Veeam Backup for Microsoft Office 365 4.0
User Guide

Azure AD Applications

This section explains required permissions for Azure AD applications that you use to back up and restore data from/to your Microsoft Office 365 organizations.

For more information about permissions in Azure, see this Microsoft article.

Veeam Backup for Microsoft Office 365 Version 4c

The following table lists permissions for AD applications that are granted automatically by Veeam Backup for Microsoft Office 365 when you add organizations using the modern authentication method.

If you prefer to use a custom application of your own, make sure to grant all the permissions listed in this table manually.

| API | Permission name | Type | Usage | Description |
|---|---|---|---|---|
| Microsoft Graph | Directory.Read.All | Application | Backup | Querying Azure AD for organization properties, the list of users and groups and their properties. |
| Microsoft Graph | Directory.Read.All | Delegated¹ | Restore | Querying Azure AD for organization properties, the list of users and groups and their properties. |
| Microsoft Graph | Group.Read.All | Application | Backup | Querying Azure AD for the list of groups and group sites. |
| Microsoft Graph | Group.ReadWrite.All | Application² | Restore | Recreating in Azure AD an associated group in case of a deleted team site restore. This permission is only required for restore of SharePoint site data with AD applications using a certificate. The operation is available through RESTful API and PowerShell. |
| Microsoft Graph | offline_access | Delegated¹ | Restore | Obtaining a refresh token from Azure AD. |
| Microsoft Graph | Sites.ReadWrite.All | Application | Backup | Querying Azure AD for the list of sites and getting download URLs for files and their versions. |
| Exchange | EWS.AccessAsUser.All | Delegated¹ | Restore | Accessing mailboxes as the signed-in user (impersonation) through EWS for the purpose of restore. |
| Exchange | full_access_as_app | Application | Backup | Reading mailboxes content for the purpose of backup. |
| Exchange | full_access_as_user | Delegated¹ | Restore | Reading the current state and restoring mailboxes content. This permission is only required when you add an organization in the Germany region. |
| SharePoint | AllSitesFullControl | Delegated¹ | Restore | Reading the current state and restoring SharePoint sites and OneDrive accounts content. |
| SharePoint | Sites.FullControl.All | Application | Backup | Reading sites and OneDrive accounts content for the purpose of backup. |
| SharePoint | Sites.FullControl.All | Application² | Restore | Reading the current state and restoring SharePoint sites and OneDrive accounts content. |
| SharePoint | User.Read.All | Application | Backup | Reading OneDrive accounts for the purpose of backup (getting site IDs). |
| SharePoint | User.Read.All | Application² | Restore | Resolving OneDrive accounts for the purpose of restore (getting site IDs). |
| SharePoint | User.ReadWrite.All | Delegated¹ | Restore | Resolving OneDrive accounts for the purpose of restore (getting site IDs). |

¹ Permissions of the Delegated type are used for data restore using the device code flow.

² Permissions of the Application type are used for data restore using an application certificate.

The following table lists required permissions for AD applications that you add as backup applications.

| API | Permission name | Type | Usage | Description |
|---|---|---|---|---|
| Microsoft Graph | Sites.ReadWrite.All | Application | Backup | Getting download URLs for files and their versions. |
| SharePoint | Sites.FullControl.All | Application | Backup | Reading site and OneDrive account content for the purpose of backup. |
| SharePoint | User.Read.All | Application | Backup | Reading OneDrive accounts for the purpose of backup (getting site IDs). |
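When you grant permissions to a custom application manually, it helps to compare what was actually granted against the two Version 4c tables above. The following is an added example, not part of the Veeam documentation or product: it audits a permission inventory for missing and excess grants. The CSV layout, the sample rows and the function names are assumptions made for illustration.

```python
import csv
import io

# Required permissions transcribed from the Version 4c tables on this page,
# as (API, permission name, type) tuples.
ORGANIZATION_APP = {
    ("Microsoft Graph", "Directory.Read.All", "Application"),
    ("Microsoft Graph", "Directory.Read.All", "Delegated"),
    ("Microsoft Graph", "Group.Read.All", "Application"),
    ("Microsoft Graph", "Group.ReadWrite.All", "Application"),
    ("Microsoft Graph", "offline_access", "Delegated"),
    ("Microsoft Graph", "Sites.ReadWrite.All", "Application"),
    ("Exchange", "EWS.AccessAsUser.All", "Delegated"),
    ("Exchange", "full_access_as_app", "Application"),
    ("Exchange", "full_access_as_user", "Delegated"),
    ("SharePoint", "AllSitesFullControl", "Delegated"),
    ("SharePoint", "Sites.FullControl.All", "Application"),
    ("SharePoint", "User.Read.All", "Application"),
    ("SharePoint", "User.ReadWrite.All", "Delegated"),
}
BACKUP_APP = {
    ("Microsoft Graph", "Sites.ReadWrite.All", "Application"),
    ("SharePoint", "Sites.FullControl.All", "Application"),
    ("SharePoint", "User.Read.All", "Application"),
}
# Rows the page marks as required only in specific cases.
CONDITIONAL = {
    ("Microsoft Graph", "Group.ReadWrite.All", "Application"),  # certificate-based SharePoint restore
    ("Exchange", "full_access_as_user", "Delegated"),           # Germany region
}
# Constructed sample (hypothetical CSV layout): grants on a backup application.
SAMPLE_CSV = """api,permission,type
Microsoft Graph,Sites.ReadWrite.All,Application
SharePoint,Sites.FullControl.All,Application
Exchange,full_access_as_app,Application
"""

def load_grants(text):
    """Parse the CSV inventory into a set of (api, permission, type) tuples."""
    rows = csv.DictReader(io.StringIO(text))
    return {(r["api"].strip(), r["permission"].strip(), r["type"].strip()) for r in rows}

def audit(granted, required, conditional=frozenset()):
    """Report required grants that are absent and grants beyond the required set."""
    return {"missing": sorted(required - conditional - granted),
            "excess": sorted(granted - required)}
```

For the constructed sample, `audit(load_grants(SAMPLE_CSV), BACKUP_APP)` reports `User.Read.All` as missing and `full_access_as_app` as an excess grant that a backup application does not need according to the second table.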

Required Azure AD Application Settings

For data restore using an AD application, the following settings must be specified for the application in Microsoft Azure:

  1. In the AD application settings, the Treat application as a public client option must be set to Yes. For more information on application settings, see Microsoft Docs.

     Note that this option is not available in Microsoft Azure for the Germany region. In this region, you must register AD applications used for backup and restore as applications of the Public client/Native type.

  2. In the AD application settings, a redirect URI must be specified for the application. For more information, see Microsoft Docs.

Veeam Backup for Microsoft Office 365 Version 4

The following table lists required permissions that must be granted to AD applications for backup operations for organizations with modern authentication and legacy authentication protocols.

| API | Permission name | Type | Usage | Description |
|---|---|---|---|---|
| Microsoft Graph | Directory.Read.All | Application | Backup | Querying Azure AD for organization properties, the list of users and groups and their properties. |
| Microsoft Graph | Group.Read.All | Application | Backup | Querying Azure AD for the list of groups and group sites. |
| Exchange | full_access_as_app | Application | Backup | Reading mailbox content for the purpose of backup. |
| SharePoint | Sites.FullControl.All | Application | Backup | Reading site and OneDrive account content for the purpose of backup. |
| SharePoint | User.Read.All | Application | Backup | Reading OneDrive accounts for the purpose of backup (getting site IDs). |
