Why use a dedicated backup user login for backing up Microsoft 365 and Office 365?

Backing up Microsoft 365 and Office 365 requires you to sign in to Office 365 and authorize access for BackupAssist 365. Many first-time users make the mistake of using a human administrator's user account. Instead, we strongly recommend creating a dedicated, unlicensed user login – and here we explain why!

TL;DR summary

We define a dedicated backup user login as a special login that’s only used by BackupAssist 365 to back up Office 365. No human would normally use that login.

Why use a dedicated backup user login when backing up Microsoft 365 & Office 365?

Reason 1: It’s better from a cyber-security viewpoint.
Reason 2: User password changes won’t stop the backups from working.
Reason 3: Outlook won’t display other user mailboxes to anyone.
Reason 4: It’s free.

Recommendations:

Caveat:

  • If you do need to back up Exchange Public Folders, unfortunately an unlicensed user doesn’t have access to those public folders.
    • We recommend creating a separate backup task just to back up the Public Folders, using a normal licensed user login.
    • Then back up everything else using your dedicated backup user login.

If you make a mistake:

Reason 1: It’s better practice for cyber-security

The login that’s used to connect BackupAssist 365 to the Office 365 tenant will require several types of Admin roles. This means that the login has the rights to access almost all data in the Office 365 tenant.

A dedicated backup user login will only ever be used by BackupAssist 365. This minimizes the potential misuse of these admin-level privileges.

  1. Access-level security is better, as long as you secure the dedicated backup user login with a separate password and multi-factor authentication (MFA).
  2. Auditing is easier: you know for sure who’s using which login.
  3. Avoids human mistakes: human errors cause the majority of security breaches, so excluding humans from using the backup user login mitigates the possibility of such an error.

Reason 2: User password changes won’t stop the backups from working

If you sign in using the administrator’s user account (often called admin@domain.com or administrator@domain.com), all applications using that sign-in will stop working when the administrator changes his or her password.

This is especially problematic if you have a policy of periodic password changes.

If you don’t want to fiddle with your backup settings when the admin user changes their password, then use a separate, dedicated backup user login.

Reason 3: Outlook won’t display other user mailboxes to anyone

In order to back up other user mailboxes from a single login, BackupAssist 365 will grant the backup user access rights to each mailbox backed up.

Suppose:

BackupAssist 365 will assign access rights for Alice’s mailbox to administrator@domain.com. This is known as “mailbox delegation”.

The Outlook desktop application has a (usually) helpful feature known as “Autodiscover”, which periodically finds which mailboxes a user has access to, and automatically adds these mailboxes to the list shown in Outlook.

Because the “administrator@domain.com” user login now has access to Alice’s mailbox, the administrator’s Outlook application will show Alice’s mailbox, and (depending on settings) may even download Alice’s emails to the local computer.

This is annoying and can lead to a data breach.

Using a dedicated backup user login will avoid this problem completely.

Reason 4: It’s free

Setting up an unlicensed login is free (it does not require a user license).


As you can see from the screenshot, simply do not assign a license when creating the user, and you won’t have to pay for the license.

UNDO! I made a mistake and used my own login. How do I reverse this?

If you used a user account to log in and do the backup, then it’s likely that Outlook will display all your user mailboxes to you. And it might also start downloading them all…

Fortunately, it is possible to undo the mailbox rights assignment. It’s a manual process that takes about 15 seconds per user.

  1. Go to the Exchange Admin Center at https://admin.exchange.microsoft.com/#/
  2. Go to Recipients > Mailboxes
  3. For each user you want to remove access rights to:
    1. Click on the user, and click “Manage mailbox delegation” on the slide-in window.

    2. Under “Read and manage”, the admin user will be listed, so click Edit and then click the cross to remove the user from the list (in the screenshot below it is user Linus Chang).
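
The same clean-up can be scripted with Exchange Online PowerShell instead of clicking through each mailbox. This is an added example, not code from BackupAssist: it assumes the ExchangeOnlineManagement module is installed and that “Read and manage” corresponds to the FullAccess mailbox permission, and the `$AdminUpn` parameter and `-Remove` switch are hypothetical names chosen here.

```powershell
# Added example: audit and optionally remove FullAccess ("Read and manage")
# grants held by a human admin login on other users' mailboxes.
# Assumes the ExchangeOnlineManagement module and an Exchange admin role.
param(
    # Hypothetical parameter: the login mistakenly used for the backup
    [Parameter(Mandatory)] [string] $AdminUpn,
    # Hypothetical switch: without it the script only reports
    [switch] $Remove
)

Connect-ExchangeOnline -ShowBanner:$false

try {
    # Explicit (non-inherited, non-deny) FullAccess grants for $AdminUpn
    $grants = Get-Mailbox -ResultSize Unlimited |
        Get-MailboxPermission -User $AdminUpn |
        Where-Object {
            $_.AccessRights -match 'FullAccess' -and
            -not $_.IsInherited -and
            -not $_.Deny
        }

    if (-not $grants) {
        Write-Output "No explicit FullAccess grants found for $AdminUpn."
        return
    }

    # Always show what was found so the change can be reviewed and recorded
    $grants | Select-Object Identity, User, AccessRights |
        Format-Table -AutoSize | Out-String | Write-Output

    if ($Remove) {
        foreach ($g in $grants) {
            Remove-MailboxPermission -Identity $g.Identity -User $AdminUpn `
                -AccessRights FullAccess -Confirm:$false
            Write-Output "Removed FullAccess for $AdminUpn on $($g.Identity)"
        }
    }
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false
}
```

Run it without `-Remove` first to review the list of affected mailboxes.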

In conclusion

Given the pros and cons of the dedicated backup user login, we believe the choice is clear! It’s an extra few minutes well worth the investment.

Do you have your own views? Contact us to share your ideas.
