Service Principal Authentication for New and Existing Clients

Kaitlyn Johnson
Kaitlyn Johnson
  • Updated

Service Principal Authentication in our End-User Portal aims to minimize the potential damage caused by accidental or intentional security breaches. It restricts data access rights to the minimum levels required to perform their tasks. This improvement is a simpler process that removes the need for global admin creation and automates the custom role creation. Please note Service Principal Authentication does not support Groups & Teams’ calendar backup or Groups & Teams Mailbox with attachments at this time.

Prerequisites for Service Principal Authentication

  • For users who will authorize the Exchange Online Management App, PowerShell must be enabled
  • An Exchange Online License and email backups are required
    • Organizations that backup only SharePoint and Groups are unable to use Service Principal Authentication
  • SPA requires users to authorize the Exchange Online Management App by using a role that has access to required cmdlets in PowerShell
    • Global Admin can be used
      • If Global Admin is not used, a custom role can be created that has access to the required cmdlets
      • The Global Admin is used once and standing access will not remain with Dropsuite once the authorization process is complete
  • The required PowerShell cmdlets are:
    • Enable-OrganizationCustomization
    • Get-RoleGroup
    • New-RoleGroup
    • Get-ManagementRole
    • New-ManagementRole
    • New-ManagementRoleAssignment
    • Get-ServicePrincipal
    • New-ServicePrincipal
    • Get-RoleGroupMember
    • Add-RoleGroupMember

Please note that with SPA, Dropsuite will still use the Global Admin within the tenant (Not the backup admin that is created for our legacy connection method) for the following scenarios.  This Global Admin will need to have an exchange license in order to properly access these.  In the case of public folders, it should also be an owner of the folders.

Backup Module:

  • Public Folder Backup.
  • Public Folder Restore.
  • Shared Mailbox Restore of Groups.

PowerShell Module:

  • Creating a subapp during the initial setup and recreating it if the subapp becomes invalid.

Adding M365 Backup with Service Principal Authentication for New Clients

As a partner, you can instruct your clients on adding M365 backup with Service Principal Authentication authorization by providing them with these steps, or you can perform the task by yourself by impersonating the client.

  1. Sign in to the End-User Portal 
  2. Click the “+ Add Backup” button on the Dashboard page.
  3. Click the “Sign in with Microsoft 365” button. 
  4. You will see 2 options. Select the second option, “Authorize with Least Privilege Permissions,” for authorization and input the M365 admin account accordingly. 
  5. Scroll down the page and click the “Accept” button.
  6. Once the consent is granted, the user will be redirected to the M365 AUTHORIZATION page. There are 2 steps in total: 
    1. Step 1: Create Backup Application, we are creating sub-applications in the user's tenant. It may take a few seconds to complete. 
    2. In step 2: Device Authorization, click the available link. The system will redirect you to the new Microsoft window, copy and paste the code from the portal, then click the “Next” button. Select the correct email admin. Click the “Continue” button. 
  7. Go back to the End-User Portal and click the “Verify & Continue” button to finish.
  8. Once it is successful, the system will list all of the M365 accounts on this tenant. Please wait until custom role creation is successfully connected. It may take up to 24 hours. During this time, the Public Folder is restored, and Journaling (for the Archiver plan) is stopped. You can monitor the status on the Account Settings page under the Credentials tab.

Learn More

Migrating Service Principal Authentication for Existing Clients

As a partner, you can instruct your clients on adding M365 backup with Service Principal Authentication authorization by providing them with these steps, or you can perform the task by yourself by impersonating the client.

  1. When logged into the portal, you see a banner; click the “Learn More” button.
  2. You will be redirected to the Credentials tab under the Account Settings page, then click the “Migrate Now” button.
  3. Click the “Yes, Continue” button on the confirmation popup.
  4. Select the correct Organization’s email. 
  5. Click the “Continue” button.
  6. You will need to complete the device authorization process. When the process is completed, you can close the window.
  7. Back to the portal, click the “Verify & Continue” button.
  8. When successful, the system will list all of the M365 accounts on this tenant, with an additional banner indicating that the migration to use Service Principal Authentication is successful.
  9. We advise you to remove the previous backup admin email and app id in the Azure AD portal. Go to the Azure AD portal to remove this information. 

Learn More

Was this article helpful?

0 out of 1 found this helpful