Setting up a Backup User for BackupAssist 365

This is our current recommended procedure to back up Mailboxes (Exchange), SharePoint Documents and OneDrive for Business in Microsoft 365 (Office 365) using a single login.

It is recommended that you create a special “backup user” login in Microsoft 365 and use it in BackupAssist 365.

This is preferred because:

  • Better security – the backup user can be assigned a special complex password that is only used in BackupAssist 365 and is never given to users.
  • No licence is required for the backup user – therefore it won’t cost anything.

A full discussion on the advantages of this is available at our blog article. This document gives you the “HOW TO” steps.

If the above hyperlink does not work, manually paste this URL into your browser:

https://www.backupassist.com/blog/why-use-a-dedicated-backup-user-login-for-backing-up-microsoft-365-and-office-365

How to set up the backup user account

Follow these instructions:

  1. Log into Office 365 as the administrator for your tenant. Create a new user in Office 365, as shown in the screenshot below. You can call the user anything you want, but we recommend something that will be easy to remember.
    1. Create a password at the time of setting up this user.
    2. Make sure both checkboxes at the bottom are unchecked. If you require the user to change the password, BA365 will be unable to login.

    Creating a backup user for backing up mailboxes in Office 365

  2. Create the user without a license. This is so you don’t have to pay for an unnecessary license.

    3. No product licenses are needed for this backup user

  3. Set the roles to include permissions depending on what you want to back up.

    4. To back up Roles required
    Exchange mailboxes (user + shared) Exchange Administrator
    SharePoint SharePoint Administrator + Application Administrator
    OneDrive for Business

    Adding privileges for the backup user

  4. Confirm the settings as shown.

    5. Confirm these settings

Sometimes changing permissions on the backup user can usually take 10-15 minutes to propagate. So if you receive permissions problems in BackupAssist 365, we recommend waiting a few minutes and trying again.

Propagating permissions changes to SharePoint seems to be slowest of all – we once saw it take some 20 hours, although this is not typical.

Congratulations – you can now use this logon identity in BackupAssist 365.

Additional steps for Exchange Mailbox backups

Commencing in August 2023, Microsoft made changes to the security model in Exchange, and one further set of steps is required.

These steps can be followed for both new users of BackupAssist 365, and existing users.

  1. Go to the Exchange Admin center - https://admin.exchange.microsoft.com
  2. Navigate to Roles > Admin roles, and click Add role group.
  3. Give the group a name. We recommend “BA365 Impersonation” but the name won’t make any difference to functionality.
  4. In the next step, select the ApplicationImpersonation permission, as shown below.
  5. In the next step, add the same backup user login that you just created.
  6. Proceed to the end of the wizard, and your role group will now be ready.

Note: do you need to back up Public Folders?

Only a licensed user can access Public Folders.

Therefore there are two options:

  1. Assign an Exchange license to the backup user – but this may incur extra costs if you have to purchase an extra license
  2. Use a regular user login for Public Folders.

If you choose Option #2, we recommend that you set up an additional task to only back up the Public Folders in that task.