Skip to main content
druva_logo.pngDruva
|
Documentation

How can we help you?

 

Trending articles:
Druva Documentation

Microsoft 365 Permissions for Druva App

  1. Last updated
  2. Save as PDF

Overview

This article helps you understand the permissions that Druva requires to backup and restore your Microsoft 365 data.

For more information about how and where to provide these permissions to authorize Druva, see Configure Druva inSync for Microsoft 365.

Druva requires the following permission types.

  • Application: This will allow applications in Azure Active Directory (Azure AD) to perform actions using admin-driven consent.
  • Delegated: This will allow applications in Azure AD to perform actions on behalf of a particular user.

New permissions required for Microsoft Graph API v1.0

The new permissions required for Microsoft Graph API v1.0 are listed below.

Permission Type  Purpose
Exchange Online
Calendars.ReadWrite Application Backup and restore Exchange Online calendars.
Contacts.ReadWrite Application Backup and restore Exchange Online contacts.
Mail.ReadWrite Application Backup and restore Exchange Online mailboxes.
Tasks.ReadWrite.All Application Backup and restore Exchange Online tasks.
SharePoint Online
Sites.ReadWrite.All Application Backup and restore SharePoint Site using latest Graph APIs.
Sites.FullControl.All Application Backup and restore of all SharePoint sites, including system document libraries, using Microsoft Graph API.

For more information, see Microsoft Graph Permissions.

App-specific permissions

Permissions required for each app are listed below.

Microsoft 365 Advanced

Supported apps/features

SharePoint Online Public Folder Exchange Online OneDrive Teams  Groups Multi-Geo
               ✅                ✅                 ✅                ✅               ✅                  ✅                  ✅

Required Permissions

Permission Type Purpose

Application.ReadWrite.All

Application

Revoke app access from the tenant. 
Calendars.ReadWrite Application Read and write calendars in all mailboxes. 
Contacts.ReadWrite Application Read and write contacts in all mailboxes
Directory.ReadWrite.All Delegated Read and write directory data.
Directory.ReadWrite.All Application Read and write directory data.
RoleManagement.ReadWrite.Directory Application Read and write directory RBAC settings
RoleManagement.ReadWrite.Directory Delegated Read and write directory RBAC settings
Mail.ReadWrite Application Read and write mail in all mailboxes
MailboxSettings.Read Application Get user's mailbox type
Sites.ReadWrite.All Application Read data from SharePoint sites and sites associated with Microsoft Teams and M365 Groups.
Sites.FullControl.All Application Backup and restore of all SharePoint sites, including system document libraries, using Microsoft Graph API.
Tasks.ReadWrite.All Application Read and write all users’ tasks and task lists
User.Read.All Application Backup SharePoint site users.
Files.Read.All Application

Read Microsoft Teams channel files and folders to facilitate backups. 

Read users' OneDrive files.
Sites.ReadWrite.All Application Backup and Restore SharePoint Site using latest Graph APIs.
Exchange Online
Calendars.ReadWrite Application Backup and restore Exchange Online calendars.
Contacts.ReadWrite Application Backup and restore Exchange Online contacts.
Mail.ReadWrite Application Backup and restore Exchange Online mailboxes.
Tasks.ReadWrite.All Application Backup and restore Exchange Online tasks.
Microsoft Teams

Channel.Create

Application

Restore Microsoft Teams channels.

Channel.ReadBasic.All

Application

Backup Microsoft Teams channel metadata.

ChannelMember.ReadWrite.All

Application

Backup and restore Microsoft Teams channel members.

ChannelMessage.Read.All

Application

Backup Microsoft Teams channel conversations (messages).

ChannelSettings.ReadWrite.All

Application

Backup and restore Microsoft Teams channel settings.
Group.ReadWrite.All Delegated Restore Microsoft Teams.
Sites.Read.All Application Read data from SharePoint sites and sites associated with Microsoft Teams and M365 Groups.
TeamMember.ReadWrite.All Application Backup and restore Microsoft Teams members.
TeamSettings.ReadWrite.All Application Backup and restore Microsoft Teams settings.
TeamsTab.Read.All Application Back up Microsoft Teams tab's metadata.
Microsoft Groups
AppRoleAssignment.ReadWrite.All Application Backup and restore Microsoft Groups Role Assignment data.

Group.ReadWrite.All

Application

Backup and restore Microsoft Groups data.

GroupMember.ReadWrite.All

Application

Add a member to a Microsoft 365 group or a security group through the members’ navigation property.
SharePoint
Sites.Read.All Application Backup SharePoint Site, including site content types, using Microsoft Graph API.
Sites.Manage.All Application Restore of all SharePoint sites, including site content types, using Microsoft Graph API.
Sites.FullControl.All Application Restore of all SharePoint sites, including site content types, using Microsoft Graph API.
Sites.FullControl.All Application Backup and restore of all SharePoint sites, including content type hub, using Microsoft Graph API.

