Microsoft Entra Application Permissions

Veeam Data Cloud for Microsoft 365 uses Microsoft Entra applications to establish and maintain the connection between Veeam Data Cloud for Microsoft 365 and Microsoft 365 organizations, and perform backup and restore of the organization data.

In this section you can find a list of permissions for Microsoft Entra applications that are granted automatically by Veeam Data Cloud for Microsoft 365 when you add your organization during onboarding.

If you prefer to manually add your organization, make sure to manually grant all the listed permissions.

Note

For the user account that the Microsoft Entra application will use to log in to Microsoft 365, consider the following:

  • You must assign the required roles to this user account.
  • If you plan to back up public folder mailboxes, this user account must have a valid Exchange Online license and an active mailbox within the Microsoft 365 organization.

Required User Account Roles for Microsoft Entra Application

The user account that the Microsoft Entra application uses to log in to Microsoft 365 must be assigned the following roles:

NOTE

Veeam Data Cloud for Microsoft 365 does not support Microsoft Entra Privileged Identity Management.

Required Permissions for Microsoft Entra Application

Note

To restore data using Microsoft Entra application, make sure that you configure the Microsoft Entra application settings. For more information, see Configuring Microsoft Entra Application Settings.

API

Permission name

Permission type

Exchange Online

SharePoint Online and OneDrive for Business

Microsoft Teams

Description

Microsoft Graph

Directory.Read.All

Application

Querying Microsoft Entra ID for organization properties, the list of users and groups and their properties.

Group.Read.All

Application

Querying Microsoft Entra ID for the list of groups and group sites.

Group.ReadWrite.All

Application

 

Recreating in Microsoft Entra ID an associated group in case of a deleted team site restore.

Sites.Read.All

Application

 

Querying Microsoft Entra ID for the list of sites and getting download URLs for files and their versions.

TeamSettings.ReadWrite.All

Application

 

 

Accessing archived teams.

ChannelMessage.Read.All

Application

 

 

Accessing Microsoft Teams public channel messages.

ChannelMember.Read.All

Application

 

 

Accessing Microsoft Teams private and shared channels.

Directory.Read.All

Delegated

Querying Microsoft Entra ID for organization properties, the list of users and groups and their properties.

Group.ReadWrite.All

Delegated

 

 

Recreating in Microsoft Entra ID an associated group in case of teams restore.

Sites.Read.All

Delegated

 

Accessing sites of the applications that are installed from the SharePoint store.

Directory.ReadWrite.All

Delegated

 

 

Setting the preferred data location when creating a new Microsoft 365 group for a multi-geo tenant in case of teams restore.

offline_access

Delegated

Obtaining a refresh token from Microsoft Entra ID.

ChannelMember.ReadWrite.All

Delegated

 

 

Reading the current state and restoring Microsoft Teams private and shared channels.

ChannelMessage.Read.All

Delegated

 

 

Accessing Microsoft Teams user channel messages.

Directory.ReadWrite.All

Application

 

 

Setting the preferred data location when creating a new Microsoft 365 group for a multi-geo tenant in case of teams restore.

Files.ReadWrite.All

Application

 

 

Reading the current state and restoring files of Microsoft Teams shared channels.

ChannelMember.ReadWrite.All

Application

 

 

Reading the current state and restoring Microsoft Teams private and shared channels.

Reports.Read.All

Application

Reading all service usage reports.

Reports.Read.All

Delegated

Reading all usage reports.

User.Read

Delegated

Signing in and reading user profile.

Sites.ReadWrite.All

Application

 

 

Creating, reading, updating, and deleting documents and list items in all site collections.

Office 365 Exchange Online1

full_access_as_app

Application

 

Reading and restoring mailboxes content.

Exchange.ManageAsApp

Application

 

 

Accessing Exchange Online PowerShell to do the following:

  • Back up public folder and discovery search mailboxes.
  • Determine object type for shared mailboxes as Shared Mailbox.

Note: This permission is required to back up public folders and discovery search mailboxes. This permission works along with the Global Reader role granted to the Microsoft Entra application. For more information, see Granting Global Reader Role to Microsoft Entra Application.

EWS.AccessAsUser.All

Delegated

 

 

Accessing mailboxes as the signed-in user (impersonation) through EWS.

full_access_as_user

Delegated

 

 

Reading the current state and restoring mailboxes content.

Note: This permission is only required for organizations located in legacy Microsoft Entra Germany region.

Office 365 SharePoint Online

Sites.FullControl.All

Application

 

Reading SharePoint sites and OneDrive accounts content.

User.Read.All

Application

 

Reading OneDrive accounts (getting site IDs).

Note: This permission is not used to back up Microsoft Teams data, but you must grant it along with SharePoint Online and OneDrive for Business permission to add a Microsoft 365 organization successfully.

AllSites.FullControl

Delegated

 

Reading the current state and restoring SharePoint sites and OneDrive accounts content.

 

User.ReadWrite.All

Delegated

 

 

Reading and updating user profiles.

1You can check permissions for Office 365 Exchange Online API. For more information, see Checking Permissions for Office 365 Exchange Online API.

Granting Global Reader Role to Microsoft Entra Application

Veeam Data Cloud for Microsoft 365 supports backup of public folders and discovery search mailboxes in Microsoft 365 organizations. To back up these objects, Veeam Data Cloud for Microsoft 365 needs access to Exchange Online PowerShell. To access Exchange Online PowerShell, Microsoft Entra application requires the Global Reader role.

To grant the Global Reader role to the Microsoft Entra application, do the following:

  1. Sign in to the Microsoft Entra admin center.
  2. Go to Identity > Roles & admins > Roles & admins.
  3. In the Administrative roles list, find the Global Reader role and click on it.
  4. In the Global Reader window, click Add assignments. The Add assignments wizard runs.
  5. In the Select member(s) section, click the link.
  6. In the Select a member window, select the Microsoft Entra application in the list and click Select. The selected application will appear in the Selected member(s) list.
  7. Click Next and then click Assign to finish working with the wizard.