Permissions for Modern App-Only Authentication

Tables in this section list permissions for Microsoft Entra applications that are granted automatically by Veeam Backup for Microsoft 365 when you add organizations using the modern app-only authentication method.

If you prefer to use a custom application of your own, make sure to grant all the permissions listed in these tables manually to perform the following operations:

Backup
Restore Using Device Code Flow
Restore Using Application Certificate

Note

For a user account that the Microsoft Entra application will use to log in to Microsoft 365, consider the following:

You must assign the required roles to this user account.
If you plan to back up public folder mailboxes, this user account must have a valid Exchange Online license and an active mailbox within the Microsoft 365 organization.

The following sections contain additional instructions that help you to check Office 365 Exchange Online API permissions and configure the Microsoft Entra application settings:

Checking Permissions for Office 365 Exchange Online API

Follow this instruction to check Office 365 Exchange Online API permissions in Microsoft Entra ID (formerly Azure Active Directory).

Configuring Microsoft Entra Application Settings

Follow this instruction to configure the Microsoft Entra application settings in Microsoft Entra ID for data restore.

Veeam Backup for Microsoft 365 also requires you to grant permissions to Microsoft Entra applications that you add as backup applications. For more information, see Backup Application Permissions.

Required User Account Roles for Microsoft Entra Applications

Microsoft Entra application uses a user account to log in to Microsoft 365. This user account must be assigned the following roles:

Global Administrator — required for adding organizations with modern app-only authentication, creating backup applications, registering Microsoft Entra application for Restore Portal and creating Microsoft Entra application for the Microsoft Azure service account.
ApplicationImpersonation, and Global Administrator or Exchange Administrator — required for data restore with Veeam Explorer for Microsoft Exchange.
Global Administrator or SharePoint Administrator — required for data restore with Veeam Explorer for Microsoft SharePoint and Veeam Explorer for Microsoft OneDrive for Business.
Global Administrator or Teams Administrator — required for data restore with Veeam Explorer for Microsoft Teams.
Global Administrator — required for establishing a connection to a service provider in the Backup as Service for Microsoft 365 scenario.
Owner — requires to back up public folder mailboxes in organizations with modern app-only authentication.

Granting Owner Role in PowerShell

To grant the Owner role to a user account that the Microsoft Entra application uses to log in to Microsoft 365, do the following:

Connect to the Exchange server. For more information, see this Microsoft article.
Use the following example to grant the role:

$folders = get-publicfolder "\" -recurse

foreach($folder in $folders)

{

Add-PublicFolderClientPermission -Identity $folder.identity -user <user_account> -AccessRights Owner

}

Permissions for Backup

All listed permissions are of the Application type.

API	Permission name	Exchange Online	SharePoint Online and OneDrive for Business	Microsoft Teams	Description
Microsoft Graph	Directory.Read.All	✔	✔	✔	Querying Microsoft Entra ID for organization properties, the list of users and groups and their properties.
	Group.Read.All	✔	✔	✔	Querying Microsoft Entra ID for the list of groups and group sites.
	Sites.Read.All		✔	✔	Querying Microsoft Entra ID for the list of sites and getting download URLs for files and their versions.
	TeamSettings.ReadWrite.All			✔	Accessing archived teams.
	ChannelMessage.Read.All			✔	Accessing Microsoft Teams public channel messages.
	ChannelMember.Read.All			✔	Accessing Microsoft Teams private and shared channels.
Office 365 Exchange Online1	full_access_as_app	✔		✔	Reading mailboxes content.
Office 365 Exchange Online1	Exchange.ManageAsApp	✔			Accessing Exchange Online PowerShell to do the following: Back up public folder and discovery search mailboxes. Determine object type for shared mailboxes as Shared Mailbox. Note: This permission is required to back up public folder and discovery search mailboxes as well as determine correctly object type for shared mailboxes. This permission works along with the Global Reader role granted to the Microsoft Entra application. For more information, see Granting Global Reader Role to Microsoft Entra Application.
Office 365 SharePoint Online	Sites.FullControl.All		✔	✔	Reading SharePoint sites and OneDrive accounts content.
Office 365 SharePoint Online	User.Read.All		✔	✔	Reading OneDrive accounts (getting site IDs). Note: This permission is not used to back up Microsoft Teams data, but you must grant it along with SharePoint Online and OneDrive for Business permission to add a Microsoft 365 organization successfully.

1You can check permissions for Office 365 Exchange Online API. For more information, see Checking Permissions for Office 365 Exchange Online API.

