Azure AD Application Permissions
This section explains required permissions for Azure AD applications that you use to back up and restore data from/to your Microsoft Office 365 organisations.
For more information about permissions in Azure, see this Microsoft article.
During the setup process, we will create an Azure application called CloudCover 365 Backup, which will be used to perform your backups.
The following table lists permissions for Azure AD applications that are granted automatically during the setup when your organisation is added.
| API | Permission name | Type | Usage | Description |
|---|---|---|---|---|
| Microsoft Graph | Directory.Read.All | Application | Backup | Querying Azure AD for organization properties, the list of users and groups and their properties. |
| | | Delegated¹ | Restore | Querying Azure AD for organization properties, the list of users and groups and their properties. |
| | Group.Read.All | Application | Backup | Querying Azure AD for the list of groups and group sites. |
| | Group.ReadWrite.All | Application² | Restore | Recreating in Azure AD an associated group in case of a deleted team site restore. This permission is only required for restore of SharePoint site data with Azure AD applications using a certificate. The operation is available through RESTful API and PowerShell. |
| | | Delegated¹ | Restore | Recreating in Azure AD an associated group in case of teams restore. |
| | offline_access | Delegated¹ | Restore | Obtaining a refresh token from Azure AD. |
| | Sites.ReadWrite.All | Application | Backup | Querying Azure AD for the list of sites and getting download URLs for files and their versions. |
| | TeamSettings.ReadWrite.All | Application | Backup | Accessing archived teams to back up. |
| | | Application² | Restore | Restoring teams to the archived state. |
| Exchange Online | EWS.AccessAsUser.All | Delegated | Restore | Accessing mailboxes as the signed-in user (impersonation) through EWS to restore. |
| | full_access_as_app | Application | Backup | Reading mailbox content to back up. |
| SharePoint | AllSites.FullControl | Delegated¹ | Restore | Reading the current state and restoring SharePoint sites and OneDrive accounts content. |
| | Sites.FullControl.All | Application | Backup | Reading sites and OneDrive accounts content to back up. |
| | | Application² | Restore | Reading the current state and restoring SharePoint sites and OneDrive accounts content. |
| | User.Read.All | Application | Backup | Reading OneDrive accounts to back up (getting site IDs). |
| | | Application² | Restore | Resolving OneDrive accounts to restore (getting site IDs). |
| | User.ReadWrite.All | Delegated¹ | Restore | Resolving OneDrive accounts to restore (getting site IDs). |

¹ Permissions of the Delegated type are used for data restore using the device code flow.
² Permissions of the Application type are used for data restore using an application certificate.
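An added example, not part of the original page or the vendor's tooling: a drift check that compares the permissions actually granted to the backup application with the table above, reporting grants outside it and documented grants that are absent. The input layout (API name with a role, and API name with a space-delimited scope string) and the sample grants, including the extra `Mail.Send`, are constructed for illustration.

```python
# Baseline transcribed from the table on this page: (API, permission, type) triples.
BASELINE = {
    ("Microsoft Graph", "Directory.Read.All", "Application"),
    ("Microsoft Graph", "Directory.Read.All", "Delegated"),
    ("Microsoft Graph", "Group.Read.All", "Application"),
    ("Microsoft Graph", "Group.ReadWrite.All", "Application"),
    ("Microsoft Graph", "Group.ReadWrite.All", "Delegated"),
    ("Microsoft Graph", "offline_access", "Delegated"),
    ("Microsoft Graph", "Sites.ReadWrite.All", "Application"),
    ("Microsoft Graph", "TeamSettings.ReadWrite.All", "Application"),
    ("Exchange Online", "EWS.AccessAsUser.All", "Delegated"),
    ("Exchange Online", "full_access_as_app", "Application"),
    ("SharePoint", "AllSites.FullControl", "Delegated"),
    ("SharePoint", "Sites.FullControl.All", "Application"),
    ("SharePoint", "User.Read.All", "Application"),
    ("SharePoint", "User.ReadWrite.All", "Delegated"),
}

def granted_triples(app_roles, delegated_grants):
    """Flatten an export of grants into (API, permission, type) triples."""
    granted = {(api, role, "Application") for api, role in app_roles}
    for api, scopes in delegated_grants:
        # Delegated consent is recorded as one space-delimited scope string.
        granted |= {(api, scope, "Delegated") for scope in scopes.split()}
    return granted

def audit(app_roles, delegated_grants):
    """Return grants outside the baseline and baseline entries not granted."""
    granted = granted_triples(app_roles, delegated_grants)
    return {"unexpected": sorted(granted - BASELINE),
            "missing": sorted(BASELINE - granted)}

# Constructed sample export (hypothetical layout): one extra role, one scope left out.
SAMPLE_APP_ROLES = [
    ("Microsoft Graph", "Directory.Read.All"), ("Microsoft Graph", "Group.Read.All"),
    ("Microsoft Graph", "Group.ReadWrite.All"), ("Microsoft Graph", "Sites.ReadWrite.All"),
    ("Microsoft Graph", "TeamSettings.ReadWrite.All"), ("Microsoft Graph", "Mail.Send"),
    ("Exchange Online", "full_access_as_app"),
    ("SharePoint", "Sites.FullControl.All"), ("SharePoint", "User.Read.All"),
]
SAMPLE_DELEGATED = [
    ("Microsoft Graph", "Directory.Read.All Group.ReadWrite.All"),
    ("Exchange Online", "EWS.AccessAsUser.All"),
    ("SharePoint", "AllSites.FullControl User.ReadWrite.All"),
]

if __name__ == "__main__":
    for kind, items in audit(SAMPLE_APP_ROLES, SAMPLE_DELEGATED).items():
        print(kind, items)
```

An "unexpected" entry is the one to investigate first, since the application already holds tenant-wide mailbox and site access through `full_access_as_app` and `Sites.FullControl.All`.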