A dedicated Microsoft service account with either the Privileged Role Admin (PRA) or Global Admin (GA) role is required to create Microsoft 365 connectors, reauthenticate them, and perform certain backup and restore operations.
Although you can remove the PRA or GA account after a connector is created, be aware that there are scenarios where one of these admin roles will still be required.
While the PRA can replace the GA in most cases, the GA role is specifically required for backing up SharePoint sites.
Changing roles for existing connectors
If you would like to change the role associated with the service account for an existing connector, you have two options:
- Use the same service account with a different role
After updating the role, we recommend reauthenticating the connector to ensure the changes take effect.
- Create a new service account with the desired role
In this case, you must reauthenticate the connector to apply the new role.
In what cases do I need a Privileged Role Admin or Global Admin?
- Connector creation
To create a Microsoft 365 connector and start the initial backup, you must use a dedicated Microsoft service account with either the PRA or GA role.
During connector creation, the admin user is automatically added as a member of all Microsoft 365 Groups and Teams included in the backup. This is necessary for Keepit to access and back up the data.
Note: If All Groups is selected in the Groups & Teams configuration when creating the connector, the PRA or GA will be added as a member of all newly created Groups or Teams in your Microsoft 365 tenant.
- Connector reauthentication
To reauthenticate a connector, you will need to reassign the PRA or GA role to the user before you authenticate. Once reauthentication is complete, you can remove the admin role again.
You may need to reauthenticate your connector if:
- Your Microsoft 365 session expires, causing authentication between Microsoft and Keepit to become invalid.
- You need to reauthenticate using the key icon in the configuration window because the connector was authorized with the wrong Global Admin account.
- Keepit updates its product to leverage new Microsoft capabilities that require changes to the permissions we request.
- Backing up all SharePoint sites
To back up all SharePoint sites, an appropriate admin role is needed. Since the PRA may not have sufficient permissions to back up all sites, the GA role is required for a complete backup.
In multi-geo environments, the GA role is specifically required to back up the Content-Type Hub site across all geolocations.
Additionally, there may be other scenarios where the GA role is necessary for a successful restore.
- Restoring Teams Shared Channels
To restore shared channels, you must have an appropriate admin role.
You have two options:
If you use the Privileged Role Admin, you must also assign the Teams Admin role to your account. Once both roles are assigned, you can proceed with the restore process.
Alternatively, you can use the Global Admin role to restore the channel.
- Recommended for restoring SharePoint data
To ensure a successful SharePoint data restore, we recommend reassigning the PRA or GA role before starting the process. Since restoring data from a snapshot involves writing into your tenant, the service account must have a privileged role to create SharePoint sites. Once the restore is complete, you can remove the admin role again.
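The reauthentication and SharePoint restore sections above both describe assigning the admin role, doing the work, and removing the role again. The following PowerShell sketch is an added example, not Keepit's own tooling, that wraps that sequence so the role is removed even if the session is interrupted. It assumes the Microsoft Graph PowerShell SDK is installed, uses the Entra display names of the roles, and the service account UPN is a placeholder.

```powershell
# Added example: temporary elevation of the backup service account.
# Assumes the Microsoft.Graph.Users and Microsoft.Graph.Identity.Governance
# modules are installed and the operator may manage directory role assignments.

$ServiceAccountUpn = 'svc-backup@contoso.example'   # placeholder, replace with your account
$RoleName          = 'Privileged Role Administrator' # or 'Global Administrator'

Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'User.Read.All'

$user = Get-MgUser -UserId $ServiceAccountUpn -ErrorAction Stop
$role = Get-MgRoleManagementDirectoryRoleDefinition `
            -Filter "displayName eq '$RoleName'" -ErrorAction Stop
if (-not $role) { throw "Role '$RoleName' not found in this tenant." }

# Look for a standing assignment so this script never removes one it did not create.
$filter   = "principalId eq '$($user.Id)' and roleDefinitionId eq '$($role.Id)'"
$existing = Get-MgRoleManagementDirectoryRoleAssignment -Filter $filter -All
$granted  = $null

try {
    if ($existing) {
        Write-Warning "$ServiceAccountUpn already holds '$RoleName'; leaving that assignment in place."
    }
    else {
        $granted = New-MgRoleManagementDirectoryRoleAssignment `
                       -PrincipalId $user.Id `
                       -RoleDefinitionId $role.Id `
                       -DirectoryScopeId '/' -ErrorAction Stop
        Write-Host "Assigned '$RoleName' to $ServiceAccountUpn."
    }

    # Perform the connector reauthentication or the restore now.
    Read-Host 'Press Enter once the reauthentication or restore has completed'
}
finally {
    # Runs on success, error, or Ctrl+C, so the role does not stay assigned by accident.
    if ($granted) {
        Remove-MgRoleManagementDirectoryRoleAssignment `
            -UnifiedRoleAssignmentId $granted.Id -ErrorAction Stop
        Write-Host "Removed '$RoleName' from $ServiceAccountUpn."
    }
}

# Confirm what the account still holds after the operation.
$remaining = Get-MgRoleManagementDirectoryRoleAssignment -Filter $filter -All
Write-Host "Assignments of '$RoleName' remaining on the account: $(@($remaining).Count)"
```

A remaining count above zero after the run means the account holds a standing assignment that predates the script and should be reviewed separately.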