Service Principal Authentication FAQ


How long does it take to create a custom role? 

It will depend on the situation on Microsoft’s side. It varies from a couple of minutes up to 3 days. 

 

Does SPA require a Global Admin?

Yes, a Global Admin is required during the setup of SPA. Additionally, the scenarios below will continue to require a Global Admin within the tenant:

Backup Module:

  • Public Folder Backup.
  • Public Folder Restore.

PowerShell Module:

  • Creating a subapp during the initial setup and recreating it when the subapp is invalid.

 

Let’s say I choose to use automated custom role creation, and I find that creating the role takes some time to complete, so I want to switch to running the script manually to create the role. Will it make the custom role creation faster? 

It’s not a guarantee that switching to a manual role will make the custom role creation faster, as it depends on what’s happening on Microsoft’s side. 

 

What will happen to tenants when custom role creation is still pending? 

We expect them to wait up to 24 hours. Every day, we’re going to retry the process, and if it still fails, we’ll send a notification email and ask them to contact our support. 

 

What tenant protocols need to be available? 

We use the ‘Exchange Online PowerShell V3 Module’ to connect to the client’s tenant. 

 

After partners are successfully authorized with the service principal permissions, what should they do next?

We advise you to remove the backupadmin from your account after verifying your new authorization with the service principal.  

 

I've successfully migrated to Service Principal Authentication and received the prompt that I can clean up the backupadmin and the app registration in Azure AD. Why are other app registrations still listed?

Once you have migrated from the legacy method to Service Principal Authentication, the backup admin and its associated app registration can be deleted. However, SPA requires that the remaining sub-apps are not deleted.

 

After we migrated to Service Principal Authentication, we learned Service Principal Authentication does not support Groups and Teams' calendar backup or Groups and Teams Mailbox with attachments. Can we revert to the legacy method?

Yes, please reach out to support@dropsuite.com to request this reversal. Note: Once this is completed, reauthentication with the backupadmin will be required.

 

After switching from the legacy method to Service Principal Authentication, will I still have to periodically re-authenticate?

No, since we no longer hold tokens for the backupadmin, there should not be any re-authentication required. The only time a re-authentication could be required is if the tokens for the main app of the organization are revoked.

 

What is needed to set up or migrate to Service Principal Authentication?

The admin that is being used for authorization must have access to the Enable-OrganizationCustomization cmdlet (needed for custom role creation) before authorizing the ExO app. Remote PowerShell must be enabled for the user who is authorizing the ExO app. The tenant must have an Exchange license to migrate to the Service Principal Authentication (SPA) flow; otherwise, the custom role cannot be created.
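The prerequisites above can be checked before starting the migration. The following is an added example (not Dropsuite's own code) using the Exchange Online PowerShell V3 module mentioned earlier in this FAQ; it assumes $AdminUpn is the Global Admin account that will authorize the ExO app, and the mailbox check in step 3 is only a rough proxy for the Exchange license requirement.

```powershell
# Added example, not part of the Dropsuite product: verify the SPA prerequisites
# listed in this FAQ. Assumption: $AdminUpn is the Global Admin who will authorize
# the ExO app.
param([Parameter(Mandatory)][string]$AdminUpn)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

# 1. Custom role creation needs organization customization. IsDehydrated = True
#    means Enable-OrganizationCustomization has not been run for this tenant yet.
$Org = Get-OrganizationConfig
if ($Org.IsDehydrated) {
    Write-Warning 'Organization is dehydrated: run Enable-OrganizationCustomization before authorizing the ExO app.'
} else {
    'Organization customization is already enabled.'
}

# 2. The authorizing admin must have Remote PowerShell enabled.
$User = Get-User -Identity $AdminUpn
if (-not $User.RemotePowerShellEnabled) {
    Write-Warning "$AdminUpn has RemotePowerShellEnabled = False; enable it with: Set-User -Identity $AdminUpn -RemotePowerShellEnabled `$true"
} else {
    "$AdminUpn has Remote PowerShell enabled."
}

# 3. Rough proxy for the Exchange license requirement (assumption, not a licence
#    query): an admin without an Exchange Online mailbox usually indicates an
#    unlicensed tenant, in which case the custom role cannot be created.
if (Get-EXOMailbox -Identity $AdminUpn -ErrorAction SilentlyContinue) {
    "$AdminUpn has an Exchange Online mailbox."
} else {
    Write-Warning "$AdminUpn has no Exchange Online mailbox; confirm the tenant holds an Exchange license."
}

Disconnect-ExchangeOnline -Confirm:$false
```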

 

My Custom Role Status shows "Disconnected," what do I do?

Please reach out to support@dropsuite.com if you are seeing this in your organization.

 

I am seeing a credential error after migrating to SPA, how do I resolve this?

To resolve the credential error that presents after migrating to SPA, use any global admin within the M365 tenant to re-authenticate. Since SPA doesn't hold tokens for the backup admin, this should be the only re-authentication that has to be completed.

 

What are the Roles/Scopes required for SPA?

Permission                        Type         Purpose
--------------------------------  -----------  ----------------------------------------------------------------
Application.ReadWrite.All         Delegated    Create and delete sub-applications used for backup and restore
AppRoleAssignment.ReadWrite.All   Delegated    Grant administrative consent for sub-applications
Calendars.ReadWrite               Application  Calendar backup and restore
ChannelMessage.Read.All           Application  Teams chat backup and restore
Chat.Read.All                     Application  Teams chat backup and restore
Contacts.ReadWrite                Application  Contact backup and restore
Domain.Read.All                   Delegated    List the available domains in the tenant
Files.ReadWrite.All               Application  File backup and restore
Group.ReadWrite.All               Application  Group and Teams backup and restore
Mail.ReadBasic.All                Application  Email backup and restore
Notes.ReadWrite.All               Application  Notes backup and restore
offline_access                    Delegated    Renew refresh token for ORG admin
Reports.Read.All                  Application
RoleManagement.Read.Directory     Application  Retrieve the list of users and administrators in the organization
Sites.Manage.All                  Application  Sites backup and restore
Sites.ReadWrite.All               Application  Sites backup and restore
Teamwork.Migrate.All              Application  Teams Chat restore
User.Read.All                     Application  Lists users
User.ReadWrite.All                Delegated
 
