Choose your authentication method

• High security: This user can have MFA and other Conditional Access policies applied, enhancing security.
• Choice of any user account: Any Azure AD user in the tenant can be utilized with this option
• Customizable roles and permissions: The chosen user's roles and permissions can be tailored, offering flexibility in controlling Simeon's access level. This includes utilizing PIM to provide time-based role activation of higher privileges when necessary.

You can opt for a Global Administrator account for delegated authentication to ensure access to all configurations. However, if you prefer not to use a Global Administrator, you can choose a user with lower-level permissions for delegated authentication. Simeon will then authenticate as this user, meaning it will only have the permissions granted to that user account. For instance, if your user account lacks the permission to create or manage Exchange Online policies or SharePoint policies, Simeon will be unable to perform these actions as well. This approach allows you to precisely tailor Simeon's access level through the chosen user account.

• Refresh token lifecycle: refresh tokens can become invalidated if security policies or sign-in policies within the tenant change (e.g., re-enrollment in MFA or periodic MFA verification requirements).
• Potential access issues: when the refresh token is invalidated, Simeon loses the ability to authenticate, leading to disruptions in backup and syncing operations until a new sign-in generates a fresh refresh token.
• Management overhead: for clients managing multiple tenants, the need to re-authenticate the Sync when tenant policies change can be burdensome, especially if refresh tokens frequently invalidate across several tenants.

As authentication depends on a refresh token, a key issue with delegated authentication is its sensitivity to security policy changes in your tenant. For instance, if there's a re-enrollment in MFA or a need for periodic MFA renewal, the refresh token gets invalidated. This means Simeon can't authenticate, stopping backups and Syncs until you sign in again for a new token. Managing this for a large number of tenants can become a hassle if even a few require frequent re-authentication.

It is recommended to review the current sign-in policies, including token expiration policies, in the tenants you are installing to ensure that delegated authentication makes sense.

• Direct authentication: Simeon directly signs in as the service account user to authenticate into the tenant, bypassing the need for a refresh token. This direct sign-in method simplifies the authentication process and reduces potential access issues related to token invalidation.
• Stable access: Once configured, changes in tenant security policies, such as MFA re-enrollment, do not affect the service account, ensuring uninterrupted access and functionality for Simeon.
• Non-Interactive: the service account is non-interactive, meaning only Simeon has access to and can use this account, enhancing security by limiting access.
   

• Fixed permissions: the service account is created with Global Administrator permissions, giving you no control over its permission levels.
• Limited accessibility: this kind of account is non-interactive; you cannot sign in to the tenant as the service account user or change this user's properties. 
• Exclusion from MFA: since the account is non-interactive and you won't have login credentials, you cannot apply Multi-Factor Authentication (MFA) to the service account. This requires setting exclusions to MFA policies specifically for this account.