Microsoft Entra Application Permissions
Veeam Data Cloud for Microsoft 365 uses Microsoft Entra applications to establish and maintain the connection between Veeam Data Cloud for Microsoft 365 and Microsoft 365 organizations, and perform backup and restore of the organization data.
In this section you can find a list of permissions for Microsoft Entra applications that are granted automatically by Veeam Data Cloud for Microsoft 365 when you add your organization during onboarding.
If you prefer to manually add your organization, make sure to manually grant all the listed permissions.
Note |
For the user account that the Microsoft Entra application will use to log in to Microsoft 365, consider the following:
|
Required User Account Roles for Microsoft Entra Applications
The user account that the Microsoft Entra application uses to log in to Microsoft 365 must be assigned the following roles:
- Global Administrator — required for adding organizations, creating backup applications, and creating Microsoft Entra application for the Microsoft Azure service account.
- ApplicationImpersonation and Global Administrator or Exchange Administrator — required for data restore for Microsoft Exchange.
- Global Administrator or SharePoint Administrator — required for data restore for Microsoft SharePoint and Microsoft OneDrive for Business.
- Global Administrator or Teams Administrator — required for data restore for Microsoft Teams.
- Owner — required for backing up public folder mailboxes.
Backup and Restore Permissions
All the listed permissions are required for backup and restore operations.
Note |
To restore data using Microsoft Entra application, make sure that you configure the Microsoft Entra application settings. For more information, see Configuring Microsoft Entra Application Settings. |
API | Permission name | Permission type | Exchange Online | SharePoint Online and OneDrive for Business | Microsoft Teams | Description |
|---|---|---|---|---|---|---|
Microsoft Graph | Directory.Read.All | Application | ✔ | ✔ | ✔ | Querying Microsoft Entra ID for organization properties, the list of users and groups and their properties. |
Group.Read.All | Application | ✔ | ✔ | ✔ | Querying Microsoft Entra ID for the list of groups and group sites. | |
Group.ReadWrite.All | Application |
| ✔ | ✔ | Recreating in Microsoft Entra ID an associated group in case of a deleted team site restore. | |
Sites.Read.All | Application |
| ✔ | ✔ | Querying Microsoft Entra ID for the list of sites and getting download URLs for files and their versions. | |
TeamSettings.ReadWrite.All | Application |
|
| ✔ | Accessing archived teams. | |
ChannelMessage.Read.All | Application |
|
| ✔ | Accessing Microsoft Teams public channel messages. | |
ChannelMember.Read.All | Application |
|
| ✔ | Accessing Microsoft Teams private and shared channels. | |
Directory.Read.All | Delegated | ✔ | ✔ | ✔ | Querying Microsoft Entra ID for organization properties, the list of users and groups and their properties. | |
Group.ReadWrite.All | Delegated |
|
| ✔ | Recreating in Microsoft Entra ID an associated group in case of teams restore. | |
Sites.Read.All | Delegated |
| ✔ | ✔ | Accessing sites of the applications that are installed from the SharePoint store. | |
Directory.ReadWrite.All | Delegated |
|
| ✔ | Setting the preferred data location when creating a new Microsoft 365 group for a multi-geo tenant in case of teams restore. | |
offline_access | Delegated | ✔ | ✔ | ✔ | Obtaining a refresh token from Microsoft Entra ID. | |
ChannelMember.ReadWrite.All | Delegated |
|
| ✔ | Reading the current state and restoring Microsoft Teams private and shared channels. | |
ChannelMessage.Read.All | Delegated |
|
| ✔ | Accessing Microsoft Teams user channel messages. | |
Directory.ReadWrite.All | Application |
|
| ✔ | Setting the preferred data location when creating a new Microsoft 365 group for a multi-geo tenant in case of teams restore. | |
Files.ReadWrite.All | Application |
|
| ✔ | Reading the current state and restoring files of Microsoft Teams shared channels. | |
ChannelMember.ReadWrite.All | Application |
|
| ✔ | Reading the current state and restoring Microsoft Teams private and shared channels. | |
Reports.Read.All | Application | ✔ | ✔ | ✔ | Reading all service usage reports. | |
Reports.Read.All | Delegated | ✔ | ✔ | ✔ | Reading all usage reports. | |
User.Read | Delegated | ✔ | ✔ | ✔ | Signing in and reading user profile. | |
Sites.ReadWrite.All | Application |
| ✔ |
| Creating, reading, updating, and deleting documents and list items in all site collections. | |
Office 365 Exchange Online1 | full_access_as_app | Application | ✔ |
| ✔ | Reading and restoring mailboxes content. |
Exchange.ManageAsApp | Application | ✔ |
|
| Accessing Exchange Online PowerShell to do the following:
Note: This permission is required to back up public folders and discovery search mailboxes. This permission works along with the Global Reader role granted to the Microsoft Entra application. For more information, see Granting Global Reader Role to Microsoft Entra Application. | |
EWS.AccessAsUser.All | Delegated | ✔ |
|
| Accessing mailboxes as the signed-in user (impersonation) through EWS. | |
full_access_as_user | Delegated | ✔ |
|
| Reading the current state and restoring mailboxes content. Note: This permission is only required for organizations located in legacy Microsoft Entra Germany region. | |
Office 365 SharePoint Online | Sites.FullControl.All | Application |
| ✔ | ✔ | Reading SharePoint sites and OneDrive accounts content. |
User.Read.All | Application |
| ✔ | ✔ | Reading OneDrive accounts (getting site IDs). Note: This permission is not used to back up Microsoft Teams data, but you must grant it along with SharePoint Online and OneDrive for Business permission to add a Microsoft 365 organization successfully. | |
AllSites.FullControl | Delegated |
| ✔ | ✔ | Reading the current state and restoring SharePoint sites and OneDrive accounts content. | |
| User.ReadWrite.All | Delegated |
| ✔ |
| Reading and updating user profiles. |
1You can check permissions for Office 365 Exchange Online API. For more information, see Checking Permissions for Office 365 Exchange Online API.
Granting Global Reader Role to Microsoft Entra Application
Veeam Data Cloud for Microsoft 365 supports backup of public folders and discovery search mailboxes in Microsoft 365 organizations. To back up these objects, Veeam Data Cloud for Microsoft 365 needs access to Exchange Online PowerShell. To access Exchange Online PowerShell, Microsoft Entra application requires the Global Reader role.
To grant the Global Reader role to the Microsoft Entra application, do the following:
- Sign in to the Microsoft Entra admin center.
- Go to Identity > Roles & admins > Roles & admins.
- In the Administrative roles list, find the Global Reader role and click on it.
- In the Global Reader window, click Add assignments. The Add assignments wizard runs.
- In the Select member(s) section, click the link.
- In the Select a member window, select the Microsoft Entra application in the list and click Select. The selected application will appear in the Selected member(s) list.
- Click Next and then click Assign to finish working with the wizard.