Add the Required Role and Group to the Exchange Online Backup Account to Perform Backup and Restore

This section provides information about how to add the backup account to the Discovery Management role group and assign the Application Impersonation permission.

To add the required role and group, perform one of the following:

Method 1: Using Office 365 portal

Follow these steps:

1. Log into Microsoft 365.
2. In the left pane, click Admin.
3. The Microsoft 365 admin center page opens in a new window.
3. In the left pane, click Show all, and then click Exchange under Admin centers.
4. The Exchange admin center page opens in a new window.
4. Under Roles, select Admin roles.
5. The Admin roles page opens.
5. From the list of Role groups, click Discovery Management.
6. The Discovery Management dialog appears.
6. Go to the Permissions tab, and then select the ApplicationImpersonation check box.
7. Go to the Assigned tab, click Add to add the backup account.
8. The Add admins dialog opens.
8. Search for member account by name or enter the member account, and then click Add.
9. The backup account gets added to the ApplicationImpersonation role and appears under the Assigned Admin names.

Method 2: Using Remote PowerShell

Follow these steps:

1. Connect to the Exchange Online tenant using remote PowerShell. For more information, see Connect to Exchange Online PowerShell.
2. Once connected, to add the backup account as a member of Discovery Management role group, use the following:

"Add-RoleGroupMember" cmdlet

For example: Add-RoleGroupMember "discovery management" -member userName@domain.onmicrosoft.com.

3. To assign application impersonation role to the backup account, use the following:

"New-ManagementRoleAssignment" cmdlet

For example: New-ManagementRoleAssignment -Name: impersonationAssignmentName -Role:ApplicationImpersonation - User: "username@domain.onmicrosoft.com"

The ApplicationImpersonation role and Members group are added to the Exchange Online backup account.