This is an archive version of the document. To get the most up-to-date information, see the current version.

Required Permissions

The following table lists required permissions for data restore.

Operation	Required Roles and Permissions
Restore to Microsoft Office 365 and on-premises Microsoft Exchange	To restore data to Microsoft Office 365 and on-premises Microsoft Exchange organizations, you must grant the following roles and permissions to user accounts: Restore to Public Folder Using Basic Authentication Method The account must own a mailbox on a target Microsoft Exchange server. The account must be a member of the Organization Management role group on a target Microsoft Exchange server. See Adding User Account to Organization Management Role Group. [For restore of In-Place Hold Items to the original location] If the In-Place Hold Items folder already exists, make sure the account being used can create, modify and delete items. If the In-Place Hold Items folder does not exist, the account being used must be able to create folders under the All Public Folders root node. Restore to Mailbox Using Basic Authentication Method If the account owns a mailbox, make sure it has Full Access. If the account does not own a mailbox, then access must be granted through impersonation. See Granting Full Access. Restore Using Modern App-Only Authentication Method The account used to log in to Microsoft Office 365 must be assigned the following roles: ApplicationImpersonation role. For more information, see this Microsoft article. Global Administrator or Exchange Administrator role. Also make sure that the required settings are specified for the Azure AD application used for restore. For more information, see Configuring Azure AD Application Settings.

Operation

Required Roles and Permissions

Restore to Microsoft Office 365 and on-premises Microsoft Exchange

To restore data to Microsoft Office 365 and on-premises Microsoft Exchange organizations, you must grant the following roles and permissions to user accounts:

Restore to Public Folder Using Basic Authentication Method

The account must own a mailbox on a target Microsoft Exchange server.
The account must be a member of the Organization Management role group on a target Microsoft Exchange server. See Adding User Account to Organization Management Role Group.
[For restore of In-Place Hold Items to the original location] If the In-Place Hold Items folder already exists, make sure the account being used can create, modify and delete items. If the In-Place Hold Items folder does not exist, the account being used must be able to create folders under the All Public Folders root node.

Restore to Mailbox Using Basic Authentication Method

If the account owns a mailbox, make sure it has Full Access.
If the account does not own a mailbox, then access must be granted through impersonation. See Granting Full Access.

Restore Using Modern App-Only Authentication Method

The account used to log in to Microsoft Office 365 must be assigned the following roles:

ApplicationImpersonation role. For more information, see this Microsoft article.
Global Administrator or Exchange Administrator role.

Also make sure that the required settings are specified for the Azure AD application used for restore. For more information, see Configuring Azure AD Application Settings.

Examples

Adding User Account to Organization Management Role Group

To add user account to the Organization Management role group, use the following cmdlet.

Add-RoleGroupMember "Organization Management" –Member "<user_account>"

For more information about the Add-RoleGroupMember cmdlet, see this Microsoft article.

Granting Full Access

To grant Full Access to the account that owns a mailbox, use the following cmdlet.

Add-MailboxPermission –Identity "<target_mailbox>" -User "<user_account>" -AccessRights FullAccess –InheritanceType All

For more information about the Add-MailboxPermission cmdlet, see this Microsoft article.

To grant Full Access to the account that does not own a mailbox (in particular, through impersonation), use the following cmdlet.

New-ManagementRoleAssignment -Name "<role_name>" -Role ApplicationImpersonation -User "<user_account>"

For more information about the New-ManagementRoleAssignment cmdlet, see this Microsoft article.

Recalling Given Permissions

To recall given access level, run either of the following cmdlets.

Remove-ManagementRoleAssignment "<role_name>"

Remove-ManagementRoleAssignment -Identity "<role_name>"