Permissions for Modern Authentication and Legacy Protocols

The following table lists required permissions that must be granted to Azure AD applications to perform a backup for organizations with modern authentication with legacy protocols allowed.

All listed permissions are of the Application type and required for data backup.

API

Permission name

Exchange Online

SharePoint Online and OneDrive for Business

Microsoft Teams

Description

Microsoft Graph

Directory.Read.All

Querying Azure AD for organization properties, the list of users and groups and their properties.

Group.Read.All

Querying Azure AD for the list of groups and group sites.

TeamSettings.ReadWrite.All

 

 

Accessing archived teams.

Sites.Read.All

 

 

Accessing sites of the applications that are installed from the SharePoint store.

Office 365 Exchange Online

full_access_as_app

 

Reading mailboxes content.

SharePoint

Sites.FullControl.All

 

Reading SharePoint sites and OneDrive accounts content.

User.Read.All

 

Reading OneDrive accounts (getting site IDs).