Microsoft 365 Basic

Supported apps/features

SharePoint Online Public Folder Exchange Online OneDrive Teams  Groups Multi-Geo
             ✅          ✅          ✅             ✅                ✅                 ❌                 ❌

Required Permissions

Permission Type Purpose

Application.ReadWrite.All

Application

Revoke app access from the tenant.
Calendars.ReadWrite Application Read and write calendars in all mailboxes
Contacts.ReadWrite Application Read and write contacts in all mailboxes.
Mail.ReadWrite Application Read and write mail in all mailboxes.
MailboxSettings.Read Application Get user's mailbox type
Tasks.ReadWrite.All Application Read and write all users’ tasks and tasklists
Sites.ReadWrite.All Application Read and write content on all sites.
Sites.FullControl.All Application Backup and restore of all SharePoint sites, including system document libraries, using Microsoft Graph API.
User.Read.All Application Import users from Azure AD.
Files.Read.All Application

Read Microsoft Teams channel files and folders to facilitate backups. 

Read users' OneDrive files.
Sites.ReadWrite.All Application Backup and Restore SharePoint Site using latest Graph APIs.
Exchange Online
Calendars.ReadWrite Application Backup and restore Exchange Online calendars.
Contacts.ReadWrite Application Backup and restore Exchange Online contacts.
Mail.ReadWrite Application Backup and restore Exchange Online mailboxes.
Tasks.ReadWrite.All Application Backup and restore Exchange Online tasks.
Sites.ReadWrite.All Application Backup and Restore SharePoint Site using latest Graph APIs.
Microsoft Teams

Channel.Create

Application

Restore Microsoft Teams channels.

Channel.ReadBasic.All

Application

Backup Microsoft Teams channel metadata.

ChannelMember.ReadWrite.All

Application

Backup and restore Microsoft Teams channel members.

ChannelMessage.Read.All

Application

Backup Microsoft Teams channel conversations (messages).

ChannelSettings.ReadWrite.All

Application

Backup and restore Microsoft Teams channel settings.

Directory.Read.All

Application

Read Groups settings while Teams backup.

Group.ReadWrite.All

Delegated

Restore Microsoft Teams. 
Sites.Read.All Application Read data from SharePoint sites and sites associated with Microsoft Teams.
TeamMember.ReadWrite.All Application Backup and restore Microsoft Teams members.
TeamSettings.ReadWrite.All Application Backup and restore Microsoft Teams settings.
TeamsTab.Read.All Application Back up Microsoft Teams tab's metadata.
Microsoft Groups    

Group.ReadWrite.All

Application

Backup and restore Microsoft Groups data.

GroupMember.ReadWrite.All

Application

Add a member to a Microsoft 365 group or a security group through the members’ navigation property.
SharePoint
Sites.Read.All Application Backup SharePoint Site, including site content types, using Microsoft Graph API.
Sites.Manage.All Application Restore of all SharePoint sites, including site content types, using Microsoft Graph API.
Sites.FullControl.All Application Restore of all SharePoint sites, including site content types, using Microsoft Graph API
Sites.FullControl.All Application Backup and restore of all SharePoint sites, including content type hub, using Microsoft Graph API.

Exchange Online and Public Folder

Required Permissions

Permission Type Purpose

Application.ReadWrite.All

Application

Revoke app access from the tenant.
Calendars.ReadWrite Application Read and write calendars in all mailboxes
Contacts.ReadWrite Application Read and write contacts in all mailboxes
Directory.Read.All Application Import users from Azure AD.
Mail.ReadWrite Application Read and write mail in all mailboxes
MailboxSettings.Read Application Read all user mailbox settings
Tasks.ReadWrite.All Application Read and write all users’ tasks and task lists
User.Read.All Delegated Read all users' full profiles
Exchange Online
Calendars.ReadWrite Application Backup and restore Exchange Online calendars.
Contacts.ReadWrite Application Backup and restore Exchange Online contacts.
Mail.ReadWrite Application Backup and restore Exchange Online mailboxes.
Tasks.ReadWrite.All Application Backup and restore Exchange Online tasks.

OneDrive and SharePoint

Required Permissions

Permission Type Purpose

Application.ReadWrite.All

Application

Revoke app access from the tenant.
User.Read.All Application Import users from Azure AD.
Files.Read.All Application

Read Microsoft Teams channel files and folders to facilitate backups. 

Read users' OneDrive files.
Sites.ReadWrite.All Application Backup and Restore SharePoint Site using latest Graph APIs.
Sites.FullControl.All Application Backup and restore of all SharePoint sites, including system document libraries, using Microsoft Graph API.
Microsoft Teams

Group.Read.All

Application

Support Teams Meeting Recording Exclusion. 

