Service Principal Authentication FAQ


How long does it take to create a custom role? 

It depends on what is happening on Microsoft's side. In practice it varies from a couple of minutes up to 3 days.


Does SPA require a Global Admin?

Yes. A Global Admin is required during the setup of SPA. Additionally, the scenarios below continue to require a Global Admin within the tenant:

Backup Module:

  • Public Folder Backup.
  • Public Folder Restore.
  • Shared Mailbox Restore of Groups.

PowerShell Module:

  • Creating a sub-app during the initial setup, and recreating it when the sub-app is invalid.


Let’s say I choose automated custom role creation and find that creating the role takes some time to complete, so I want to switch to running the script manually to create the role. Will that make the custom role creation faster?

Not necessarily. Switching to manual role creation is no guarantee of a faster result, because the delay is on Microsoft’s side (see the first question above), not in how the role creation request is submitted.


What will happen to tenants whose custom role creation is still pending?

We expect them to wait up to 24 hours. We retry the process every day; if it still fails, we send a notification email asking them to contact our support.


What tenant protocols need to be available? 

We connect to the client’s tenant with the Exchange Online PowerShell V3 module (ExchangeOnlineManagement). The V3 module uses REST-based cmdlets, so the tenant does not need Basic authentication or WinRM-based remote PowerShell enabled for this connection.


After partners are successfully authorized with the service principal permissions, what should they do next?

Verify that backups run under the new service principal authorization, and only then remove the backupadmin account from your tenant.


I've successfully migrated to Service Principal Authentication and received the prompt that I can clean up the backupadmin and the app registration in Azure AD. Why are other app registrations still listed?

Once you have migrated from the legacy method to Service Principal Authentication, the backupadmin account and its associated app registration can be deleted. The remaining sub-app registrations must not be deleted: SPA still requires them.
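The cleanup described in the two answers above (remove the backupadmin and its legacy app registration, keep every sub-app) is easy to get wrong when several registrations carry similar names. The following PowerShell script is an added example, not code from this article or from the backup product; it uses the Microsoft Graph PowerShell SDK, identifies the legacy app by object ID rather than display name, and is a dry run unless you pass -Commit. The UPN and object ID are placeholders you must replace with values from your own tenant.

```powershell
# Added example (not from the original article). Guarded post-migration cleanup:
# removes the legacy backupadmin account and ONLY the legacy app registration,
# and leaves every other (sub-app) registration untouched.
# Requires the Microsoft.Graph.Users and Microsoft.Graph.Applications modules.
# All names/IDs below are placeholders; verify them in the Entra admin center first.

param(
    [Parameter(Mandatory)] [string] $BackupAdminUpn,     # e.g. backupadmin@contoso.onmicrosoft.com (placeholder)
    [Parameter(Mandatory)] [string] $LegacyAppObjectId,  # object ID (not app/client ID) of the legacy app registration
    [switch] $Commit                                     # without -Commit the script only reports what it would do
)

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Application.ReadWrite.All' -NoWelcome

# 1. Inventory every app registration so the sub-apps that must survive are visible.
$apps = Get-MgApplication -All
"App registrations in tenant: $($apps.Count)"
$apps | Select-Object DisplayName, AppId, Id | Format-Table -AutoSize

# 2. Resolve the legacy app by object ID. Display names are not unique, so never match on them.
$legacy = $apps | Where-Object Id -eq $LegacyAppObjectId
if (-not $legacy) { throw "No app registration with object ID $LegacyAppObjectId; nothing removed." }

# 3. Resolve the backupadmin account.
$admin = Get-MgUser -Filter "userPrincipalName eq '$BackupAdminUpn'" -ErrorAction Stop
if (-not $admin) { throw "User $BackupAdminUpn not found; nothing removed." }

# 4. Report what would change, then act only when explicitly asked to.
"Would remove user:             $($admin.UserPrincipalName) ($($admin.Id))"
"Would remove app registration: $($legacy.DisplayName) ($($legacy.Id))"
"Sub-app registrations left untouched: $(@($apps | Where-Object Id -ne $legacy.Id).Count)"

if ($Commit) {
    Remove-MgApplication -ApplicationId $legacy.Id -Confirm:$false
    Remove-MgUser -UserId $admin.Id -Confirm:$false
    "Removed. Run a backup under SPA again before closing the change."
} else {
    "Dry run only; re-run with -Commit to apply."
}

Disconnect-MgGraph | Out-Null
```

Run it first without -Commit and compare the "left untouched" count with the number of sub-apps the backup service created; if the numbers disagree, stop and check the object ID before committing.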


After migrating to Service Principal Authentication, we learned that SPA does not support Groups and Teams calendar backup, or Groups and Teams mailbox backup with attachments. Can we revert to the legacy method?

Yes, please reach out to our support to request this reversal. Note: once the reversal is completed, re-authentication with the backupadmin will be required.


After switching from the legacy method to Service Principal Authentication, will I still have to periodically re-authenticate?

No. Because we no longer hold tokens for the backupadmin, no periodic re-authentication is required. The only time re-authentication could be required is if the tokens for the organization’s main app are revoked.


What is needed to set up or migrate to Service Principal Authentication?

The admin used for authorization must be able to run the Enable-OrganizationCustomization cmdlet (needed for custom role creation) before authorizing the ExO app, and remote PowerShell must be enabled for that admin. The tenant must also hold an Exchange Online license to migrate to the Service Principal Authentication (SPA) flow; without one, the custom role cannot be created.
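The prerequisites above (Exchange Online PowerShell V3 connectivity, Enable-OrganizationCustomization, remote PowerShell for the authorizing admin, an Exchange license, and a custom role that may still be pending) can all be checked from one PowerShell session before you click "authorize". The script below is an added example, not code from this article or from the backup product; it assumes the ExchangeOnlineManagement module is installed, and the admin UPN and the custom role name are placeholders (the article does not name the role).

```powershell
# Added example (not from the original article): pre-flight checks for the SPA prerequisites.
# Assumes the Exchange Online PowerShell V3 module (ExchangeOnlineManagement) is installed
# and that you sign in as the admin who will authorize the ExO app.
# $AdminUpn and $CustomRoleName are placeholders; substitute your own values.

#Requires -Modules ExchangeOnlineManagement

param(
    [Parameter(Mandatory)] [string] $AdminUpn,       # e.g. admin@contoso.onmicrosoft.com (placeholder)
    [string] $CustomRoleName = 'BackupServiceRole'   # assumed name; the article does not name the role
)

# 1. Connect with the V3 module (REST-based; no Basic auth / WinRM dependency).
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

# 2. A "dehydrated" tenant rejects custom role creation until Enable-OrganizationCustomization
#    has been run once. The cmdlet is one-time and irreversible, and can take a while to apply.
$org = Get-OrganizationConfig
if ($org.IsDehydrated) {
    Write-Warning 'Tenant is dehydrated; running Enable-OrganizationCustomization (one-time, irreversible).'
    Enable-OrganizationCustomization
} else {
    'Organization customization is already enabled.'
}

# 3. Does the authorizing admin have remote PowerShell (newer tenants: EXO module access) enabled?
$user = Get-User -Identity $AdminUpn -ErrorAction Stop
$psEnabled = if ($null -ne $user.EXOModuleEnabled) { $user.EXOModuleEnabled } else { $user.RemotePowerShellEnabled }
if (-not $psEnabled) {
    Write-Warning "$AdminUpn cannot use Exchange Online PowerShell; enable it with Set-User before authorizing."
}

# 4. Exchange license check: the authorizing admin should have an Exchange Online mailbox.
if (-not (Get-Mailbox -Identity $AdminUpn -ErrorAction SilentlyContinue)) {
    Write-Warning "$AdminUpn has no Exchange Online mailbox; confirm the tenant holds an Exchange license."
}

# 5. Can this admin create management roles? (Role Management role, directly or via a role group.)
$roleMgmt = Get-ManagementRoleAssignment -RoleAssignee $AdminUpn -Role 'Role Management' -ErrorAction SilentlyContinue
if (-not $roleMgmt) {
    Write-Warning "$AdminUpn holds no 'Role Management' assignment; custom role creation will fail."
}

# 6. Has the custom role been created yet? Pending creation is normal (see the FAQ above).
$role = Get-ManagementRole -Identity $CustomRoleName -ErrorAction SilentlyContinue
if ($role) {
    "Custom role '$CustomRoleName' exists (parent: $($role.Parent))."
} else {
    "Custom role '$CustomRoleName' not found yet; creation may still be pending on Microsoft's side."
}

Disconnect-ExchangeOnline -Confirm:$false
```

Step 2 is the only one that changes the tenant; everything else is read-only, so the script can be re-run daily while a role creation is pending to see whether the role has appeared.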


My Custom Role Status shows "Disconnected," what do I do?

Please reach out to our support if you are seeing this in your organization.


I am seeing a credential error after migrating to SPA. How do I resolve this?

To resolve a credential error that appears after migrating to SPA, re-authenticate using any Global Admin within the M365 tenant. Because SPA does not hold tokens for the backupadmin, this should be the only re-authentication that has to be completed.
