Skip to main content
SaaS Backup for Microsoft 365

Create a new Microsoft 365 service account

Contributors netapp-rlithman netapp-aherbin

When you create your new Microsoft 365 account, this account must have global administration permissions with a valid and assigned Microsoft Office 365 license.

This is not the only service account used to manage SaaS Backup for Microsoft 365. The following image points out the different service account types with descriptions below.

Service account descriptions

service account types

red number 1 The account used to sign up for SaaS Backup; it requires global administration permissions with a valid Microsoft 365 license during signup. It can be used for backup and restore operations.
red number 2 A zzzCCconfigacct is automatically created as a service account to discover Microsoft 365 Groups. When Modern Authentication is enabled, you do not have a ZZZ Config service account.
red number 3 An additional service account can be added to enhance performance of backup and restore operations.

Create a new MS 365 service account with global administrator permissions

During signup, create an account with global permissions and a valid Microsoft 365 license. You can remove the global administration permissions and the license from this account after you complete signup.

  1. Log in to your Microsoft 365 Management portal using an account with administrative privileges.

  2. Click Users.

    Screenshot of users icon

  3. Select Active users, and then click Add a user.

    Screenshot of Microsoft 365 Admin Center

  4. Enter the details of the new service account.

    • First name

    • Last name

    • Display name

    • User name
      The user name is the name of the service account.

  5. Expand Roles, select Global administrator as the role, and then click Add.

    Screenshot of available administrator roles in Microsoft 365
    The service account details are sent to the administrator.

  6. Log in to your Microsoft 365 Management Portal with the new account to activate it.

  7. After signup, ensure this service account maintains three permissions:

    • Exchange Administrator

    • SharePoint Administrator

    • Application Impersonation Role

      This is especially important if you restrict the individual licenses for the Global administrator role.

ZZZ Config service account

ZZZ Config service account is an auto-created account used for discovering Shared/Archive mailboxes and private groups if you use Basic Authentication. It should have Exchange and SharePoint permissions (customized administrator in M365). It is recommended that you exclude this account from MFA policies. To avoid any discovery or backup failures, leave the account as is.

If you enable Modern Authentication, the ZZZ Config service account is removed.

New customers do not have a ZZZ Config service account.

Create additional service accounts

Service Accounts can be added in SaaS Backup for Microsoft 365 to improve the backup performance for a customer. A service account is a Microsoft 365 user account without a license; it is used for backup and restore operations.

This type of account requires 3 permissions:

  • Exchange administrator

  • SharePoint administrator

  • Application impersonation role

To add an additional service account, the service account must already exist in your Microsoft 365 environment. If you do not have an existing account, then create one.

Tip To optimize performance, it is recommended that you have 1 service account added per 1000 users in Office 365.
  1. Log in to SaaS Backup for Microsoft 365.

  2. Click settings gear icon.

  3. Click Service Settings.

    click service settings

  4. To add a service account, click plus icon under Manage service accounts.

    click plus icon to add service account

    A confirmation message pops up.

    add new service account popup confirmation message

  5. Click Confirm.

  6. On the Microsoft 365 sign-in page, provide the credentials of the above mentioned service account to add it to SaaS Backup.