Removing the Global admin role from the backup service account.

Removing the Global admin role from the backup service account.

Article: 100051522
Last Published: 2021-10-08
Ratings: 0 0
Product(s): SaaS Backup

Global admin necessary for connector creation

A dedicated Microsoft service account with the Global administrator role must be used to create a connector and to start the backup. 

When the connector is created, the Global admin user will automatically become:

  • a member of all Microsoft 365 Groups and Teams included in the backup
  • a member of all private channels

This is necessary for VSB to access the data and include it in the backup.

Note: If All groups are selected in the Groups & Teams configuration when the connector is being created, the Global admin will be added as a member to all new groups that are created in Microsoft. 


Removing the Global admin role:

After the connector has been created, the Global admin role can be removed from the user and the backup will continue to run successfully.

This means the user can be assigned a different admin role or can be made a regular user with no admin center access.

To remove the Global admin role:

1. In the Microsoft 365 admin center, navigate Users > Active users.
2. From the list of users, find and select the Global admin user used to set up the backup.
3. Under Roles select Manage roles.
4. Select User (no admin center access) or desired admin role.
5. Select Save changes.

Re-authenticating your connector:

If you will need to re-authenticate your connector, you will need to re-assign the Global admin role to the user before you authenticate. After you authenticate you can again remove the Global admin role. 

Instances when you may need to re-authenticate your connector:

  • If you need to update your credentials because your Microsoft 365 session expired and authentication between Microsoft and Veritas SaaS Backup is no longer valid
  • If you re-authenticate your connector using the re-authenticate key icon on the configuration screen because you have authorized your connector with the wrong Global admin account


Must the user remain in groups and private channels?

Even if the Global admin role is removed, the user will automatically remain a member of all groups and private channels.

The user must stay a member of the above for all data to be backed up.

A user should be removed only in the case that you have authenticated a connector with the wrong account. 


Will new groups be backed up even if the user is no longer a Global admin?

When the connector is created, the Global admin user grants the VSB App in Microsoft certain permissions, including the permission to make this user a member of all groups. We retain this permission even if the Global admin role is removed from the user - meaning we can still make this user a member of all new groups that are created in Microsoft and accordingly back them up.

Was this content helpful?