Azure AD Application Permissions


Veeam Backup for Microsoft Office 365 requires that you grant permissions to Azure AD applications to back up and restore data from/to your Microsoft Office 365 organizations.

For more information about permissions in Azure, see this Microsoft article.

Requirements for Modern App-Only Authentication

The following table lists permissions for Azure AD applications that are granted automatically by Veeam Backup for Microsoft Office 365 when you add organizations using the modern app-only authentication method.

If you prefer to use a custom application of your own, make sure to grant all the permissions listed in this table manually.

| API | Permission name | Type | Usage | Description |
|-----|-----------------|------|-------|-------------|
| Microsoft Graph | Directory.Read.All | Application | Backup | Querying Azure AD for organization properties, the list of users and groups and their properties. |
| Microsoft Graph | Directory.Read.All | Delegated ¹ | Restore | Querying Azure AD for organization properties, the list of users and groups and their properties. |
| Microsoft Graph | Group.Read.All | Application | Backup | Querying Azure AD for the list of groups and group sites. |
| Microsoft Graph | Group.ReadWrite.All | Application ² | Restore | Recreating in Azure AD an associated group in case of a deleted team site restore. This permission is only required for restore of SharePoint site data through REST API and PowerShell. |
| Microsoft Graph | Group.ReadWrite.All | Delegated ¹ | Restore | Recreating in Azure AD an associated group in case of teams restore. |
| Microsoft Graph | offline_access | Delegated ¹ | Restore | Obtaining a refresh token from Azure AD. |
| Microsoft Graph | Sites.ReadWrite.All | Application | Backup | Querying Azure AD for the list of sites and getting download URLs for files and their versions. |
| Microsoft Graph | TeamSettings.ReadWrite.All | Application | Backup | Accessing archived teams to back up. |
| Microsoft Graph | TeamSettings.ReadWrite.All | Application ² | Restore | Restoring teams to the archived state. |
| Office 365 Exchange Online | EWS.AccessAsUser.All | Delegated ¹ | Restore | Accessing mailboxes as the signed-in user (impersonation) through EWS to restore. |
| Office 365 Exchange Online | full_access_as_app | Application | Backup | Reading mailbox content to back up. |
| Office 365 Exchange Online | full_access_as_user | Delegated ¹ | Restore | Reading the current state and restoring mailbox content. This permission is only required when you add an organization in the Germany region. |
| SharePoint | AllSites.FullControl | Delegated ¹ | Restore | Reading the current state and restoring SharePoint sites and OneDrive accounts content. |
| SharePoint | Sites.FullControl.All | Application | Backup | Reading sites and OneDrive accounts content to back up. |
| SharePoint | Sites.FullControl.All | Application ² | Restore | Reading the current state and restoring SharePoint sites and OneDrive accounts content. |
| SharePoint | User.Read.All | Application | Backup | Reading OneDrive accounts to back up (getting site IDs). |
| SharePoint | User.Read.All | Application ² | Restore | Resolving OneDrive accounts to restore (getting site IDs). |
| SharePoint | User.ReadWrite.All | Delegated ¹ | Restore | Resolving OneDrive accounts to restore (getting site IDs). |

¹ Permissions of the Delegated type are used for data restore using the device code flow.

² Permissions of the Application type are used for data restore using an application certificate.

Checking Permissions for Office 365 Exchange Online API

To check Office 365 Exchange Online API permissions, do the following:

1. Sign in to the Azure portal.
2. Go to Azure Active Directory > App registrations, and select an application.
3. Select API permissions > Add a permission > APIs my organization uses.
4. Select Office 365 Exchange Online API in the list, check its permissions and configure them, if needed.

Backup Application Permissions

The following table lists required permissions for Azure AD applications that you add as backup applications.

| API | Permission name | Type | Usage | Description |
|-----|-----------------|------|-------|-------------|
| Microsoft Graph | Sites.ReadWrite.All | Application | Backup | Getting download URLs for files and their versions. |
| SharePoint | Sites.FullControl.All | Application | Backup | Reading sites and OneDrive accounts content to back up. |
| SharePoint | User.Read.All | Application | Backup | Reading OneDrive accounts to back up (getting site IDs). |

Required Azure AD Application Settings

For data restore using an Azure AD application, the following settings must be specified for the application in Microsoft Azure:

1. In the Azure AD application settings, the Treat application as a public client option must be set to Yes. For more information on application settings, see this Microsoft article.

   Note that this option is not available in Microsoft Azure for the Germany region. In this region, you must register Azure AD applications used for backup and restore as applications of the Public client/Native type.

2. In the Azure AD application settings, a redirect URI must be specified for the application. For more information, see this Microsoft article.

   When creating a new Azure AD application automatically, Veeam Backup for Microsoft Office 365 specifies http://localhost/ as a redirect URI.
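The permission table under Requirements for Modern App-Only Authentication and the two restore settings above can be verified against an existing app registration rather than by eye. The following is an added example, not Veeam's code or Microsoft's: it takes an application object and the resource service principal objects in the shapes Microsoft Graph returns for the `application` and `servicePrincipal` resources, resolves the permission GUIDs in `requiredResourceAccess` to names through each resource's `appRoles` (application permissions) and `oauth2PermissionScopes` (delegated permissions), and reports what is missing relative to the table and what is granted beyond it. The three resource appIds are the real, tenant-independent values for Microsoft Graph, Office 365 Exchange Online and SharePoint; the `isFallbackPublicClient` property is the Graph-side form of the portal's Treat application as a public client switch. The sample application and catalog at the bottom are constructed, with placeholder GUIDs generated locally, so the script runs offline; in practice you would feed it the JSON from `GET /applications/{id}` and `GET /servicePrincipals?$filter=appId eq '...'`.

```python
import uuid

# Well-known appIds of the resource APIs named in the tables (real, fixed values).
RESOURCE_APPS = {
    "00000003-0000-0000-c000-000000000000": "Microsoft Graph",
    "00000002-0000-0ff1-ce00-000000000000": "Office 365 Exchange Online",
    "00000003-0000-0ff1-ce00-000000000000": "SharePoint",
}
APP_ID_OF = {name: app_id for app_id, name in RESOURCE_APPS.items()}

# Graph records the permission type in requiredResourceAccess as "Role"
# (application permission) or "Scope" (delegated permission).
TYPE_OF = {"Role": "Application", "Scope": "Delegated"}

# The modern app-only table as (API, permission, type) triples; full_access_as_user
# is only required for the Germany region, so it is kept in its own set.
REQUIRED = {
    ("Microsoft Graph", "Directory.Read.All", "Application"),
    ("Microsoft Graph", "Directory.Read.All", "Delegated"),
    ("Microsoft Graph", "Group.Read.All", "Application"),
    ("Microsoft Graph", "Group.ReadWrite.All", "Application"),
    ("Microsoft Graph", "Group.ReadWrite.All", "Delegated"),
    ("Microsoft Graph", "offline_access", "Delegated"),
    ("Microsoft Graph", "Sites.ReadWrite.All", "Application"),
    ("Microsoft Graph", "TeamSettings.ReadWrite.All", "Application"),
    ("Office 365 Exchange Online", "EWS.AccessAsUser.All", "Delegated"),
    ("Office 365 Exchange Online", "full_access_as_app", "Application"),
    ("SharePoint", "AllSites.FullControl", "Delegated"),
    ("SharePoint", "Sites.FullControl.All", "Application"),
    ("SharePoint", "User.Read.All", "Application"),
    ("SharePoint", "User.ReadWrite.All", "Delegated"),
}
GERMANY_ONLY = {("Office 365 Exchange Online", "full_access_as_user", "Delegated")}


def resolve_permissions(app, catalog):
    """Map requiredResourceAccess GUIDs to (API, name, type) via the resource SPs."""
    granted = set()
    for resource in app.get("requiredResourceAccess", []):
        app_id = resource["resourceAppId"]
        api = RESOURCE_APPS.get(app_id, app_id)
        sp = catalog.get(app_id)
        if sp is None:
            raise ValueError(f"no service principal object supplied for {api}")
        lookup = {  # a Role id must be an appRole, a Scope id an oauth2PermissionScope
            "Role": {r["id"]: r["value"] for r in sp.get("appRoles", [])},
            "Scope": {s["id"]: s["value"] for s in sp.get("oauth2PermissionScopes", [])},
        }
        for access in resource["resourceAccess"]:
            name = lookup[access["type"]].get(access["id"])
            if name is None:
                raise ValueError(f"unknown {access['type']} id {access['id']} on {api}")
            granted.add((api, name, TYPE_OF[access["type"]]))
    return granted


def audit_permissions(app, catalog, germany=False):
    """Return permissions missing from the table and permissions granted beyond it."""
    required = REQUIRED | (GERMANY_ONLY if germany else set())
    granted = resolve_permissions(app, catalog)
    return {"missing": sorted(required - granted), "extra": sorted(granted - required)}


def audit_restore_settings(app):
    """Restore needs the public-client switch on and at least one redirect URI."""
    issues = []
    if not app.get("isFallbackPublicClient"):
        issues.append("'Treat application as a public client' is not set to Yes")
    uris = (app.get("publicClient", {}).get("redirectUris", [])
            + app.get("web", {}).get("redirectUris", []))
    if not uris:
        issues.append("no redirect URI is registered")
    return issues


def _fake_id(api, name, kind):
    # Constructed: deterministic placeholder GUIDs standing in for the real permission ids.
    return str(uuid.uuid5(uuid.NAMESPACE_URL, f"{api}/{kind}/{name}"))


def build_catalog(known):
    """Constructed servicePrincipal objects, one per API, exposing the given permissions."""
    catalog = {}
    for api, name, kind in known:
        sp = catalog.setdefault(APP_ID_OF[api], {"appRoles": [], "oauth2PermissionScopes": []})
        bucket = "appRoles" if kind == "Application" else "oauth2PermissionScopes"
        sp[bucket].append({"id": _fake_id(api, name, kind), "value": name})
    return catalog


def build_app(grants, public_client=True, redirect_uris=("http://localhost/",)):
    """Constructed application object requesting the given permissions."""
    by_resource = {}
    for api, name, kind in grants:
        by_resource.setdefault(APP_ID_OF[api], []).append(
            {"id": _fake_id(api, name, kind), "type": "Role" if kind == "Application" else "Scope"})
    return {"displayName": "vbo-demo-app", "isFallbackPublicClient": public_client,
            "publicClient": {"redirectUris": list(redirect_uris)},
            "requiredResourceAccess": [{"resourceAppId": r, "resourceAccess": a}
                                       for r, a in by_resource.items()]}


# Constructed sample: two table entries left out, one unrelated write permission added.
EXTRA = ("Microsoft Graph", "Directory.ReadWrite.All", "Application")
SAMPLE_CATALOG = build_catalog(REQUIRED | GERMANY_ONLY | {EXTRA})
SAMPLE_APP = build_app(REQUIRED - {("Microsoft Graph", "offline_access", "Delegated"),
                                   ("Microsoft Graph", "TeamSettings.ReadWrite.All", "Application")}
                       | {EXTRA})
```

Running `audit_permissions(SAMPLE_APP, SAMPLE_CATALOG)` on the constructed sample lists the two omitted table entries under `missing` and `Directory.ReadWrite.All` under `extra`; the `extra` list is the one worth watching in a review, since a backup application only needs what the table grants. The resolver deliberately raises on a GUID it cannot find in the matching bucket, so a delegated scope mistakenly requested as an application role is flagged instead of silently counted.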

Required User Account Roles for Azure AD Applications

The account that the Azure AD application will use to log in to Microsoft Office 365 must be assigned the following roles:

Requirements for Modern Authentication with Legacy Protocols Allowed

The following table lists required permissions that must be granted to Azure AD applications to perform a backup for organizations with modern authentication with legacy protocols allowed.

| API | Permission name | Type | Usage | Description |
|-----|-----------------|------|-------|-------------|
| Microsoft Graph | Directory.Read.All | Application | Backup | Querying Azure AD for organization properties, the list of users and groups and their properties. |
| Microsoft Graph | Group.Read.All | Application | Backup | Querying Azure AD for the list of groups and group sites. |
| Microsoft Graph | TeamSettings.ReadWrite.All | Application | Backup | Accessing archived teams to back up. |
| Exchange | full_access_as_app | Application | Backup | Reading mailbox content to back up. |
| SharePoint | Sites.FullControl.All | Application | Backup | Reading sites and OneDrive accounts content to back up. |
| SharePoint | User.Read.All | Application | Backup | Reading OneDrive accounts to back up (getting site IDs). |
