Azure AD Applications
This section explains required permissions for Azure AD applications that you use to back up and restore data from/to your Microsoft Office 365 organizations.
For more information about permissions in Azure, see this Microsoft article.
Requirements for Modern App-Only Authentication
The following table lists permissions for Azure AD applications that are granted automatically by Veeam Backup for Microsoft Office 365 when you add organizations using the modern app-only authentication method.
If you prefer to use a custom application of your own, make sure to grant all the permissions listed in this table manually.
API | Permission name | Type | Usage | Description
---|---|---|---|---
Microsoft Graph | Directory.Read.All | Application | Backup | Querying Azure AD for organization properties, the list of users and groups and their properties.
Microsoft Graph | Directory.Read.All | Delegated¹ | Restore | Querying Azure AD for organization properties, the list of users and groups and their properties.
Microsoft Graph | Group.Read.All | Application | Backup | Querying Azure AD for the list of groups and group sites.
Microsoft Graph | Group.ReadWrite.All | Application² | Restore | Recreating the associated group in Azure AD when a deleted team site is restored. This permission is only required for restore of SharePoint site data with Azure AD applications using a certificate. The operation is available through the RESTful API and PowerShell.
Microsoft Graph | Group.ReadWrite.All | Delegated¹ | Restore | Recreating the associated group in Azure AD when teams are restored.
Microsoft Graph | offline_access | Delegated¹ | Restore | Obtaining a refresh token from Azure AD.
Microsoft Graph | Sites.ReadWrite.All | Application | Backup | Querying Azure AD for the list of sites and getting download URLs for files and their versions.
Microsoft Graph | TeamSettings.ReadWrite.All | Application | Backup | Accessing archived teams for the purpose of backup.
Microsoft Graph | TeamSettings.ReadWrite.All | Application² | Restore | Restoring teams to the archived state.
Exchange | EWS.AccessAsUser.All | Delegated¹ | Restore | Accessing mailboxes as the signed-in user (impersonation) through EWS for the purpose of restore.
Exchange | full_access_as_app | Application | Backup | Reading mailbox content for the purpose of backup.
Exchange | full_access_as_user | Delegated¹ | Restore | Reading the current state and restoring mailbox content. This permission is only required when you add an organization in the Germany region.
SharePoint | AllSites.FullControl | Delegated¹ | Restore | Reading the current state and restoring SharePoint site and OneDrive account content.
SharePoint | Sites.FullControl.All | Application | Backup | Reading site and OneDrive account content for the purpose of backup.
SharePoint | Sites.FullControl.All | Application² | Restore | Reading the current state and restoring SharePoint site and OneDrive account content.
SharePoint | User.Read.All | Application | Backup | Reading OneDrive accounts for the purpose of backup (getting site IDs).
SharePoint | User.Read.All | Application² | Restore | Resolving OneDrive accounts for the purpose of restore (getting site IDs).
SharePoint | User.ReadWrite.All | Delegated¹ | Restore | Resolving OneDrive accounts for the purpose of restore (getting site IDs).
¹ Permissions of the Delegated type are used for data restore using the device code flow.
² Permissions of the Application type are used for data restore using an application certificate.
The following table lists required permissions for Azure AD applications that you add as backup applications.
API | Permission name | Type | Usage | Description
---|---|---|---|---
Microsoft Graph | Sites.ReadWrite.All | Application | Backup | Getting download URLs for files and their versions.
SharePoint | Sites.FullControl.All | Application | Backup | Reading site and OneDrive account content for the purpose of backup.
SharePoint | User.Read.All | Application | Backup | Reading OneDrive accounts for the purpose of backup (getting site IDs).
Required Azure AD Application Settings
For data restore using an Azure AD application, the following settings must be specified for the application in Microsoft Azure:
- In the Azure AD application settings, the Treat application as a public client option must be set to Yes. For more information on application settings, see this Microsoft article.
Note that this option is not available in Microsoft Azure for the Germany region. In this region, you must register Azure AD applications used for backup and restore as applications of the Public client/Native type.
- In the Azure AD application settings, a redirect URI must be specified for the application. For more information, see this Microsoft article.
When creating a new Azure AD application automatically, Veeam Backup for Microsoft Office 365 specifies http://localhost/ as a redirect URI.
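The two tables above and the application settings in this section together define what a correctly registered application looks like. The following script, added here as an example and not part of Veeam's or Microsoft's code, audits an app registration manifest (the JSON shown in the Azure portal's Manifest blade, whose field names follow the Microsoft Graph application object: requiredResourceAccess, resourceAppId, resourceAccess, isFallbackPublicClient, publicClient.redirectUris) against the permission sets listed on this page for a chosen usage, and for restore usages also reports the public client flag and redirect URIs. The resource application IDs for Microsoft Graph, Exchange Online and SharePoint Online are the well-known values; the permission GUIDs and the manifest itself are constructed sample data, because a real manifest carries permission IDs that must be resolved to names through the resource service principal's appRoles and oauth2PermissionScopes lists.

```python
"""Audit an Azure AD app registration manifest against the permission tables on this page.
Example code added to this page; not Veeam's or Microsoft's own tooling."""
import json

# Well-known resource (API) application IDs referenced by requiredResourceAccess entries.
RESOURCE_APP_IDS = {
    "00000003-0000-0000-c000-000000000000": "Microsoft Graph",
    "00000002-0000-0ff1-ce00-000000000000": "Exchange",
    "00000003-0000-0ff1-ce00-000000000000": "SharePoint",
}

# Permission sets transcribed from the modern app-only table.
# In a manifest, type "Role" is an Application permission and "Scope" a Delegated one.
# full_access_as_user (Germany region only) is deliberately left out of the generic sets.
REQUIRED = {
    "Backup": {
        ("Microsoft Graph", "Directory.Read.All", "Role"),
        ("Microsoft Graph", "Group.Read.All", "Role"),
        ("Microsoft Graph", "Sites.ReadWrite.All", "Role"),
        ("Microsoft Graph", "TeamSettings.ReadWrite.All", "Role"),
        ("Exchange", "full_access_as_app", "Role"),
        ("SharePoint", "Sites.FullControl.All", "Role"),
        ("SharePoint", "User.Read.All", "Role"),
    },
    "Restore (device code)": {  # Delegated permissions, footnote 1
        ("Microsoft Graph", "Directory.Read.All", "Scope"),
        ("Microsoft Graph", "Group.ReadWrite.All", "Scope"),
        ("Microsoft Graph", "offline_access", "Scope"),
        ("Exchange", "EWS.AccessAsUser.All", "Scope"),
        ("SharePoint", "AllSites.FullControl", "Scope"),
        ("SharePoint", "User.ReadWrite.All", "Scope"),
    },
    "Restore (certificate)": {  # Application permissions, footnote 2
        ("Microsoft Graph", "Group.ReadWrite.All", "Role"),
        ("Microsoft Graph", "TeamSettings.ReadWrite.All", "Role"),
        ("SharePoint", "Sites.FullControl.All", "Role"),
        ("SharePoint", "User.Read.All", "Role"),
    },
}

# Constructed sample: permission GUIDs are placeholders, not real Microsoft values.
GRAPH, EXO, SPO = ("00000003-0000-0000-c000-000000000000",
                   "00000002-0000-0ff1-ce00-000000000000",
                   "00000003-0000-0ff1-ce00-000000000000")
SAMPLE_PERMISSION_NAMES = {  # (resourceAppId, permission id) -> permission name
    (GRAPH, "11111111-1111-1111-1111-000000000001"): "Directory.Read.All",
    (GRAPH, "11111111-1111-1111-1111-000000000002"): "Group.Read.All",
    (GRAPH, "11111111-1111-1111-1111-000000000003"): "Sites.ReadWrite.All",
    (GRAPH, "11111111-1111-1111-1111-000000000009"): "Mail.ReadWrite",
    (EXO, "22222222-2222-2222-2222-000000000001"): "full_access_as_app",
    (SPO, "33333333-3333-3333-3333-000000000001"): "Sites.FullControl.All",
    (SPO, "33333333-3333-3333-3333-000000000002"): "User.Read.All",
}
SAMPLE_MANIFEST = {  # constructed: lacks TeamSettings.ReadWrite.All, carries an unlisted Mail.ReadWrite
    "isFallbackPublicClient": False,
    "publicClient": {"redirectUris": ["http://localhost/"]},
    "requiredResourceAccess": [
        {"resourceAppId": GRAPH, "resourceAccess": [
            {"id": "11111111-1111-1111-1111-000000000001", "type": "Role"},
            {"id": "11111111-1111-1111-1111-000000000002", "type": "Role"},
            {"id": "11111111-1111-1111-1111-000000000003", "type": "Role"},
            {"id": "11111111-1111-1111-1111-000000000009", "type": "Role"}]},
        {"resourceAppId": EXO, "resourceAccess": [
            {"id": "22222222-2222-2222-2222-000000000001", "type": "Role"}]},
        {"resourceAppId": SPO, "resourceAccess": [
            {"id": "33333333-3333-3333-3333-000000000001", "type": "Role"},
            {"id": "33333333-3333-3333-3333-000000000002", "type": "Role"}]},
    ],
}


def granted_permissions(manifest, permission_names):
    """Translate requiredResourceAccess entries into (API, permission name, type) triples."""
    found = set()
    for entry in manifest.get("requiredResourceAccess", []):
        api = RESOURCE_APP_IDS.get(entry["resourceAppId"], entry["resourceAppId"])
        for access in entry.get("resourceAccess", []):
            name = permission_names.get((entry["resourceAppId"], access["id"]), access["id"])
            found.add((api, name, access["type"]))
    return found


def audit(manifest, permission_names, usage):
    """Report permissions missing for `usage`, permissions outside every table on this page,
    and (for restore usages) the public client settings the page requires."""
    granted = granted_permissions(manifest, permission_names)
    listed_anywhere = set().union(*REQUIRED.values())
    findings = {
        "missing": sorted(REQUIRED[usage] - granted),
        "not_in_tables": sorted(granted - listed_anywhere),
    }
    if usage.startswith("Restore"):
        findings["public_client"] = manifest.get("isFallbackPublicClient") is True
        findings["redirect_uris"] = list(manifest.get("publicClient", {}).get("redirectUris", []))
    return findings


if __name__ == "__main__":
    for usage in REQUIRED:
        print(usage, json.dumps(audit(SAMPLE_MANIFEST, SAMPLE_PERMISSION_NAMES, usage), indent=2))
```

Run against a real tenant, replace SAMPLE_MANIFEST with the exported manifest and build the name map from each resource service principal's appRoles (Application) and oauth2PermissionScopes (Delegated). The "not_in_tables" list is the least-privilege check: anything there is beyond what the backup and restore scenarios on this page need and is a candidate for removal.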
Required User Account Roles for Azure AD Applications
The account that the Azure AD application will use to log in to Microsoft Office 365 must be assigned the following roles:
- Global Administrator or Exchange Administrator — required for data restore with Veeam Explorer for Microsoft Exchange.
- Global Administrator or SharePoint Administrator — required for data restore with Veeam Explorer for Microsoft SharePoint and Veeam Explorer for Microsoft OneDrive for Business.
- Global Administrator or Teams Service Administrator — required for data restore with Veeam Explorer for Microsoft Teams.
- Global Administrator — required for establishing a connection to a service provider in the Office 365 Backup as a Service scenario.
Requirements for Modern Authentication with Legacy Protocols Allowed
The following table lists required permissions that must be granted to Azure AD applications for backup operations for organizations with modern authentication and legacy protocols allowed.
API | Permission name | Type | Usage | Description
---|---|---|---|---
Microsoft Graph | Directory.Read.All | Application | Backup | Querying Azure AD for organization properties, the list of users and groups and their properties.
Microsoft Graph | Group.Read.All | Application | Backup | Querying Azure AD for the list of groups and group sites.
Microsoft Graph | TeamSettings.ReadWrite.All | Application | Backup | Accessing archived teams for the purpose of backup.
Exchange | full_access_as_app | Application | Backup | Reading mailbox content for the purpose of backup.
SharePoint | Sites.FullControl.All | Application | Backup | Reading site and OneDrive account content for the purpose of backup.
SharePoint | User.Read.All | Application | Backup | Reading OneDrive accounts for the purpose of backup (getting site IDs).