Azure AD Applications
This section explains required permissions for Azure AD applications that you use to back up and restore data from/to your Microsoft Office 365 organizations.
For more information about permissions in Azure, see this Microsoft article.
Veeam Backup for Microsoft Office 365 Version 4c
The following table lists permissions for AD applications that are granted automatically by Veeam Backup for Microsoft Office 365 when you add organizations using the modern authentication method.
If you prefer to use a custom application of your own, make sure to grant all the permissions listed in this table manually.
API | Permission name | Type | Usage | Description |
|---|---|---|---|---|
Microsoft Graph | Directory.Read.All | Application | Backup | Querying Azure AD for organization properties, the list of users and groups and their properties. |
Delegated1 | Restore | Querying Azure AD for organization properties, the list of users and groups and their properties. | ||
Group.Read.All | Application | Backup | Querying Azure AD for the list of groups and group sites. | |
Group.ReadWrite.All | Application2 | Restore | Recreating in Azure AD an associated group in case of a deleted team site restore. This permission is only required for restore of SharePoint site data with AD applications using a certificate. The operation is available through RESTful API and PowerShell. | |
offline_access | Delegated1 | Restore | Obtaining a refresh token from Azure AD. | |
Sites.ReadWrite.All | Application | Backup | Querying Azure AD for the list of sites and getting download URLs for files and their versions. | |
Exchange | EWS.AccessAsUser.All | Delegated1 | Restore | Accessing mailboxes as the signed-in user (impersonation) through EWS for the purpose of restore. |
full_access_as_app | Application | Backup | Reading mailboxes content for the purpose of backup. | |
full_access_as_user | Delegated1 | Restore | Reading the current state and restoring mailboxes content. This permission is only required when you add an organization in the Germany region. | |
SharePoint | AllSitesFullControl | Delegated1 | Restore | Reading the current state and restoring SharePoint sites and OneDrive accounts content. |
Sites.FullControl.All | Application | Backup | Reading sites and OneDrive accounts content for the purpose of backup. | |
Application2 | Restore | Reading the current state and restoring SharePoint sites and OneDrive accounts content. | ||
User.Read.All | Application | Backup | Reading OneDrive accounts for the purpose of backup (getting site IDs). | |
Application2 | Restore | Resolving OneDrive accounts for the purpose of restore (getting site IDs). | ||
User.ReadWrite.All | Delegated1 | Restore | Resolving OneDrive accounts for the purpose of restore (getting site IDs). |
1 Permissions of the Delegated type are used for data restore using the device code flow.
2 Permissions of the Application type are used for data restore using an application certificate.
The following table lists required permissions for AD applications that you add as backup applications.
API | Permission name | Type | Usage | Description |
|---|---|---|---|---|
Microsoft Graph | Sites.ReadWrite.All | Application | Backup | Getting download URLs for files and their versions. |
SharePoint | Sites.FullControl.All | Reading site and OneDrive account content for the purpose of backup. | ||
User.Read.All | Reading OneDrive accounts for the purpose of backup (getting site IDs). |
Required Azure AD Application Settings
For data restore using an AD application, the following settings must be specified for the application in Microsoft Azure:
- In the AD application settings, the Treat application as a public client option must be set to Yes. For more information on application settings, see Microsoft Docs.
Note that this option is not available in Microsoft Azure for the Germany region. In this region, you must register AD applications used for backup and restore as applications of the Public client/Native type.
- In the AD application settings, a redirect URI must be specified for the application. For more information, see Microsoft Docs.
When creating a new Azure AD application automatically, Veeam Backup for Microsoft Office 365 specifies http://localhost/ as a redirect URI.
Required User Account Permissions for Azure AD Applications
The account that the Azure AD application will use to log in to Microsoft Office 365 must be assigned the following roles:
- Global Administrator or Exchange Administrator — required for data restore with Veeam Explorer for Microsoft Exchange.
- Global Administrator or SharePoint Administrator — required for data restore with Veeam Explorer for Microsoft SharePoint and Veeam Explorer for Microsoft OneDrive for Business.
- Global Administrator — required for establishing a connection to a service provider in the Office 365 Backup as a Service scenario.
Veeam Backup for Microsoft Office 365 Version 4
The following table lists required permissions that must be granted to AD applications for backup operations for organizations with modern authentication and legacy authentication protocols.
API | Permission name | Type | Usage | Description |
|---|---|---|---|---|
Microsoft Graph | Directory.Read.All | Application | Backup | Querying Azure AD for organization properties, the list of users and groups and their properties. |
Group.Read.All | Querying Azure AD for the list of groups and group sites. | |||
Exchange | full_access_as_app | Reading mailbox content for the purpose of backup. | ||
SharePoint | Sites.FullControl.All | Reading site and OneDrive account content for the purpose of backup. | ||
User.Read.All | Reading OneDrive accounts for the purpose of backup (getting site IDs). |
