Global admin necessary for connector creation
A dedicated Microsoft service account with the Global administrator role must be used to create a connector and to start the backup.
When the connector is created, the Global admin user will automatically become:
- a member of all Microsoft 365 Groups and Teams included in the backup
- a member of all private channels
- a Site Collection Administrator of all SharePoint sites included in the backup
a Site Collection Administrator of users' OneDrives included in the backup
This is necessary for Keepit to access the data and include it in the backup.
Remove the Global admin role
After the connector has been created, the Global admin role can be removed from the user and the backup will continue to run successfully.
This means the user can be assigned a different admin role or can be made a regular user with no admin center access.
To remove the Global admin role:
1. In the Microsoft 365 admin center, navigate Users > Active users.
2. From the list of users, find and select the Global admin user used to set up the backup.
3. Under Roles select Manage roles.
4. Select User (no admin center access) or desired admin role.
5. Select Save changes.
Re-authenticating your connector
If you will need to re-authenticate your connector, you will need to re-assign the Global admin role to the user before you authenticate. After you authenticate you can again remove the Global admin role.
Instances when you may need to re-authenticate your connector:
- If you need to update your credentials because your Microsoft 365 session expired and authentication between Microsoft and Keepit is no longer valid
- If you re-authenticate your connector using the re-authenticate key icon on the configuration screen because you have authorized your connector with the wrong Global admin account
- If you need to update your version of Keepit
Must the user remain in groups, private channels, sites, and OneDrives?
Even if the Global admin role is removed, the user will automatically remain a member of all groups and private channels and an admin of all SharePoint sites and users' OneDrives.
The user must stay a member and admin of the above for all data to be backed up.
A user should be removed only in the case that you have authenticated a connector with the wrong account.
Will new groups be backed up even if the user is no longer a Global admin?
When the connector is created, the Global admin user grants the Keepit App in Microsoft certain permissions, including the permission to make this user a member of all groups. We retain this permission even if the Global admin role is removed from the user - meaning we can still make this user a member of all new groups that are created in Microsoft and accordingly back them up.