Add the backup account to the Discovery Management role group and assign Application Impersonation permission to it.

Follow these steps:

  1. Add the required role and group using any one of the following ways:

    Using Office 365 portal

    1. Log on Office 365 portal as an Administrator or with an account that has Global Admin permissions. 

      The ExchangeAdmin center page opens.

    2. Go to permissions and double-click Discovery Management from the Add drop-down.

      The Discovery Management dialog opens. 

      Note: Member of the Discovery Management role group can perform searches of mailboxes in the Exchange organization for data that meets specific criteria.

    3. Under Roles, click + to add the ApplicationImpersonation role.

      The Discovery Management dialog opens.

    4. Select ApplicationImpersonation from the Display Name drop-down.

      Note: The ApplicationImpersonation role enables applications to impersonate users in an organization in order to perform tasks on behalf of the user.

    5. Under Members, click + to add the backup account as a member.

      A dialog appears.

    6. Select the backup account from the Name drop-down and click OK.

      The selected backup account is displayed under Members on the Discovery Management dialog.

    7. Click Save.
  2. Using Remote Powershell

    1. To connect to the Exchange Online tenant using remote PowerShell, refer to the link.
    2. Once connected, to add the backup account as a member of Discovery Management role group, use the:
      "Add-RoleGroupMember" cmdlet

      For example: Add-RoleGroupMember "discovery management" -member

    3. To assign application impersonation role to the backup account, use the:
      "New-ManagementRoleAssignment" cmdlet

      For example: 

      New-ManagementRoleAssignment Name: impersonationAssignmentName -Role:ApplicationImpersonation - User: ""

The ApplicationImpersonation role and Members group are added to the Exchange Online backup account.