Microsoft Entra Application Permissions

Veeam Backup for Microsoft 365 requires that you grant permissions to Microsoft Entra applications within the following usage scenarios:

• Back up and restore data of your Microsoft 365 organizations.

Permissions of the Microsoft Entra application depend on the authentication method used for a Microsoft 365 organization. For more information about permissions for Microsoft organizations with modern app-only authentication, see Permissions for Modern App-Only Authentication.

• Self-service restore using Restore Portal.

If you allow users to perform self-service restore using Restore Portal, they will authenticate to the portal with their Microsoft 365 user account credentials. To ensure such authentication, a Microsoft Entra application must be configured. Veeam Backup for Microsoft 365 automatically grants the required permissions to this Microsoft Entra application or you can grant permissions manually. For more information, see the following sections:

• Permissions for Authentication to Restore Portal
• Creating or Configuring Microsoft Entra Application

• Backup copy to Microsoft Azure Blob Storage.

You can optionally use the Azure archiver appliance when Veeam Backup for Microsoft 365 copies backed-up data between different instances of Azure Blob Storage or to Azure Blob Storage Archive. To enable usage of the Azure archiver appliance, the Microsoft Azure service account is required. You must assign the required roles to a user account that you use to create a Microsoft Entra application for the Microsoft Azure service account. Veeam Backup for Microsoft 365 automatically grants the required permissions to this Microsoft Entra application or you can grant permissions manually. For more information, see the following sections:

• Permissions for Azure Archiver Appliance
• Adding Microsoft Azure Service Account

For more information about Microsoft Graph permissions, see this Microsoft article.