Question

Replace 'global administrator' account in Commvault Plan configuration for exchange online, onedrive, teamss

  • 19 September 2023
  • 5 replies
  • 153 views

Userlevel 1
Badge +5

Hello Team. I have CV data protection configured for Exchange Online, OneDrive and Teams. It’s been running successfully for some time. The customer wants azure ‘global administrator’ account to be substituted in the CV configuration for a different account (with less capabilities). CV documentation states that after the initial configuration ‘global administrator’ can be substituted but it does not specify with what account (and type) it can be substituted with. 

Thanks!


5 replies

Userlevel 2
Badge +6

@mzator
if you would like to replace the global admin account with reduced permission 
then each O365 app has its own requirement 

  • Sharepoint online app minimum required would be sharepoint administrator
  • Teams app requires teams administrator
  • Exchange app requires exchange amdministrator
  • Onedrive for business app requires onedrive administrator

Global admin account is mainly leverage for creation of appid  and verfication of same inital configuraiton
few of the O365 apps uses azure appid only for discovery and backup purpose too
some reference in documentation (sharing for one app)
https://documentation.commvault.com/v11/essential/134726_give_azure_service_account_access_to_sharepoint_online_sites_in_basic_authentication_environment.html

The Office 365 with SharePoint (SharePoint Online) administrator account must have the following service accounts configured:

A SharePoint Online service account, which must meet the following requirements:

Must have either the SharePoint administrator role or the global administrator role assigned so that the SharePoint administrator or the global administrator can discover and back up the sites. For more information, see Assign admin roles in Office 365 in the Microsoft documentation.
 

Userlevel 1
Badge +5

Hi thank you for the response. Does there need to be a unique account for each role or can we assign all these rights to the one account ? Are the accounts in question specific to an O365 application (e.g. exchange online, onedrive, teams)?

Userlevel 6
Badge +14

@mzator No you could use one account for all apps. If its global admin it should have all required rights.

Userlevel 1
Badge +5

The desire is to replace Global Administrator now that the configuration is complete and data protection operations are running. 

With sunjay’s response in mind, can a sole account that is not (has lower capability) Global Administrator be used for exchange online, onedrive and teams  (can 1 account of elevated capability be used for all 3 ) ?

“For the account security do we need to have a unique account for each role or can we assign all these rights to the one account?”

 

Userlevel 1
Badge +5

I need to know what the required rights are. How do I determine that ?

Reply