To ensure that your Keepit backup is performed correctly and to avoid problems down the line, we recommend the following when setting up your Microsoft 365 account:


Create a unique account for the backup

Set up a dedicated Microsoft 365 service account to handle the backup. This will prevent future problems. For example, if the employee responsible for backup leaves the company, the backup account can be passed on to someone else. We recommend you name the account and email as descriptively as possible (e.g., Keepit Backup / [email protected]). This will avoid confusion as this user will be made a member of all groups.


Assign the Global admin role to the service account

When creating the new service account, assign it the Global admin role. This is necessary when creating a new connector, because Keepit can obtain full access to the data and include it in the backup only through a user with this role.


The service account will automatically become a member of all groups and teams that are being backed up. For dynamic groups, you must make sure that the service account meets all the membership rules that are applied to the group so that it becomes a member. For more info, see Not all of my dynamic group data is being backed up.

A Global admin is also required to reauthenticate a connector and for certain types of restore, but is not required for backups to run successfully. For more info, see Removing the Global admin role from the backup service account.


Assign a license to the service account

You must assign the service account a license. This will ensure that all your data is properly backed up.


The license is also what grants the service account access to Microsoft Groups and Teams, which in turn will allow the Keepit software to make the user a member of all Microsoft 365 Groups and Teams. This is vital because Keepit can only back up Microsoft 365 Groups and Teams that the service account is a part of.

The following license plans give the Global admin access to Microsoft Groups and Teams: Microsoft 365 Business Basic; Microsoft 365 Business Standard; Microsoft 365 Apps for business; Microsoft 365 Apps for enterprise; Office 365 E1, E3, or E5; E4 (for anyone who purchased this plan prior to its retirement). For more info about license plans, see How do I get access to Microsoft Teams?

To back up Public Folders, the service account must also have a license (one of the licenses mentioned above).


Grant the service account Owner level permissions

If you want to back up Public Folders, ensure that the service account has Owner level permissions on all folders.

If you have existing Public Folders, grant the service account Owner level permissions at the root level, and check that it has these permissions on all subfolders down the entire hierarchy. To set Owner permissions, you can either set them manually for each subfolder or use the client permissions script (https://aka.ms/PFPermissionScript) to apply permissions to subfolders.

If you create a new Public Folder, any public folders created after this one will inherit the permissions of the parent public folder.
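One way to check the result across the whole hierarchy, as an added example that is not Keepit's or Microsoft's script: the function below reports every folder where the service account has no entry or has rights other than Owner. The folder paths, the account name and the record shape (Folder, User, AccessRights) are constructed for this example and are assumptions, not output copied from a tenant.

```powershell
# Constructed sample data. In an Exchange Online PowerShell session the folder
# list would come from Get-PublicFolder -Recurse and the entries from
# Get-PublicFolderClientPermission; the record shape used here is assumed.
$svc     = 'keepit-backup@contoso.example'   # hypothetical service account
$folders = '\Finance', '\Finance\Invoices', '\Finance\Invoices\2023', '\HR'
$entries = @(
    [pscustomobject]@{ Folder = '\Finance';               User = $svc;      AccessRights = @('Owner') }
    [pscustomobject]@{ Folder = '\Finance\Invoices';      User = $svc;      AccessRights = @('Reviewer') }
    [pscustomobject]@{ Folder = '\Finance\Invoices\2023'; User = 'Default'; AccessRights = @('Author') }
    [pscustomobject]@{ Folder = '\HR';                    User = $svc;      AccessRights = @('Owner') }
)

function Find-MissingOwner {
    param(
        [Parameter(Mandatory)] [string[]] $Folders,        # every folder path in the hierarchy
        [Parameter(Mandatory)] [object[]] $Permissions,    # one record per (folder, user) entry
        [Parameter(Mandatory)] [string]   $ServiceAccount
    )
    foreach ($folder in $Folders) {
        # -eq is case-insensitive, so differently cased account names still match.
        $entry = $Permissions |
            Where-Object { $_.Folder -eq $folder -and $_.User -eq $ServiceAccount } |
            Select-Object -First 1

        if (-not $entry) {
            # A subfolder with no entry at all is the easiest gap to miss.
            [pscustomobject]@{ Folder = $folder; Problem = 'No entry for the service account' }
        }
        elseif ($entry.AccessRights -notcontains 'Owner') {
            [pscustomobject]@{
                Folder  = $folder
                Problem = "Has $($entry.AccessRights -join ', ') instead of Owner"
            }
        }
    }
}

# Lists the folders that still need Owner granted before Public Folder backup.
Find-MissingOwner -Folders $folders -Permissions $entries -ServiceAccount $svc |
    Format-Table -AutoSize
```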


Create an app registration in Entra ID and connect it to Keepit to back up Teams Chats data

To minimize the impact of Microsoft's per-app throttling, we require you to create an app registration in your Entra ID specifically for backing up Teams Chats. This will improve overall Microsoft 365 backup performance and ensure Teams Chats backups are timely and complete. For more info, see Create an app registration in Entra ID.


(Optional) Add the service account to Conditional Access Policies 

Include the service account in your Microsoft Entra ID conditional access (CA) policies before setting up the backup. This step guarantees that the connector authentication process meets all necessary requirements.

Adding the service account to the CA policies allows us to proactively identify any potential authentication issues. If a CA policy requires multi-factor authentication (MFA) or imposes other restrictions, it may impact the service account's authentication. Configuring the policies beforehand helps you catch and address such issues.

Remember, if there are any changes to the CA policies or if the service account is added to more policies after the initial connector setup, the connector will need to be reauthenticated.
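To see in advance which policies will apply to the service account, the check below evaluates exported policies against the account's user id, group memberships and roles. It is an added example, not Keepit's tooling; the JSON is a constructed sample shaped like Microsoft Graph conditionalAccessPolicy objects, and all ids and policy names in it are made up.

```powershell
# Constructed sample; only the user, group and role conditions are evaluated.
$policiesJson = @'
[
 {"displayName":"MFA for all users","state":"enabled",
  "conditions":{"users":{"includeUsers":["All"],"excludeUsers":[],
    "includeGroups":[],"excludeGroups":[],"includeRoles":[],"excludeRoles":[]}},
  "grantControls":{"builtInControls":["mfa"]}},
 {"displayName":"Compliant device for admins","state":"enabledForReportingButNotEnforced",
  "conditions":{"users":{"includeUsers":[],"excludeUsers":[],
    "includeGroups":[],"excludeGroups":[],"includeRoles":["role-global-admin"],"excludeRoles":[]}},
  "grantControls":{"builtInControls":["compliantDevice"]}},
 {"displayName":"Block Sales group","state":"enabled",
  "conditions":{"users":{"includeUsers":[],"excludeUsers":["user-keepit-svc"],
    "includeGroups":["group-sales"],"excludeGroups":[],"includeRoles":[],"excludeRoles":[]}},
  "grantControls":{"builtInControls":["block"]}}
]
'@

function Test-AnyMatch([object[]]$Listed, [string[]]$Mine) {
    # True when any id the policy lists is one the account holds.
    @($Listed | Where-Object { $Mine -contains $_ }).Count -gt 0
}

function Get-PolicyAffectingAccount {
    param([object[]]$Policies, [string]$UserId,
          [string[]]$GroupIds = @(), [string[]]$RoleIds = @())
    foreach ($p in $Policies) {
        if ($p.state -eq 'disabled') { continue }
        $u = $p.conditions.users
        $included = (Test-AnyMatch $u.includeUsers @('All', $UserId)) -or
                    (Test-AnyMatch $u.includeGroups $GroupIds) -or
                    (Test-AnyMatch $u.includeRoles $RoleIds)
        # An exclusion overrides any inclusion.
        $excluded = (Test-AnyMatch $u.excludeUsers @($UserId)) -or
                    (Test-AnyMatch $u.excludeGroups $GroupIds) -or
                    (Test-AnyMatch $u.excludeRoles $RoleIds)
        if ($included -and -not $excluded) {
            [pscustomobject]@{
                Policy   = $p.displayName
                Enforced = ($p.state -eq 'enabled')   # false means report-only
                Controls = @($p.grantControls.builtInControls) -join ', '
            }
        }
    }
}

Get-PolicyAffectingAccount -Policies ($policiesJson | ConvertFrom-Json) `
    -UserId 'user-keepit-svc' -GroupIds 'group-sales' -RoleIds 'role-global-admin'
```

Because the service account holds the Global admin role and becomes a member of the groups being backed up, pass its role and group ids as well as its user id so that role-scoped and group-scoped policies are included in the result.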


(Optional) Create AD groups for easier and better organized backup configuration

Create dedicated groups of users from your Active Directory (your company directory in Microsoft). You will then be able to choose these AD groups in the Keepit configuration when selecting which accounts to back up, making it easy to configure the backup of multiple users at a time. This also gives you more control over which users are automatically added to the backup. For more info, see Selecting users for Exchange and OneDrive backups.


Keepit supports the backup of users in different types of Microsoft 365 groups, including unified groups, security groups, mail-enabled security groups, distribution lists, and dynamic groups (security group type). For more info about groups in Microsoft, see Compare Groups.


In Microsoft 365, you can create groups by selecting Groups > Active groups in the left navigation pane, and then choosing Add a group. For a full guide on how to create groups, see Create a group in Microsoft 365 admin center.