Manage Microsoft 365 Service Account Profiles

The services that support the Microsoft 365 service account authentication method are listed below:

- Cense
- Classic DocAve Backup
- Cloud Archiving
- Cloud Backup for Dynamics 365
- Cloud Backup for IaaS + PaaS
- Cloud Backup for Microsoft 365
- Cloud Governance
- Cloud Management
- EnPower
- Fly
- Opus
- Policies for Microsoft 365
- AvePoint Portal Manager

*Note: The AvePoint Online Services common service option is only supported for service providers to create service account profiles.

The Tenant Owner and Service Administrators can manage service account profiles by navigating to Management > Service account. On the Service account page, you can perform the following actions:

- **Create** – Click **Create**. Then, refer to the instructions in [Create a Service Account Profile](#missing-link).
- **Edit** – Select a service account profile and click **Edit**. To view details of a service account profile, click the link in the **Profile name** column. When you view the details of a service account profile, you can also click **Edit** to edit its details.

  *Note: If your organization uses multi-factor authentication (MFA) in Microsoft 365 and has configured MFA service account profiles in the AOS classic UI (before the June 2023 release), you can edit MFA service account profiles by referring to the instructions in the appendix: [What Should I Do If My Organization Uses Multi-Factor Authentication (MFA) in Microsoft 365?](#missing-link)
- **Delete** – Select one or more service account profiles and click **Delete**. A pop-up window appears asking for your confirmation. Click **Confirm** to confirm the deletion.

*Note: If your organization has configured service account pools in the AOS classic UI (before the June 2023 release), you can manage these settings by referring to the instructions in the appendix: Manage Account Pool (Obsolete).

Create a Service Account Profile

To create a service account profile, click Create. Then, configure the following settings in the Create service account profile pane.

*Note: If you have configured service account profiles in the classic UI, these service account profiles can still be used to scan objects and invite users in the new UI.

  1. Profile name – Enter a name for the service account profile.

  2. Description – Enter an optional description.

  3. Select tenant – Select a tenant from the drop-down list.

  4. Select service – Select at least one service from the drop-down list.

  5. Username – Specify an account with the permissions required by your tenant’s cloud services. The permissions of the Microsoft 365 service account vary with the different cloud services your tenant is using. Refer to the Required Permissions of Cloud Services section below for more information.

    Note the following:

    • AvePoint does not recommend that a personal active user account be used as the service account. We recommend you use a separate service account to manage all administration.

    • If you run a scan profile to scan SharePoint sites / Microsoft 365 Groups, the specified service account will be automatically added as one of the Term Store Administrators.

    • The specified Microsoft 365 account cannot have multi-factor authentication (MFA) enabled. If your organization has MFA enabled, you can refer to additional details in the following section: Helpful Notes for Passing the Validation Test of a Service Account.

  6. Password – Enter the login password of the account above.

    *Note: The password is validated via Microsoft 365 API. Due to a Microsoft 365 API limitation, you may encounter the following issue: the password is checked as invalid here, but you can use this password to log into Microsoft 365 successfully. To resolve the issue, you must change your password in Microsoft 365, and then enter the new password here. For details about the password limitations and requirements, refer to Password Limitations and Requirements of Microsoft 365 Accounts.

  7. Click Save to save your configurations, or click Cancel to go back to the Service account page without saving any configurations.

  8. If you encounter the error Your organization has set access policies that block the validation and the service account profile cannot be saved, refer to the solutions in the Helpful Notes for Passing the Validation Test of a Service Account section below for troubleshooting.

Password Limitations and Requirements of Microsoft 365 Accounts

The table below details the password limitations and requirements of Microsoft 365 accounts. Note that the password limitations and requirements are from Microsoft 365.

| Property | Requirements |
|---|---|
| Characters Allowed | A-Z, a-z, 0-9, and the symbols @ # $ % ^ & * - _ ! + = [ ] { } |
| Characters Not Allowed | Unicode characters; spaces. Strong passwords only: cannot contain a dot character (.) immediately preceding the @ symbol. |
| Password Restrictions | Eight (8) characters minimum and sixteen (16) characters maximum. Strong passwords only: three of the following are required: lowercase characters, uppercase characters, numbers (0-9), symbols (see the symbols listed in Characters Allowed above). |
| Password Expiry | Enabled by default. To disable it, navigate to Microsoft 365 > Admin center > Settings > Security & privacy > Password policy, click Edit, and then click the Off button. |
| Password Expiry Duration | By default, a password expires in 90 days. To change the duration, navigate to Microsoft 365 > Admin center > Settings > Security & privacy > Password policy, click Edit, and then modify the number in the Days before passwords expire field. |
| Password Expiry Notification | By default, a password expiry notification is sent to users 14 days before the password expires. To change the notification time, navigate to Microsoft 365 > Admin center > Settings > Security & privacy > Password policy, click Edit, and then modify the number in the Days before a user is notified about expiration field. |
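Because the profile validation rejects a password that the Microsoft 365 API does not accept, it is worth checking a candidate against the rules in the table before entering it. The following added example (not AvePoint's code) implements those rules as a PowerShell function; the `-StrongPasswordsOnly` switch and the sample value are this example's own constructions.

```powershell
# Added example: pre-check a candidate service account password against the
# Microsoft 365 requirements listed in the table above. Takes a SecureString so
# the value does not sit in the console history; returns the list of failed rules.
function Test-ServiceAccountPassword {
    param(
        [Parameter(Mandatory)] [securestring] $Password,
        [switch] $StrongPasswordsOnly    # tenant enforces the "strong passwords only" rules
    )
    $plain    = [System.Net.NetworkCredential]::new('', $Password).Password
    $failures = @()

    if ($plain.Length -lt 8 -or $plain.Length -gt 16) {
        $failures += 'Length must be between 8 and 16 characters'
    }
    if ($plain -match '\s')          { $failures += 'Spaces are not allowed' }
    if ($plain -match '[^\x20-\x7E]') { $failures += 'Unicode characters are not allowed' }
    # Every character must come from the allowed set in the table.
    if ($plain -notmatch '^[A-Za-z0-9@#$%^&*\-_!+=\[\]{}]*$') {
        $failures += 'Contains a character outside the allowed set'
    }

    if ($StrongPasswordsOnly) {
        if ($plain -match '\.@') { $failures += 'A dot may not immediately precede the @ symbol' }
        # Count how many of the four character classes are present (need three).
        $present = @(
            @(($plain -cmatch '[a-z]'), ($plain -cmatch '[A-Z]'),
              ($plain -match '[0-9]'), ($plain -match '[@#$%^&*\-_!+=\[\]{}]')) |
            Where-Object { $_ }
        )
        if ($present.Count -lt 3) {
            $failures += 'Strong passwords need three of: lowercase, uppercase, digits, symbols'
        }
    }
    $plain = $null
    return $failures
}

# Usage with a constructed value (illustration only); an empty result means all rules pass.
$candidate = ConvertTo-SecureString 'Example#Pass12' -AsPlainText -Force
Test-ServiceAccountPassword -Password $candidate -StrongPasswordsOnly
```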

Helpful Notes for Passing the Validation Test of a Service Account

If your organization uses multi-factor authentication (MFA), or if you encounter the error Your organization has set access policies that block the validation, so that the service account profile cannot be saved, refer to the solutions below for troubleshooting:

- Delete or disable the access policies / multi-factor authentication.
- Edit the access policies to exclude the Microsoft 365 user set as the Service Account.

  ![Excluding a Microsoft 365 user from an access policy](/en/aos/manage-app-profiles/create-custom-apps/create-a-custom-azure-app/images/image65.png "Excluding a Microsoft 365 user from an access policy")
- Edit the access policies to exclude the reserved IP addresses of AvePoint Online Services. The reserved IP addresses can be downloaded in **Administration** > **Security**.

  ![Excluding reserved IP addresses of AvePoint Online Services from an access policy](/en/aos/manage-app-profiles/create-custom-apps/create-a-custom-azure-app/images/image66.png "Excluding reserved IP addresses of AvePoint Online Services from an access policy")
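Each of the exclusions above removes MFA coverage from one account, so it helps to see exactly which enabled Conditional Access policies still require MFA for the service account and where it has already been excluded, both before the change and during later reviews. The following added example (not AvePoint's code) performs that audit with the Microsoft Graph PowerShell SDK; the UPN parameter is a placeholder, and scoping by directory role is not resolved.

```powershell
# Added example: list enabled Conditional Access policies that require MFA and
# show whether the service account is in scope, and whether it is excluded.
# Assumes the Microsoft Graph PowerShell SDK is installed and the caller has
# Policy.Read.All, User.Read.All and Directory.Read.All.
param(
    [Parameter(Mandatory)] [string] $ServiceAccountUpn   # placeholder, e.g. svc-aos@contoso.onmicrosoft.com
)

Connect-MgGraph -Scopes 'Policy.Read.All', 'User.Read.All', 'Directory.Read.All' -NoWelcome

$user = Get-MgUser -UserId $ServiceAccountUpn
# Transitive membership, so a policy scoped to a parent group is caught as well.
$groupIds = @(Get-MgUserTransitiveMemberOf -UserId $user.Id -All | ForEach-Object { $_.Id })

$findings = foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    # Report-only and disabled policies do not block the validation test.
    if ($p.State -ne 'enabled') { continue }

    $requiresMfa = ($p.GrantControls.BuiltInControls -contains 'mfa') -or
                   ($null -ne $p.GrantControls.AuthenticationStrength)
    if (-not $requiresMfa) { continue }

    $u = $p.Conditions.Users
    # In scope by explicit user id, by "All users", or through a group the account belongs to.
    $included = ($u.IncludeUsers -contains 'All') -or ($u.IncludeUsers -contains $user.Id) -or
                (@($u.IncludeGroups | Where-Object { $groupIds -contains $_ }).Count -gt 0)
    # Excluded directly or through an excluded group (the page's second remedy).
    $excluded = ($u.ExcludeUsers -contains $user.Id) -or
                (@($u.ExcludeGroups | Where-Object { $groupIds -contains $_ }).Count -gt 0)
    if (-not $included) { continue }

    $status = if ($excluded) { 'account excluded' } else { 'MFA ENFORCED on account' }
    [pscustomobject]@{
        Policy            = $p.DisplayName
        Status            = $status
        # Named locations excluded from the policy (the page's third remedy uses one for the AOS IP ranges).
        ExcludedLocations = ($p.Conditions.Locations.ExcludeLocations -join ', ')
    }
}

$findings | Format-Table -AutoSize
```

Rows marked "MFA ENFORCED on account" are the policies that will make the validation test fail; rows marked "account excluded" are the exclusions to keep documented and to revisit when the profile is retired.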

Required Permissions of Cloud Services

The following services support using a Microsoft 365 service account for authentication. The permissions of the Microsoft 365 service account vary with the different cloud services your tenant is using. Refer to the information in the links below to prepare a Microsoft 365 account and assign the required roles to this account.


Manage Account Pool (Obsolete)

*Note: The information in this section is only for customers who have configured service account pools in the AOS classic UI (before the June 2023 release).

SharePoint Online has a built-in throttling feature that prevents one account from processing several requests simultaneously. To avoid getting throttled or blocked in SharePoint Online, you can use an account pool that contains multiple Microsoft 365 accounts.

When AvePoint Online Services (AOS) registers SharePoint Online site collections and OneDrive, AOS grants the site collection administrator permission to the group set in the account pool for Sites, Mailboxes, Groups, and Teams / Project Sites / Exchange Public Folders, and the Microsoft 365 accounts in the account pool will inherit the site collection administrator permission from the group. With the credentials of these accounts, AvePoint services can work smoothly. For example, Cloud Backup for Microsoft 365 can manage a large amount of data simultaneously, and Cloud Governance can process multiple requests simultaneously.

For an overview of what services can use a Microsoft 365 account pool, refer to the What Services Can Use a Microsoft 365 Account Pool? section.

To build an account pool in AvePoint Online Services, create a group in Microsoft 365 first. The group type can be Microsoft 365 Group, mail-enabled security group, or security group. This group should contain a certain number of users, and these users can be unlicensed in Microsoft 365.

The table below lists the required information for each object type.

| Object Type | Need Account Pool? | Need Username? | Need Password? | Need SharePoint Administrator Role? | Need License? |
|---|---|---|---|---|---|
| SharePoint Online Site Collections | Yes | Yes | Yes | No | No |
| OneDrive | Yes | Yes | Yes | No | No |
| Microsoft 365 Group Team Sites | Yes | Yes | Yes | No | No |
| Exchange Online Mailboxes | Yes | Yes | Yes | No | No |
| Microsoft 365 Group Mailboxes | Yes | Yes | Yes | No | No |
| Microsoft 365 Groups | Yes | Yes | Yes | No | Yes. Have the SharePoint Online and Exchange Online product licenses assigned in Microsoft 365. |
| Microsoft Teams | Yes | Yes | Yes | No | Yes. Have the Exchange Online and Microsoft Teams product licenses assigned in Microsoft 365. |
| Project Online Site Collections | Yes | Yes | Yes | No | Yes. Have one of the following Project Online product licenses assigned in Microsoft 365: Essentials, Professionals, or Premium. |
| Exchange Online Public Folders | Yes | Yes | No | No | Yes. Have the Exchange Online product license assigned in Microsoft 365. |
| Microsoft 365 Users | Yes | Yes | Yes | No* | Yes. Have one of the following Microsoft Entra ID product licenses assigned in Microsoft 365: Premium P1 or Premium P2. |
| Viva Engage Communities | No | No | No | No | No |

Note the following:

- For SharePoint Online site collections, OneDrive, and Microsoft 365 Group team sites, the SharePoint Administrator role is required by the Cloud Management > **Administrator** and Classic DocAve Backup functionalities.
- For managing Microsoft 365 users, the EnPower service needs the Microsoft 365 Global Administrator role.

The Tenant Owner and Service Administrators can then manage the account pool by navigating to Management > Service account, and then clicking the classic UI link to open the Manage Account Pool page in a new tab. Follow the instructions below to configure settings on the Manage Account Pool page:

  1. Select a Tenant – Select a tenant from the drop-down list. The tenant is retrieved from the previously configured app profile or Microsoft 365 service account profile.

  2. Configure the account pool for Sites, Mailboxes, Groups, and Teams, Project Sites, or Exchange Public Folders according to the objects you will back up or manage via services for Microsoft 365.

    *Note: The Sites, Mailboxes, Groups, and Teams tab includes different object types for the following cloud services:

    • For the EnPower service, this tab includes SharePoint sites, OneDrive, Microsoft 365 Group team sites, Exchange Online mailboxes, and Microsoft 365 mailboxes.

    • For the Fly service, this tab includes SharePoint sites, OneDrive, Microsoft 365 Group team sites, Exchange Online mailboxes, Microsoft 365 Groups, and Microsoft Teams.

    • For other services, this tab includes SharePoint sites, OneDrive, and Microsoft 365 Group team sites.

    Click a tab and configure the following settings:

    1. Group Name – Enter the name of the group you prepared.

    2. Click Validate next to the group name. Group members will be displayed in the Group Users field. For the minimum number of users who must be included in the group, refer to the How Many Accounts Should be Added into an Account Pool? section.

      Note the following:

      • If a user account exists in a service account profile, this service account will be used for managing operations in your AvePoint Online Services tenant and will also be used to execute application-level jobs.

      • For backing up Exchange Online Public Folders, you do not need to provide the password of the account because of the impersonation technology. You can view more information about impersonation by clicking the following link: .

      • If the account of a user has multi-factor authentication (MFA) enabled in Microsoft 365, turn on the toggle to enable MFA, and then enter the app password of this account.

      • To protect Planner data, the account must be both owner and member of the scanned Microsoft 365 Groups and Teams.

      • If the account of a user has multi-factor authentication enabled through a conditional access policy configured in Microsoft Entra, the account cannot be added to the account pool.

    3. Custom SharePoint Online Admin Center URL – If you enable MFA for one or more accounts, you must enter your SharePoint Online admin center URL in the text box.

  3. When you finish the configurations for all desired account pools, click Save to save your configurations. If you want to remove the group from the account pool, click Clear next to the group name, and then click Save.

    *Note: After an account pool for a tenant is saved, the account pool will take effect on the next scan job.

If you edit the account pool to change the group, a pop-up window will appear recommending you rerun the scan for auto discovery. Rerun the scan profiles to make the changes take effect immediately. If you do not rerun the scan profiles, your changes will be saved but will not take effect until the next scan completes.

What Services Can Use a Microsoft 365 Account Pool?

The following services will use the Microsoft 365 account pool when the service account authentication method is used in the corresponding scan profile:

- AvePoint Cloud Backup for Microsoft 365 – The backup for SharePoint sites, Project sites, OneDrive, Microsoft 365 Group team sites, and Exchange Public Folders
- AvePoint Cloud Management – The Security Search and Policy Enforcer functionalities in Administrator
- Classic DocAve Backup – The backup for SharePoint sites, OneDrive, and Microsoft 365 Group team sites
- AvePoint Cloud Governance – All functionalities
- AvePoint Fly – The migration for Exchange Online, SharePoint Online, OneDrive, Microsoft Teams, and Microsoft 365 Groups
- AvePoint EnPower – The management for Exchange Online, Microsoft 365 Groups, and Microsoft 365 users

How Many Accounts Should be Added into an Account Pool?

If this is the first time you are managing objects, we recommend that the group added to the account pool contain at least seven (7) users for every 1000 objects. If it is not the first time you are managing objects, we recommend that the group added to the account pool contain at least three (3) users for every 2000 objects.

For example:

- If you want to back up 2000 SharePoint Online site collections for the first time with AvePoint Cloud Backup for Microsoft 365, you must add at least 14 users to the account pool.
- If you want to back up 1000 SharePoint Online site collections and 2000 OneDrive for the first time using AvePoint Cloud Backup for Microsoft 365, you must add at least 21 users to the account pool.
- If you want to back up 2000 SharePoint Online site collections after you have run the first backup job, you must add at least three (3) users to the account pool.
- If you want to back up 1000 SharePoint Online site collections and 2000 OneDrive after you have run the first backup job, you must add at least four (4) users to the account pool.

What Should I Do If My Organization Uses Multi-Factor Authentication (MFA) in Microsoft 365? (Obsolete)

*Note: The information in this section is only for customers who have configured MFA service account profiles in the AOS classic UI (before the June 2023 release).

If your organization uses multi-factor authentication (MFA) in Microsoft 365, refer to the following information to configure the required settings based on your scenario:

- Microsoft 365 MFA service account profile – If your organization has configured a Microsoft 365 MFA service account profile in the AOS classic UI (before the June 2023 release), you can refer to the instructions in the **Edit MFA Service Account Profiles** section below to edit the MFA service account profile.
- Microsoft 365 Account Pool – SharePoint Online has a built-in throttling feature that prevents one account from processing several requests simultaneously. To avoid getting throttled or blocked in SharePoint Online, you can configure the account pool in AvePoint Online Services. The account pool contains multiple Microsoft 365 accounts. When configuring the account pool, enable MFA and provide the app passwords of the Microsoft 365 accounts. For more information, refer to [Manage Account Pool (Obsolete)](#missing-link).

Edit MFA Service Account Profiles

Navigate to AvePoint Online Services > Management > Service account, and click the MFA service account profile. On the MFA service account profile detail page, click Edit. Then, refer to the following instructions to edit the MFA service account profile:

  1. Profile Name – Enter a name for the service account profile.

  2. Description – Enter an optional description.

  3. Enable MFA – If you want to keep this MFA service account profile in the classic UI, select the Our organization uses multi-factor authentication checkbox, and refer to the following steps to edit this MFA service account profile.

    Note that MFA service account profiles have the following limitations:

    • The Microsoft 365 MFA service account profile cannot be used to invite Microsoft 365 users/groups as AvePoint Online Services users.

    • If your organization selects Block access for the Apps that don’t use modern authentication setting in the SharePoint admin center, the Microsoft 365 MFA service account profile cannot be used for the Ghost Guest Users rule in Cloud Management Identity Manager.

    • The Microsoft 365 MFA service account profile does not support some features in Cloud Management. For additional details, refer to . You can convert and deselect the checkbox here.

    *Note: If you want to transfer this MFA service account to a common service account profile that can be edited in the AOS new UI, deselect the Our organization uses multi-factor authentication checkbox, and save your edits to this service account profile. Then, you can manage it by referring to instructions in the Manage Service Account Profiles section.

  4. Username – Specify an account with the permissions required by your tenant’s cloud services. The permissions of the Microsoft 365 service account vary with the different cloud services your tenant is using. Refer to the Required Permissions of Cloud Services section for more information.

    Note the following:

    • AvePoint does not recommend that a personal active user account be used as the service account. We recommend you use a separate service account to manage all administration.

    • With the Enable MFA option selected, you must enter the login ID of a Microsoft 365 Global Administrator account or SharePoint Administrator account.

  5. Password – Enter the app password of the account above. For more information about app passwords, refer to the Microsoft technical article .

  6. Click Validation Test to validate the information above.

    Note the following:

    • When the validation test fails, and the error message indicates that your Microsoft 365 tenant has set access policies or enabled multi-factor authentication (MFA), refer to the Validation Test Troubleshooting section below.

    • As the Microsoft 365 user has multi-factor authentication (MFA) enabled, the user role information cannot be retrieved due to Microsoft API limitations, and the User Role field will be blank.

    • The password is validated via Microsoft 365 API. Due to a Microsoft 365 API limitation, you may encounter the following issue: the password is checked as invalid here, but you can use this password to log into Microsoft 365 successfully. To resolve the issue, you must change your password in Microsoft 365, and then enter the new password here. For details about the password limitations and requirements, refer to Password Limitations and Requirements of Microsoft 365 Accounts.

  7. In Advanced Settings, you need to configure a SharePoint Online Admin Center URL. If your organization uses the default SharePoint Online admin center URL in Microsoft 365, select the Our organization uses the default SharePoint Online admin center URL option; if your organization uses a custom SharePoint Online admin center URL in Microsoft 365, select the Our organization uses a custom SharePoint Online admin center URL option, and enter the admin center URL in the text box.

    *Note: If the Our organization uses multi-factor authentication checkbox is selected, you must manually enter the SharePoint Online admin center URL in the text box.

  8. Click Save to save your configurations.

Validation Test Troubleshooting

When the validation test fails, and you encounter one of the following error messages, refer to the solutions below for troubleshooting.

- Message 1: Your organization has set access policies that block the validation.

  Solution: Choose one of the following methods based on your scenario.
  - Delete or disable the access policies.
  - Edit the access policies to exclude the Microsoft 365 user set as the Service Account.

    ![Excluding a Microsoft 365 user from an access policy](/en/aos/manage-app-profiles/create-custom-apps/create-a-custom-azure-app/images/image67.png "Excluding a Microsoft 365 user from an access policy")
  - Edit the access policies to exclude the reserved IP addresses of AvePoint Online Services. The reserved IP addresses can be downloaded in **Administration** > **Security** > **Reserved IP addresses**.

    ![Excluding reserved IP addresses of AvePoint Online Services from an access policy](/en/aos/manage-app-profiles/create-custom-apps/create-a-custom-azure-app/images/image68.png "Excluding reserved IP addresses of AvePoint Online Services from an access policy")
- Message 2: Check if this account has multi-factor authentication enabled or if you have entered an app password.

  Solution: If the account has multi-factor authentication enabled, choose one of the following methods based on your scenario.
  - In the **Enable MFA** field, select the **Our organization uses multi-factor authentication** checkbox. Enter the app password in the **Password** field.
  - If you do not want to select the **Our organization uses multi-factor authentication** checkbox, you need to disable multi-factor authentication for the Microsoft 365 user set as the Service Account.

    ![Disabling multi-factor authentication for a Microsoft 365 user](/en/aos/manage-app-profiles/create-custom-apps/create-a-custom-azure-app/images/image69.png "Disabling multi-factor authentication for a Microsoft 365 user")

  If the account does not have multi-factor authentication enabled and you haven’t entered an app password, check that the login password of the account is correct.
- Message 3: This account has multi-factor authentication enabled.

  Solution: Choose one of the following methods based on your scenario.
  - If this account has multi-factor authentication enabled on the **multi-factor authentication** interface, either select the **Our organization uses multi-factor authentication** checkbox in the **Enable MFA** field or disable multi-factor authentication for the Microsoft 365 user.
  - If your Microsoft 365 tenant has enabled multi-factor authentication in Microsoft Entra conditional access policies, refer to the solution for Message 1 to either exclude the Service Account from the access policies or exclude the AvePoint Online Services reserved IP addresses from the access policies.