Permissions for Authentication to Restore Portal

The following table lists permissions for Azure AD applications that are granted automatically by Veeam Backup for Microsoft 365 when you configure the Restore Portal settings.

If you prefer to use a custom application of your own, make sure to grant all the permissions listed in this table manually.

All listed permissions are of the Delegated type.


Permission name


Microsoft Graph


Sign in and read user profile.

<Azure AD application>


Obtain an access token on behalf of the user to implement On-Behalf-Of flow.

For more information about On-Behalf-Of flow, see this Microsoft article.

For more information on how to expose a web API, see this Microsoft article.