Skip to main content
Tenant Registration FAQs

Quick answers related to global admin creds, app, permissions, KMS, and user deployment.

Updated over 2 months ago

Following are some of the most frequently asked questions for tenant registration.

Why do I need global admin credentials?

Global admin credentials are required to give consent to the required permissions to install the Druva App so it can perform backup and restore. The global admin role can be reduced to a normal user role later.

Global admin credentials are the highest level of permissions in Microsoft 365.

How to decide which app to install?

The set of permissions Druva requires differs depending on the apps you want to protect.

Depending on the Microsoft 365 Apps you want to protect, select the appropriate Druva App.

  • Advanced (Includes Multi-Geo) - Backs up the data for Exchange Online, Groups, OneDrive, Public folder, SharePoint, Teams

  • Basic - Backs up the data for Exchange Online, OneDrive, Public folder, SharePoint, Teams
    Use the Basic app when you want to protect this data without providing the Directory.ReadWrite.All permission.

  • Exchange Online & Public folder - Backs up the data for Exchange Online and Public folder

  • OneDrive & SharePoint - Backs up the data for OneDrive and SharePoint

What are the different permissions required to install the Druva App?

Each app requires different permissions depending on the workloads you are protecting. Druva requires the following permission types:

  • Application: Allows to perform actions using admin-driven consent.

  • Delegated: Allows to perform actions on behalf of a particular user.

For more detailed list of all permissions, see Microsoft 365 Permissions.

Why is Cloud Key Management required?

Cloud Key Management system is required to run scheduled backups wherein the data is encrypted.

Druva requires access to the data encryption key (ekey) to encrypt the user data during backups. The Cloud Key Management utilizes the AWS Cloud Key Management System (AWS KMS) to generate a Data Key. The Data Key is then used to encrypt the ekey. The encrypted key is then stored in the Druva Cloud. During the scheduled backup, the encrypted key in combination with the Data Key, is used to obtain the ekey required to run the scheduled backups. By default, the Cloud Key Management system is selected for data protection.

Why is Cloud Key Management recommended for data encryption?

Cloud Key Management system has the following benefits:

  • Remove dependency on AD Connector for scheduled backups for SaaS Apps.

  • Remove the risk of all backups failing in case of AD connector disconnections.

  • Reduce the risk of non-availability of backups in case of a ransomware attack.

  • Strict adherence to backup SLAs by removing the risk of backup interruptions due to environment maintenance.

How do I change the user deployment method?

Azure AD user deployment method is configured by default. You can change it later from the Overview page. You can change the user deployment method to SCIM or AD/LDAP.

How to reconnect a disconnected app?

To reconnect the app, you need to reconfigure it with global admin credentials.

  1. On the Overview page, click Re-Configure.

  2. On the Re-Configure for Backup page, click the three-dots menu, and click Re-Configure beside the app type that you want to reconfigure.

Which Protocol is used during the Tenant Registration Process?

We use the OAuth 2.0 authorization grant flow to get permissions to access Microsoft. This flow allows the Global administrator to share protected content from Microsoft 365 without sharing their credentials. When an admin authenticates with Global admin credentials, inSync sends the admin to Microsoft to review and grant permissions. After the admin approves the inSync request, the admin is redirected back to inSync with an authorization code that allows inSync to access the data it needs to back up.

Do changes to the service account cause App disconnection?

Yes, after the tenant configuration is completed with the GA role, the refresh token gets invalidated in the below scenarios.

  1. For any permissions-related updates required by the inSync app in Microsoft Azure.

  2. If the password of the global admin account has changed recently.

  3. MFA was set for the account after reinstallation was done.

  4. Any permission-related changes that are made to the global administrator account used to configure a Microsoft 365 app in inSync.

​Example: If any changes are made to the conditional access permissions of the global administrator account used to configure any Microsoft 365 app, you must Re-Install the Microsoft 365 account in inSync.

Does inSync Store Global Admin Credentials?

At no point during this Authentication does inSync receive or store GA credentials, so admin can rest assured that their credentials are completely secure.

Which Account should be Preferred when setting up a Global Admin?

  • Instead of using a personal account, Create a Service account with Global Administrator role.

  • Post successful configuration, the admin can reduce the Global Administrator role to a normal account.

πŸ“Œ Additional information

For detailed steps, see Configuration Guide.


​

Did this answer your question?