This is an archive version of the document. To get the most up-to-date information, see the current version.Permissions Changelog
You can learn what was changed in permissions required for Veeam Backup for Microsoft 365 6a comparing to version 5.0.
Azure AD Application Permissions
The following table lists changes in permissions for modern app-only authentication:
API | Permission name | Type | Usage | Description | Status |
|---|---|---|---|---|---|
Microsoft Graph | Sites.Read.All | Application | Backup | Querying Azure AD for the list of sites and getting download URLs for files and their versions. | new |
Sites.Read.All | Delegated | Restore | Accessing sites of the applications that are installed from the SharePoint store. | new | |
Sites.Read.All | Application | Restore | Accessing sites of the applications that are installed from the SharePoint store. | new | |
Sites.ReadWrite.All | Application | Backup | Querying Azure AD for the list of sites and getting download URLs for files and their versions. | removed | |
TeamSettings.ReadWrite.All | Application | Restore | Restoring teams to the archived state. | removed | |
Directory.ReadWrite.All | Delegated | Restore | Setting the preferred data location when creating a new M365 group for a multi-geo tenant in case of teams restore. | new | |
ChannelMessage.Read.All | Application | Backup | Accessing all Teams public channel messages. Note: This permission is only required if you want to back up team chats using Teams Export APIs. | new | |
SharePoint | User.ReadWrite.All | Delegated | Restore | Resolving OneDrive accounts (getting site IDs). | removed |
User.Read.All | Delegated | Restore | Resolving OneDrive accounts (getting site IDs). Note: This permission is not required to restore SharePoint Online data. | new | |
User.Read.All | Application | Restore | Resolving OneDrive accounts (getting site IDs). Note: This permission is not required to restore SharePoint Online data. | changed |
The following table lists changes in permissions for modern authentication and legacy protocols:
API | Permission name | Type | Usage | Description | Status |
|---|---|---|---|---|---|
Microsoft Graph | Sites.Read.All | Application | Backup | Accessing sites of the applications that are installed from the SharePoint store. | new |
If you allow users to perform self-service restore using Restore Portal, they will authenticate to the portal with their Microsoft 365 user account credentials. Veeam Backup for Microsoft 365 requires Azure AD application to be configured and granted permissions to ensure such authentication. For more information, see Permissions for Authentication to Restore Portal.
If you want to use the Azure archiver appliance when Veeam Backup for Microsoft 365 copies backed-up data from Azure Blob storage to Azure Archive storage, you must assign the required roles to a user account that you use to create Azure AD application for the Microsoft Azure service account. For more information, see Permissions for Azure Archiver Appliance.
Amazon S3 Storage Permissions
If you create an instance of your backed-up data in Amazon S3 Glacier or Amazon S3 Glacier Deep Archive storage, you must grant permissions to a user account that you use to access Amazon buckets and folders. For more information, see Amazon S3 Storage Permissions.
Azure Archive Storage
If you create an instance of Microsoft 365 and on-premises Microsoft organization backups in Azure Blob Storage Archive access tier, you must grant permissions to a user account that you use to access Azure archive storage. For more information, see Azure Archive Storage Permissions.
