Service Principal Authentication FAQ


Topic

This article answers frequently-asked questions regarding service principal authentication in NinjaOne SaaS Backup.

Environment

NinjaOne SaaS Backup

Description

Service Principal Authentication (SPA) can be used to grant the backup service certain administrative functions without a dedicated account holding full backup-admin rights. Some features, such as Groups and Teams, are not supported. See the sections below for more details.

How long does it take to create a custom role? 

It will depend on the situation on Microsoft’s side. It varies from a couple of minutes up to 3 days. 

Does SPA require a Global Admin?

Yes, a Global Admin is required during the setup of SPA. Additionally, the scenarios below will continue to require a Global Admin within the tenant:

Backup Module:

  • Public Folder Backup.
  • Public Folder Restore.

PowerShell Module:

  • Creating a subapp during the initial setup and recreating it when the subapp is invalid.

Let’s say I choose to use automated custom role creation, and I find that creating the role takes some time to complete, so I want to switch to running the script manually to create the role. Will it make the custom role creation faster? 

There is no guarantee that switching to manual role creation will make the custom role creation faster, as the delay depends on what is happening on Microsoft’s side.

What will happen to tenants when custom role creation is still pending? 

We expect them to wait up to 24 hours. Every day, we’re going to retry the process, and if it still fails, we’ll send a notification email and ask them to contact our support. 

What tenant protocols need to be available? 

We use the ‘Exchange Online PowerShell V3 Module’ to connect to the client’s tenant. 

After partners are successfully authorized with the service principal permissions, what should they do next?

We advise you to remove the backupadmin from your account after verifying your new authorization with the service principal.  

I've successfully migrated to Service Principal Authentication and received the prompt that I can clean up the backupadmin and the app registration in Azure AD. Why are there other app registrations still listed?

Once you have migrated from the legacy method to Service Principal Authentication, the backup admin and its associated app registration can be deleted. However, SPA requires that the remaining sub-apps are not deleted.

After we migrated to Service Principal Authentication, we learned Service Principal Authentication does not support Groups and Teams' calendar backup or Groups and Teams Mailbox with attachments. Can we revert to the legacy method?

Yes, please reach out to support@dropsuite.com to request this reversal. Note: Once this is completed, reauthentication with the backupadmin will be required.

After switching from the legacy method to Service Principal Authentication, will I still have to periodically re-authenticate?

No, since we no longer hold tokens for the backupadmin, there should not be any re-authentication required. The only time a re-authentication could be required is if the tokens for the main app of the organization are revoked.

What is needed to set up or migrate to Service Principal Authentication?

The admin account used for authorization must have access to the Enable-OrganizationCustomization cmdlet (needed for custom role creation) before authorizing the ExO app. Remote PowerShell must be enabled for the user who is authorizing the ExO app. The tenant must have an Exchange license to migrate to the Service Principal Authentication (SPA) flow; otherwise, the custom role cannot be created.
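The following pre-flight script is an added example, not NinjaOne or Dropsuite code. It checks the three prerequisites above from the authorizing admin's session, using the Exchange Online PowerShell V3 module mentioned earlier and the Microsoft Graph PowerShell SDK for the license check; the admin UPN is a placeholder, and the Exchange service-plan match is a heuristic.

```powershell
# Added example: SPA prerequisite checks. Assumes the ExchangeOnlineManagement (V3)
# and Microsoft.Graph modules are installed. The UPN below is a placeholder.
$AuthorizingAdmin = 'admin@contoso.example'

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $AuthorizingAdmin -ShowBanner:$false

# 1. Custom role creation needs organization customization to be enabled.
#    IsDehydrated = $true means Enable-OrganizationCustomization has not been run yet.
$org = Get-OrganizationConfig
if ($org.IsDehydrated) {
    Write-Warning 'Organization customization is NOT enabled. Run Enable-OrganizationCustomization (one-time, irreversible) before authorizing the ExO app.'
} else {
    Write-Host 'OK: organization customization is enabled.'
}

# 2. Remote PowerShell must be enabled for the authorizing user.
$user = Get-User -Identity $AuthorizingAdmin
if (-not $user.RemotePowerShellEnabled) {
    Write-Warning "Remote PowerShell is disabled for $AuthorizingAdmin. Enable it with: Set-User -Identity $AuthorizingAdmin -RemotePowerShellEnabled `$true"
} else {
    Write-Host "OK: Remote PowerShell is enabled for $AuthorizingAdmin."
}

# 3. The tenant needs an Exchange license. Heuristic: look for a provisioned
#    Exchange Online service plan (EXCHANGE_S_*) in any subscribed SKU.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes 'Organization.Read.All' -NoWelcome
$exoPlans = Get-MgSubscribedSku |
    ForEach-Object { $_.ServicePlans } |
    Where-Object { $_.ServicePlanName -like 'EXCHANGE_S_*' -and $_.ProvisioningStatus -eq 'Success' }
if (-not $exoPlans) {
    Write-Warning 'No provisioned Exchange Online service plan found; the custom role cannot be created without an Exchange license.'
} else {
    Write-Host ("OK: Exchange plans present: " + (($exoPlans.ServicePlanName | Sort-Object -Unique) -join ', '))
}

Disconnect-ExchangeOnline -Confirm:$false
Disconnect-MgGraph | Out-Null
```

Run it before starting the SPA migration so that a missing prerequisite is caught on your side rather than surfacing later as a pending or failed custom role creation.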

My Custom Role Status shows "Disconnected," what do I do?

Contact support@dropsuite.com if you are seeing this in your organization.

I am seeing a credential error after migrating to SPA, how do I resolve this?

To resolve the credential error that presents after migrating to SPA, use any global admin within the M365 tenant to re-authenticate. Since SPA doesn't hold tokens for the backup admin, this should be the only re-authentication that has to be completed.

What are the Roles/Scopes required for SPA?

Permission                       Type         Purpose
Application.ReadWrite.All        Delegated    Create and delete sub-applications used for backup and restore
AppRoleAssignment.ReadWrite.All  Delegated    Grant administrative consent for sub-applications
Calendars.ReadWrite              Application  Calendar backup and restore
ChannelMessage.Read.All          Application  Teams chat backup and restore
Chat.Read.All                    Application  Teams chat backup and restore
Contacts.ReadWrite               Application  Contact backup and restore
Domain.Read.All                  Delegated    List the available domains in the tenant
Files.ReadWrite.All              Application  File backup and restore
Group.ReadWrite.All              Application  Group and Teams backup and restore
Mail.ReadBasic.All               Application  Email backup and restore
Notes.ReadWrite.All              Application  Notes backup and restore
offline_access                   Delegated    Renew refresh token for ORG admin
Reports.Read.All                 Application
RoleManagement.Read.Directory    Application  Retrieve the list of users and administrators in the organization
Sites.Manage.All                 Application  Sites backup and restore
Sites.ReadWrite.All              Application  Sites backup and restore
Teamwork.Migrate.All             Application  Teams Chat restore
User.Read.All                    Application  Lists users
User.ReadWrite.All               Delegated
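As an added example (not NinjaOne or Dropsuite code), the script below compares the Microsoft Graph permissions actually granted to the backup service principal in your tenant against the list above, so any extra scope beyond the documented set stands out during a least-privilege review. It assumes the Microsoft Graph PowerShell SDK is installed and that the service principal display name is a placeholder you replace with the one shown under Enterprise applications.

```powershell
# Added example: audit granted application and delegated permissions against the table above.
Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

$SpDisplayName = 'SaaS Backup main app'   # placeholder, replace with the real display name

# Permissions from the table, split by type.
$expectedAppRoles = @(
    'Calendars.ReadWrite','ChannelMessage.Read.All','Chat.Read.All','Contacts.ReadWrite',
    'Files.ReadWrite.All','Group.ReadWrite.All','Mail.ReadBasic.All','Notes.ReadWrite.All',
    'Reports.Read.All','RoleManagement.Read.Directory','Sites.Manage.All','Sites.ReadWrite.All',
    'Teamwork.Migrate.All','User.Read.All'
)
$expectedDelegated = @(
    'Application.ReadWrite.All','AppRoleAssignment.ReadWrite.All','Domain.Read.All',
    'offline_access','User.ReadWrite.All'
)

$sp = Get-MgServicePrincipal -Filter "displayName eq '$SpDisplayName'"
if (-not $sp) { throw "Service principal '$SpDisplayName' not found in this tenant." }

# Microsoft Graph's own service principal (well-known appId) defines the app roles,
# which lets us resolve assigned AppRoleId GUIDs back to permission names.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleNames = @{}
foreach ($r in $graphSp.AppRoles) { $roleNames[$r.Id] = $r.Value }

# Application permissions = app role assignments against the Graph resource.
$grantedAppRoles = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object { $roleNames[$_.AppRoleId] }

# Delegated permissions = OAuth2 permission grants (space-separated Scope string).
$grantedDelegated = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object { $_.Scope -split ' ' } | Where-Object { $_ } | Sort-Object -Unique

$unexpected = @($grantedAppRoles | Where-Object { $_ -notin $expectedAppRoles }) +
              @($grantedDelegated | Where-Object { $_ -notin $expectedDelegated })
$missing    = @($expectedAppRoles | Where-Object { $_ -notin $grantedAppRoles }) +
              @($expectedDelegated | Where-Object { $_ -notin $grantedDelegated })

Write-Host "Unexpected (granted but not documented): $($unexpected -join ', ')"
Write-Host "Missing (documented but not granted):    $($missing -join ', ')"
Disconnect-MgGraph | Out-Null
```

Delegated scopes listed as "missing" may simply not have been consented for every user; application roles listed as "unexpected" deserve a closer look, since they apply tenant-wide regardless of which admin authorized the app.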
