Applies to: Office 365 with Exchange, User Mailbox
In an Office 365 with Exchange environment, you must configure the Exchange Online service account to discover, archive, clean up, and restore data for user mailboxes, group mailboxes, and all public folders.
- Local system account (Windows user)
Before You Begin
The Office 365 with Exchange (Exchange Online) administrator account must have the following service accounts configured:
- Exchange Online service account, which must meet the following requirements:
  - Must be an online mailbox or a shared mailbox.
  - Must be created in Azure AD only.
  - Must have either the Exchange administrator role or the global administrator role assigned so that the Exchange administrator or the global administrator can discover and back up Office 365 group mailboxes. For more information, see Assign admin roles in Office 365 on the Microsoft documentation website.
  - If you use more than one access node, the service account must have local logon rights.
  - For public folders, you must have owner permissions at the root level and the sub-folder level. If the service account is a shared mailbox, you must convert the shared mailbox to a user mailbox, assign the owner permissions, and then convert the mailbox back to a shared mailbox.
    - Run the following command to assign the owner permission to the service account for the root folder and sub-folders:
      Get-PublicFolder -identity "\" -Recurse | Add-PublicFolderClientPermission -user serviceaccount@domain.com -AccessRights Owner
  - For public folder backup and restore, the service account must have impersonation and view-only permissions.
  - For the Exchange Online service account, a license is not required. Convert the user mailbox to a shared mailbox, and remove the Office 365 license for the Exchange Online service account.
- Local system account (Windows user), which must meet the following requirements:
  - Must be a member of the local administrator group.
  - Must be a domain user.
Procedure
- Open Windows PowerShell and create a remote PowerShell session to Office 365 with Exchange.
- To assign view-only recipient permissions, type the following command:
  New-RoleGroup -Name "ExchangeOnlineBackupRoleGroup" -Roles "View-Only Recipients" -Members serviceaccount1,serviceaccount2
  where:
  - ExchangeOnlineBackupRoleGroup is a unique name for the new role group.
  - serviceaccount1 and serviceaccount2 are Exchange Online service accounts.
Note
With modern authentication, the service account is required only for mailbox discovery and license computation, not for backup and restore operations.
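The following PowerShell is an added example, not part of the vendor's documentation: it repeats the role group step so that reruns are harmless, then checks that the group carries only the View-Only Recipients role and that the service account is Owner on every public folder. It assumes an Exchange Online session is already open and uses the page's placeholder account names; Get-RoleGroup, Get-ManagementRoleAssignment, Get-RoleGroupMember and Get-PublicFolderClientPermission are standard Exchange Online cmdlets that do not appear on the page.

```powershell
# Added example, not vendor code. Assumes an open Exchange Online session
# (first step of the procedure). Account names are the page's placeholders.
$GroupName = 'ExchangeOnlineBackupRoleGroup'
$Expected  = @('View-Only Recipients')
$Members   = @('serviceaccount1', 'serviceaccount2')
$PfAccount = 'serviceaccount@domain.com'

# 1. Create the role group only if it is missing, so reruns are harmless.
if (-not (Get-RoleGroup | Where-Object { $_.Name -eq $GroupName })) {
    New-RoleGroup -Name $GroupName -Roles $Expected -Members $Members | Out-Null
}

# 2. Roles actually assigned to the group. Anything beyond $Expected is
#    privilege the backup accounts do not need from this group.
$assigned = @(Get-ManagementRoleAssignment -RoleAssignee $GroupName -Delegating $false |
    ForEach-Object { "$($_.Role)" } | Sort-Object -Unique)
$extra   = @($assigned | Where-Object { $_ -notin $Expected })
$missing = @($Expected | Where-Object { $_ -notin $assigned })
if ($extra)   { Write-Warning "Unexpected roles on ${GroupName}: $($extra -join ', ')" }
if ($missing) { Write-Warning "Missing roles on ${GroupName}: $($missing -join ', ')" }

# 3. Current members, for review against the intended service accounts.
Get-RoleGroupMember -Identity $GroupName | Select-Object Name, RecipientType

# 4. Public folders (root and sub-folders) where the account is not Owner.
$notOwner = foreach ($pf in Get-PublicFolder -Identity '\' -Recurse -ResultSize Unlimited) {
    $id = "$($pf.Identity)"
    try {
        $perm = Get-PublicFolderClientPermission -Identity $id -User $PfAccount -ErrorAction Stop
        $rights = @($perm.AccessRights | ForEach-Object { "$_" })
        if ($rights -notcontains 'Owner') { $id }
    } catch {
        $id   # lookup failed: treated as no permission entry for the account
    }
}
if ($notOwner) { Write-Warning "Not Owner on: $($notOwner -join '; ')" }
```

Warnings from step 2 or step 4 indicate drift from the configuration described on this page; an empty result means the role group and public folder permissions match it.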
What to Do Next
Running Application Check Readiness for the Exchange Mailbox Client