Service Principal Authentication FAQ

Anne O'Connor

How long does it take to create a custom role? 

It will depend on the situation on Microsoft’s side. It varies from a couple of minutes up to 24 hours. 


Let’s say I choose to use automated custom role creation, and I find that creating the role takes some time to complete, so I want to switch to running the script manually to create the role. Will it make the custom role creation faster? 

Switching to running the script manually is not guaranteed to make custom role creation faster, as it depends on what’s happening on Microsoft’s side.


What will happen to tenants when custom role creation is still pending? 

Tenants should expect to wait up to 24 hours. We retry the process every day, and if it still fails, we send a notification email asking them to contact our support.


What tenant protocols need to be available? 

We use the ‘Exchange Online PowerShell V3 Module’ to connect to the client’s tenant. 


After partners are successfully authorized with the service principal permissions, what should they do next?

We advise you to remove the global admin from your account after verifying your new authorization with the service principal.  


I've successfully migrated to Service Principal Authentication and received the prompt that I can clean up the backupadmin and the app registration in Azure AD. Why are there other app registrations still listed?

Once you have migrated from the legacy method to Service Principal Authentication, the backup admin and its associated app registration can be deleted. However, SPA requires that the remaining sub-apps not be deleted.


After we migrated to Service Principal Authentication, we learned Service Principal Authentication does not support Groups and Teams' calendar backup or Groups and Teams Mailbox with attachments. Can we revert to the legacy method?

Yes, please reach out to to request this reversal. Note: Once this is completed, reauthentication with the backupadmin will be required.


After switching from the legacy method to Service Principal Authentication, will I still have to periodically re-authenticate?

No, since we no longer hold tokens for the backupadmin, there should not be any re-authentication required. The only time a re-authentication could be required is if the tokens for the main app of the organization are revoked.


What is needed to set up or migrate to Service Principal Authentication?

The admin used for authorization must have access to the Enable-OrganizationCustomization cmdlet for custom role creation before authorizing the ExO app. Remote PowerShell should be enabled for the user who is authorizing the ExO app. The tenant should have an Exchange license to migrate to the Service Principal Authentication (SPA) flow; otherwise, the custom role cannot be created.
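
A read-only pre-flight check for the first two prerequisites above, added here as an example; it is not the vendor's role-creation script. It assumes the ExchangeOnlineManagement (V3) module is installed and that you sign in as the admin who will authorize the ExO app ($AdminUpn is a placeholder). The Exchange license prerequisite is not checked.

```powershell
# Added example, not the vendor's script. Read-only: changes nothing in the tenant.
# Assumption: run while signed in as the admin who will authorize the ExO app.
param(
    [Parameter(Mandatory)]
    [string]$AdminUpn   # placeholder, e.g. admin@contoso.example
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

try {
    # The session only exposes cmdlets granted by the signed-in admin's roles,
    # so a missing command means this admin has no access to it.
    $hasCmdlet = [bool](Get-Command -Name Enable-OrganizationCustomization `
                                    -ErrorAction SilentlyContinue)

    # Remote PowerShell flag on the authorizing user.
    $remotePs = [bool](Get-User -Identity $AdminUpn).RemotePowerShellEnabled

    # IsDehydrated is True while organization customization has not been
    # enabled yet in the tenant.
    $dehydrated = [bool](Get-OrganizationConfig).IsDehydrated

    [pscustomobject]@{
        Admin                           = $AdminUpn
        HasEnableOrgCustomizationCmdlet = $hasCmdlet
        RemotePowerShellEnabled         = $remotePs
        OrganizationIsDehydrated        = $dehydrated
        PrerequisitesMet                = ($hasCmdlet -and $remotePs)
    }

    if (-not $hasCmdlet) {
        Write-Warning "Admin cannot see Enable-OrganizationCustomization; check role assignments."
    }
    if (-not $remotePs) {
        Write-Warning "Remote PowerShell is disabled for $AdminUpn."
    }
}
finally {
    # Always close the session, even if a check throws.
    Disconnect-ExchangeOnline -Confirm:$false
}
```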

