use Cases: Recommended for businesses with mixed accounts (e.g., staff vs. contractors) or MSPs managing multiple tenants with varying licensing.

📌 Prerequisites:

  • PowerShell installed
  • Microsoft Graph API credentials
  • Google Admin SDK access

Steps:

(A) In Microsoft 365

  1. Connect to Microsoft Graph with the User.Read.All permission scope.

In PowerShell, run this command:

Connect-MgGraph -Scopes "User.Read.All"

  2. Export all active users.

In PowerShell, execute:

# The filter keeps only enabled accounts, so disabled users are not exported
$allUsers = Get-MgUser -All -Filter "accountEnabled eq true"

  3. Compare against your backup assignment list and export uncovered accounts to a CSV.

In PowerShell, run:

$backupList = Import-Csv "CurrentBackupAssignments.csv"
$unprotected = $allUsers | Where-Object { $_.UserPrincipalName -notin $backupList.User }
$unprotected | Export-Csv "UsersMissingBackup.csv" -NoTypeInformation

(B) In Google Workspace

  1. Use the Directory API users.list method to export active users.
  2. Compare against your backup assignment records.
  3. Save differences into a CSV for review or automated action.
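
The Google Workspace comparison in steps 1 to 3, as an added example in Python (not part of the original guide). It runs on constructed pages shaped like Directory API users.list responses instead of calling the API; the function names, the sample users, and the choice to count an alias match as covered are assumptions.

```python
import csv
import io

# Constructed sample data: two pages shaped like Directory API users.list
# responses, and a backup export with a "User" column.
PAGES = [
    {"nextPageToken": "constructed", "users": [
        {"primaryEmail": "Ana@example.com", "orgUnitPath": "/Staff"},
        {"primaryEmail": "bo@example.com", "orgUnitPath": "/Staff",
         "aliases": ["bo.lee@example.com"]},
    ]},
    {"users": [
        {"primaryEmail": "cy@example.com", "orgUnitPath": "/Staff", "suspended": True},
        {"primaryEmail": "di@example.com", "orgUnitPath": "/Staff", "archived": True},
        {"primaryEmail": "ed@example.com", "orgUnitPath": "/Contractors"},
    ]},
]
BACKUP_CSV = "User\nana@example.com\nBo.Lee@example.com\n"

def load_covered(csv_text):
    """Return lower-cased addresses from the backup export; refuse a bad file."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if "User" not in (reader.fieldnames or []):
        raise ValueError("backup export has no 'User' column")
    return {row["User"].strip().lower() for row in reader if row["User"]}

def uncovered_users(pages, csv_text):
    """Active directory users with no address (primary or alias) in the export."""
    covered = load_covered(csv_text)
    users = [u for page in pages for u in page.get("users", [])]
    if not users:
        # An empty directory listing means the fetch failed, not "all covered".
        raise RuntimeError("directory listing is empty; refusing to report")
    missing = []
    for u in users:
        if u.get("suspended") or u.get("archived"):
            continue  # skip inactive accounts
        addresses = {u["primaryEmail"].lower(), *(a.lower() for a in u.get("aliases", []))}
        if not addresses & covered:
            missing.append({"User": u["primaryEmail"], "OrgUnit": u.get("orgUnitPath", "")})
    return sorted(missing, key=lambda r: r["User"])

def to_csv(rows):
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["User", "OrgUnit"], lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()
```

Matching is case-insensitive, and the two guard clauses turn a failed fetch or a malformed export into an error rather than a clean-looking empty report.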

Method 3: Automate policy assignment in backup tools

Once new users are detected, the next step is to add them to backup policies automatically. If your backup vendor’s API can already surface uncovered users, you can use this method independently. If not, combine it with Method 2 for a closed-loop solution.

📌 Use Cases: Useful for IT enterprises with strict compliance requirements around SLAs.

📌 Prerequisites:

  • Vendor API credentials
  • Detection script or workflow (from Method 2)

Steps:

  1. Detect new users with Microsoft Graph (365) or Google Admin SDK (Workspace).
  2. Call the vendor’s API to add each uncovered user to a backup policy.
  3. Log the response to confirm the assignment.
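
One way to carry out steps 2 and 3 without dropping users when the vendor rate-limits, as an added Python example (not the guide's or any vendor's code). The `send` transport, the status codes it returns, and a Retry-After value given in seconds are assumptions; `fake_vendor` is a constructed stand-in so the block runs offline.

```python
import logging
import time

log = logging.getLogger("backup-assign")

def assign_user(user, policy_id, send, max_attempts=4, sleep=time.sleep):
    """Enroll one user; retry on HTTP 429/5xx. Returns (ok, last_status).

    `send(user, policy_id)` is a hypothetical transport for your vendor's API
    and must return (status_code, headers, body).
    """
    status = None
    for attempt in range(1, max_attempts + 1):
        status, headers, body = send(user, policy_id)
        log.info("assign user=%s policy=%s attempt=%d status=%s body=%s",
                 user, policy_id, attempt, status, body)
        if 200 <= status < 300:
            return True, status
        if status != 429 and status < 500:
            break  # other 4xx: retrying will not help
        if attempt < max_attempts:
            # Honour Retry-After when given, else back off 1s, 2s, 4s ...
            sleep(float(headers.get("Retry-After", 2 ** (attempt - 1))))
    return False, status

def assign_all(users, policy_id, send, **kwargs):
    """Enroll every uncovered user; nobody is dropped without a record."""
    result = {"assigned": [], "failed": []}
    for user in users:
        ok, status = assign_user(user, policy_id, send, **kwargs)
        if ok:
            result["assigned"].append(user)
        else:
            result["failed"].append((user, status))  # feed these into a ticket
    return result

def fake_vendor():
    """Constructed stand-in for a vendor API: rate-limits the first call per
    user, and rejects one address outright."""
    seen = set()

    def send(user, policy_id):
        if user == "nolicense@example.com":
            return 422, {}, "user has no eligible license"
        if user not in seen:
            seen.add(user)
            return 429, {"Retry-After": "3"}, "slow down"
        return 201, {}, "enrolled"
    return send
```

The `failed` list is what a follow-up alert or ticket should be built from, so a user the API rejected is still accounted for.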

Method 4: Integrate with RMM or workflow automation

RMM platforms like NinjaOne can make backup automation part of your daily IT operations. This method doesn’t depend on Method 2 or 3. It can either run them behind the scenes or simply report results into tickets. Use it as an add-on for operational visibility, not as a mandatory step in sequence.

📌 Use Cases: Recommended for MSPs managing multiple tenants.

📌 Prerequisites:

  • RMM platform (e.g., NinjaOne)
  • Scripts built from Methods 2 and 3
  • Backup tool API or export integration

Steps:

  1. Run daily PowerShell or Python scripts to check for uncovered users.

Sample PowerShell script to detect uncovered M365 users

# Connect to Microsoft Graph
# Requires Microsoft.Graph module: Install-Module Microsoft.Graph -Scope AllUsers
Connect-MgGraph -Scopes "User.Read.All"

# Export all users from Microsoft 365
# AccountEnabled is not in Get-MgUser's default property set, so request it explicitly;
# otherwise it comes back empty and the enabled-account filter below matches no one
$allUsers = Get-MgUser -All -Property UserPrincipalName, DisplayName, AccountEnabled |
    Select-Object UserPrincipalName, DisplayName, AccountEnabled

# Import list of users currently assigned to backup policies
# Format: CSV should have a "User" column with UserPrincipalNames
$backupList = Import-Csv "C:\BackupData\CurrentBackupAssignments.csv"

# Compare: find enabled accounts that are not in the backup list
$unprotected = $allUsers | Where-Object {
    $_.UserPrincipalName -notin $backupList.User -and $_.AccountEnabled -eq $true
}

# Export results to CSV for reporting or integration
$timestamp = Get-Date -Format "yyyyMMdd_HHmm"
$outputPath = "C:\BackupData\UsersMissingBackup_$timestamp.csv"
$unprotected | Export-Csv $outputPath -NoTypeInformation
Write-Host "Unprotected users exported to $outputPath"

💡 Note: What this script does:

  • Connects to Microsoft Graph with delegated rights (User.Read.All)
  • Pulls all tenant users (with Get-MgUser)
  • Compares against a CSV (CurrentBackupAssignments.csv) containing UPNs of users already protected
  • Filters out disabled accounts so you only see active, uncovered users
  • Exports results to a timestamped CSV file for follow-up or integration with Method 3 (API-based assignment) or Method 4 (ticket creation in RMM)

  2. Auto-create a ticket if mismatches are found.
  3. Attach CSV or API output to the ticket for review.

Method 5: Validate and report backup coverage

Regular reporting builds trust with clients and demonstrates compliance with internal or external policies.

📌 Use Cases: Great for MSPs presenting results in Quarterly Business Reviews (QBRs) or enterprises needing compliance or audit documentation. Check out Top 5 MSP Strategies for Using Your QBR as a Sales Tool for more information.

📌 Prerequisites:

  • SaaS backup tool with reporting capabilities
  • Access to Microsoft 365/Google Workspace licensing exports

Steps:

  1. Run monthly reports from your backup tool.
  2. Cross-check coverage against licensing exports.
  3. Present results in QBRs, including:
    • % of users covered
    • % of restore tests successful
    • Exceptions (e.g., unlicensed or excluded accounts)

⚠️ Things to look out for

  • Risk: Scripts or API jobs fail silently. Potential consequence: New users may remain unprotected without anyone noticing. Reversal: Add logging, email alerts, or RMM ticketing for every run.
  • Risk: Backup vendor API rate limits. Potential consequence: Automation may skip users during bulk onboarding. Reversal: Stagger jobs or implement retry logic.
  • Risk: Incorrect group/OU mapping. Potential consequence: Users may be excluded from policies unintentionally. Reversal: Review mappings quarterly and run validation reports.
  • Risk: Disabled or unlicensed accounts included. Potential consequence: Wasted backup licenses and inflated costs. Reversal: Filter out disabled/unlicensed accounts in scripts.
  • Risk: Vendor policy changes (API updates, deprecations). Potential consequence: Automation scripts break without warning. Reversal: Monitor vendor release notes and update scripts regularly.

Automation touchpoint example

Here’s what a daily user backup coverage automation workflow might look like in practice:

  1. Query Microsoft 365 and Google Workspace for new accounts: Use Microsoft Graph PowerShell (Get-MgUser) and the Google Admin SDK (users.list) to pull a list of all active accounts.
  2. Compare results against current backup assignment records: Cross-check your export against the user list from your SaaS backup tool to identify accounts not yet protected.
  3. Automatically assign users to backup policies: Call your backup vendor’s API (Acronis, Dropsuite, Veeam, Datto, etc.) to enroll uncovered accounts. This creates a closed-loop automated backup assignment workflow.
  4. Generate alerts or tickets for uncovered accounts: If some users can’t be auto-assigned (e.g., license mismatch), trigger an alert in your RMM platform like NinjaOne. The system can generate a support ticket with the CSV of affected users attached.
  5. Archive the results for compliance and audit readiness: Store daily CSVs or logs showing which accounts were checked, assigned, or flagged. These reports help demonstrate regulatory compliance and restore readiness during audits or client QBRs.

💡 Tip: Many MSPs run this job every 24 hours through an RMM scheduler. Some even add restore test automation once per quarter, so coverage validation and restore success rates are built directly into the workflow.

Best practices for backup automation

  • Use group-based assignment for automated backup coverage: Dynamic groups in Microsoft 365 and Organizational Units (OUs) in Google Workspace ensure every new licensed user is automatically added to a backup policy. This reduces manual effort and guarantees comprehensive SaaS user backup coverage from day one.
  • Leverage API and PowerShell scripts for user detection: Automated detection scripts using the Microsoft Graph API or Google Admin SDK make it easy to identify unprotected accounts. This proactive approach helps MSPs prevent gaps in coverage and supports compliance with data retention and regulatory requirements.
  • Automate policy assignment with vendor APIs: Many backup vendors provide APIs that let you assign policies to uncovered users automatically. Pairing detection with assignment creates a closed-loop backup automation workflow that eliminates human error and improves reliability.
  • Integrate user backup coverage checks with RMM platforms: Running scheduled PowerShell or Python scripts through NinjaOne or another RMM tool embeds checks into your daily IT workflows. This ensures backup monitoring and alerting for SaaS users happen automatically, with uncovered accounts generating tickets for review.
  • Validate coverage with automated reporting and restore testing: Monthly reports from your SaaS backup platform should be cross-checked with Microsoft 365/Google Workspace licensing exports. Including backup validation and restore readiness testing in these reports provides transparency, builds client trust, and supports audit readiness.

How NinjaOne can help with backup coverage automation

NinjaOne can enhance user backup coverage automation by embedding your detection and assignment scripts directly into daily IT workflows. Instead of running these checks manually, NinjaOne handles them on a schedule, generates alerts when issues appear, and provides built-in tracking for compliance.

Here’s how MSPs and IT admins can use NinjaOne in practice:

  • Run scheduled scripts for Microsoft 365 and Google Workspace: Deploy PowerShell scripts (for Microsoft Graph) and Python scripts (for the Google Admin SDK) through NinjaOne’s automation engine.
  • Store CSV exports and logs in NinjaOne Docs: Every time the detection script runs, results can be automatically saved in NinjaOne Docs.
  • Create automated tickets for uncovered accounts: If new accounts are found without backup coverage, NinjaOne can automatically open a service ticket. The ticket can include a direct link to the CSV export or API response so the technician knows exactly who needs coverage.
  • Track remediation actions against SLAs: Each ticket can be linked to client SLAs, making it easy to measure how quickly uncovered users are brought under protection.
  • Present coverage insights in QBR dashboards: NinjaOne’s reporting can be customized to show backup coverage metrics (e.g., percentage of protected users, restore test success rates).

💡 Expert tip: By combining NinjaOne with your SaaS backup vendor’s API, you create a single pane of glass for user backup coverage management, from detection to remediation to reporting.

Protect business-critical data with a proper user backup process

By implementing user backup coverage automation, you ensure that every account is protected from day one. Group-based assignments provide a solid foundation, while API detection and automated policy assignment close any remaining gaps.

Adding RMM integration and validation reporting takes it a step further, embedding backup oversight directly into daily operations and client-facing reviews.

FAQs

Backup coverage means making sure every user account, file, and workload in Microsoft 365 or Google Workspace is included in a backup policy. Without full coverage, some accounts may be left unprotected, which puts business data at risk. Automating user backup coverage ensures no accounts slip through the cracks.

You can view user roles in the Microsoft 365 admin center by navigating to Users > Active users, selecting a user, and checking their assigned roles. For automation or bulk reporting, you can also use the Microsoft Graph PowerShell SDK with commands like:

Connect-MgGraph -Scopes "Directory.Read.All"

Get-MgUser -All -Property DisplayName, UserPrincipalName, AssignedLicenses | Select-Object DisplayName, UserPrincipalName, AssignedLicenses

This lets you see who has admin roles or licenses that impact backup policies.

User-level backup refers to protecting data for each individual account rather than just backing up shared drives or entire tenants. This ensures compliance, simplifies restores, and prevents data loss when employees leave or accounts are deleted.
