Global admin necessary for connector creation
A dedicated Microsoft service account with the Global administrator role must be used to create a Microsoft 365 connector and to start the backup.
When the connector is created, the Global admin user will automatically become:
- a member of all Microsoft 365 Groups and Teams included in the backup
- a member of all private channels
This is necessary for Keepit to access the data and include it in the backup.
Note: If All groups is selected in the Groups & Teams configuration when the connector is being created, the Global admin will be added as a member to all new groups that are created in Microsoft.
Remove the Global admin role
After the connector has been created, the Global admin role can be removed from the user and the backup will continue to run successfully. You do not need to wait for the initial backup to complete to remove the Global admin role.
This means the user can be assigned a different admin role or can be made a regular user with no admin center access.
Important: After the GA role is removed, the service account will no longer be automatically added to all newly created private channels. To ensure that these channels are backed up, this service account should be manually added as a member to these channels.
To remove the Global admin role:
1. In the Microsoft 365 admin center, select Users > Active users.
2. From the list of users, find and select the Global admin user used to set up the backup.
3. Under Roles select Manage roles.
4. Select User (no admin center access) or desired admin role.
5. Select Save changes.
Re-authenticating your connector
If you will need to re-authenticate your connector, you will need to re-assign the Global admin role to the user before you authenticate. After you authenticate you can again remove the Global admin role.
Instances when you may need to re-authenticate your connector:
- If you need to update your credentials because your Microsoft 365 session expired and authentication between Microsoft and Keepit is no longer valid
- If you re-authenticate your connector using the re-authenticate key icon on the configuration screen because you have authorized your connector with the wrong Global admin account
Must the user remain in groups and private channels?
Even if the Global admin role is removed, the user will automatically remain a member of all groups and private channels.
The user must stay a member of the above for all data to be backed up.
A user should be removed only in the case that you have authenticated a connector with the wrong account.
Will new groups be backed up even if the user is no longer a Global admin?
When the connector is created, the Global admin user grants the Keepit App in Microsoft certain permissions, including the permission to make this user a member of all groups. We retain this permission even if the Global admin role is removed from the user - meaning we can still make this user a member of all new groups that are created in Microsoft and accordingly back them up.