The service account used to back up and restore Multi-Factor Authentication (MFA) settings, inactive mailboxes, conditional access policies, and Application Proxy settings must hold the directory role listed below for each feature it is used with:
Table 1: Required permissions for the service account by feature

| On Demand Recovery feature | Required Directory role |
|---|---|
| Restoring conditional access policies | Conditional access administrator |
| Restoring MFA settings | User administrator |
| Restoring inactive mailboxes and backup required data | Exchange administrator |
| Restoring Gallery applications and SSO settings | Application administrator or Cloud application administrator |
| Restoring Application Proxy settings and connector | Application administrator |

NOTE: The Application administrator role is required to restore the Application Proxy settings. The Global reader role is sufficient for the backup operation.
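Because these are privileged directory roles, it is worth verifying that the service account holds exactly the roles the features you actually use require, and nothing beyond them. The following script is an added example, not part of the On Demand Recovery documentation or product; it uses the Microsoft Graph PowerShell SDK cmdlets `Connect-MgGraph`, `Get-MgUser`, `Get-MgDirectoryRole` and `Get-MgDirectoryRoleMember`, the role display names as Microsoft Entra ID shows them, and a placeholder service account UPN and feature list that you replace with your own.

```powershell
# Added example (not from the On Demand Recovery documentation): audit the
# directory roles the recovery service account actually holds against the
# roles Table 1 requires for the features you have enabled.
# Assumptions: Microsoft.Graph module installed; the caller may read directory
# role membership; $ServiceAccountUpn is a placeholder for your own account.
param(
    [string]$ServiceAccountUpn = 'svc-ondemand-recovery@contoso.example',   # placeholder
    [string[]]$EnabledFeatures = @('ConditionalAccess', 'MFA', 'Mailboxes', 'GalleryApps', 'AppProxy')
)

# Role display names as shown in Microsoft Entra ID (Table 1 uses lower-case wording).
# Each feature lists the roles that satisfy it; holding any one of them is enough.
$RolesByFeature = @{
    ConditionalAccess = @('Conditional Access Administrator')
    MFA               = @('User Administrator')
    Mailboxes         = @('Exchange Administrator')
    GalleryApps       = @('Application Administrator', 'Cloud Application Administrator')
    AppProxy          = @('Application Administrator')   # Global Reader suffices for backup only
}

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All'

$user = Get-MgUser -UserId $ServiceAccountUpn

# Collect every activated directory role in which the account is a direct member.
$held = @()
foreach ($role in Get-MgDirectoryRole -All) {
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
    if ($members.Id -contains $user.Id) { $held += $role.DisplayName }
}

# Missing: an enabled feature none of whose acceptable roles is held.
$required = @()
foreach ($feature in $EnabledFeatures) {
    $options = $RolesByFeature[$feature]
    if (-not ($options | Where-Object { $held -contains $_ })) {
        Write-Warning "Missing for ${feature}: one of [$($options -join ', ')]"
    }
    $required += $options
}

# Extra: a held role that no enabled feature needs (least-privilege check).
$extra = $held | Where-Object { $required -notcontains $_ }

"Roles held by $ServiceAccountUpn : $($held -join ', ')"
"Roles not needed by the enabled features: $($extra -join ', ')"
```

Run it with only the features you back up in `-EnabledFeatures` so that, for example, an account used solely for mailbox backup is flagged if it also holds Application Administrator. The check covers direct, active role membership only: roles granted through a role-assignable group or an eligible (not yet activated) Privileged Identity Management assignment are not reported as held.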
For instructions on how to add or remove an Azure AD tenant, see the Tenant Management section in the On Demand Global Settings User Guide.
Note: Creation of backups is disabled by default. After the tenant is added, you must enable backup creation as described in Step 6 in Working with On Demand Recovery.
Office 365 and on-premises Exchange offer some native means of protection against losing valuable data. To prevent the permanent deletion of mailbox data and to be able to restore a mailbox after it has been deleted from the Recycle Bin, it is strongly recommended that you use an Office 365 retention policy or Litigation Hold (for hybrid configurations).