Permissions Changelog

You can learn what was changed in permissions required for Veeam Backup for Microsoft 365 6a comparing to version 5.0.

Azure AD Application Permissions

The following table lists changes in permissions for modern app-only authentication:

API

Permission name

Type

Usage

Description

Status

 

Microsoft Graph

Sites.Read.All

Application

Backup

Querying Azure AD for the list of sites and getting download URLs for files and their versions.

new

Sites.Read.All

Delegated

Restore

Accessing sites of the applications that are installed from the SharePoint store.

new

Sites.Read.All

Application

Restore

Accessing sites of the applications that are installed from the SharePoint store.

new

Sites.ReadWrite.All

Application

Backup

Querying Azure AD for the list of sites and getting download URLs for files and their versions.

removed

TeamSettings.ReadWrite.All

Application

Restore

Restoring teams to the archived state.

removed

Directory.ReadWrite.All

Delegated

Restore

Setting the preferred data location when creating a new M365 group for a multi-geo tenant in case of teams restore.

new

ChannelMessage.Read.All

Application

Backup

Accessing all Teams public channel messages.

Note: This permission is only required if you want to back up team chats using Teams Export APIs.

new

 

SharePoint

User.ReadWrite.All

Delegated

Restore

Resolving OneDrive accounts (getting site IDs).

removed

User.Read.All

Delegated

Restore

Resolving OneDrive accounts (getting site IDs).

Note: This permission is not required to restore SharePoint Online data.

new

User.Read.All

Application

Restore

Resolving OneDrive accounts (getting site IDs).

Note: This permission is not required to restore SharePoint Online data.

changed

The following table lists changes in permissions for modern authentication and legacy protocols:

API

Permission name

Type

Usage

Description

Status

Microsoft Graph

Sites.Read.All

Application

Backup

Accessing sites of the applications that are installed from the SharePoint store.

new

If you allow users to perform self-service restore using Restore Portal, they will authenticate to the portal with their Microsoft 365 user account credentials. Veeam Backup for Microsoft 365 requires Azure AD application to be configured and granted permissions to ensure such authentication. For more information, see Permissions for Authentication to Restore Portal.

If you want to use the Azure archiver appliance when Veeam Backup for Microsoft 365 copies backed-up data from Azure Blob storage to Azure Archive storage, you must assign the required roles to a user account that you use to create Azure AD application for the Microsoft Azure service account. For more information, see Permissions for Azure Archiver Appliance.

Amazon S3 Storage Permissions

If you create an instance of your backed-up data in Amazon S3 Glacier or Amazon S3 Glacier Deep Archive storage, you must grant permissions to a user account that you use to access Amazon buckets and folders. For more information, see Amazon S3 Storage Permissions.

Azure Archive Storage

If you create an instance of Microsoft 365 and on-premises Microsoft organization backups in Azure Blob Storage Archive access tier, you must grant permissions to a user account that you use to access Azure archive storage. For more information, see Azure Archive Storage Permissions.