AvePoint Docs
Graph API
My support tickets
Graph API
My support tickets
English

Home > FAQs

Export to PDF

FAQs

Refer to the frequently asked questions and answers in the following categories: consent to apps, app profile and service account profile, Microsoft 365 tenants with multi-geo capabilities, and auto discovery.

What If Your Tenant Does Not Allow Users to Consent to Apps?

If your Microsoft 365 tenant does not allow users to consent to apps on their behalf, Microsoft 365 users who are added as AvePoint Online Services users cannot sign in to AvePoint Online Services with their Microsoft 365 login IDs. Microsoft will display the Need admin approval page to them.

Follow the steps below to give consent to the app:

  1. Click the corresponding consent link for your data center and then provide your Microsoft 365 global administrator credentials.
Sign in WithCommercial Production EnvironmentU.S. Government Production Environment21VianetFedRamp Cloud
Microsoft 365 accountGo to Consent appGo to Consent appGo to Consent appGCC: Go to Consent app
Microsoft 365 U.S. Government account/Go to Consent app/GCCH: Go to Consent app

  1. Select the Consent on behalf of your organization option and click Accept.

  2. Once the consent is finished, you will be redirected to AvePoint Online Services Interface. Sign in to AOS if your global administrator has been invited into AOS.

    *Note: If your global administrator has not been invited, you may see the Join AvePoint Online Services page. You can ignore this page since you have finished obtaining your consent.

Why is Admin Consent Required to Use the AvePoint Apps?

According to Microsoft’s standard Azure app consent process, when adding an app to your Microsoft 365 environment, consent is required by your Microsoft 365 Global Administrator or Privileged Role Administrator since the Administrator must review the permissions required by the apps. For more information about admin consent, refer to the Microsoft technical article:

Note the following:

- The Engage Administrator (Yammer Administrator) can also consent to the AvePoint services’ apps for Viva Engage. - The Global Administrator, Privileged Role Administrator, or Engage Administrator (Yammer Administrator) account is not stored by AvePoint cloud services. The consent process is managed by Microsoft, so your username and password are never shared with AvePoint during the consent process. - Admin consent does not grant admin privileges to the AvePoint apps. For more details on the permissions required by apps and the instructions for creating app profiles, refer to the [Manage App Profiles](#missing-link) section.

What is the Difference between App Profile and Service Account Profile?

Auto discovery requires an authentication method, either using a service account profile or an app profile. The app profile authentication method is recommended in most cases, and auto discovery scan profiles use the app profile authentication method as the preferred option. By using the app profile authentication method, the app token will be used to back up or manage data, and the credentials of the Administrator account will not be stored by AvePoint Online Services.

However, the service account authentication is required by some services. For more information, refer to Will the App Profile Method Meet Your Data Management Requirements? If you configure a service account profile, the credentials of the account within the profile will be used to scan and manage Microsoft 365 objects. For details on configuring service account profiles, refer to Manage Service Account Profiles.

Will the App Profile Method Meet Your Data Management Requirements?

To back up or manage your Microsoft 365 data in services for Microsoft 365, you must first use AvePoint Online Services Auto discovery to scan or add Microsoft 365 objects. Auto discovery can use the app profile and service account authentication (obsolete) methods to scan objects.

*Note: For organizations that have configured Auto discovery scan profiles with the service account authentication, if these scan profiles are modified after the June 2023 release, the service account authentication methods will be absent from scan profiles. If you want to continue using the service account authentication method for Auto discovery scan jobs, you must not update your Auto discovery scan profiles.

The app profile authentication method is the default option, as the easiest way to work with your environment is by registering an app profile. This ensures that all jobs that run in your environment are tagged as AvePoint activities, and we do not need to store any service accounts or passwords. When you use the app profile authentication method to scan objects, the app token within the app profile will be used to back up or manage data, and the credentials of the Administrator account will not be stored by AvePoint Online Services — only your Administrator’s consent is recorded, and this consent can be monitored in your Microsoft Entra and can be revoked at any time from your environment.

While we do suggest you use the app profile method, there are specific instances when this method is not recommended. Refer to the information in the links below to help you determine if using the app profile method will satisfy your data management requirements.

- AvePoint Cloud Backup for Microsoft 365 - It is recommended that you configure app profiles for managing backup data in Cloud Backup for Microsoft 365 for the best performance. When the app profile authentication method in a scan profile cannot meet your data management requirements, you can apply a service account profile to the scan profile as an additional method. For additional details, refer to the . - AvePoint Cloud Management - - - AvePoint Cloud Archiving - - - Classic DocAve Backup - - - Fly:

What Should I Do If I Want to Change Classic Mode Apps to Modern Mode Apps in the AOS New UI?

If your tenant has classic mode apps and wants to switch to the modern mode apps, you can refer to the instructions below to complete the transition.

  1. Go to App management and follow the steps below to create app profiles:

    1. Click Create on the App management page.

    2. Select services which will use this app profile.

    3. Select the Modern mode.

    4. Consent to the apps under the services based on your scenario. Then, click Finish after you finish creating app profiles.

      *Note: In Cloud Backup for Microsoft 365, if your tenant only manages Exchange or SharePoint objects, you can choose to only consent to the related Exchange/SharePoint app.

  2. In Auto discovery, scan profiles use app profiles for scanning in the following priority (from high to low): Modern mode > Classic mode > Custom mode. If your tenant has scan profiles which are kept from the AOS classic UI and use classic mode apps, these scan profiles can still be used for daily scanning. After you edit one of these scan profiles, AOS will regard the operation as applying modern mode apps for the scan profile. Thus, you can edit a scan profile and save it (even though there is no change in the scan profile) to replace classic mode apps with modern mode apps.