Sites.Read.All

Application

Read data from SharePoint sites and sites associated with Microsoft Teams.
SharePoint
Sites.Read.All Application Backup SharePoint Site, including site content types, using Microsoft Graph API.
Sites.Manage.All Application Restore of all SharePoint sites, including site content types, using Microsoft Graph API.
Sites.FullControl.All Application Restore of all SharePoint sites, including site content types, using Microsoft Graph API
Sites.FullControl.All Application Backup and restore of all SharePoint sites, including content type hub, using Microsoft Graph API.

Workload-specific permissions

Permissions required for Microsoft Graph are listed below.

Permission Type Purpose
Application.ReadWrite.All Application Delete service principal from the associated tenant and revoke app access from the tenant.
Files.Read.All Application

Read Microsoft Teams channel files and folders to facilitate backups. 

Read users' OneDrive files.
User.Read.All Application Import users from Azure AD.
MailboxSettings.Read Application Get user's mailbox type
Sites.ReadWrite.All Application Backup and Restore SharePoint Site using latest Graph APIs.
Sites.FullControl.All Application Backup and restore of all SharePoint sites, including system document libraries, using Microsoft Graph API.
Microsoft Teams
Channel.Create Application Restore Microsoft Teams channels.
Channel.ReadBasic.All Application Back up Microsoft Teams channel metadata.
ChannelMessage.Read.All Application Back up Microsoft Teams channel conversations (messages).
ChannelMember.ReadWrite.All Application Back up and restore Microsoft Teams channel members.
ChannelSettings.ReadWrite.All Application Back up and restore Microsoft Teams channel settings.
Directory. Read. All Application Back up and restore Microsoft Teams.
Directory.ReadWrite.All Application

Restore Microsoft Teams.

Note: This permission is needed only when you are using the Microsoft 365 Advanced app to protect Groups and to use the Multi-Geo support feature. The Microsoft 365 Basic app does not need this permission. For more information, see Configure Druva inSync for Microsoft 365.
Group.ReadWrite.All Delegated Restore Microsoft Teams. 
GroupMember.ReadWrite.All Application Add a member to a Microsoft 365 group or a security group through the members’ navigation property.
Sites.Read.All Application Read data from SharePoint sites and sites associated with Microsoft Teams.
TeamMember.ReadWrite.All Application Back up and restore Microsoft Teams members.
TeamSettings.ReadWrite.All Application Back up and restore Microsoft Teams settings.
TeamsTab.Read.All Application Back up Microsoft Teams tab's metadata.
Exchange Online
Calendars.ReadWrite Application Backup and restore Exchange Online calendars.
Contacts.ReadWrite Application Backup and restore Exchange Online contacts.
Mail.ReadWrite Application Backup and restore Exchange Online mailboxes.
Tasks.ReadWrite.All Application Backup and restore Exchange Online tasks.
SharePoint
Sites.Read.All Application Backup SharePoint Site, including site content types, using Microsoft Graph API.
Sites.Manage.All Application Restore of all SharePoint sites, including site content types, using Microsoft Graph API.
Sites.FullControl.All Application Restore of all SharePoint sites, including site content types, using Microsoft Graph API
Sites.FullControl.All Application Backup and restore of all SharePoint sites, including content type hub, using Microsoft Graph API.

App-specific permissions

Permissions required for each app are listed below.

Microsoft 365 Advanced

Supported apps/features

SharePoint Online Public Folder Exchange Online OneDrive Teams  Groups Multi-Geo
             ✅                  ✅                 ✅                  ✅                 ✅                ✅                 ✅

Required Permissions

Permission Type Purpose
Office 365 Exchange Online
Calendars.ReadWrite.All Application Backup and restore Exchange Online calendars.
Contacts.ReadWrite Application Backup and restore Exchange Online contacts.
EWS.AccessAsUser.All Delegated Backup and restore Exchange Online mailboxes in user context.
full_access_as_app Application Back up, restore, and discover Exchange Online mailboxes, Microsoft 365 Group mailboxes, and shared mailboxes.
Mail.ReadWrite Application Backup and restore Exchange Online mailboxes.
Tasks.ReadWrite Application Backup and restore Exchange Online tasks.
SharePoint

Sites.FullControl.All

Application

Backup and restore SharePoint Online site collections, including  Microsoft 365 Group Team sites and modern sites.

Sites.Search.All

Delegated

Run search queries as a user

TermStore.Read.All

Application

Backup  Managed Metadata Service SharePoint Online site collections and Microsoft 365 Group Team sites.

User.Read.All

Delegated

Get site collection administrators during restore activity to a new site.

User.Read.All

Application

Backup SharePoint site users.

