Microsoft Entra Application Permissions
Veeam Data Cloud for Microsoft 365 uses Microsoft Entra applications to establish and maintain the connection between Veeam Data Cloud for Microsoft 365 and Microsoft 365 organizations, and perform backup and restore of the organization data.
For Veeam Data Cloud, Microsoft Entra ID automatically creates 3 Enterprise applications (not application registrations) in your tenant:
- Veeam Data Cloud [EMEA, AMER, APJ]
When you log in to Veeam Data Cloud for Microsoft 365 with a Microsoft account for the first time, you must accept the following delegated permissions: openid (allowing users to sign in), profile (viewing users' basic profile), offline_access (viewing and updating data you have given access to), email (viewing the user's email address). After you accept the permissions, the Veeam Data Cloud [EMEA, AMER, APJ] Enterprise application is created with those permissions. Veeam Data Cloud uses this Enterprise application to authenticate the users who sign in to Veeam Data Cloud with Microsoft accounts. When users log in to Veeam Data Cloud for Microsoft 365 for the first time, they must accept the following permissions: profile (View users' basic profile) and offline_access (Maintain access to data you have given it access to).
- Veeam Data Cloud Registration [EMEA, AMER, APJ]
- During the self-service onboarding process, if you choose to automatically connect Veeam Data Cloud to Microsoft 365, you must accept the following delegated permissions upon entering the device code: Application.ReadWrite.All (creating, reading, updating and deleting applications), AppRoleAssignment.ReadWrite.All (managing app permission grants and app role assignments), Directory.ReadWrite.All (reading and writing data in your organization directory), RoleManagement.ReadWrite.Directory (reading and managing the role-based access control settings for your directory). After you accept the permissions, the Veeam Data Cloud Registration [EMEA, AMER, APJ] Enterprise application is created. Veeam Data Cloud uses this Enterprise application to automatically create the Veeam Data Cloud for Microsoft 365 application registration that is used for backup and restore.
- During the self-service onboarding process, if you choose to manually connect Veeam Data Cloud to Microsoft 365, the Veeam Data Cloud Registration [EMEA, AMER, APJ] Enterprise application is not created. You must manually create the Veeam Data Cloud for Microsoft 365 application registration. For more information on how to create a new application registration, see this Microsoft article.
Once you have successfully onboarded, the Veeam Data Cloud Registration [EMEA, AMER, APJ] Enterprise application is deleted. When using features such as uploading certificates, Veeam Data Cloud will ask for the permissions and create the Veeam Data Cloud Registration [EMEA, AMER, APJ] Enterprise application again.
- Veeam Data Cloud for Microsoft 365
When you run your first backup session, the Veeam Data Cloud for Microsoft 365 Enterprise application is created. Veeam Data Cloud uses this Enterprise application for backup and restore purposes.
For Express or Premium, you must grant admin consent to a fourth Enterprise application, called Multi-tenant Registration for MBS Billing. To view the required permissions for this Enterprise application, see Microsoft Entra Application Permissions.
In the following sections you can find a list of permissions for Microsoft Entra applications that are granted automatically by Veeam Data Cloud for Microsoft 365 when you add your organization during onboarding.
If you prefer to manually add your organization, make sure to manually grant all the listed permissions to the Veeam Data Cloud for Microsoft 365 application registration.
Note: For the user account that the Microsoft Entra application will use to log in to Microsoft 365, consider the following:
Required User Account Roles for Microsoft Entra Application
The user account that the Microsoft Entra application uses to log in to Microsoft 365 must be assigned the following roles:
- Global Administrator — required for adding organizations, creating the Microsoft Entra application for the Microsoft Azure service account, creating backup applications, and reauthorizing Veeam Data Cloud.
- Owner — required for backing up public folder mailboxes.
Note: Veeam Data Cloud for Microsoft 365 does not support Microsoft Entra Privileged Identity Management.
Required Permissions for Microsoft Entra Application
Note: To restore data using the Microsoft Entra application, make sure that you configure the Microsoft Entra application settings. For more information, see Configuring Microsoft Entra Application Settings.
| API | Permission name | Permission type | Exchange Online | SharePoint Online and OneDrive for Business | Microsoft Teams | Description |
|---|---|---|---|---|---|---|
| Microsoft Graph | Directory.Read.All | Application | ✔ | ✔ | ✔ | Querying Microsoft Entra ID for organization properties, the list of users and groups and their properties. |
| | Group.Read.All | Application | ✔ | ✔ | ✔ | Querying Microsoft Entra ID for the list of groups and group sites. |
| | Group.ReadWrite.All | Application | | ✔ | ✔ | Recreating in Microsoft Entra ID an associated group in case of a deleted team site restore. |
| | Sites.Read.All | Application | | ✔ | ✔ | Querying Microsoft Entra ID for the list of sites and getting download URLs for files and their versions. |
| | TeamSettings.ReadWrite.All | Application | | | ✔ | Accessing archived teams. |
| | ChannelMessage.Read.All | Application | | | ✔ | Accessing Microsoft Teams public channel messages. |
| | ChannelMember.Read.All | Application | | | ✔ | Accessing Microsoft Teams private and shared channels. |
| | Directory.Read.All | Delegated | ✔ | ✔ | ✔ | Querying Microsoft Entra ID for organization properties, the list of users and groups and their properties. |
| | Group.ReadWrite.All | Delegated | | | ✔ | Recreating in Microsoft Entra ID an associated group in case of teams restore. |
| | Sites.Read.All | Delegated | | ✔ | ✔ | Accessing sites of the applications that are installed from the SharePoint store. |
| | Directory.ReadWrite.All | Delegated | | | ✔ | Setting the preferred data location when creating a new Microsoft 365 group for a multi-geo tenant in case of teams restore. |
| | offline_access | Delegated | ✔ | ✔ | ✔ | Obtaining a refresh token from Microsoft Entra ID. |
| | ChannelMember.ReadWrite.All | Delegated | | | ✔ | Reading the current state and restoring Microsoft Teams private and shared channels. |
| | ChannelMessage.Read.All | Delegated | | | ✔ | Accessing Microsoft Teams user channel messages. |
| | Files.ReadWrite.All | Application | | | ✔ | Reading the current state and restoring files of Microsoft Teams shared channels. |
| | ChannelMember.ReadWrite.All | Application | | | ✔ | Reading the current state and restoring Microsoft Teams private and shared channels. |
| | Reports.Read.All | Application | ✔ | ✔ | ✔ | Reading all service usage reports. |
| | Reports.Read.All | Delegated | ✔ | ✔ | ✔ | Reading all usage reports. |
| | User.Read | Delegated | ✔ | ✔ | ✔ | Signing in and reading the user profile. |
| | Sites.ReadWrite.All | Application | | ✔ | | Creating, reading, updating and deleting documents and list items in all site collections. |
| | Sites.ReadWrite.All | Delegated | | ✔ | | Editing or deleting documents and list items in all site collections. |
| Office 365 Exchange Online¹ | full_access_as_app | Application | ✔ | | ✔ | Reading and restoring mailbox content. |
| | Exchange.ManageAsApp | Application | ✔ | | | Accessing Exchange Online PowerShell to do the following: Note: This permission is required to back up public folders and discovery search mailboxes. This permission works along with the Global Reader role granted to the Microsoft Entra application. For more information, see Granting Global Reader Role to Microsoft Entra Application. |
| | EWS.AccessAsUser.All | Delegated | ✔ | | | Accessing mailboxes as the signed-in user (impersonation) through EWS. |
| Office 365 SharePoint Online | Sites.FullControl.All | Application | | ✔ | ✔ | Reading SharePoint sites and OneDrive accounts content. |
| | User.Read.All | Application | | ✔ | ✔ | Reading OneDrive accounts (getting site IDs). Note: This permission is not used to back up Microsoft Teams data, but you must grant it along with the SharePoint Online and OneDrive for Business permissions to add a Microsoft 365 organization successfully. |
| | AllSites.FullControl | Delegated | | ✔ | ✔ | Reading the current state and restoring SharePoint sites and OneDrive accounts content. |
| | User.ReadWrite.All | Delegated | | ✔ | | Reading and updating user profiles. |
¹ You can check permissions for the Office 365 Exchange Online API. For more information, see Checking Permissions for Office 365 Exchange Online API.
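The table above is what an administrator has to verify after consent, per workload. The following is an added example (not Veeam's code) that encodes the table and reports both the permissions still missing and any grants the table does not list for the chosen workloads, so over-consent is visible too. It assumes you have already resolved the app's appRoleAssignments and oauth2PermissionGrants into (API, permission name, permission type) triples; the sample grant set is constructed.

```python
"""Audit an app registration's grants against the permission table above.
Added example, not Veeam's code. Assumes grants are already resolved into
(API, permission name, permission type) triples; this only does the set check."""
G, X, S = "Microsoft Graph", "Office 365 Exchange Online", "Office 365 SharePoint Online"
A, D = "Application", "Delegated"
# Each row: API, permission name, type, workloads that need it (EXO, SPO, Teams).
REQUIRED = [
    (G, "Directory.Read.All", A, "EXO SPO Teams"),
    (G, "Group.Read.All", A, "EXO SPO Teams"),
    (G, "Group.ReadWrite.All", A, "SPO Teams"),
    (G, "Sites.Read.All", A, "SPO Teams"),
    (G, "TeamSettings.ReadWrite.All", A, "Teams"),
    (G, "ChannelMessage.Read.All", A, "Teams"),
    (G, "ChannelMember.Read.All", A, "Teams"),
    (G, "Directory.Read.All", D, "EXO SPO Teams"),
    (G, "Group.ReadWrite.All", D, "Teams"),
    (G, "Sites.Read.All", D, "SPO Teams"),
    (G, "Directory.ReadWrite.All", D, "Teams"),
    (G, "offline_access", D, "EXO SPO Teams"),
    (G, "ChannelMember.ReadWrite.All", D, "Teams"),
    (G, "ChannelMessage.Read.All", D, "Teams"),
    (G, "Files.ReadWrite.All", A, "Teams"),
    (G, "ChannelMember.ReadWrite.All", A, "Teams"),
    (G, "Reports.Read.All", A, "EXO SPO Teams"),
    (G, "Reports.Read.All", D, "EXO SPO Teams"),
    (G, "User.Read", D, "EXO SPO Teams"),
    (G, "Sites.ReadWrite.All", A, "SPO"),
    (G, "Sites.ReadWrite.All", D, "SPO"),
    (X, "full_access_as_app", A, "EXO Teams"),
    (X, "Exchange.ManageAsApp", A, "EXO"),
    (X, "EWS.AccessAsUser.All", D, "EXO"),
    (S, "Sites.FullControl.All", A, "SPO Teams"),
    (S, "User.Read.All", A, "SPO Teams"),
    (S, "AllSites.FullControl", D, "SPO Teams"),
    (S, "User.ReadWrite.All", D, "SPO"),
]

def required_for(workloads):
    """(API, name, type) triples the table requires for the given workloads."""
    return {(api, n, t) for api, n, t, w in REQUIRED if set(w.split()) & set(workloads)}

def audit(workloads, granted):
    """Return (missing, unexpected): grants still lacking admin consent, and grants
    the table does not list for these workloads (review them for least privilege)."""
    need = required_for(workloads)
    return sorted(need - set(granted)), sorted(set(granted) - need)

# Constructed sample: Exchange-only tenant, Exchange.ManageAsApp not yet consented,
# plus a SharePoint write permission that an Exchange-only backup does not need.
SAMPLE = (required_for({"EXO"}) - {(X, "Exchange.ManageAsApp", A)}) | {(G, "Sites.ReadWrite.All", A)}
print(audit({"EXO"}, SAMPLE))
```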
Express or Premium Permissions for Microsoft Entra Application
If you are under the Express or Premium plan, the following additional permissions are required for the Microsoft Entra application:
Permission name | AppOnly ("type": "Role") | Delegated ("type": "Scope") | Description |
---|---|---|---|
BackupRestore-Configuration.Read.All | 5fbb5982-3230-4882-93c0-2167523ce0c2 | 444ed4b6-0554-4dc6-8e9c-3f9a34ee3ff6 | Reading all backup configurations and lists of Microsoft 365 service resources to be backed up, without (or on behalf of) a signed-in user. |
BackupRestore-Configuration.ReadWrite.All | 18133149-5489-40ac-80f0-4b6fa85f6cdc | a0244d16-171c-4496-8ffb-7b9b6954d339 | Reading and updating the backup configuration and lists of Microsoft 365 service resources to be backed up, without (or on behalf of) a signed-in user. |
BackupRestore-Restore.Read.All | 87853aa5-0372-4710-b34b-cef27bb7156e | 94b36f78-434f-4904-8c08-421d9a9c1dc2 | Reading all restore sessions, without (or on behalf of) a signed-in user. |
BackupRestore-Restore.ReadWrite.All | bebd0841-a3d8-4313-a51d-731112c8ee4 | 9f89e109-94b9-4c9b-b4fc-98cdaa54f574 | Reading all restore sessions and starting restore sessions from backups, without (or on behalf of) a signed-in user. |
BackupRestore-Search.Read.All | f6135c51-c766-4be1-9638-ed90c2ed2443 | 2b24830f-f435-446f-ab5a-b1e70d9a2eb5 | Searching all backup snapshots for Microsoft 365 resources, without (or on behalf of) a signed-in user. |
BackupRestore-Control.Read.All | 6fe20a79-0e15-45a1-b019-834c125993a0 | af598c63-4292-4437-b925-e996354d3854 | Reading the status of Microsoft 365 backup service, without (or on behalf of) a signed-in user. |
BackupRestore-Control.ReadWrite.All | fb240865-88f8-4a1d-923f-98dbc7920860 | 96d46335-d92d-41b8-bc9f-273a692381ea | Updating or reading the status of Microsoft 365 backup service, without (or on behalf of) a signed-in user. |
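Because this table is keyed by permission id and "type" ("Role" for AppOnly, "Scope" for Delegated), it can be checked directly against the app registration's manifest. The following is an added example (not Veeam's code) that reads the standard Microsoft Entra app manifest shape (requiredResourceAccess with resourceAccess entries carrying "id" and "type"), assumes the well-known Microsoft Graph resource application id 00000003-0000-0000-c000-000000000000, and lists which of the pairs above the manifest does not yet request; the sample manifest is constructed. Note that a manifest entry is a request, and admin consent is granted separately.

```python
"""Check an app registration manifest for the Express/Premium BackupRestore
permissions in the table above. Added example, not Veeam's code; assumes the
standard Microsoft Entra app manifest shape and the well-known Graph resource id."""
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph resource app id
# Permission name -> (AppOnly "Role" id, Delegated "Scope" id), copied from the table.
BACKUP_RESTORE = {
    "BackupRestore-Configuration.Read.All": ("5fbb5982-3230-4882-93c0-2167523ce0c2", "444ed4b6-0554-4dc6-8e9c-3f9a34ee3ff6"),
    "BackupRestore-Configuration.ReadWrite.All": ("18133149-5489-40ac-80f0-4b6fa85f6cdc", "a0244d16-171c-4496-8ffb-7b9b6954d339"),
    "BackupRestore-Restore.Read.All": ("87853aa5-0372-4710-b34b-cef27bb7156e", "94b36f78-434f-4904-8c08-421d9a9c1dc2"),
    "BackupRestore-Restore.ReadWrite.All": ("bebd0841-a3d8-4313-a51d-731112c8ee4", "9f89e109-94b9-4c9b-b4fc-98cdaa54f574"),  # Role id as printed above
    "BackupRestore-Search.Read.All": ("f6135c51-c766-4be1-9638-ed90c2ed2443", "2b24830f-f435-446f-ab5a-b1e70d9a2eb5"),
    "BackupRestore-Control.Read.All": ("6fe20a79-0e15-45a1-b019-834c125993a0", "af598c63-4292-4437-b925-e996354d3854"),
    "BackupRestore-Control.ReadWrite.All": ("fb240865-88f8-4a1d-923f-98dbc7920860", "96d46335-d92d-41b8-bc9f-273a692381ea"),
}

def requested_graph_access(manifest):
    """Set of (permission id, "Role"/"Scope") the manifest requests from Microsoft Graph.
    A request is not consent: admin consent is granted separately on the Enterprise app."""
    found = set()
    for res in manifest.get("requiredResourceAccess", []):
        if res.get("resourceAppId", "").lower() == GRAPH_APP_ID:
            for acc in res.get("resourceAccess", []):
                found.add((acc["id"].lower(), acc["type"]))
    return found

def missing_backup_restore(manifest):
    """(name, "Role"/"Scope") pairs from the table that the manifest does not request."""
    have = requested_graph_access(manifest)
    missing = []
    for name, (role_id, scope_id) in BACKUP_RESTORE.items():
        if (role_id, "Role") not in have:
            missing.append((name, "Role"))
        if (scope_id, "Scope") not in have:
            missing.append((name, "Scope"))
    return missing

# Constructed sample manifest: only the Configuration.Read.All pair has been added so far.
SAMPLE_MANIFEST = {"requiredResourceAccess": [{
    "resourceAppId": GRAPH_APP_ID,
    "resourceAccess": [
        {"id": "5fbb5982-3230-4882-93c0-2167523ce0c2", "type": "Role"},
        {"id": "444ed4b6-0554-4dc6-8e9c-3f9a34ee3ff6", "type": "Scope"},
    ],
}]}

if __name__ == "__main__":
    for name, kind in missing_backup_restore(SAMPLE_MANIFEST):
        print(f"missing {kind:5} {name}")
```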
Veeam Insights for Microsoft 365 Permissions
In addition to the permissions mentioned, if you access Veeam Insights for Microsoft 365, you must accept the following permissions:
- Reports.Read.All (delegated): Reading all service usage reports on behalf of the signed-in user.
- User.Read.All (delegated): Reading the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user.
- Domain.Read.All (delegated): Reading all domain properties on behalf of the signed-in user.
Granting Global Reader Role to Microsoft Entra Application
Veeam Data Cloud for Microsoft 365 supports backup of public folders and discovery search mailboxes in Microsoft 365 organizations. To back up these objects, Veeam Data Cloud for Microsoft 365 needs access to Exchange Online PowerShell. To access Exchange Online PowerShell, the Microsoft Entra application requires the Global Reader role.
To grant the Global Reader role to the Microsoft Entra application, do the following:
- Sign in to the Microsoft Entra admin center.
- Go to Identity > Roles & admins > Roles & admins.
- In the Administrative roles list, find the Global Reader role and click on it.
- In the Global Reader window, click Add assignments. The Add assignments wizard runs.
- In the Select member(s) section, click the link.
- In the Select a member window, select the Microsoft Entra application in the list and click Select. The selected application will appear in the Selected member(s) list.
- Click Next and then click Assign to finish working with the wizard.