Permissions

The accounts that Veeam Backup for Microsoft Entra ID uses to deploy and manage backup infrastructure components must be granted the following permissions.

Veeam Backup & Replication User Account Permissions

The user account that you plan to use to install and work with Veeam Backup & Replication must have the permissions described in the section Installing and Using Veeam Backup & Replication.

Microsoft Entra Roles and Permissions

Veeam Backup for Microsoft Entra ID requires a Microsoft Entra application whose permissions are used to add Microsoft Entra ID tenants to the backup infrastructure and to perform backup and restore operations with Microsoft Entra ID resources.

Adding and Backing Up Tenants

You can specify an existing application or instruct Veeam Backup & Replication to create a new one. The list of permissions granted to the Microsoft Entra application and the list of roles assigned to the Microsoft Entra ID user account that you use to create the application depend on the actions you plan to perform using the application.

Application: New

The Microsoft Entra ID user account associated with the tenant where the Microsoft Entra ID application will be created must have the following built-in roles assigned:

As an alternative, you can assign the Global Administrator Microsoft Entra built-in role.

Application: Existing

To perform backup, the application must have the following permissions:

For essential tenant items backup: Directory.Read.All, Group.Read.All, MailboxSettings.Read, RoleManagement.Read.Directory, User.Read.All.

For optional tenant items backup: Policy.Read.All, Policy.ReadWrite.ConditionalAccess, Agreement.Read.All, DeviceManagementConfiguration.Read.All.

For log backup: AuditLog.Read.All.

To perform restore, the application must have the following permissions:

For essential tenant items restore: Directory.ReadWrite.All, RoleManagement.ReadWrite.Directory, AdministrativeUnit.ReadWrite.All, Directory.AccessAsUser.All, Application.ReadWrite.All, Group.ReadWrite.All.

For optional tenant items restore: Policy.ReadWrite.ConditionalAccess, Agreement.Read.All, DeviceManagementConfiguration.ReadWrite.All.

Note: Make sure that the Allow public client flows option is enabled for the application. For more information, see Microsoft Docs.

Important

  • Application permissions cannot be used to restore device configuration profiles of the editionUpgradeConfiguration resource type — these profiles can be restored using delegated permissions only.
  • When restoring device configuration profiles of the editionUpgradeConfiguration resource type, Veeam Backup for Microsoft Entra ID rewrites values of the License and ProductKey properties with predefined placeholders. To change these values, update the properties manually in the Intune Admin Center.
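
The permission lists given above for an existing application can be turned into a least-privilege check. The following is an added example, not code from Veeam or from this page: it compares the permissions granted to an application with the lists above for the operations you plan to run, and reports both missing permissions and grants that those operations do not need. The function name `audit`, the operation labels and the sample grant list are assumptions made for the example.

```python
# Added example: audit granted Microsoft Graph permissions against the lists on this page.
# REQUIRED is copied from the page; audit() and the operation labels are hypothetical names.
REQUIRED = {
    "essential backup": {"Directory.Read.All", "Group.Read.All", "MailboxSettings.Read",
                         "RoleManagement.Read.Directory", "User.Read.All"},
    "optional backup": {"Policy.Read.All", "Policy.ReadWrite.ConditionalAccess",
                        "Agreement.Read.All", "DeviceManagementConfiguration.Read.All"},
    "log backup": {"AuditLog.Read.All"},
    "essential restore": {"Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
                          "AdministrativeUnit.ReadWrite.All", "Directory.AccessAsUser.All",
                          "Application.ReadWrite.All", "Group.ReadWrite.All"},
    "optional restore": {"Policy.ReadWrite.ConditionalAccess", "Agreement.Read.All",
                         "DeviceManagementConfiguration.ReadWrite.All"},
}


def audit(granted, planned):
    """Return (missing, unneeded) for the planned operations.

    missing  -- dict: operation -> sorted permissions the application still lacks
    unneeded -- sorted grants that none of the planned operations require
    """
    unknown = [op for op in planned if op not in REQUIRED]
    if unknown:
        raise ValueError(f"unknown operation(s): {unknown}")
    granted = {p.strip() for p in granted if p.strip()}
    missing = {op: sorted(REQUIRED[op] - granted) for op in planned}
    needed = set().union(*(REQUIRED[op] for op in planned))
    return missing, sorted(granted - needed)


# Constructed sample: an application intended for backup only that also
# carries two write permissions from the restore list and lacks log access.
GRANTED_SAMPLE = [
    "Directory.Read.All", "Group.Read.All", "MailboxSettings.Read",
    "RoleManagement.Read.Directory", "User.Read.All",
    "Directory.ReadWrite.All", "Application.ReadWrite.All",
]

if __name__ == "__main__":
    missing, unneeded = audit(GRANTED_SAMPLE, ["essential backup", "log backup"])
    for op, perms in missing.items():
        print(f"{op}: {'ready' if not perms else 'missing ' + ', '.join(perms)}")
    print("not needed for planned operations:", ", ".join(unneeded) or "none")
```

Any write permission reported as not needed is a candidate for removal when the application is used for backup only.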

Restoring Tenant Data

To restore tenant data, Veeam Backup for Microsoft Entra ID uses the Microsoft Entra application that was used to add the tenant. This application has delegated access and acts on behalf of a user that you specify in the restore wizard.

This user must have the following roles:

As an alternative, you can use the Global Administrator Microsoft Entra role plus either the Conditional Access Administrator role (recommended) or the Security Administrator role.

Page updated 5/12/2026

Page content applies to build 13.0.1.2067