Permissions

The accounts that Veeam Data Cloud uses to manage Microsoft Entra ID must be granted the following permissions.

Veeam Data Cloud User Account Permissions

A user account that you plan to use when working with Entra ID tenants in Veeam Data Cloud must have at least one of the following Veeam Data Cloud roles assigned: EntraID:Administrator or OrganizationAdmin. For details, see User Roles.

Microsoft Entra Roles and Permissions

Veeam Data Cloud requires a Microsoft Entra service principal to add Microsoft Entra ID tenants to Veeam Data Cloud and to back up and restore Microsoft Entra ID data. To allow Veeam Data Cloud to create this service principal, you must authorize Veeam Data Cloud using a Microsoft Entra ID account that has Global Administrator privileges.

Veeam Data Cloud creates the Microsoft Entra service principal with the following set of permissions:

| API | Permission | Permission display name | Permission type |
|---|---|---|---|
| Microsoft Graph | AdministrativeUnit.ReadWrite.All | Read and write all administrative units | Application |
| Microsoft Graph | Application.ReadWrite.All | Read and write all applications | Application |
| Microsoft Graph | AppRoleAssignment.ReadWrite.All | Manage app permission grants and app role assignments | Application |
| Microsoft Graph | AuditLog.Read.All | Read all audit log data | Application |
| Microsoft Graph | Directory.ReadWrite.All | Read and write directory data | Application |
| Microsoft Graph | Group.ReadWrite.All | Read and write all groups | Application |
| Microsoft Graph | MailboxSettings.Read | Read all user mailbox settings | Application |
| Microsoft Graph | RoleManagement.ReadWrite.Directory | Read and write all directory RBAC settings | Application |
| Microsoft Graph | User.DeleteRestore.All | Delete and restore all users | Application |
| Microsoft Graph | User.ReadWrite.All | Read and write all users' full profiles | Application |
| Microsoft Graph | User.Read | Sign in and read user profile | Application |
| Microsoft Graph | Policy.Read.All (required for Conditional Access policies backup) | Read your organization's policies | Application |
| Microsoft Graph | Policy.ReadWrite.ConditionalAccess (required for Conditional Access policies backup) | Read and write your organization's Conditional Access policies | Application |
| Microsoft Graph | Agreement.Read.All (required for Conditional Access policies backup) | Read all terms of use agreements | Application |
| Azure Resource Manager | user_impersonation | Access Azure Resource Manager as organization users | Delegated |
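
Because this set includes directory-wide write permissions, it is worth checking periodically that the service principal holds exactly the documented permissions. The following is an added example, not Veeam code: it compares grants exported from Microsoft Graph (`appRoleAssignments` and `oauth2PermissionGrants` of the service principal) with the table above. The function names, the `api_label` mapping, and all sample ids are assumptions constructed for illustration.

```python
# Added example (not Veeam code): detect drift between the permissions granted
# to a service principal and the set documented in the table on this page.
DOCUMENTED = {
    "Microsoft Graph": {
        "AdministrativeUnit.ReadWrite.All", "Application.ReadWrite.All",
        "AppRoleAssignment.ReadWrite.All", "AuditLog.Read.All",
        "Directory.ReadWrite.All", "Group.ReadWrite.All", "MailboxSettings.Read",
        "RoleManagement.ReadWrite.Directory", "User.DeleteRestore.All",
        "User.ReadWrite.All", "User.Read", "Policy.Read.All",
        "Policy.ReadWrite.ConditionalAccess", "Agreement.Read.All"},
    "Azure Resource Manager": {"user_impersonation"},
}

def granted_permissions(api_label, graph_app_roles, assignments, grants):
    """Pool application and delegated grants by API label and permission name.

    api_label: resource service principal object id -> API name used on this page
    graph_app_roles: 'appRoles' of the Microsoft Graph service principal
    assignments: items from GET /servicePrincipals/{id}/appRoleAssignments
    grants: items from GET /servicePrincipals/{id}/oauth2PermissionGrants
    """
    names = {r["id"]: r["value"] for r in graph_app_roles}
    granted = {}
    for a in assignments:  # application permissions, identified by appRoleId
        api = api_label.get(a["resourceId"], a["resourceId"])
        perm = names.get(a["appRoleId"], "unresolved:" + a["appRoleId"])
        granted.setdefault(api, set()).add(perm)
    for g in grants:  # delegated permissions, a space-separated scope string
        api = api_label.get(g["resourceId"], g["resourceId"])
        granted.setdefault(api, set()).update(g["scope"].split())
    return granted

def drift(granted):
    """Return (missing, unexpected): API -> sorted permission names."""
    missing, unexpected = {}, {}
    for api in sorted(set(DOCUMENTED) | set(granted)):
        want, have = DOCUMENTED.get(api, set()), granted.get(api, set())
        if want - have:
            missing[api] = sorted(want - have)
        if have - want:
            unexpected[api] = sorted(have - want)
    return missing, unexpected

# Constructed sample data: ids are placeholders, not real tenant values.
LABELS = {"sp-graph": "Microsoft Graph", "sp-arm": "Azure Resource Manager"}
ROLES = [{"id": f"role-{i}", "value": v} for i, v in
         enumerate(sorted(DOCUMENTED["Microsoft Graph"]) + ["Mail.ReadWrite"])]
ASSIGNED = [{"resourceId": "sp-graph", "appRoleId": r["id"]}
            for r in ROLES if r["value"] != "Agreement.Read.All"]
GRANTS = [{"resourceId": "sp-arm", "scope": "user_impersonation"}]

if __name__ == "__main__":
    print(drift(granted_permissions(LABELS, ROLES, ASSIGNED, GRANTS)))
```

Grants on a resource that is not in `api_label` are reported under that resource's object id, and an `appRoleId` that cannot be resolved is reported as `unresolved:<id>`, so both appear as unexpected.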