Azure AD Application Permissions
Veeam Backup for Microsoft Office 365 requires that you grant permissions to Azure AD applications to back up and restore data from/to your Microsoft Office 365 organizations.
For more information about permissions in Azure, see this Microsoft article.
Requirements for Modern App-Only Authentication
The following table lists permissions for Azure AD applications that are granted automatically by Veeam Backup for Microsoft Office 365 when you add organizations using the modern app-only authentication method.
If you prefer to use a custom application of your own, make sure to grant all the permissions listed in this table manually.
API | Permission name | Type | Usage | Description |
---|---|---|---|---|
Microsoft Graph | Directory.Read.All | Application | Backup | Querying Azure AD for organization properties, the list of users and groups and their properties. |
Delegated1 | Restore | Querying Azure AD for organization properties, the list of users and groups and their properties. | ||
Group.Read.All | Application | Backup | Querying Azure AD for the list of groups and group sites. | |
Group.ReadWrite.All | Application2 | Restore | Recreating in Azure AD an associated group in case of a deleted team site restore. This permission is only required for restore of SharePoint site data through REST API and PowerShell. | |
Delegated1 | Restore | Recreating in Azure AD an associated group in case of teams restore. | ||
offline_access | Delegated1 | Restore | Obtaining a refresh token from Azure AD. | |
Sites.ReadWrite.All | Application | Backup | Querying Azure AD for the list of sites and getting download URLs for files and their versions. | |
TeamSettings.ReadWrite.All | Application | Backup | Accessing archived teams to backup. | |
Application2 | Restore | Restoring teams to the archived state. | ||
Office 365 Exchange Online | EWS.AccessAsUser.All | Delegated1 | Restore | Accessing mailboxes as the signed-in user (impersonation) through EWS to restore. |
full_access_as_app | Application | Backup | Reading mailboxes content to backup. | |
full_access_as_user | Delegated1 | Restore | Reading the current state and restoring mailboxes content. This permission is only required when you add an organization in the Germany region. | |
SharePoint | AllSites.FullControl | Delegated1 | Restore | Reading the current state and restoring SharePoint sites and OneDrive accounts content. |
Sites.FullControl.All | Application | Backup | Reading sites and OneDrive accounts content to backup. | |
Application2 | Restore | Reading the current state and restoring SharePoint sites and OneDrive accounts content. | ||
User.Read.All | Application | Backup | Reading OneDrive accounts to backup (getting site IDs). | |
Application2 | Restore | Resolving OneDrive accounts to restore (getting site IDs). | ||
User.ReadWrite.All | Delegated1 | Restore | Resolving OneDrive accounts to restore (getting site IDs). |
1 Permissions of the Delegated type are used for data restore using the device code flow.
2 Permissions of the Application type are used for data restore using an application certificate.
Checking Permissions for Office 365 Exchange Online API
To check Office 365 Exchange Online API permissions, do the following:
- Sign in to the Azure portal.
- Go to Azure Active Directory > App registrations, and select an application.
- Select API permissions > Add a permission > APIs my organization uses.
- Select Office 365 Exchange Online API in the list, check its permissions and configure them, if needed.
Backup Application Permissions
The following table lists required permissions for Azure AD applications that you add as backup applications.
API | Permission name | Type | Usage | Description |
---|---|---|---|---|
Microsoft Graph | Sites.ReadWrite.All | Application | Backup | Getting download URLs for files and their versions. |
SharePoint | Sites.FullControl.All | Reading sites and OneDrive accounts content to backup. | ||
User.Read.All | Reading OneDrive accounts to backup (getting site IDs). |
Required Azure AD Application Settings
For data restore using an Azure AD application, the following settings must be specified for the application in Microsoft Azure:
- In the Azure AD application settings, the Treat application as a public client option must be set to Yes. For more information on application settings, see this Microsoft article.
Note that this option is not available in Microsoft Azure for the Germany region. In this region, you must register Azure AD applications used for backup and restore as applications of the Public client/Native type.
- In the Azure AD application settings, a redirect URI must be specified for the application. For more information, see this Microsoft article.
When creating a new Azure AD application automatically, Veeam Backup for Microsoft Office 365 specifies http://localhost/ as a redirect URI.
Required User Account Roles for Azure AD Applications
The account that the Azure AD application will use to log in to Microsoft Office 365 must be assigned the following roles:
- Global Administrator — required for adding organizations with modern app-only authentication and creating backup applications.
- Global Administrator or Exchange Administrator — required for data restore with Veeam Explorer for Microsoft Exchange.
- Global Administrator or SharePoint Administrator — required for data restore with Veeam Explorer for Microsoft SharePoint and Veeam Explorer for Microsoft OneDrive for Business.
- Global Administrator or Teams Administrator — required for data restore with Veeam Explorer for Microsoft Teams.
- Global Administrator — required for establishing a connection to a service provider in the Office 365 Backup as a Service scenario.
Requirements for Modern Authentication with Legacy Protocols Allowed
The following table lists required permissions that must be granted to Azure AD applications to perform a backup for organizations with modern authentication with legacy protocols allowed.
API | Permission name | Type | Usage | Description |
---|---|---|---|---|
Microsoft Graph | Directory.Read.All | Application | Backup | Querying Azure AD for organization properties, the list of users and groups and their properties. |
Group.Read.All | Querying Azure AD for the list of groups and group sites. | |||
TeamSettings.ReadWrite.All | Accessing archived teams to backup. | |||
Exchange | full_access_as_app | Reading mailboxes content to backup. | ||
SharePoint | Sites.FullControl.All | Reading sites and OneDrive accounts content to backup. | ||
User.Read.All | Reading OneDrive accounts to backup (getting site IDs). |