The service account that is used to back up and restore Multi-Factor Authentication (MFA) settings, inactive mailboxes, conditional access policies, and Application Proxy settings must have the following permissions:
- For backup operations, this account must be a member of the Exchange administrator or User administrator Azure AD role.
- To back up Application Proxy, the account must be a member of the Application administrator role.
The service account is used to back up and restore the following data:
- Conditional access policies
- Multi-Factor Authentication (MFA) settings
- Identifiers of inactive mailboxes
- Gallery applications and SSO settings data
- Application Proxy settings and connector groups
Table 1: Required permissions for the service account by feature

| Feature | Required role |
|---|---|
| Restoring conditional access policies | Conditional access administrator |
| Restoring MFA settings | |
| Restoring inactive mailboxes and backup required data | |
| Restoring Gallery applications and SSO settings | Application administrator or Cloud application administrator |
| Restoring Application Proxy settings and connector groups | Application administrator |

NOTE: The Application administrator role is required to restore the Application Proxy settings. The Global reader role is sufficient for the backup operation.
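The role requirements above are easy to drift from over time (an administrator adds Global Administrator "to make it work" and never removes it). The following script is an added example, not part of this guide or the product, that reads the service account's activated directory roles with the Microsoft Graph PowerShell SDK and compares them with the roles named on this page. The service account UPN is a placeholder, and only the restore roles the table actually lists are checked; the two features whose role the table leaves blank are not covered.

```powershell
# Added example (not from the original guide): check that the backup/restore
# service account holds the documented roles and flags anything beyond them.
# Assumes the Microsoft.Graph PowerShell SDK is installed and that the UPN
# below is replaced with the real service account.

$ServiceAccountUpn = 'svc-odr-backup@contoso.example'   # placeholder value

# Role names as written on this page. Comparisons below are case-insensitive,
# so they also match the directory's display names (e.g. "Exchange Administrator").
$BackupRoles         = @('Exchange administrator', 'User administrator')   # either one suffices
$AppProxyBackupRoles = @('Application administrator', 'Global reader')     # either one suffices
$RestoreRoles        = @('Conditional access administrator',
                         'Application administrator',
                         'Cloud application administrator')
$Allowed = ($BackupRoles + $AppProxyBackupRoles + $RestoreRoles) | Select-Object -Unique

Connect-MgGraph -Scopes 'User.Read.All', 'Directory.Read.All' | Out-Null

# Get-MgUserMemberOf returns both groups and directory roles; keep only the roles.
$AssignedRoles = Get-MgUserMemberOf -UserId $ServiceAccountUpn -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
    ForEach-Object { $_.AdditionalProperties['displayName'] }

# True when the account holds at least one of the given role names.
$HasAny = { param($Names) @($AssignedRoles | Where-Object { $Names -contains $_ }).Count -gt 0 }

$Missing = @()
if (-not (& $HasAny $BackupRoles)) {
    $Missing += 'backup: Exchange administrator or User administrator'
}
if (-not (& $HasAny $AppProxyBackupRoles)) {
    $Missing += 'Application Proxy backup: Application administrator (or Global reader for backup only)'
}
foreach ($Role in $RestoreRoles) {
    if (-not (& $HasAny @($Role))) { $Missing += "restore: $Role" }
}

# Least privilege: any role outside the documented set is excess and should be removed.
$Excess = @($AssignedRoles | Where-Object { $Allowed -notcontains $_ })

"Assigned roles: $($AssignedRoles -join ', ')"
if ($Missing.Count -gt 0) { "MISSING:`n - " + ($Missing -join "`n - ") } else { 'All documented roles are present.' }
if ($Excess.Count -gt 0)  { "EXCESS (not required by this guide): $($Excess -join ', ')" }

Disconnect-MgGraph | Out-Null
```

Get-MgUserMemberOf only reports roles that are permanently and directly assigned; eligible or time-bound assignments made through Privileged Identity Management, and roles inherited through role-assignable groups, do not appear in its output and need to be reviewed separately.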
For instructions on how to add or remove an Azure AD tenant, see the Tenant Management section in the On Demand Global Settings User Guide.
Note: Creation of backups is disabled by default. After the tenant is added, you must enable backup creation as described in Step 6 in Working with On Demand Recovery.
Office 365 and on-premises Exchange offer some native means of protection against losing valuable data. To prevent the permanent deletion of mailbox data and to be able to restore a mailbox after it has been deleted from the Recycle Bin, it is strongly recommended that you use an Office 365 retention policy or Litigation Hold (for hybrid configurations).