A Global admin is needed for connector creation, but not for backups to run successfully. This means after the connector has been created, you can remove the Global admin role from the service account. You do not need to wait for the initial backup to complete. The service account can be assigned a different admin role or can be made a regular user with no admin center access.
However, you must keep in mind that Global admin rights are needed to re-authenticate a connector and to restore SharePoint or Teams data. This means if you remove the Global admin role from the service account, you will need to re-assign it each time you need to re-authenticate a connector or restore SharePoint or Teams data.
In what cases do I need a global admin?
Global admin necessary for connector creation
A dedicated Microsoft service account with the Global administrator role must be used to create a Microsoft 365 connector and to start the initial backup.
When the connector is created, the Global admin user will automatically become a member of all Microsoft 365 Groups and Teams included in the backup.
This is necessary for Keepit to access the data and include it in the backup.
Note: If All groups is selected in the Groups & Teams configuration when the connector is being created, the Global admin will be added as a member to all new groups or Teams that are created in your Microsoft 365 tenant.
Global admin necessary for connector re-authentication
If you need to re-authenticate your connector, you will need to re-assign the Global admin role to the user before you authenticate. After you authenticate you can again remove the Global admin role.
Instances when you may need to re-authenticate your connector:
- If you need to update your credentials because your Microsoft 365 session expired and authentication between Microsoft and Keepit is no longer valid
- If you re-authenticate your connector using the re-authenticate key icon on the configuration screen because you have authorized your connector with the wrong Global admin account
If Keepit updates our product to take advantage of new Microsoft product capabilities that require changes to the permissions we request from the service
Global admin necessary for SharePoint and Teams data restore
To ensure SharePoint and Teams data is properly restored, you need to re-assign the Global admin role to the user before you start the restore. Once the restore is complete, you can again remove the Global admin role. Without that permission, Keepit cannot write data back to the target SharePoint site or Team.
How to remove the Global admin role
To remove the Global admin role:
1. In the Microsoft 365 admin center, select Users > Active users.
2. From the list of users, find and select the Global admin user used to set up the backup.
3. Under Roles select Manage roles.
4. Select User (no admin center access) or desired admin role.
5. Select Save changes.
What happens to groups after I remove the GA role?
Must the service account remain as a group member?
Even if the Global admin role is removed, the service account will automatically remain a member of all groups.
The service account must stay a member for all data to be backed up.
You should remove the service account only in the case that you have authenticated a connector with the wrong account.
Will new groups be backed up even if the user is no longer a Global admin?
When the connector is created, the Global admin user grants the Keepit app in Microsoft certain permissions, including the permission to make the service account a member of all groups. We retain this permission even if the Global admin role is removed from the user. This means we can still make this user a member of all new groups that are created in Microsoft and accordingly back them up.