Home > Required Permissions > Service Account Authentication (Obsolete)
Export to PDFService Account Authentication (Obsolete)
Note:* If you want to use Cloud Backup for Project Online, you can use an app profile to scan the Project Online site collections*.* In this way, the service account does not require the Site Collection Administrator role. **However, the Project Online data cannot be protected in the app context (using app profile authentication). Therefore, a service account with enough permissions is still required for the backup and restore for Project Online.
After June 2023 release, if your Auto Discovery scan profiles are modified*, the service account authentication method* and the service account pool users will be obsolete from Auto discovery. For site collections (of SharePoint Online, Microsoft 365 Groups, Teams, or Viva Engage), the hybrid mode is now provided. In the hybrid mode, Cloud Backup for Microsoft 365 jobs will, by default, use an app profile in backup and restore. For the data types that are unsupported in the app context, service account authentication will be used automatically. Note that the use of service accounts is not the recommended method as it attracts an increased potential for throttling issues. To learn more and enable the mode, contact the AvePoint support team.
Effective February 2025, Microsoft will be retiring Role Based Access Control (RBAC) Impersonation in Exchange Online. Please note that if you are leveraging Service Account (SA) configurations across AvePoint Online Services (AOS) for Cloud Backup for Microsoft 365, successful completion of any scans and/or running jobs for mailbox in Exchange Online, Teams, Microsoft 365 Group, and Public Folders will be impacted.
Service account authentication requires credentials of a Microsoft Global Administrator, SharePoint Administrator, or Exchange Administrator account, and then use the credentials to scan objects in your tenant. However, SharePoint Online has a built-in throttling feature that prevents one account from processing several requests simultaneously.
The service account and configured account pool users used for Auto Discovery and backup and restore must meet the permission requirements for the corresponding service types. For details, refer to .
Required Permissions of Service Account
When backing up and restoring the registered objects, make sure the service accounts have the corresponding permissions:
The required permissions involve the SharePoint Administrator and Exchange Administrator roles in Microsoft 365. For details about these roles, refer to the Microsoft article .
| Object Types | Permissions or Roles | Notes |
|---|---|---|
| SharePoint Online, Project Online, and OneDrive | SharePoint Administrator role for object registration, backup and restore.Cloud Backup for Microsoft 365 will automatically add this service account as the Site Collection Administrator for backup and restore.*Note: The service account used to protect the Project Online data must also have one of the following Project Online licenses: Essentials, Project Plan 1, Project Plan 3 (formerly, Professionals), or Project Plan 5 (formerly, Premium). | When restoring the data related to terms, the restore job will add the service account as the Term Store Administrator automatically, and Cloud Backup for Microsoft 365 will use the service account to back up and restore the Managed Metadata Service. |
| Exchange Online mailboxes | Exchange Administrator role | |
| Public Folders | The service account must have an Exchange Online license and must be the Owner of the Public Folder. | Accounts that have the Publishing Editor permission can also back up Public Folders successfully, but this permission is not enough to restore them; users with Publishing Editor permission can assign Reviewer permission to others but cannot assign Owner permission to others. |
| Microsoft 365 Groups | The service account must have both the SharePoint Administrator and Exchange Administrator roles for protecting the Microsoft 365 Groups. | The SharePoint Administrator role is required to protect the Microsoft 365 group team site; the Exchange Administrator role is required to protect the Microsoft 365 group mailbox. The Auto Discovery scan job will add the service account as the Terms Store Administrator automatically, and Cloud Backup for Microsoft 365 will use the service account to back up and restore the Managed Metadata Service. Other than that, the backup and restore of the Microsoft 365 group team site only requires the Site Collection Administrator permission. |
| Teams | The service account that performs backup and restore jobs must have the Microsoft Teams product license and Exchange Online license assigned in Microsoft 365, and must be SharePoint Online Administrator, Exchange Online Administrator, Teams admin, and both the owner and member of the Teams that you want to protect. | For private Groups and Teams, at least one member or owner must have the Exchange Online license. To protect Teams’ Private/Shared Channel, the service account must also be the owner of all the current and future private/shared channels. The Auto Discovery scan job can automatically add the service account as the private/shared channel owner if the Automatically add the service account as the owner of private channels in all scanned Teams option is set to Yes. *Note: If you are using the hybrid approach for the backup and restore, the Private Channel’s site will be protected in the app context. The owner role to the private channels is not required. |
| Viva Engage | The service account must have both the SharePoint administrator and Exchange administrator roles for protecting the Viva Engage community. | |
| Power BI | The service account must be a Pro account or a Premium per user account and have the Fabric Administrator role (the former Power BI admin role). | If you use service account authentication to protect Power BI data, Cloud Backup for Microsoft 365 will automatically add this service account as the workspace admin. |
| Power Automate | The service account must be the environment admin/system administrator, and the Power Platform admin. | These roles are required for Auto Discovery scan and for the backup. In addition, the backup job will automatically add the service account as the flow owner. |
| Power Apps | The service account must be the global admin and the environment admin/system administrator. | The backup job will automatically add this service account as the app’s co-owner and flow owner (if the app has an associated flow). |