To ensure that your Keepit backup is performed correctly and to avoid problems down the line, we recommend the following when setting up your Microsoft 365 account:


Create a unique account for the backup

Set up a dedicated Microsoft 365 service account to handle the backup. This will prevent future problems. For example, if the employee responsible for backup leaves the company, the backup account can be passed on to someone else. We recommend you name the account and email as descriptively as possible (e.g., Keepit Backup / keepit_backup@company.com). This will avoid confusion as this user will be made a member of all groups.


Assign the Global admin role to the service account

When creating the new service account, assign it the Global admin role. This is necessary when creating a new connector because only through a user with this role can Keepit obtain full access to data and include it in the backup. 


The Global admin will automatically become a member of all groups and teams that are being backed up. 


A global admin is also necessary to re-authenticate a connector and for certain types of restore. For more information, see Removing the Global admin role from the backup service account.


Assign a license to the service account

You must assign the service account a license. This will ensure that all your data is properly backed up.


The license is also what grants the service account access to Microsoft Groups and Teams, which in turn will allow the Keepit software to make the user a member of all Microsoft 365 Groups and Teams. This is vital because Keepit can only back up Microsoft 365 Groups and Teams that the service account is a part of.

The following license plans give the Global admin access to Microsoft Groups and Teams: Microsoft 365 Business Basic; Microsoft 365 Business Standard; Microsoft 365 Apps for business; Microsoft 365 Apps for enterprise; Office 365 E1, E3, or E5; E4 (for anyone who purchased this plan prior to its retirement). For more information about license plans, see How do I get access to Microsoft Teams?

The service account must also have a license for the backup of Public Folders. (One of the licenses mentioned above.)


(Optional) Include the service account in Conditional Access Policies 

If you use Azure AD conditional access (CA) policies, and want the service account to be included in any conditional access policies, add it to these policies before you set up the backup. This will ensure that the connector authentication process will meet all necessary requirements. A CA policy that requires MFA or applies other restrictions may prevent Keepit from authenticating using the service account, so setting up the policies first will help you catch that potential issue. After the initial connector setup, if there are changes to the CA policies or if the service account is added to more CA policies, the connector will need to be reauthenticated.


(Optional) Grant the service account Owner level permissions

If you want to back up Public Folders, ensure that the service account has Owner level permissions on all folders.

If you have existing Public Folders, make sure to grant the service account Owner level permissions at the root level, as well as check that the service account has these permissions on all sub-folders down the entire hierarchy. To set Owner permissions, you can either set them manually for each subfolder, or you can use the client permissions script (https://aka.ms/PFPermissionScript) to apply permissions to subfolders.

If you create a new Public Folder, any public folders created after this one will inherit the permissions of the parent public folder.


(Optional) Create AD groups for easier and better organized backup configuration

Create dedicated groups of users from your Active Directory (your company directory in Microsoft). You will then be able to choose these AD groups in the Keepit configuration when selecting what accounts to back up, making it easy to configure the backup of multiple users at a time. This will also bring you more control over what users are being automatically added to the backup. For more information, see Selecting users for Exchange and OneDrive backups.


Keepit supports the backup of users in different types of Microsoft 365 groups, including unified groups, security groups, mail-enabled security groups, distribution lists, and dynamic groups (security group type). For more information about groups in Microsoft, see: Compare Groups.


In Microsoft 365, you can create groups by selecting Groups > Active groups in the left navigation pane, and then choosing Add a group. For a full guide on how to create groups, see Create a group in Microsoft 365 admin center.