Granting Global Reader Role to Microsoft Entra Application

Veeam Backup for Microsoft 365 supports backup of public folder and discovery search mailboxes and determines correctly object type for shared mailboxes in Microsoft 365 organizations with modern app-only authentication. To back up these objects, Veeam Backup for Microsoft 365 needs access to Exchange Online PowerShell. To do this, a Microsoft Entra application requires the Global Reader role. You must grant this role to the Microsoft Entra application after upgrading Veeam Backup for Microsoft 365 to version 8.

To grant the Global Reader role to the Microsoft Entra application, do the following:

Sign in to the Microsoft Entra admin center.
Go to Identity > Roles & admins > Roles & admins.
In the Administrative roles list, find the Global Reader role and click on it.
In the Global Reader window, click Add assignments.

The Add assignments wizard runs.

In the Select member(s) section, click the link.
In the Select a member window, select the Microsoft Entra application in the list and click Select.

The selected application appears in the Selected member(s) list.

Click Next and then Assign to finish the wizard.

Permissions for Restore

Note

To restore data using Microsoft Entra application, make sure that you configure the Microsoft Entra application settings. For more information, see Configuring Microsoft Entra Application Settings.

Restore Using Device Code Flow

All listed permissions are of the Delegated type and required for data restore using Veeam Explorers.

API	Permission name	Exchange Online	SharePoint Online and OneDrive for Business	Microsoft Teams	Description
Microsoft Graph	Directory.Read.All	✔	✔	✔	Querying Microsoft Entra ID for organization properties, the list of users and groups and their properties.
	Group.ReadWrite.All			✔	Recreating in Microsoft Entra ID an associated group in case of teams restore.
	Sites.Read.All		✔	✔	Accessing sites of the applications that are installed from the SharePoint store.
	Directory.ReadWrite.All			✔	Setting the preferred data location when creating a new M365 group for a Multi-Geo tenant in case of teams restore.
	offline_access	✔	✔	✔	Obtaining a refresh token from Microsoft Entra ID.
	ChannelMember.ReadWrite.All			✔	Reading the current state and restoring Microsoft Teams private and shared channels.
Office 365 Exchange Online1	EWS.AccessAsUser.All	✔			Accessing mailboxes as the signed-in user (impersonation) through EWS.
Office 365 Exchange Online1	full_access_as_user	✔			Reading the current state and restoring mailboxes content. Note: This permission is only required for organizations located in legacy Microsoft Entra Germany region. Veeam Backup for Microsoft 365 drops support for Microsoft 365 organizations in Microsoft Entra Germany region. To add organizations located in this region to Veeam Backup for Microsoft 365, run the Add-VBOOrganization cmdlet or use the POST /Organizations method.
Office 365 SharePoint Online	AllSites.FullControl		✔	✔	Reading the current state and restoring SharePoint sites and OneDrive accounts content.
Office 365 SharePoint Online	User.Read.All		✔		Resolving OneDrive accounts (getting site IDs). Note: This permission is not required to restore SharePoint Online data.

1You can check permissions for Office 365 Exchange Online API. For more information, see Checking Permissions for Office 365 Exchange Online API.

Restore Using Application Certificate

All listed permissions are of the Application type and required for the following scenarios of data restore:

Data restore by Veeam Explorer for Microsoft Exchange using modern authentication with the Microsoft Entra application certificate. For more information, see the Restore to Microsoft 365 Organizations section of the Veeam Explorers User Guide.
Data restore using Restore Portal.
Data restore through REST API and PowerShell.

API	Permission name	Exchange Online	SharePoint Online and OneDrive for Business	Microsoft Teams	Description
Microsoft Graph	Directory.Read.All	✔		✔	Querying Microsoft Entra ID for organization properties, the list of users and groups and their properties.
	Group.ReadWrite.All		✔	✔	Recreating in Microsoft Entra ID an associated group in case of a deleted team site restore. Note: This permission is only required for restore of SharePoint site data through REST API and PowerShell.
	Sites.Read.All		✔	✔	Accessing sites of the applications that are installed from the SharePoint store.
	Directory.ReadWrite.All			✔	Setting the preferred data location when creating a new M365 group for a Multi-Geo tenant in case of teams restore.
	Files.ReadWrite.All			✔	Reading the current state and restoring files of Microsoft Teams shared channels.
	ChannelMember.ReadWrite.All			✔	Reading the current state and restoring Microsoft Teams private and shared channels.
Office 365 Exchange Online1	full_access_as_app	✔			Reading the current state and restoring mailboxes content.
Office 365 SharePoint Online	Sites.FullControl.All		✔	✔	Reading the current state and restoring SharePoint sites and OneDrive accounts content.
Office 365 SharePoint Online	User.Read.All		✔		Resolving OneDrive accounts (getting site IDs). Note: This permission is not required to restore SharePoint Online data.

1You can check permissions for Office 365 Exchange Online API. For more information, see Checking Permissions for Office 365 Exchange Online API.