How to create an account that can be used to back up SharePoint data

Problem:

You want to create a new admin account that is used by CodeTwo Backup to back up and restore SharePoint data. 

Solution:

Below you can find step-by-step instructions on how to create an admin account that has all the necessary roles and privileges to back up and restore data from:

• SharePoint Online
• on-premises SharePoint Server 2016

How to create an admin account to back up and restore SharePoint Online data

1. Sign in to the Microsoft 365 admin center using an account with Global Administrator permissions.
2. Go to Users > Active users and click Add a user (Fig. 1.).

Fig. 1. Adding a new user.

4. In the Basics step, fill in all the necessary fields and click Next (Fig. 2.).

Fig. 2. Adding basic user information.

5. In the Product licenses step, assign the user a product license that includes SharePoint Online (e.g. Office 365 E5 or Microsoft 365 E5) and click Next (Fig. 3.).

Fig. 3. Assigning product license to the new user.

6. In the next step, Optional settings, assign the Global Administrator role to the new user (Fig. 4.).

   Use less privileged roles

   While the Global Administrator role allows a new user to perform all backup and restore tasks for Exchange/SharePoint Online data with CodeTwo Backup, it grants many additional rights that are not necessary.

   To follow the principle of least privilege, you can assign the user the following combination of roles to handle all backup/restore tasks:

   • Privileged Role Administrator – this role isn't available during the new user setup. After completing the wizard, assign it to the newly created user by following these steps.
   • SharePoint Administrator – this role is needed only if you want to perform certain actions (e.g. restore custom web part page layouts or surveys that don't allow for multiple responses) that require the use of legacy authentication. Learn more

Fig. 4. Assigning an admin role to a user.

7. Review your settings in the Finish step and click Finish adding to create a new user.

You can now use this account to back up your SharePoint content in CodeTwo Backup.

If you need to assign the Privileged Role Administrator role now, complete the steps in the section below. 

How to assign the Privileged Role Administrator role

1. Sign in to the Microsoft Entra admin center and go to Identity > Users > All Users (as shown in Fig. 5.).
2. Click your newly created user in the users list to open their settings.
3.  Go to Assigned roles and click Add assignments (Fig. 5.).

Fig. 5. Adding a new role assignment for a user.

4. Click the Select role drop-down list and type Privileged in the search box. Select Privileged Role Administrator when it appears (Fig. 6.).

Fig. 6. Selecting the right role.

5. Click Next to go to the next step in the role assignment wizard.
6. Under Assignment type, select Active and provide the required justification in the text field below (Fig. 7.).

   Tip

   If you want to grant the role temporarily (e.g. for the user to complete a one-time SharePoint backup job), uncheck the Permanently assigned option and specify the start and end date/time (see Fig. 7.).

Fig. 7. Configuring the role assignment settings.

7. Finally, click Assign at the bottom (see Fig. 7.) to grant the Privileged Role Administrator role to the user. Wait a few minutes for the changes to take effect.

How to create an admin account to back up and restore SharePoint (on-premises) data

This section includes the following steps:

1. Creating a new Active Directory user with administrator rights
2. Adding the created admin account to the SharePoint Farm Administrators group
3. Granting Full Control permissions to the SharePoint site at the Web Application Policy level
4. Adding the admin account to the Remote Management Users group
5. Adding the admin account to the SharePoint_Shell_Access role
6. Configuring the site collection administrator 

Creating a new Active Directory user with administrator rights

1. On your Domain Controller, open Active Directory Users and Computers.
2. Right-click the Users object in the left pane and then click New > User (Fig. 8.).

   
   Fig. 8. Creating a new user in Active Directory.

3. Fill in at least the Full name and User logon name fields (Fig. 9.) and click Next.

   
   Fig. 9. Filling in the necessary user data.

4. In the next step, provide the password and configure the remaining options according to your needs (Fig. 10.).

   
   Fig. 10. Configuring the password settings.