    *Note: In Cloud Backup for Microsoft 365, the backup jobs use app profiles in the following priority (from high to low): Modern mode > Classic mode > Custom mode. As the backup jobs in Cloud Backup for Microsoft 365 can directly use modern apps and the priority is the same as the priority of scan profiles in AOS, no extra action is needed for the backup jobs after the app transition.

  3. If all scan jobs and service jobs such as backup jobs run successfully, you can delete the classic mode apps.

    *Note: In AOS > Auto discovery > Job monitor, you can view the Authentication information in the latest scan job details to check if the modern mode apps have been used for scanning.

Does AvePoint Online Services Support Microsoft 365 Tenants with Multi-Geo Capabilities?

With Microsoft 365 Multi-Geo, your organization can expand its Microsoft 365 presence to multiple geographic regions and/or countries within your existing tenant. You can provision and store data at rest in the geo locations that you've chosen to meet data residency requirements, and at the same time, unlock your global rollout of modern productivity experiences to your workforce.

If your Microsoft 365 tenant has , you can pair your multi-geo tenant with a similar subscription for AvePoint Cloud Backup for Microsoft 365.

*Note: While you can use a standard AvePoint Cloud Backup for a Microsoft 365 subscription to support a multi-geo Microsoft 365 tenant with no changes, all data will be protected and stored centrally in a single AvePoint Online Services tenant. To take advantage of our global network, you will need to purchase a subscription from AvePoint to leverage our multi-geo infrastructure described below.

Since your tenant will be supported by AvePoint Online Services data centers around the world, we want to make sure that you are familiar with which data centers will be supporting you.

Start by going to Administration > Data center mappings to configure mappings between the geo locations in your Microsoft 365 tenant and the data centers supported in AvePoint Online Services. For more information, refer to Manage Data Center Mappings.

*Note: The saved mappings cannot be changed, and they will be used to create boundaries between different geo locations in your environment.

Next, in Auto discovery, you‘ll want to ensure you’re using the filters provided in the advanced scan mode to separate mailboxes, OneDrives, sites, and other Microsoft 365 content by their preferred data locations. We’ll use these boundaries to help distribute the management for each of these containers around the world. For more information, refer to Auto Discovery for Microsoft 365.

Creating multi-geo scan rule for the scan profile.

Finally, you can create separate administrators for each geo location using our delegated administration in User management, which maintains segregation among geo locations. For more information, refer to Manage Users.

The setting: Available geo location

What is Throttling in Microsoft 365 Environments?

In Microsoft 365 environments, throttling may be automatically applied to ensure service stability and prevent excessive requests from negatively impacting the system.

- Throttling thresholds are determined and enforced by Microsoft. AvePoint has no control over when or how throttling is triggered. - When throttling occurs, certain operations (e.g., backup or migration) may experience temporary slowdowns. However, there is no impact on user-facing environments or data integrity. This mechanism is part of Microsoft’s commitment to maintaining a reliable cloud service. AvePoint products are designed to operate in compliance with these controls.

What Should I Do If I Want to Terminate Services for Microsoft 365 Tenants?

Once your subscription has expired, all information related to the expired subscription will be preserved for about 15 days before they are permanently deleted from AvePoint Online Services. (You can check for details. Organizations may have a different timing depending on their specific contracts with AvePoint). If you want to terminate an Enterprise subscription, no further action is required in AvePoint Online Services and following the instructions below will ensure you a clean and orphan-free environment in your Microsoft 365 tenant.

Remove AvePoint Applications from Your Microsoft Entra Applications

If you have configured app profiles in App management, you can refer to the instructions below to remove the consented applications from your Microsoft Entra environment:

  1. Go to (or ).

  2. Navigate to Identity > Applications > Enterprise applications (or Microsoft Entra ID > Enterprise applications).

  3. Enter the keyword AvePoint to search for applications by application name.

  4. Click the application that you want to remove.

  5. Click Properties in the Manage section on the left menu.

    Clicking Properties.

  6. Click Delete on the top menu.

    Clicking Delete.

  7. In the confirmation window, click Yes to confirm your action.

Remove Reserved IP Addresses from Your Microsoft Entra Access Policies

If you have configured Conditional Access policies to add the reserved IP addresses downloaded from AvePoint Online Services, you can refer to the instructions below to remove reserved IP addresses from your policies:

  1. Log in to (or ).

  2. Navigate to Protection (or Microsoft Entra ID > Security) > Conditional Access.

  3. Click Policies.

    Clicking Policies.

  4. Find the policy related to AvePoint.

  5. Edit the policy to remove the reserved IP addresses related to the cloud services that you want to terminate.

Remove the Key Used in AvePoint Online Services

If you have configured a custom encryption profile in Encryption management, you can refer to the instructions below to remove the key:

  1. In the , enter Key vaults in the search box on the top, and then select the first result to access the Key vaults page.

  2. On the Key vaults page, click Keys in Settings.

  3. Find the key used in AvePoint Online Services and click the key.

  4. Click Delete on the top menu.

    Clicking Delete.

Remove Hybrid Agents

If you have installed the hybrid agent on a machine to manage on-premises objects, you can refer to the instructions below to remove it:

  1. Find the Hybrid Agent Management installed on the machine.

  2. Run the Setup file as administrator.

  3. Select Uninstall to start the removal process.