Permissions for Modern App-Only Authentication

Tables in this section list permissions for Azure AD applications that are granted automatically by Veeam Backup for Microsoft 365 when you add organizations using the modern app-only authentication method.

If you prefer to use a custom application of your own, make sure to grant all the permissions listed in these tables manually to perform the following operations:

Note

For a user account that the Azure AD application will use to log in to Microsoft 365, consider the following:

  • You must assign the required roles to this user account.
  • If you plan to back up public folder mailboxes, this user account must have a valid Exchange Online license and an active mailbox within the Microsoft 365 organization.

The following sections contain additional instructions that help you to check Office 365 Exchange Online API permissions and configure the Azure AD application settings:

  • Follow this instruction to check Office 365 Exchange Online API permissions in Azure Active Directory.
  • Follow this instruction to configure the Azure AD application settings in Microsoft Azure for data restore.

Veeam Backup for Microsoft 365 also requires you to grant permissions to Azure AD applications that you add as backup applications. For more information, see Backup Application Permissions.

Required User Account Roles for Azure AD Applications

The Azure AD application uses a user account to log in to Microsoft 365. This user account must be assigned the following roles:

Granting Owner Role in PowerShell

To grant the Owner role to a user account that the Azure AD application uses to log in to Microsoft 365, do the following:

  1. Connect to Exchange Online PowerShell. For more information, see this Microsoft article.
  2. Use the following example to grant the role:

# Enumerate every public folder below the root and grant the account Owner on each one.
# Replace <user_account> with the account that the Azure AD application logs in with.
$folders = Get-PublicFolder "\" -Recurse
foreach ($folder in $folders)
{
    Add-PublicFolderClientPermission -Identity $folder.Identity -User <user_account> -AccessRights Owner
}

Owner is the highest public folder client permission (it includes editing and deleting all items, creating subfolders and changing folder permissions), so grant it only to the dedicated account. The loop only covers folders that exist when it runs; repeat it after new public folders are created. Add-PublicFolderClientPermission fails for a folder where the account already has a permission entry, so a second run on an already-processed tree reports errors rather than silently continuing.
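The same grant written so that it can be re-run safely and then verified, as an added example that is not part of the Veeam guide: it skips folders where the account already holds Owner, replaces a weaker existing entry instead of failing on it, and finishes with a pass that lists every folder still missing Owner. It assumes an open Exchange Online PowerShell session with an account allowed to manage public folders; $UserAccount is a placeholder parameter you supply.

```powershell
# Added example, not from the Veeam guide. Idempotent version of the Owner grant plus a verification pass.
# Assumes Connect-ExchangeOnline has already been run by an account that can manage public folders.
param(
    [Parameter(Mandatory)] [string] $UserAccount   # placeholder: the account the Azure AD application logs in with
)

# Enumerate the whole public folder tree once; -ResultSize Unlimited avoids the default result cap.
$folders = Get-PublicFolder "\" -Recurse -ResultSize Unlimited

foreach ($folder in $folders) {
    # Existing permission entry for this user on this folder ($null if there is none).
    $existing = Get-PublicFolderClientPermission -Identity $folder.Identity -User $UserAccount -ErrorAction SilentlyContinue

    if ($existing -and ($existing.AccessRights -contains 'Owner')) {
        Write-Verbose "Owner already present on $($folder.Identity)"
        continue
    }

    if ($existing) {
        # Add-PublicFolderClientPermission refuses to add a second entry for the same user,
        # so remove the weaker entry first and then add Owner.
        Remove-PublicFolderClientPermission -Identity $folder.Identity -User $UserAccount -Confirm:$false
    }

    Add-PublicFolderClientPermission -Identity $folder.Identity -User $UserAccount -AccessRights Owner
}

# Verification pass: every folder where the account still does not hold Owner is reported.
$missing = foreach ($folder in $folders) {
    $perm = Get-PublicFolderClientPermission -Identity $folder.Identity -User $UserAccount -ErrorAction SilentlyContinue
    if (-not ($perm.AccessRights -contains 'Owner')) { $folder.Identity }
}

if ($missing) {
    Write-Warning "Owner not granted on: $($missing -join ', ')"
} else {
    Write-Host "Owner granted on all $(@($folders).Count) public folders."
}
```

Run it as a script (for example `.\Grant-PublicFolderOwner.ps1 -UserAccount backup-svc@contoso.onmicrosoft.com -Verbose`, the file name and account being illustrative) and re-run it after new public folders appear; the second run only touches the new folders.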

Permissions for Backup

All listed permissions are of the Application type. An application permission is exercised without a signed-in user and is not limited by any user's own access, so an application holding full_access_as_app and Sites.FullControl.All can read every mailbox and every site in the tenant; protect the application's certificate as you would a tenant-wide administrative credential.

The Applies to line of each permission names the workloads (Exchange Online, SharePoint Online and OneDrive for Business, Microsoft Teams) for which the permission is required.

Microsoft Graph

  • Directory.Read.All
    Applies to: Exchange Online, SharePoint Online and OneDrive for Business, Microsoft Teams
    Querying Azure AD for organization properties, the list of users and groups and their properties.

  • Group.Read.All
    Applies to: Exchange Online, SharePoint Online and OneDrive for Business, Microsoft Teams
    Querying Azure AD for the list of groups and group sites.

  • Sites.Read.All
    Applies to: SharePoint Online and OneDrive for Business, Microsoft Teams
    Querying Azure AD for the list of sites and getting download URLs for files and their versions.

  • TeamSettings.ReadWrite.All
    Applies to: Microsoft Teams
    Accessing archived teams.

  • ChannelMessage.Read.All
    Applies to: Microsoft Teams
    Accessing all Teams public channel messages.
    Note: This permission is only required if you want to back up team chats using Teams Export APIs. For more information, see Organization Object Types.

Office 365 Exchange Online [1]

  • full_access_as_app
    Applies to: Exchange Online, Microsoft Teams
    Reading mailbox content.

  • Exchange.ManageAsApp
    Applies to: Exchange Online
    Accessing Exchange Online PowerShell to do the following:
      • Back up public folder and discovery search mailboxes.
      • Determine the object type of shared mailboxes as Shared Mailbox.
    Note: Starting from Veeam Backup for Microsoft 365 version 7 CP4 (build 7.0.0.3968), this permission is required only to back up public folder and discovery search mailboxes and to correctly determine the object type of shared mailboxes. It works together with the Global Reader role granted to the Azure AD application. For more information, see Granting Global Reader Role to Azure AD Application.

Office 365 SharePoint Online

  • Sites.FullControl.All
    Applies to: SharePoint Online and OneDrive for Business, Microsoft Teams
    Reading SharePoint sites and OneDrive accounts content.

  • User.Read.All
    Applies to: SharePoint Online and OneDrive for Business, Microsoft Teams
    Reading OneDrive accounts (getting site IDs).
    Note: This permission is not used to back up Microsoft Teams data, but you must grant it along with the SharePoint Online and OneDrive for Business permissions to add a Microsoft 365 organization successfully.

[1] You can check the permissions granted for the Office 365 Exchange Online API. For more information, see Checking Permissions for Office 365 Exchange Online API.

Granting Global Reader Role to Azure AD Application

Starting from version 7 CP4 (build 7.0.0.3968), Veeam Backup for Microsoft 365 supports backup of public folder and discovery search mailboxes and correctly determines the object type of shared mailboxes in Microsoft 365 organizations with modern app-only authentication. To back up these objects, Veeam Backup for Microsoft 365 needs access to Exchange Online PowerShell. For that, the Azure AD application needs the Exchange.ManageAsApp permission and, in addition, the Global Reader role. Global Reader is a tenant-wide read-only administrative role; include this assignment in your privileged role reviews and treat the application's certificate as a privileged credential.

To grant the Global Reader role to the Azure AD application, do the following:

  1. Sign in to the Azure portal.
  2. Go to Azure Active Directory > Roles and administrators.
  3. In the Administrative roles list, find the Global Reader role and click it.
  4. In the Global Reader window, click Add assignments. The Add assignments wizard runs.
  5. In the Select member(s) section, click the link.
  6. In the Select a member window, select the Azure AD application in the list and click Select. The selected application appears in the Selected member(s) list.
  7. Click Next and then Assign to finish the wizard.
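The same assignment done with Microsoft Graph PowerShell instead of the portal, followed by a check that app-only Exchange Online PowerShell actually works, which is what Exchange.ManageAsApp plus Global Reader is needed for. This is an added example, not code from the Veeam guide. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, that the caller holds a role allowed to assign directory roles (for example Privileged Role Administrator), and that $AppId, $CertThumbprint and $TenantDomain are placeholders you supply.

```powershell
# Added example, not from the Veeam guide: assign Global Reader to the application's service principal
# via Microsoft Graph, idempotently, then verify certificate-based Exchange Online PowerShell access.
param(
    [Parameter(Mandatory)] [string] $AppId,            # placeholder: application (client) ID of the Veeam app registration
    [Parameter(Mandatory)] [string] $CertThumbprint,   # placeholder: thumbprint of the app certificate in the local store
    [Parameter(Mandatory)] [string] $TenantDomain      # placeholder: initial domain, e.g. contoso.onmicrosoft.com
)

# Global Reader is a built-in role; its role definition ID is this fixed template ID in every tenant.
$GlobalReaderRoleId = 'f2ef992c-3afb-46b9-b7cf-a126ee74c451'

Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'Application.Read.All' | Out-Null

# Directory roles are assigned to the service principal (enterprise application), not to the app registration.
$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal found for appId $AppId" }

# Only create the assignment if it is not already there, so the script can be re-run.
$existing = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "principalId eq '$($sp.Id)' and roleDefinitionId eq '$GlobalReaderRoleId'"
if ($existing) {
    Write-Host "Global Reader is already assigned to $($sp.DisplayName)"
} else {
    # DirectoryScopeId '/' makes the assignment tenant-wide, which is what the portal wizard does.
    New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $GlobalReaderRoleId `
        -PrincipalId $sp.Id -DirectoryScopeId '/' | Out-Null
    Write-Host "Assigned Global Reader to $($sp.DisplayName)"
}

# Verification: connect to Exchange Online as the application itself (certificate, no user).
# This succeeds only when the app holds Exchange.ManageAsApp and a directory role such as Global Reader.
Connect-ExchangeOnline -AppId $AppId -CertificateThumbprint $CertThumbprint `
    -Organization $TenantDomain -ShowBanner:$false

# The object types this access exists for: public folder mailboxes, discovery search mailboxes, shared mailboxes.
$publicFolder = @(Get-Mailbox -PublicFolder -ResultSize Unlimited)
$discovery    = @(Get-Mailbox -RecipientTypeDetails DiscoveryMailbox -ResultSize Unlimited)
$shared       = @(Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited)
Write-Host ("App-only session sees {0} public folder, {1} discovery search and {2} shared mailbox(es)" -f `
    $publicFolder.Count, $discovery.Count, $shared.Count)

Disconnect-ExchangeOnline -Confirm:$false
Disconnect-MgGraph | Out-Null
```

If Connect-ExchangeOnline fails with an authorization error after the role shows as assigned, wait a few minutes for role propagation and confirm that Exchange.ManageAsApp has received admin consent; the role alone is not sufficient.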

Permissions for Restore

Note

To restore data using Azure AD application, make sure that you configure the Azure AD application settings. For more information, see Configuring Azure AD Application Settings.

Restore Using Device Code Flow

All listed permissions are of the Delegated type and are required for data restore using Veeam Explorers. A delegated permission is exercised on behalf of the user who signs in through the device code flow, so the effective access is the intersection of the application's permissions and that user's own rights; the account that signs in must itself be allowed to access the target mailboxes, sites or teams.

The Applies to line of each permission names the workloads (Exchange Online, SharePoint Online and OneDrive for Business, Microsoft Teams) for which the permission is required.

Microsoft Graph

  • Directory.Read.All
    Applies to: Exchange Online, SharePoint Online and OneDrive for Business, Microsoft Teams
    Querying Azure AD for organization properties, the list of users and groups and their properties.

  • Group.ReadWrite.All
    Applies to: Microsoft Teams
    Recreating in Azure AD an associated group in case of teams restore.

  • Sites.Read.All
    Applies to: SharePoint Online and OneDrive for Business, Microsoft Teams
    Accessing sites of the applications that are installed from the SharePoint store.

  • Directory.ReadWrite.All
    Applies to: Microsoft Teams
    Setting the preferred data location when creating a new M365 group for a multi-geo tenant in case of teams restore.

  • offline_access
    Applies to: Exchange Online, SharePoint Online and OneDrive for Business, Microsoft Teams
    Obtaining a refresh token from Azure AD.

Office 365 Exchange Online [1]

  • EWS.AccessAsUser.All
    Applies to: Exchange Online
    Accessing mailboxes as the signed-in user (impersonation) through EWS.

  • full_access_as_user
    Applies to: Exchange Online
    Reading the current state and restoring mailbox content.
    This permission is only required when you add an organization in the legacy Microsoft Azure Germany region.

Office 365 SharePoint Online

  • AllSites.FullControl
    Applies to: SharePoint Online and OneDrive for Business, Microsoft Teams
    Reading the current state and restoring SharePoint sites and OneDrive accounts content.

  • User.Read.All
    Applies to: SharePoint Online and OneDrive for Business
    Resolving OneDrive accounts (getting site IDs).
    Note: This permission is not required to restore SharePoint Online data.

[1] You can check the permissions granted for the Office 365 Exchange Online API. For more information, see Checking Permissions for Office 365 Exchange Online API.

Restore Using Application Certificate

All listed permissions are of the Application type and are required for data restore using Restore Portal and through REST API and PowerShell. As with the backup permissions, these are exercised without a signed-in user, so the restore path is authorized entirely by possession of the application certificate.

The Applies to line of each permission names the workloads (Exchange Online, SharePoint Online and OneDrive for Business, Microsoft Teams) for which the permission is required.

Microsoft Graph

  • Directory.Read.All
    Querying Azure AD for organization properties, the list of users and groups and their properties.

  • Group.ReadWrite.All
    Applies to: SharePoint Online and OneDrive for Business, Microsoft Teams
    Recreating in Azure AD an associated group in case of a deleted team site restore.
    Note: This permission is only required for restore of SharePoint site data through REST API and PowerShell.

  • Sites.Read.All
    Applies to: SharePoint Online and OneDrive for Business, Microsoft Teams
    Accessing sites of the applications that are installed from the SharePoint store.

  • Directory.ReadWrite.All
    Applies to: Microsoft Teams
    Setting the preferred data location when creating a new M365 group for a multi-geo tenant in case of teams restore.

Office 365 Exchange Online [1]

  • full_access_as_app
    Applies to: Exchange Online
    Reading the current state and restoring mailbox content.

Office 365 SharePoint Online

  • Sites.FullControl.All
    Applies to: SharePoint Online and OneDrive for Business, Microsoft Teams
    Reading the current state and restoring SharePoint sites and OneDrive accounts content.

  • User.Read.All
    Applies to: SharePoint Online and OneDrive for Business
    Resolving OneDrive accounts (getting site IDs).
    Note: This permission is not required to restore SharePoint Online data.

[1] You can check the permissions granted for the Office 365 Exchange Online API. For more information, see Checking Permissions for Office 365 Exchange Online API.
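A check that compares what the Azure AD application has actually been granted in the tenant with the lists on this page, covering the Application permissions of the Permissions for Backup and Restore Using Application Certificate tables and the Delegated permissions of the Restore Using Device Code Flow table. It reports required permissions that are missing and granted permissions the page does not list, the latter being candidates for removal under least privilege. This is an added example and not part of the Veeam guide; it assumes the Microsoft.Graph PowerShell module, a caller who can read the directory (Directory.Read.All), and a placeholder $AppId. The required lists are transcribed from the tables above, with full_access_as_user left out because it applies only to the legacy Azure Germany region.

```powershell
# Added example, not from the Veeam guide: diff granted vs. required permissions for the Veeam application.
param([Parameter(Mandatory)] [string] $AppId)   # placeholder: application (client) ID of the Veeam app registration

# Well-known appIds of the resource (API) service principals the tables on this page refer to.
$Resources = @{
    'Microsoft Graph'              = '00000003-0000-0000-c000-000000000000'
    'Office 365 Exchange Online'   = '00000002-0000-0ff1-ce00-000000000000'
    'Office 365 SharePoint Online' = '00000003-0000-0ff1-ce00-000000000000'
}

# Application permissions: backup table plus restore-with-certificate table, transcribed from this page.
$RequiredApp = @{
    'Microsoft Graph'              = @('Directory.Read.All', 'Group.Read.All', 'Sites.Read.All', 'TeamSettings.ReadWrite.All',
                                       'ChannelMessage.Read.All', 'Group.ReadWrite.All', 'Directory.ReadWrite.All')
    'Office 365 Exchange Online'   = @('full_access_as_app', 'Exchange.ManageAsApp')
    'Office 365 SharePoint Online' = @('Sites.FullControl.All', 'User.Read.All')
}
# Delegated permissions: restore-with-device-code table (full_access_as_user omitted: legacy Azure Germany only).
$RequiredDelegated = @{
    'Microsoft Graph'              = @('Directory.Read.All', 'Group.ReadWrite.All', 'Sites.Read.All', 'Directory.ReadWrite.All', 'offline_access')
    'Office 365 Exchange Online'   = @('EWS.AccessAsUser.All')
    'Office 365 SharePoint Online' = @('AllSites.FullControl', 'User.Read.All')
}

Connect-MgGraph -Scopes 'Directory.Read.All' | Out-Null

$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal for appId $AppId; the application has not been consented in this tenant." }

# Fetch each resource service principal once; its AppRoles are needed to turn appRoleIds into names.
$resourceCache = @{}
function Get-ResourceSp([string] $Id) {
    if (-not $resourceCache.ContainsKey($Id)) { $resourceCache[$Id] = Get-MgServicePrincipal -ServicePrincipalId $Id }
    $resourceCache[$Id]
}

# Granted Application permissions are app role assignments on the app's own service principal.
$grantedApp = @{}
foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
    $resource = Get-ResourceSp $a.ResourceId
    $name = ($resource.AppRoles | Where-Object Id -eq $a.AppRoleId).Value
    $grantedApp[$resource.AppId] += @($name)
}

# Granted Delegated permissions are OAuth2 permission grants. Only admin consent for all users
# (consentType AllPrincipals) counts; a per-user grant would make restore work for one account only.
$grantedDelegated = @{}
foreach ($g in Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All | Where-Object ConsentType -eq 'AllPrincipals') {
    $resource = Get-ResourceSp $g.ResourceId
    $grantedDelegated[$resource.AppId] += @($g.Scope -split ' ' | Where-Object { $_ })   # Scope is space-separated
}

function Compare-Permissions {
    param([string] $Kind, [hashtable] $Required, [hashtable] $Granted)
    foreach ($api in $Required.Keys) {
        $have    = @($Granted[$Resources[$api]])
        $missing = @($Required[$api] | Where-Object { $_ -notin $have })
        $extra   = @($have | Where-Object { $_ -notin $Required[$api] })   # granted, but not listed on this page
        [pscustomobject]@{ Type = $Kind; API = $api; Missing = ($missing -join ', '); NotInGuide = ($extra -join ', ') }
    }
}

$report = @(Compare-Permissions -Kind 'Application' -Required $RequiredApp       -Granted $grantedApp) +
          @(Compare-Permissions -Kind 'Delegated'   -Required $RequiredDelegated -Granted $grantedDelegated)
$report | Format-Table -AutoSize

if ($report | Where-Object Missing) {
    Write-Warning 'Required permissions are missing; backup or restore will fail until they are granted and admin-consented.'
}

Disconnect-MgGraph | Out-Null
```

A permission that appears in the app registration's API permissions blade but not in this report has been requested and not consented; the check deliberately reads consent (app role assignments and OAuth2 grants) rather than the registration, because only consented permissions are honoured by Microsoft 365.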