Permissions

The accounts that Veeam Backup for Microsoft Entra ID uses to deploy and manage backup infrastructure components must be granted the following permissions.

Veeam Backup & Replication User Account Permissions

A user account that you plan to use when installing and working with Veeam Backup & Replication must have permissions described in the Veeam Backup & Replication User Guide, section Installing and Using Veeam Backup & Replication.

Microsoft Entra Roles and Permissions

Veeam Backup for Microsoft Entra ID requires a Microsoft Entra application whose permissions are used to add Microsoft Entra ID tenants to the backup infrastructure and to perform backup and restore operations with Microsoft Entra ID resources.

Adding and Backing Up Tenants

You can specify an existing application or instruct Veeam Backup & Replication to create a new one. The list of permissions granted to the Microsoft Entra application and the list of roles assigned to the Microsoft Entra ID user account that you use to create the application depend on the actions you plan to perform using the application.

Application	Permissions
New	The Microsoft Entra ID user account associated with the tenant where the Microsoft Entra ID application will be created must have the following built-in roles assigned: Application Administrator Privileged Role Administrator As an alternative, you can use the Global Administrator Microsoft Entra built-in role. The created application will be assigned the permissions described in the Existing Application row in this table.
Existing	To perform backup, the application must have the following permissions: Microsoft Graph application permissions: AuditLog.Read.All, Directory.Read.All, Group.Read.All, MailboxSettings.Read, RoleManagement.Read.Directory, User.Read.All
To be able to further perform restore, the application must have the following permissions: Microsoft Graph delegated permissions: Directory.ReadWrite.All, RoleManagement.ReadWrite.Directory, AdministrativeUnit.ReadWrite.All, Directory.AccessAsUser.All, Application.ReadWrite.All, Group.ReadWrite.All API delegated permission: user_impersonation Note: the application must also have the Allow public client flows option enabled.

Application

Permissions

New

The Microsoft Entra ID user account associated with the tenant where the Microsoft Entra ID application will be created must have the following built-in roles assigned:

As an alternative, you can use the Global Administrator Microsoft Entra built-in role.

The created application will be assigned the permissions described in the Existing Application row in this table.

Existing

To perform backup, the application must have the following permissions:

Microsoft Graph application permissions: AuditLog.Read.All, Directory.Read.All, Group.Read.All, MailboxSettings.Read, RoleManagement.Read.Directory, User.Read.All

To be able to further perform restore, the application must have the following permissions:

Microsoft Graph delegated permissions: Directory.ReadWrite.All, RoleManagement.ReadWrite.Directory, AdministrativeUnit.ReadWrite.All, Directory.AccessAsUser.All, Application.ReadWrite.All, Group.ReadWrite.All
API delegated permission: user_impersonation

Note: the application must also have the Allow public client flows option enabled.

Important

By default, Veeam Backup for Microsoft Entra ID does not back up relationships between protected resources and management groups. If you want to add these relationships into the backup scope, you must perform additional configuration steps described in this Veeam KB article.

Restoring Tenant Data

To restore tenant data, Veeam Backup for Microsoft Entra ID uses the Microsoft Entra application that was used to add the tenant. This application has delegated access and acts on behalf of a user that you specify in the restore wizard.

This user must have with the following roles:

As an alternative, you can use the Global Administrator Microsoft Entra built-in role.