Service Principal Authentication for New and Existing Clients

Anne O'Connor

*Service Principal Authentication will be available for all new clients starting February 1, 2024, and for all existing clients on February 12, 2024.

Service Principal Authentication in our End-User Portal aims to minimize the potential damage caused by accidental or intentional security breaches. It restricts data access rights to the minimum level required for the tasks being performed. This improvement is a simpler process that removes the need for global admin creation and automates custom role creation. Please note that Service Principal Authentication does not support Groups & Teams’ calendar backup or Groups & Teams Mailbox with attachments at this time.

 

Adding M365 Backup with Service Principal Authentication for New Clients

As a partner, you can instruct your clients on adding M365 backup with Service Principal Authentication authorization by providing them with these steps, or you can perform the task yourself by impersonating the client.

  1. Sign in to the End-User Portal.
  2. Click the “+ Add Backup” button on the Dashboard page.
  3. Click the “Sign in with Microsoft 365” button. 
  4. You will see 2 options. Select the second option, “Authorize with Least Privilege Permissions,” for authorization and input the M365 admin account accordingly. 
  5. Scroll down the page and click the “Accept” button.
  6. Once consent is granted, the user will be redirected to the M365 AUTHORIZATION page. There are 2 steps in total:
    1. Step 1: Create Backup Application. The system creates sub-applications in the user's tenant. This may take a few seconds to complete.
    2. Step 2: Device Authorization. Click the available link. The system will redirect you to a new Microsoft window. Copy and paste the code from the portal, then click the “Next” button. Select the correct email admin. Click the “Continue” button.
  7. Go back to the End-User Portal and click the “Verify & Continue” button to finish.
  8. Once it is successful, the system will list all of the M365 accounts on this tenant. Please wait until custom role creation is successfully connected. It may take up to 24 hours. During this time, the Public Folder is restored, and Journaling (for the Archiver plan) is stopped. You can monitor the status on the Account Settings page under the Credentials tab.

 

Migrating Service Principal Authentication for Existing Clients

As a partner, you can instruct your clients on adding M365 backup with Service Principal Authentication authorization by providing them with these steps, or you can perform the task yourself by impersonating the client.

  1. When logged in to the portal, you will see a banner; click the “Learn More” button.
  2. You will be redirected to the Credentials tab under the Account Settings page, then click the “Migrate Now” button.
  3. Click the “Yes, Continue” button on the confirmation popup.
  4. Select the correct Organization’s email. 
  5. Click the “Continue” button.
  6. You will need to complete the device authorization process. When the process is completed, you can close the window.
  7. Back in the portal, click the “Verify & Continue” button.
  8. When successful, the system will list all of the M365 accounts on this tenant, with an additional banner indicating that the migration to use Service Principal Authentication is successful.
  9. We advise you to remove the previous backup admin email and app ID. Go to the Azure AD portal to remove this information.
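
After step 9, a read-only check can confirm that the pre-migration identities are really gone. This is an added example using the Microsoft Graph PowerShell module, not code from the vendor; the UPN and app ID are placeholders, and it assumes the previous backup admin held the Global Administrator role, as the removed "global admin creation" step implies.

```powershell
# Added example: read-only audit for leftovers of the pre-migration backup setup.
# Requires the Microsoft.Graph PowerShell module. Both values are placeholders;
# substitute the old backup admin UPN and app ID recorded for your tenant.
$LegacyAdminUpn = 'old-backup-admin@contoso.example'      # placeholder
$LegacyAppId    = '00000000-0000-0000-0000-000000000000'  # placeholder

# Well-known role template ID for Global Administrator.
$GlobalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'

Connect-MgGraph -Scopes 'User.Read.All', 'Application.Read.All', 'RoleManagement.Read.Directory'

$findings = @()

# 1. Is the old backup admin account still present?
$user = Get-MgUser -Filter "userPrincipalName eq '$LegacyAdminUpn'"
if ($user) {
    $findings += "User $LegacyAdminUpn still exists (object id $($user.Id))."

    # 2. Does it still hold Global Administrator? (assumed legacy privilege)
    $role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$GlobalAdminTemplateId'"
    if ($role) {
        $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
        if ($members.Id -contains $user.Id) {
            $findings += "User $LegacyAdminUpn is still a Global Administrator."
        }
    }
}

# 3. Is the old app registration still present?
$app = Get-MgApplication -Filter "appId eq '$LegacyAppId'"
if ($app) { $findings += "App registration '$($app.DisplayName)' still exists." }

# 4. Is its service principal still present, and what is it still granted?
$sp = Get-MgServicePrincipal -Filter "appId eq '$LegacyAppId'"
if ($sp) {
    $grants = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All)
    $findings += "Service principal '$($sp.DisplayName)' still exists with $($grants.Count) application permission grant(s)."
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'No legacy backup admin or app found in this tenant.'
}
```

The script only reads directory data. Any warning it prints points at an object that step 9 asks you to remove in the Azure AD portal.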