Microsoft 365 Basic

Supported apps/features

SharePoint Online Public Folder Exchange Online OneDrive Teams  Groups Multi-Geo
             ✅          ✅          ✅          ✅          ✅                 ❌                 ❌

Required Permissions

Permission Type Purpose
Office 365 Exchange Online

Calendars.ReadWrite.All

Application

Backup and restore Exchange Online calendars.

Contacts.ReadWrite

Application

Backup and restore Exchange Online contacts.

EWS.AccessAsUser.All

Delegated

Backup and restore Exchange Online mailboxes in admin context.

full_access_as_app

Application

Back up, restore, and discover Exchange Online mailboxes, Microsoft 365 Group mailboxes, and shared mailboxes.

Mail.ReadWrite

Application

Backup and restore Exchange Online mailboxes.

Tasks.ReadWrite

Application

Backup and restore Exchange Online tasks.
SharePoint

Sites.FullControl.All

Application

Backup and restore SharePoint Online site collections, including  Microsoft 365 Group Team sites and modern sites.

Sites.Search.All

Delegated

Run search queries as a user

TermStore.Read.All

Application

Back up  Managed Metadata Service SharePoint Online site collections and Microsoft 365 Group Team sites.

User.Read.All

Delegated

Get site collection administrators during restore activity to a new site.

User.Read.All

Application

Backup SharePoint site users.

Exchange Online and Public Folder 

Required Permissions 

Permission Type Purpose
Office 365 Exchange Online

Calendars.ReadWrite.All

Application

Backup and restore Exchange Online calendars.

Contacts.ReadWrite

Application

Backup and restore Exchange Online contacts.

EWS.AccessAsUser.All

Delegated

Backup and restore Exchange Online mailboxes in admin context.

full_access_as_app

Application

Back up, restore, and discover Exchange Online mailboxes, Microsoft 365 Group mailboxes, and shared mailboxes.

Mail.ReadWrite

Application

Backup and restore Exchange Online mailboxes.

Tasks.ReadWrite

Application

Backup and restore Exchange Online tasks.

OneDrive and SharePoint 

Required Permissions

Permission Type Purpose
SharePoint

Sites.FullControl.All

Application

Backup and restore SharePoint Online site collections, including  Microsoft 365 Group Team sites and modern sites.

Sites.Search.All

Delegated

Run search queries as a user

TermStore.Read.All

Application

Back up  Managed Metadata Service SharePoint Online site collections and Microsoft 365 Group Team sites.

User.Read.All

Delegated

Get site collection administrators during restore activity to a new site.

User.Read.All

Application

Backup SharePoint site users.

Workload-specific permissions

Permissions required for each workload are listed below.

Office 365 Exchange Online

The following table explains the permissions required to use the Office 365 Exchange Online services:

Permission Type Purpose
Calendars.ReadWrite.All Application Back up and restore Exchange Online calendars.
Contacts.ReadWrite Application Back up and restore Exchange Online contacts.
EWS.AccessAsUser.All Delegated Back up and restore Exchange Online mailboxes in admin context.
full_access_as_app Application Back up, restore, and discover Exchange Online mailboxes, Microsoft 365 Group mailboxes, and shared mailboxes.
Mail.ReadWrite Application Back up and restore Exchange Online mailboxes.
Tasks.ReadWrite Application Back up and restore Exchange Online tasks.

Office 365 SharePoint Online 

The following table explains the permissions required to use the Office 365 SharePoint Online services:

Permission Type Purpose
Sites.FullControl.All Application Back up and restore SharePoint Online site collections, including  Microsoft 365 Group Team sites and modern sites.
TermStore.Read.All Application Back up  Managed Metadata Service SharePoint Online site collections and Microsoft 365 Group Team sites.
User.Read.All Application Back up SharePoint site users.
User.Read.All Delegated Get site collection administrators during restore activity to a new site.

Microsoft Groups

The following table explains the permissions required to use Microsoft Groups:

Permission Type Purpose
Group.ReadWrite.All Application Backup and restore Microsoft Groups data.
Directory.ReadWrite.All Application Backup and restore groups specific settings (applies to only Microsoft 365 groups) and preferred data location (PDL)
RoleManagement.ReadWrite.Directory Application Backup only Microsoft Groups Sensitivity labels data.
AppRoleAssignment.ReadWrite.All Application Backup and restore Microsoft Groups Role Assignment data.
Group.ReadWrite.All Delegated Backup and restore Microsoft Groups data.
Directory.ReadWrite.All Delegated Restore of Microsoft Groups Sensitivity labels data and AllowExternalSenders.
RoleManagement.ReadWrite.Directory Delegated Restore of Microsoft Groups Sensitivity labels data and AllowExternalSenders.

 

  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Article type
    Topic
  2. Tags
    1. M365
    2. M365 permissions for Druva App