Permissions

The accounts that Veeam Backup for Microsoft Entra ID uses to deploy and manage backup infrastructure components must be granted the following permissions.

Veeam Backup & Replication User Account Permissions

A user account that you plan to use when installing and working with Veeam Backup & Replication must have permissions described in the Veeam Backup & Replication User Guide, section Installing and Using Veeam Backup & Replication.

Microsoft Entra Permissions

Veeam Backup for Microsoft Entra ID requires a Microsoft Entra application whose permissions are used to add Microsoft Entra ID tenants to the backup infrastructure and to perform backup and restore operations with Microsoft Entra ID resources.

You can specify an existing application or instruct Veeam Backup & Replication to create a new one. The list of the permissions that must be granted to a Microsoft Entra application depends on whether you instruct Veeam Backup & Replication to create a new application or specify an existing one.

Application	Permissions
New	The Microsoft Entra ID user account associated with the tenant where the Microsoft Entra ID application will be created must have the Global Administrator Microsoft Entra built-in role assigned. No additional permissions are required.
Existing	List of permissions to add Microsoft Entra ID tenants and to perform backup: Microsoft Graph application permissions: AuditLog.Read.All, Directory.Read.All, Group.Read.All, MailboxSettings.Read, RoleManagement.Read.Directory, User.Read.All
List of permissions to perform restore: Microsoft Graph delegated permissions: Directory.ReadWrite.All, RoleManagement.ReadWrite.Directory, AdministrativeUnit.ReadWrite.All, Directory.AccessAsUser.All, Application.ReadWrite.All, Group.ReadWrite.All API delegated permission: user_impersonation Note: the application must also have the Allow public client flows option enabled.

Application

Permissions

New

The Microsoft Entra ID user account associated with the tenant where the Microsoft Entra ID application will be created must have the Global Administrator Microsoft Entra built-in role assigned. No additional permissions are required.

Existing

List of permissions to add Microsoft Entra ID tenants and to perform backup:

Microsoft Graph application permissions: AuditLog.Read.All, Directory.Read.All, Group.Read.All, MailboxSettings.Read, RoleManagement.Read.Directory, User.Read.All

List of permissions to perform restore:

Microsoft Graph delegated permissions: Directory.ReadWrite.All, RoleManagement.ReadWrite.Directory, AdministrativeUnit.ReadWrite.All, Directory.AccessAsUser.All, Application.ReadWrite.All, Group.ReadWrite.All
API delegated permission: user_impersonation

Note: the application must also have the Allow public client flows option enabled.

Important

By default, Veeam Backup for Microsoft Entra ID does not back up relationships between protected resources and management groups. If you want to add these relationships into the backup scope, you must perform additional configuration steps described in this Veeam KB article.