Manage Microsoft Service Account Profiles

The services that support the Microsoft 365 service account authentication method are listed below:

  • Cense

  • Classic DocAve Backup

  • Cloud Archiving

  • Cloud Backup for Dynamics 365

  • Cloud Backup for IaaS + PaaS

  • Cloud Backup for Microsoft 365

  • Cloud Governance

  • Cloud Management

  • EnPower

  • Fly

  • Opus

  • Policies for Microsoft 365

  • AvePoint Portal Manager

NOTE

The AvePoint Online Services common service option is only supported for service providers to create service account profiles.

The Tenant Owner and Service Administrators can manage service account profiles by navigating to Management > Service account. On the Service account page, select the Microsoft service account tab, and then you can perform the following actions:

  • Create – Click Create. Then, refer to the instructions in Create a Service Account Profile.

    NOTE

    To check if a service account profile is required in your tenant, see more details in this FAQ topic: Will the App Profile Method Meet Your Data Management Requirements?

  • Edit – Select a service account profile and click Edit.

    To view details of a service account profile, click the link in the Profile name column. When you view the details of a service account profile, you can also click Edit to edit its details.

  • Delete – Select one or more service account profiles and click Delete. A pop-up window appears asking for your confirmation. Click Confirm to confirm your deletion.

Create a Service Account Profile

To create a service account profile, click Create. Then, configure the following settings in the Create service account profile pane.

NOTE

If you have configured service account profiles in the classic UI, these service account profiles can still be used to scan objects and invite users in the new UI.

  1. Profile name – Enter a name for the service account profile.

  2. Description – Enter an optional description.

  3. Select tenant – Select a tenant from the drop-down list.

  4. Select service – Select at least one service from the drop-down list.

  5. Username – Specify an account with the permissions required by your tenant’s cloud services. The permissions of the Microsoft 365 service account vary with the different cloud services your tenant is using. Refer to the Required Permissions of Cloud Services section below for more information.

    Note the following:

    • AvePoint does not recommend that a personal active user account be used as the service account. We recommend you use a separate service account to manage all administration.

    • If you run a scan profile to scan SharePoint sites / Microsoft 365 Groups, the specified service account will be automatically added as one of the Term Store Administrators.

    • The specified Microsoft 365 account cannot have multi-factor authentication (MFA) enabled. If your organization has MFA enabled, you can refer to additional details in the following section: Helpful Notes for Passing the Validation Test of a Service Account.

  6. Password – Enter the login password of the account above.

    NOTE

    The password is validated via Microsoft 365 API. Due to a Microsoft 365 API limitation, you may encounter the following issue: the password is checked as invalid here, but you can use this password to log into Microsoft 365 successfully. To resolve the issue, you must change your password in Microsoft 365, and then enter the new password here. For details about the password limitations and requirements, refer to Password Limitations and Requirements of Microsoft 365 Accounts.

  7. Click Save to save your configurations, or click Cancel to go back to the Service account page without saving any configurations.

  8. If you encounter the error Your organization has set access policies that block the validation and the service account profile cannot be saved, refer to the solutions in the Helpful Notes for Passing the Validation Test of a Service Account section below for troubleshooting.

Password Limitations and Requirements of Microsoft 365 Accounts

The password limitations and requirements of Microsoft 365 accounts are detailed below. Note that these limitations and requirements are set by Microsoft 365, not by AvePoint Online Services.

Characters Allowed
  • A-Z
  • a-z
  • 0-9
  • @ # $ % ^ & * - _ ! + = [] {}

Characters Not Allowed
  • Unicode characters
  • Spaces
  • Strong passwords only: Cannot contain a dot character (.) immediately preceding the @ symbol.

Password Restrictions
  • Minimum of eight (8) characters and maximum of sixteen (16) characters
  • Strong passwords only: Three of the following are required:
    ○ Lowercase characters
    ○ Uppercase characters
    ○ Numbers (0-9)
    ○ Symbols (see the symbols listed in Characters Allowed above)

Password Expiry
  • By default, password expiry is enabled.
  • If you want to disable it, navigate to Microsoft 365 > Admin center > Settings > Security & privacy > Password policy, click Edit, and then click the Off button.

Password Expiry Duration
  • By default, a password will expire in 90 days.
  • If you want to change the duration, navigate to Microsoft 365 > Admin center > Settings > Security & privacy > Password policy, click Edit, and then modify the number in the Days before passwords expire field.

Password Expiry Notification
  • By default, a password expiry notification will be sent to users 14 days before the password expires.
  • If you want to change the notification time, navigate to Microsoft 365 > Admin center > Settings > Security & privacy > Password policy, click Edit, and then modify the number in the Days before a user is notified about expiration field.
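As an added example (not code from the AvePoint documentation), the following Python function checks a candidate service account password against the limitations listed above, reporting every rule it breaks rather than stopping at the first; the sample passwords are constructed for illustration only.

```python
from typing import Dict, List

# Rules transcribed from the Microsoft 365 password limitations listed above.
ALLOWED_SYMBOLS = set("@#$%^&*-_!+=[]{}")
MIN_LEN, MAX_LEN = 8, 16


def check_password(password: str, strong: bool = True) -> List[str]:
    """Return every rule the password violates; an empty list means it passes.

    strong=True also applies the 'strong passwords only' rules.
    """
    problems: List[str] = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length {len(password)} is outside {MIN_LEN}-{MAX_LEN} characters")
    if " " in password:
        problems.append("contains a space")
    unicode_chars = sorted({c for c in password if ord(c) > 127})
    if unicode_chars:
        problems.append("contains Unicode characters: " + " ".join(unicode_chars))
    # ASCII characters that are neither letters, digits, nor listed symbols.
    disallowed = sorted({c for c in password if ord(c) <= 127 and c != " "
                         and not c.isalnum() and c not in ALLOWED_SYMBOLS})
    if disallowed:
        problems.append("contains disallowed characters: " + " ".join(disallowed))
    if strong:
        if ".@" in password:
            problems.append("a dot (.) immediately precedes the @ symbol")
        categories: Dict[str, bool] = {
            "lowercase": any("a" <= c <= "z" for c in password),
            "uppercase": any("A" <= c <= "Z" for c in password),
            "numbers": any("0" <= c <= "9" for c in password),
            "symbols": any(c in ALLOWED_SYMBOLS for c in password),
        }
        met = [name for name, ok in categories.items() if ok]
        if len(met) < 3:
            problems.append(f"only {len(met)} of 4 character categories used "
                            f"({', '.join(met) or 'none'}); at least 3 are required")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for sample in ["Svc-Acct2024!", "password", "Bad Pass.@2024",
                   "Abcdefghijklmnop1!", "P\u00e4ssword1!"]:
        result = check_password(sample)
        print(f"{sample!r}: {'OK' if not result else '; '.join(result)}")
```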

Helpful Notes for Passing the Validation Test of a Service Account

If your organization uses multi-factor authentication (MFA), or if you encounter the error Your organization has set access policies that block the validation, which prevents the service account profile from being saved, refer to the solutions below for troubleshooting:

  • Delete or disable the access policies / multi-factor authentication.

  • Edit the access policies to exclude the Microsoft 365 user set as the Service Account.

    Excluding a Microsoft 365 user from an access policy

  • Edit the access policies to exclude the reserved IP addresses of AvePoint Online Services. The reserved IP addresses can be downloaded in Administration > Security.

    Excluding reserved IP addresses of AvePoint Online Services from an access policy

Required Permissions of Cloud Services

The following services support using a Microsoft 365 service account for authentication. The permissions of the Microsoft 365 service account vary with the different cloud services your tenant is using. Refer to the information in the links below to prepare a Microsoft 365 account and assign the required roles to this account.

Manage Account Pool (Obsolete)

NOTE

The information in this section is only for customers who have configured service account pools in the AOS classic UI (before June 2023 release).

SharePoint Online has a built-in throttling feature that prevents one account from processing several requests simultaneously. To avoid getting throttled or blocked in SharePoint Online, you can use an account pool that contains multiple Microsoft 365 accounts.

When AvePoint Online Services (AOS) registers SharePoint Online site collections and OneDrive, AOS grants the site collection administrator permission to the group set in the account pool for Sites, Mailboxes, Groups, and Teams / Project Sites / Exchange Public Folders, and the Microsoft 365 accounts in the account pool will inherit the site collection administrator permission from the group. With the credentials of these accounts, AvePoint services can work smoothly. For example, Cloud Backup for Microsoft 365 can manage a large amount of data simultaneously, and Cloud Governance can process multiple requests simultaneously.

For an overview of what services can use a Microsoft 365 account pool, refer to the What Services Can Use a Microsoft 365 Account Pool? section.

To build an account pool in AvePoint Online Services, create a group in Microsoft 365 first. The group type can be Microsoft 365 Group, mail-enabled security group, or security group. This group should contain a certain number of users, and these users can be unlicensed in Microsoft 365.

The table below lists the required information for each object type.

Object Type | Need Account Pool? | Need Username? | Need Password? | Need SharePoint Administrator Role? | Need License?
SharePoint Online Site Collections | Yes | Yes | Yes | No | No
OneDrive | Yes | Yes | Yes | No | No
Microsoft 365 Group Team Sites | Yes | Yes | Yes | No | No
Exchange Online Mailboxes | Yes | Yes | Yes | No | No
Microsoft 365 Group Mailboxes | Yes | Yes | Yes | No | No
Microsoft 365 Groups | Yes | Yes | Yes | No | Yes. Have the SharePoint Online and Exchange Online product licenses assigned in Microsoft 365.
Microsoft Teams | Yes | Yes | Yes | No | Yes. Have the Exchange Online and Microsoft Teams product licenses assigned in Microsoft 365.
Project Online Site Collections | Yes | Yes | Yes | No | Yes. Have one of the following Project Online product licenses assigned in Microsoft 365: Essentials, Professionals, or Premium.
Exchange Online Public Folders | Yes | Yes | No | No | Yes. Have the Exchange Online product license assigned in Microsoft 365.
Microsoft 365 Users | Yes | Yes | Yes | No* | Yes. Have one of the following Microsoft Entra ID product licenses assigned in Microsoft 365: Premium P1 or Premium P2.
Viva Engage Communities | No | No | No | No | No

Note the following:

  • For SharePoint Online site collections, OneDrive, and Microsoft 365 Group team sites, the SharePoint Administrator role is required by Cloud Management > Administrator and Classic DocAve Backup functionalities.

  • For managing Microsoft 365 users, the EnPower service needs the Microsoft 365 Global Administrator role.

The Tenant Owner and Service Administrators can then manage the account pool by navigating to Management > Service account, and then clicking the classic UI link to open the Manage Account Pool page in a new tab. Follow the instructions below to configure settings on the Manage Account Pool page:

  1. Select a Tenant – Select a tenant from the drop-down list. The tenant is retrieved from the previously configured app profile or Microsoft 365 service account profile.

  2. Configure the account pool for Sites, Mailboxes, Groups, and Teams, Project Sites, or Exchange Public Folders according to the objects you will back up or manage via services for Microsoft 365.

    NOTE

    The Sites, Mailboxes, Groups, and Teams tab includes different object types for the following cloud services:

    • For the EnPower service, this tab includes SharePoint sites, OneDrive, Microsoft 365 Group team sites, Exchange Online mailboxes, and Microsoft 365 mailboxes.

    • For the Fly service, this tab includes SharePoint sites, OneDrive, Microsoft 365 Group team sites, Exchange Online mailboxes, Microsoft 365 Groups, and Microsoft Teams.

    • For other services, this tab includes SharePoint sites, OneDrive, and Microsoft 365 Group team sites.

    Click a tab and configure the following settings:

    1. Group Name – Enter the name of the group you prepared.

    2. Click Validate next to the group name. Group members will be displayed in the Group Users field. For the minimum number of users who must be included in the group, refer to the How Many Accounts Should be Added into an Account Pool? section.

      Note the following:

      • If a user account exists in a service account profile, this service account will be used for managing operations in your AvePoint Online Services tenant and will also be used to execute application-level jobs.

      • For backing up Exchange Online Public Folders, you do not need to provide the password of the account because of the impersonation technology. You can view more information about impersonation by clicking the following link: https://msdn.microsoft.com/en-us/library/office/dn722377(v=exchg.150).aspx.

      • To protect Planner data, the account must be both owner and member of the scanned Microsoft 365 Groups and Teams.

      • If the account of a user has multi-factor authentication enabled through a conditional access policy configured in Microsoft Entra, the account cannot be added to the account pool.

    3. Custom SharePoint Online Admin Center URL – If you enable MFA for one or more accounts, you must enter your SharePoint Online admin center URL in the text box.

  3. When you finish the configurations for all desired account pools, click Save to save your configurations. If you want to remove the group from the account pool, click Clear next to the group name, and then click Save.

    NOTE

    After an account pool for a tenant is saved, the account pool will take effect on the next scan job.

If you edit the account pool to change the group, a pop-up window will appear recommending you rerun the scan for auto discovery. Rerun the scan profiles to make the changes take effect immediately. If you do not rerun the scan profiles, your changes will be saved but will not take effect until the next scan completes.

What Services Can Use a Microsoft 365 Account Pool?

The following services will use the Microsoft 365 account pool when the service account authentication method is used in the corresponding scan profile:

  • AvePoint Cloud Backup for Microsoft 365 – The backup for SharePoint sites, Project sites, OneDrive, Microsoft 365 Group team sites, and Exchange Public Folders

  • AvePoint Cloud Management – The Security Search and Policy Enforcer functionalities in Administrator

  • Classic DocAve Backup – The backup for SharePoint sites, OneDrive, and Microsoft 365 Group team sites

  • AvePoint Cloud Governance – All functionalities

  • AvePoint Fly – The migration for Exchange Online, SharePoint Online, OneDrive, Microsoft Teams, and Microsoft 365 Groups

  • AvePoint EnPower – The management for Exchange Online, Microsoft 365 Groups, and Microsoft 365 users.

How Many Accounts Should be Added into an Account Pool?

If this is the first time you are managing objects, we recommend that the group added to the account pool contain at least seven (7) users for every 1000 objects managed. If it is not the first time you are managing objects, we recommend that the group added to the account pool contain at least three (3) users for every 2000 objects managed.

For example:

  • If you want to back up 2000 SharePoint Online site collections for the first time with AvePoint Cloud Backup for Microsoft 365, you must add at least 14 users to the account pool.

  • If you want to back up 1000 SharePoint Online site collections and 2000 OneDrive for the first time using AvePoint Cloud Backup for Microsoft 365, you must add at least 21 users to the account pool.

  • If you want to back up 2000 SharePoint Online site collections after you have run the first backup job, you must add at least three (3) users to the account pool.

  • If you want to back up 1000 SharePoint Online site collections and 2000 OneDrive after you have run the first backup job, you must add at least four (4) users to the account pool.

Check Classic MFA Service Accounts

NOTE

The information in this section is only for customers who have configured MFA service account profiles in the AOS classic UI (before the June 2023 release).

If your organization has configured MFA service account profiles in the AOS classic UI (before the June 2023 release), authentication for SharePoint Online and OneDrive for Business will be affected by the upcoming change announced by Microsoft. Follow the instructions below to check for and remove classic MFA service accounts.

  1. Check and remove classic MFA service account profiles.

    Tenant Owner and Service Administrators can navigate to Management > Service account to check classic MFA service account profiles by clicking them one by one.

    Check classic MFA service account profiles.

    If you click a service account and you are redirected to the AOS classic UI, then a classic MFA service account is configured for your subscribed services.

    NOTE

    If clicking a service account does not redirect you to the classic UI, you are not using a classic service account, and no further action is needed.

    A classic MFA service account.

    To remove a classic MFA service account profile, go back to Management > Service account, select the profile and click Delete.

  2. Check and remove classic MFA service accounts from service account pool.

    Tenant Owner and Service Administrators can navigate to Management > Service account, and then click the classic UI link to open the Manage Account Pool page in a new tab.

    Click the classic UI link.

    On the Manage Account Pool page, check if there are service accounts with the Enable MFA toggle turned on. If yes, these are the classic MFA service accounts configured for your subscribed services. You can remove classic MFA service accounts by clicking Remove on the Manage Account Pool page.

    Remove classic MFA accounts from Account Pool.