Required Permissions for Microsoft 365 Service Accounts

What is a Service Account?

To run a backup of your Microsoft Organization, you'll need to create a service account under that organization so that the data you want to back up is accessible. A service account is simply a dedicated user within your Microsoft Organization that we use to gain access to the data you wish to back up.

Depending on what you want to back up, the permissions you need to assign to your Service Account can vary. Below we'll go over the current types of M365 backup jobs and the permission requirements for the related service accounts.

 

Service Account Requirements

Microsoft 365 Exchange Regular & Shared Mailboxes

  • May be an unlicensed account
  • Application Impersonation role under both Discovery & Organization Management
  • Global Admin

Microsoft 365 Exchange Public Folders

  • Must be a licensed account
  • Application Impersonation role under both Discovery & Organization Management
  • Global Admin
  • To back up Public Folders, the admin account should be licensed with either an E1 or E3 license.

Microsoft SharePoint & OneDrive

  • Global Admin

Microsoft Teams / Groups

  • Application Impersonation role under both Discovery & Organization Management
  • Global Admin
  • Depending on the site configuration, a Teams license might be required for the service account to allow it to access all items.
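
A read-only way to confirm that a service account actually holds what the lists above call for, as an added example that is not Servosity's own tooling. It assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules and a placeholder UPN, and it reads "Application Impersonation role under both Discovery & Organization Management" as the ApplicationImpersonation role reaching the account through those two role groups.

```powershell
# Added example: read-only audit of one backup service account.
# Assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed.
param(
    # Placeholder UPN, e.g. svc-backup@contoso.example
    [Parameter(Mandatory)] [string] $ServiceAccountUpn
)

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'User.Read.All', 'RoleManagement.Read.Directory'

# Account and license state ("licensed" vs "unlicensed" in the lists above).
$user = Get-MgUser -UserId $ServiceAccountUpn -Property 'id,userPrincipalName,assignedLicenses'
$isLicensed = @($user.AssignedLicenses).Count -gt 0

# Global Admin: match on the well-known role template ID, not the display name.
# Only active, direct assignments are listed; PIM-eligible or group-based ones are not.
$gaTemplateId = '62e90394-69f5-4237-9190-012177145e10'
$gaRole = Get-MgDirectoryRole -All | Where-Object RoleTemplateId -eq $gaTemplateId
$isGlobalAdmin = $false
if ($gaRole) {
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All
    $isGlobalAdmin = @($members.Id) -contains $user.Id
}

# ApplicationImpersonation: with -RoleAssignee set to a user, Exchange returns
# direct assignments and those inherited through role groups.
$impersonation = @(Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' `
        -RoleAssignee $ServiceAccountUpn -ErrorAction SilentlyContinue)
$grantedVia = @($impersonation.RoleAssigneeName)

# One summary row per account; compare it with the list for the job type in use.
[pscustomobject]@{
    Account                   = $user.UserPrincipalName
    Licensed                  = $isLicensed
    GlobalAdmin               = $isGlobalAdmin
    ImpersonationViaDiscovery = $grantedVia -contains 'Discovery Management'
    ImpersonationViaOrgMgmt   = $grantedVia -contains 'Organization Management'
    ImpersonationAssignments  = $impersonation.Count
}

Disconnect-ExchangeOnline -Confirm:$false
Disconnect-MgGraph | Out-Null
```

Running it again after any role change gives a record of what each backup account can reach, which is useful when one account per task is in use.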

Special Considerations - Using Multiple Service Accounts

Generally, you can get away with creating a single Service Account and using it for all of your M365 backup tasks. However, sometimes Microsoft will flag a single Service Account for requesting too much data over their API and will throttle the requests for an undisclosed amount of time. This can cause backup jobs to run for days and start to report failures since they're having to retry constantly.

To bypass this limitation with the Microsoft API, you might need to create and configure separate Service Accounts for each task you wish to perform (Exchange backup, SharePoint, etc.). This will spread out the number of requests across multiple accounts and reduce the likelihood of being throttled.

 

If you have any questions regarding this article or need further assistance, please reach out to support@servosity.com.