5. Click Next and Finish to create the new user.
6. Right-click this user and select Add to a group.
7. In the window that opens, type administrators, click Check Names and click OK (Fig. 11.).

   
   Fig. 11. Selecting the Administrators group.

Adding the created admin account to the SharePoint Farm Administrators group

1. Open SharePoint Central Administration and go to Security > Manage the farm administrators group (Fig. 12.).

   
   Fig. 12. Accessing the SharePoint Farm Administrators group.

2. In the Farm Administrators window, click New > Add users to this group (Fig. 13.).

   
   Fig. 13. Adding users to the Farm Administrators group.

3. Start typing the name of your user and select it once it appears in the drop-down menu below (Fig. 14.).

   
   Fig. 14. Selecting the appropriate user account.

4. Click Share.

Granting Full Control permissions to the SharePoint site at the Web Application Policy level

1. In SharePoint Central Administration, go to Application Management > Manage web applications.
2. Select SharePoint - 80 on the list and click User Policy on the ribbon (Fig. 15.).

   
   Fig. 15. Accessing the SharePoint User Policy settings.

3. In the Policy for Web Application window, click Add Users, select (All zones) from the drop-down menu, and click Next.
4. In the next window, enter the full name or logon of your user in the Users box and click the Check Names button (Fig. 16.).

   
   Fig. 16. Searching for the specific user account.

5. Under Permissions, select the Full Control checkbox and click Finish.
6. Click OK to apply the changes.

Adding the admin account to the Remote Management Users group

1. On your SharePoint Server machine, go to Control Panel > Administrative Tools > Computer Management.
2. Click Local Users and Groups in the left pane and double-click Groups.
3. In the central pane, right-click the Remote Management Users group and select Add to Group (Fig. 17.).

   
   Fig. 17. Adding users to the Remote Management Users group.

4. In the properties window that opens, click Add, enter the name of your user, click Check Names, and then click OK two times.

Adding the admin account to the SharePoint_Shell_Access role

1. Open SharePoint Management Shell and add your user to the SharePoint_Shell_Access role by using the following cmdlet:

   Add-SPShellAdmin -UserName <domain>\<user_name>

   For example:

   Add-SPShellAdmin -UserName DOMAIN140\sharepoint.admin

For more information on the Add-SPShellAdmin cmdlet, visit this Microsoft page.

You can now use this account to back up your SharePoint content in CodeTwo Backup.

Configuring the site collection administrator (optional)

In order to perform backup and restore tasks on site collections existing in your SharePoint environment, the used admin account needs to be either a primary or secondary site collection administrator for each site collection. If that admin account is neither, the program will automatically set it as the secondary site collection administrator when:

• site collections are listed in the backup job wizard
• site collections are listed in the restore job wizard
• when site collections are being backed up
• when data is being restored to a selected site collection.

Keep in mind that this action will replace the existing secondary site collection administrators (learn more). You can check which users are currently set as secondary site collection administrators or set the secondary site collection administrator for specific site collection manually by following these steps:

1. In SharePoint Central Administration, go to Application Management and click Change site collection administrators (Fig. 18.).

Fig. 18. Accessing management settings for site collection administrators.

2. In the Site Collection Administrators window, select the site collection for which you want to set the secondary site collection administrator by clicking the down arrow in the Site Collection section and choosing Change Site Collection (Fig. 19.). In the window that opens, simply click the site URL and then click OK.

Fig. 19. Changing a site collection.

3. In the Secondary site collection administrator section of the window, click the browse (book icon) button (Fig. 20.).

Fig. 20. Changing a secondary site collection administrator.

4. In the Select People window that opens, provide the name of your admin account and click the search (magnifying glass icon) button. Once found, select that account and click OK (Fig. 21.).

Fig. 21. Browsing for a specific admin account.

5. Back in the Site Collection Administrators page, click OK to save new settings. Keep in mind that you need to click OK for each site collection separately in order for the changes to be applied. 
6. Repeat steps 1-5 until you have set the secondary site collection admin for all site collections.