Solved

MS365 Backup


Userlevel 4
Badge +7

Hello, is it possible to set different service accounts for MS365 backup and give only the needed permissions to these dedicated users in the MS365 admin center? If yes, can someone share some information about it? I was looking in the documentation but I don't find anything.
Maybe there is some documentation from Commvault and/or Microsoft available?

Or should it be run over modern authentication to not have these issues?

Many thanks and best regards

Philipp


Best answer by Manas Mutha 14 January 2021, 14:46


12 replies

Userlevel 1
Badge +1

Philipp,

Service accounts do not have the ability to be designated towards specific users at this time. Our teams write the code around the idea that the service accounts have "god" access as far as the backups/restores go, to allow for multiple facets of data management.

The mailbox agent also has the ability to leverage these accounts in tandem in order to get around throughput/throttling issues on the O365 end, so we wouldn't have any way of rotating them during one job if they were dedicated towards specific users. Modern authentication is built around the same concepts; there wouldn't be any difference there.

The only logistical way I could see this happening would be to architect it from the O365 side, where certain users are in certain tenants, and you would have separate service accounts for specific tenants.

Hope this helps,

Userlevel 4
Badge +7

Hello, 

Many thanks for your reply. It is not completely clear to me: that means the god-mode admin (global admin) creates the service accounts and afterwards I can disable this user? The question is related to security thinking, so in a hack of this user, is it only able to log in to Exchange, for example, and not to Teams, SharePoint and OneDrive? Or am I thinking wrong here, maybe?

Cheers

Userlevel 1
Badge +1

Philipp,

To clarify, there are two accounts in the equation when setting up Exchange backups via Command Center in an Azure AD setup. (Hybrid and on-premise are a little different.)

  1. The global admin account that is used only when creating the Azure apps, in order to create the applications needed for the backup. As the global account is "god" over the entire tenant, we can issue commands to assign all required permissions to the apps, to cover mailboxes. Add an App for Exchange Online Using the Express Configuration Option (commvault.com) This was done to avoid the need for tedious creation of applications manually, where they were generally created incorrectly. In theory, if you are not actively in the process of adding Azure apps, we have no reason to have this account in the equation. This account is also NOT cached anywhere in CV.
  2. The other account needed is the Exchange Online service account, which needs to actually have a mailbox: Providing Service Accounts Access to Mailboxes Exchange Online (commvault.com) This account is "god" over Exchange, as compared to the entire tenant. THIS account will be used actively. This account wouldn't have the ability to get into SharePoint or OneDrive unless you gave it that level of access for some reason.
  3. Neither of these are able to be set up in a way where they can select specific mailboxes based on security. The Azure apps are rotated dynamically through all jobs, so there's no way to implement some to some mailboxes, and some to others. We do this to avoid MSFT throttling. The Exchange Online admin is the same concept.

-Daniel

Userlevel 4
Badge +7

Thanks, it is now a little bit clearer.

Userlevel 4
Badge +7

But I can also use the god admin, or am I wrong? So the global admin.

Userlevel 1
Badge +2

Using modern authentication is much safer than using basic authentication.

If you use basic authentication, you can create service accounts per application in Office 365. Rather, it is recommended to use different sets of service accounts for each application. The links below provide info on how to create a service account for each application.

https://documentation.commvault.com/11.22/essential/93799_providing_service_accounts_access_to_mailboxes_in_exchange_online_through_azure_active_directory_01.html

https://documentation.commvault.com/commvault/v11_sp20/article?p=18078_1.htm

Userlevel 4
Badge +7

OK, got it. And in this command I have to change username1 and username2 to a correct name, correct? And I should take the complete name, for example service.exchange.1@onmicrosoft.com, right?

New-RoleGroup -Name "ExchangeOnlineBackupRoleGroup" -Roles "ApplicationImpersonation", "View-Only Recipients" -Members serviceaccount1,serviceaccount2

Userlevel 1
Badge +2

Yes.
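As an added example (not code from the thread or from Commvault's documentation), this is the same New-RoleGroup command with full UPNs in place of the placeholder member names, followed by two checks a defender would want: that the role group contains exactly the intended accounts, and that it carries only the two Exchange roles granted above, which is what keeps the service accounts "Exchange only" as described earlier in the thread. It assumes the ExchangeOnlineManagement module is installed and that the session is opened with an account allowed to manage role groups; the UPNs and the tenant name are constructed placeholders.

```powershell
# Added example, not from the thread or Commvault docs.
# Requires the ExchangeOnlineManagement module (Connect-ExchangeOnline).
# UPNs below are constructed placeholders; replace them with your own accounts.
Connect-ExchangeOnline

$roleGroup = "ExchangeOnlineBackupRoleGroup"
$members   = @(
    "service.exchange.1@contoso.onmicrosoft.com",   # constructed placeholder
    "service.exchange.2@contoso.onmicrosoft.com"    # constructed placeholder
)

# Same command as in the thread, with full UPNs instead of serviceaccount1/2
New-RoleGroup -Name $roleGroup `
    -Roles "ApplicationImpersonation", "View-Only Recipients" `
    -Members $members

# Check 1: the role group holds exactly the intended accounts, nothing more.
# Any line in the output marks an account that is missing (<=) or unexpected (=>).
$actual = Get-RoleGroupMember -Identity $roleGroup |
    Select-Object -ExpandProperty PrimarySmtpAddress |
    ForEach-Object { "$_" }
Compare-Object -ReferenceObject $members -DifferenceObject $actual

# Check 2: the role group carries only the two roles granted above.
# Anything beyond ApplicationImpersonation and View-Only Recipients widens
# what a compromised service account could do inside Exchange.
Get-ManagementRoleAssignment -RoleAssignee $roleGroup |
    Select-Object Role, RoleAssigneeType, RoleAssigneeName
```

Both checks read back what Exchange Online actually stored rather than trusting that the creation command did what was intended, which is the habit worth keeping for any account that backups depend on. Repeating them after a Commvault upgrade or a tenant change catches drift in the permissions early.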

Userlevel 4
Badge +7

Thanks, sorry to ask these questions, but it is a completely new topic, as you may know and understand.

Userlevel 7
Badge +18

Thanks, sorry to ask these questions, but it is a completely new topic, as you may know and understand.

This is exactly what this community is for, keep asking :smiley:

Userlevel 4
Badge +7

How can you guys answer and take over the original message in the conversation? I am looking for it but I don't find it :smiley:

Userlevel 1
Badge +2

For the original question, are you looking for a way to create service accounts for a particular group of users rather than the entire organization?

Is that what you are looking for?

If not can you please explain that question again?
