The following table lists required permissions for a restore.
Required Roles and Permissions
Restore to Microsoft Office 365 and on-premises Microsoft Exchange
To restore data to Microsoft Office 365 and on-premises Microsoft Exchange, make sure to configure user accounts as follows:
Restore to Public Folder Using Basic Authentication Method
Restore to Mailbox Using Basic Authentication Method
The account used to log in to Microsoft Office 365 must be assigned the ApplicationImpersonation role. For more information, see this Microsoft article.
Also make sure that the required settings are specified for the AD application used for restore. For more information, see Required Azure AD Application Settings.
To assign the Organization Management role, use the following cmdlet.
Add-RoleGroupMember “Organization Management” –Member “<user_account>”
For more information about the Add-RoleGroupMember cmdlet, see this Microsoft article.
To grant Full Access to the account that owns a mailbox, use the following cmdlet.
Add-MailboxPermission –Identity “<target_mailbox>” -User “<user_account>” -AccessRights FullAccess –InheritanceType All
For more information about the Add-MailboxPermission cmdlet, see this Microsoft article.
To grant Full Access to the account that do not own a mailbox (i.e. through impersonation), use the following cmdlet.
New-ManagementRoleAssignment -Name "<role_name>" -Role ApplicationImpersonation -User "<user_account>"
For more information about the New-ManagementRoleAssignment cmdlet, see this Microsoft article.
Recalling Given Permissions
To recall given access level, run either of the following cmdlets.
Remove-ManagementRoleAssignment -Identity <role_name>