Permissions for Modern App-Only Authentication
Tables in this section list permissions for Azure AD applications that are granted automatically by Veeam Backup for Microsoft Office 365 when you add organizations using the modern app-only authentication method.
If you prefer to use a custom application of your own, make sure to grant all the permissions listed in these tables manually to perform the following operations:
Make sure that you assign the required roles to the user account that the Azure AD application will use to log in to Microsoft Office 365.
For more information on how to check permissions for Office 365 Exchange Online API, see Checking Permissions for Office 365 Exchange Online API.
For more information on how to configure Azure AD application settings in Microsoft Azure to perform data restore, see Configuring Azure AD Application Settings.
For more information about permissions for Azure AD applications that you add as backup applications, see Backup Application Permissions.
Required User Account Roles for Azure AD Applications
- Global Administrator — required for adding organizations with modern app-only authentication and creating backup applications.
- ApplicationImpersonation and Global Administrator or Exchange Administrator — required for data restore with Veeam Explorer for Microsoft Exchange.
- Global Administrator or SharePoint Administrator — required for data restore with Veeam Explorer for Microsoft SharePoint and Veeam Explorer for Microsoft OneDrive for Business.
- Global Administrator or Teams Administrator — required for data restore with Veeam Explorer for Microsoft Teams.
- Global Administrator — required for establishing a connection to a service provider in the Office 365 Backup as a Service scenario.
All listed permissions are of the Application type.
API | Permission name | Exchange Online | SharePoint Online and OneDrive for Business | Microsoft Teams | Description |
---|---|---|---|---|---|
Microsoft Graph | Directory.Read.All | ✔ | ✔ | ✔ | Querying Azure AD for organization properties, the list of users and groups and their properties. |
Group.Read.All | ✔ | ✔ | ✔ | Querying Azure AD for the list of groups and group sites. | |
Sites.ReadWrite.All |
| ✔ | ✔ | Querying Azure AD for the list of sites and getting download URLs for files and their versions. | |
TeamSettings.ReadWrite.All |
|
| ✔ | Accessing archived teams. | |
Office 365 Exchange Online1 | full_access_as_app | ✔ |
| ✔ | Reading mailboxes content. |
SharePoint | Sites.FullControl.All |
| ✔ | ✔ | Reading SharePoint sites and OneDrive accounts content. |
User.Read.All |
| ✔ | ✔ | Reading OneDrive accounts (getting site IDs). Note: This permission is not used to back up Microsoft Teams data, but you must grant it along with SharePoint Online and OneDrive for Business permission to add Microsoft Office 365 organization successfully. |
1You can check permissions for Office 365 Exchange Online API. For more information, see Checking Permissions for Office 365 Exchange Online API.
Permissions for Restore
Note |
To restore data using Azure AD application, make sure that you configure the Azure AD application settings. For more information, see Configuring Azure AD Application Settings. |
Restore Using Device Code Flow
API | Permission name | Exchange Online | SharePoint Online and OneDrive for Business | Microsoft Teams | Description |
---|---|---|---|---|---|
Microsoft Graph | Directory.Read.All | ✔ | ✔ | ✔ | Querying Azure AD for organization properties, the list of users and groups and their properties. |
Group.ReadWrite.All |
|
| ✔ | Recreating in Azure AD an associated group in case of teams restore. | |
offline_access | ✔ | ✔ | ✔ | Obtaining a refresh token from Azure AD. | |
Office 365 Exchange Online1 | EWS.AccessAsUser.All | ✔ |
|
| Accessing mailboxes as the signed-in user (impersonation) through EWS. |
full_access_as_user | ✔ |
|
| Reading the current state and restoring mailboxes content. This permission is only required when you add an organization in the Germany region. | |
SharePoint | AllSites.FullControl |
| ✔ | ✔ | Reading the current state and restoring SharePoint sites and OneDrive accounts content. |
User.ReadWrite.All |
| ✔ | ✔ | Resolving OneDrive accounts (getting site IDs). |
1You can check permissions for Office 365 Exchange Online API. For more information, see Checking Permissions for Office 365 Exchange Online API.
Restore Using Application Certificate
API | Permission name | Exchange Online | SharePoint Online and OneDrive for Business | Microsoft Teams | Description |
---|---|---|---|---|---|
Microsoft Graph | Directory.Read.All | ✔ |
| ✔ | Querying Azure AD for organization properties, the list of users and groups and their properties. |
Group.ReadWrite.All |
| ✔ | ✔ | Recreating in Azure AD an associated group in case of a deleted team site restore. Note: This permission is only required for restore of SharePoint site data through REST API and PowerShell. | |
TeamSettings.ReadWrite.All |
|
| ✔ | Restoring teams to the archived state. | |
Office 365 Exchange Online1 | full_access_as_app | ✔ |
|
| Reading the current state and restoring mailboxes content. |
SharePoint | Sites.FullControl.All |
| ✔ | ✔ | Reading the current state and restoring SharePoint sites and OneDrive accounts content. |
User.Read.All |
| ✔ | ✔ | Resolving OneDrive accounts (getting site IDs). |
1You can check permissions for Office 365 Exchange Online API. For more information, see Checking Permissions for Office 365 Exchange Online API.