Azure AD Application Permissions

Veeam Backup for Microsoft 365 requires that you grant permissions to Azure AD applications within the following usage scenarios:

• Back up and restore data of your Microsoft 365 organizations.

Permissions of the Azure AD application depend on the authentication method that you plan to use when adding a Microsoft 365 organization. For more information, see the following sections:

• Permissions for Modern App-Only Authentication
• Permissions for Modern Authentication and Legacy Protocols

• Self-service restore using Restore Portal.

If you allow users to perform self-service restore using Restore Portal, they will authenticate to the portal with their Microsoft 365 user account credentials. To ensure such authentication, an Azure AD application must be configured. Veeam Backup for Microsoft 365 automatically grants the required permissions to this Azure AD application or you can grant permissions manually. For more information, see the following sections:

• Permissions for Authentication to Restore Portal
• Creating or Configuring Azure AD Application

• Backup copy to Microsoft Azure Blob Storage.

You can optionally use the Azure archiver appliance when Veeam Backup for Microsoft 365 copies backed-up data between different instances of Azure Blob Storage or to Azure Blob Storage Archive. To enable usage of the Azure archiver appliance, the Microsoft Azure service account is required. You must assign the required roles to a user account that you use to create an Azure AD application for the Microsoft Azure service account. Veeam Backup for Microsoft 365 automatically grants the required permissions to this Azure AD application or you can grant permissions manually. For more information, see the following sections:

• Permissions for Azure Archiver Appliance
• Adding Microsoft Azure Service Account

For more information about permissions in Azure, see this Microsoft article.