Microsoft 365 Permissions for Druva App


Overview

This article helps you understand the permissions that Druva requires to back up and restore your Microsoft 365 data.

For more information about how and where to provide these permissions to authorize Druva, see Configure Druva inSync for Microsoft 365.

Druva requires the following permission types.

  • Application: Allows applications in Azure Active Directory (Azure AD) to perform actions using admin-driven consent.
  • Delegated: Allows applications in Azure AD to perform actions on behalf of a particular user.

New permissions required for Microsoft Graph API v1.0

The new permissions required for Microsoft Graph API v1.0 are listed below.

Permission Type  Purpose
Exchange Online
Calendars.ReadWrite Application Backup and restore Exchange Online calendars.
Contacts.ReadWrite Application Backup and restore Exchange Online contacts.
Mail.ReadWrite Application Backup and restore Exchange Online mailboxes.
Tasks.ReadWrite.All Application Backup and restore Exchange Online tasks.
SharePoint Online
Sites.ReadWrite.All Application Backup and restore SharePoint Site using latest Graph APIs.
Sites.FullControl.All Application Backup and restore of all SharePoint sites, including system document libraries, using Microsoft Graph API.

For more information, see Microsoft Graph Permissions.

Graph API

App-specific permissions

Permissions required for each app are listed below.

Microsoft 365 Advanced

Supported apps/features

SharePoint Online  Public Folder  Exchange Online  OneDrive  Teams  Groups  Multi-Geo
✅                 ✅             ✅               ✅        ✅     ✅      ✅

Required Permissions

Permission Type Purpose

Application.ReadWrite.All Application Revoke app access from the tenant.

Calendars.ReadWrite Application Read and write calendars in all mailboxes. 
Contacts.ReadWrite Application Read and write contacts in all mailboxes
Directory.ReadWrite.All Delegated Read and write directory data.
Directory.ReadWrite.All Application Read and write directory data.
RoleManagement.ReadWrite.Directory Application Read and write directory RBAC settings
RoleManagement.ReadWrite.Directory Delegated Read and write directory RBAC settings
Mail.ReadWrite Application Read and write mail in all mailboxes
MailboxSettings.Read Application Get user's mailbox type
Sites.ReadWrite.All Application Read data from SharePoint sites and sites associated with Microsoft Teams and M365 Groups.
Sites.FullControl.All Application Backup and restore of all SharePoint sites, including system document libraries, using Microsoft Graph API.
Tasks.ReadWrite.All Application Read and write all users’ tasks and task lists
User.Read.All Application Backup SharePoint site users.
Files.Read.All Application Read Microsoft Teams channel files and folders to facilitate backups. Read users' OneDrive files.

Sites.ReadWrite.All Application Backup and Restore SharePoint Site using latest Graph APIs.
Exchange Online
Calendars.ReadWrite Application Backup and restore Exchange Online calendars.
Contacts.ReadWrite Application Backup and restore Exchange Online contacts.
Mail.ReadWrite Application Backup and restore Exchange Online mailboxes.
Tasks.ReadWrite.All Application Backup and restore Exchange Online tasks.
Microsoft Teams

Channel.Create Application Restore Microsoft Teams channels.
Channel.ReadBasic.All Application Backup Microsoft Teams channel metadata.
ChannelMember.ReadWrite.All Application Backup and restore Microsoft Teams channel members.
ChannelMessage.Read.All Application Backup Microsoft Teams channel conversations (messages).
ChannelSettings.ReadWrite.All Application Backup and restore Microsoft Teams channel settings.

Group.ReadWrite.All Delegated Restore Microsoft Teams.
Sites.Read.All Application Read data from SharePoint sites and sites associated with Microsoft Teams and M365 Groups.
TeamMember.ReadWrite.All Application Backup and restore Microsoft Teams members.
TeamSettings.ReadWrite.All Application Backup and restore Microsoft Teams settings.
TeamsTab.Read.All Application Back up Microsoft Teams tab's metadata.
Microsoft Groups
AppRoleAssignment.ReadWrite.All Application Backup and restore Microsoft Groups Role Assignment data.

Group.ReadWrite.All Application Backup and restore Microsoft Groups data.
GroupMember.ReadWrite.All Application Add a member to a Microsoft 365 group or a security group through the members’ navigation property.

Tasks.Read Application Backup and restore Planner and Tasks
SharePoint
Sites.Read.All Application Backup SharePoint Site, including site content types, using Microsoft Graph API.
Sites.Manage.All Application Restore of all SharePoint sites, including site content types, using Microsoft Graph API.
Sites.FullControl.All Application Restore of all SharePoint sites, including site content types, using Microsoft Graph API.
Sites.FullControl.All Application Backup and restore of all SharePoint sites, including content type hub, using Microsoft Graph API.
TermStore.ReadWrite.All Application Backup or restore of Managed Metadata Term Store in SharePoint Online.

Microsoft 365 Basic

Supported apps/features

SharePoint Online  Public Folder  Exchange Online  OneDrive  Teams  Groups  Multi-Geo
✅                 ✅             ✅               ✅        ✅     ❌      ❌

Required Permissions

Permission Type Purpose

Application.ReadWrite.All Application Revoke app access from the tenant.

Calendars.ReadWrite Application Read and write calendars in all mailboxes
Contacts.ReadWrite Application Read and write contacts in all mailboxes.
Mail.ReadWrite Application Read and write mail in all mailboxes.
MailboxSettings.Read Application Get user's mailbox type
Tasks.ReadWrite.All Application Read and write all users’ tasks and task lists
Sites.ReadWrite.All Application Read and write content on all sites.
Sites.FullControl.All Application Backup and restore of all SharePoint sites, including system document libraries, using Microsoft Graph API.
User.Read.All Application Import users from Azure AD.
Files.Read.All Application Read Microsoft Teams channel files and folders to facilitate backups. Read users' OneDrive files.

Sites.ReadWrite.All Application Backup and Restore SharePoint Site using latest Graph APIs.
Exchange Online
Calendars.ReadWrite Application Backup and restore Exchange Online calendars.
Contacts.ReadWrite Application Backup and restore Exchange Online contacts.
Mail.ReadWrite Application Backup and restore Exchange Online mailboxes.
Tasks.ReadWrite.All Application Backup and restore Exchange Online tasks.
Sites.ReadWrite.All Application Backup and Restore SharePoint Site using latest Graph APIs.
Microsoft Teams

Channel.Create Application Restore Microsoft Teams channels.
Channel.ReadBasic.All Application Backup Microsoft Teams channel metadata.
ChannelMember.ReadWrite.All Application Backup and restore Microsoft Teams channel members.
ChannelMessage.Read.All Application Backup Microsoft Teams channel conversations (messages).
ChannelSettings.ReadWrite.All Application Backup and restore Microsoft Teams channel settings.
Directory.Read.All Application Read Groups settings during Teams backup.
Group.ReadWrite.All Delegated Restore Microsoft Teams.

Sites.Read.All Application Read data from SharePoint sites and sites associated with Microsoft Teams.
TeamMember.ReadWrite.All Application Backup and restore Microsoft Teams members.
TeamSettings.ReadWrite.All Application Backup and restore Microsoft Teams settings.
TeamsTab.Read.All Application Back up Microsoft Teams tab's metadata.
Microsoft Groups
Group.ReadWrite.All Application Backup and restore Microsoft Groups data.
GroupMember.ReadWrite.All Application Add a member to a Microsoft 365 group or a security group through the members’ navigation property.

SharePoint
Sites.Read.All Application Backup SharePoint Site, including site content types, using Microsoft Graph API.
Sites.Manage.All Application Restore of all SharePoint sites, including site content types, using Microsoft Graph API.
Sites.FullControl.All Application Restore of all SharePoint sites, including site content types, using Microsoft Graph API
Sites.FullControl.All Application Backup and restore of all SharePoint sites, including content type hub, using Microsoft Graph API.
TermStore.ReadWrite.All Application Backup or restore of Managed Metadata Term Store in SharePoint Online.

Exchange Online and Public Folder

Required Permissions

Permission Type Purpose

Application.ReadWrite.All Application Revoke app access from the tenant.

Calendars.ReadWrite Application Read and write calendars in all mailboxes
Contacts.ReadWrite Application Read and write contacts in all mailboxes
Directory.Read.All Application Import users from Azure AD.
Mail.ReadWrite Application Read and write mail in all mailboxes
MailboxSettings.Read Application Read all user mailbox settings
Tasks.ReadWrite.All Application Read and write all users’ tasks and task lists
User.Read.All Delegated Read all users' full profiles
Exchange Online
Calendars.ReadWrite Application Backup and restore Exchange Online calendars.
Contacts.ReadWrite Application Backup and restore Exchange Online contacts.
Mail.ReadWrite Application Backup and restore Exchange Online mailboxes.
Tasks.ReadWrite.All Application Backup and restore Exchange Online tasks.
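
An added example, not Druva's code: one way to audit the consent actually granted to the backup app against the Graph API rows of the Exchange Online and Public Folder table above. It assumes the grant data has been exported in the shape of Microsoft Graph's appRoleAssignment and oAuth2PermissionGrant objects; the sample objects and their ids are constructed.

```python
import re

# Rows taken from this page's Graph API "Exchange Online and Public Folder" table.
BASELINE_ROWS = """\
Application.ReadWrite.All Application Revoke app access from the tenant.
Calendars.ReadWrite Application Read and write calendars in all mailboxes
Contacts.ReadWrite Application Read and write contacts in all mailboxes
Directory.Read.All Application Import users from Azure AD.
Mail.ReadWrite Application Read and write mail in all mailboxes
MailboxSettings.Read Application Read all user mailbox settings
Tasks.ReadWrite.All Application Read and write all users' tasks and task lists
User.Read.All Delegated Read all users' full profiles
"""
ROW = re.compile(r"^(\S+)\s+(Application|Delegated)\b")

def parse_baseline(text):
    """Split 'Permission Type Purpose' rows into documented names per type."""
    baseline = {"Application": set(), "Delegated": set()}
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if match:
            baseline[match.group(2)].add(match.group(1))
    return baseline

def granted_permissions(resource_sp, app_role_assignments, oauth2_grants):
    """Resolve what is actually granted on one resource, split by type."""
    names = {role["id"]: role["value"] for role in resource_sp["appRoles"]}
    application = {names.get(a["appRoleId"], "unresolved:" + a["appRoleId"])
                   for a in app_role_assignments
                   if a["resourceId"] == resource_sp["id"]}
    delegated = set()
    for grant in oauth2_grants:
        if grant["resourceId"] == resource_sp["id"]:
            delegated.update(grant["scope"].split())
    return {"Application": application, "Delegated": delegated}

def audit(baseline, granted):
    """Report grants beyond the documented set and documented ones not granted."""
    return {kind: {"unexpected": sorted(granted[kind] - baseline[kind]),
                   "missing": sorted(baseline[kind] - granted[kind])}
            for kind in ("Application", "Delegated")}

# Constructed sample data; the ids are placeholders, not real Graph identifiers.
_VALUES = ["Application.ReadWrite.All", "Calendars.ReadWrite", "Contacts.ReadWrite",
           "Directory.Read.All", "Mail.ReadWrite", "MailboxSettings.Read",
           "Tasks.ReadWrite.All", "Directory.ReadWrite.All"]
GRAPH_SP = {"id": "sp-graph", "appRoles": [
    {"id": f"role-{i}", "value": v} for i, v in enumerate(_VALUES)]}
ASSIGNMENTS = [{"resourceId": "sp-graph", "appRoleId": f"role-{i}"}
               for i in (0, 1, 2, 4, 5, 7)]
ASSIGNMENTS.append({"resourceId": "sp-other", "appRoleId": "role-3"})  # other API
GRANTS = [{"resourceId": "sp-graph", "consentType": "AllPrincipals",
           "scope": "User.Read.All Group.ReadWrite.All"}]

def run_example():
    granted = granted_permissions(GRAPH_SP, ASSIGNMENTS, GRANTS)
    return audit(parse_baseline(BASELINE_ROWS), granted)

if __name__ == "__main__":
    for kind, result in run_example().items():
        print(kind, result)
```

Application and Delegated grants are compared separately because the same permission name, such as User.Read.All, carries different reach under each type.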

OneDrive and SharePoint

Required Permissions

Permission Type Purpose

Application.ReadWrite.All Application Revoke app access from the tenant.

User.Read.All Application Import users from Azure AD.
Files.Read.All Application Read Microsoft Teams channel files and folders to facilitate backups. Read users' OneDrive files.

Sites.ReadWrite.All Application Backup and Restore SharePoint Site using latest Graph APIs.
Sites.FullControl.All Application Backup and restore of all SharePoint sites, including system document libraries, using Microsoft Graph API.
Microsoft Teams

Group.Read.All Application Support Teams Meeting Recording Exclusion.
Sites.Read.All Application Read data from SharePoint sites and sites associated with Microsoft Teams.

SharePoint
Sites.Read.All Application Backup SharePoint Site, including site content types, using Microsoft Graph API.
Sites.Manage.All Application Restore of all SharePoint sites, including site content types, using Microsoft Graph API.
Sites.FullControl.All Application Restore of all SharePoint sites, including site content types, using Microsoft Graph API
Sites.FullControl.All Application Backup and restore of all SharePoint sites, including content type hub, using Microsoft Graph API.
TermStore.ReadWrite.All Application Backup or restore of Managed Metadata Term Store in SharePoint Online.

Workload-specific permissions

Permissions required for Microsoft Graph are listed below.

Permission Type Purpose
Application.ReadWrite.All Application Delete service principal from the associated tenant and revoke app access from the tenant.
Files.Read.All Application Read Microsoft Teams channel files and folders to facilitate backups. Read users' OneDrive files.

User.Read.All Application Import users from Azure AD.
MailboxSettings.Read Application Get user's mailbox type
Sites.ReadWrite.All Application Backup and Restore SharePoint Site using latest Graph APIs.
Sites.FullControl.All Application Backup and restore of all SharePoint sites, including system document libraries, using Microsoft Graph API.
Microsoft Teams
Channel.Create Application Restore Microsoft Teams channels.
Channel.ReadBasic.All Application Back up Microsoft Teams channel metadata.
ChannelMessage.Read.All Application Back up Microsoft Teams channel conversations (messages).
ChannelMember.ReadWrite.All Application Back up and restore Microsoft Teams channel members.
ChannelSettings.ReadWrite.All Application Back up and restore Microsoft Teams channel settings.
Directory.Read.All Application Back up and restore Microsoft Teams.
Directory.ReadWrite.All Application Restore Microsoft Teams. Note: This permission is needed only when you are using the Microsoft 365 Advanced app to protect Groups and to use the Multi-Geo support feature. The Microsoft 365 Basic app does not need this permission. For more information, see Configure Druva inSync for Microsoft 365.

Group.ReadWrite.All Delegated Restore Microsoft Teams. 
GroupMember.ReadWrite.All Application Add a member to a Microsoft 365 group or a security group through the members’ navigation property.
Sites.Read.All Application Read data from SharePoint sites and sites associated with Microsoft Teams.
TeamMember.ReadWrite.All Application Back up and restore Microsoft Teams members.
TeamSettings.ReadWrite.All Application Back up and restore Microsoft Teams settings.
TeamsTab.Read.All Application Back up Microsoft Teams tab's metadata.
Exchange Online
Calendars.ReadWrite Application Backup and restore Exchange Online calendars.
Contacts.ReadWrite Application Backup and restore Exchange Online contacts.
Mail.ReadWrite Application Backup and restore Exchange Online mailboxes.
Tasks.ReadWrite.All Application Backup and restore Exchange Online tasks.
SharePoint
Sites.Read.All Application Backup SharePoint Site, including site content types, using Microsoft Graph API.
Sites.Manage.All Application Restore of all SharePoint sites, including site content types, using Microsoft Graph API.
Sites.FullControl.All Application Restore of all SharePoint sites, including site content types, using Microsoft Graph API
Sites.FullControl.All Application Backup and restore of all SharePoint sites, including content type hub, using Microsoft Graph API.
TermStore.ReadWrite.All Application Backup or restore of Managed Metadata Term Store in SharePoint Online.

Outlook API

App-specific permissions

Permissions required for each app are listed below.

Microsoft 365 Advanced

Supported apps/features

SharePoint Online  Public Folder  Exchange Online  OneDrive  Teams  Groups  Multi-Geo
✅                 ✅             ✅               ✅        ✅     ✅      ✅

Required Permissions

Permission Type Purpose
Office 365 Exchange Online
Calendars.ReadWrite.All Application Backup and restore Exchange Online calendars.
Contacts.ReadWrite Application Backup and restore Exchange Online contacts.
EWS.AccessAsUser.All Delegated Backup and restore Exchange Online mailboxes in user context.
full_access_as_app Application Back up, restore, and discover Exchange Online mailboxes, Microsoft 365 Group mailboxes, and shared mailboxes.
Mail.ReadWrite Application Backup and restore Exchange Online mailboxes.
Tasks.ReadWrite Application Backup and restore Exchange Online tasks.
SharePoint

Sites.FullControl.All Application Backup and restore SharePoint Online site collections, including Microsoft 365 Group Team sites and modern sites.
Sites.Search.All Delegated Run search queries as a user
TermStore.Read.All Application Backup Managed Metadata Service SharePoint Online site collections and Microsoft 365 Group Team sites.
User.Read.All Delegated Get site collection administrators during restore activity to a new site.
User.Read.All Application Backup SharePoint site users.

Microsoft 365 Basic

Supported apps/features

SharePoint Online  Public Folder  Exchange Online  OneDrive  Teams  Groups  Multi-Geo
✅                 ✅             ✅               ✅        ✅     ❌      ❌

Required Permissions

Permission Type Purpose
Office 365 Exchange Online

Calendars.ReadWrite.All Application Backup and restore Exchange Online calendars.
Contacts.ReadWrite Application Backup and restore Exchange Online contacts.
EWS.AccessAsUser.All Delegated Backup and restore Exchange Online mailboxes in admin context.
full_access_as_app Application Back up, restore, and discover Exchange Online mailboxes, Microsoft 365 Group mailboxes, and shared mailboxes.
Mail.ReadWrite Application Backup and restore Exchange Online mailboxes.
Tasks.ReadWrite Application Backup and restore Exchange Online tasks.

SharePoint

Sites.FullControl.All Application Backup and restore SharePoint Online site collections, including Microsoft 365 Group Team sites and modern sites.
Sites.Search.All Delegated Run search queries as a user
TermStore.Read.All Application Back up Managed Metadata Service SharePoint Online site collections and Microsoft 365 Group Team sites.
User.Read.All Delegated Get site collection administrators during restore activity to a new site.
User.Read.All Application Backup SharePoint site users.

Exchange Online and Public Folder 

Required Permissions 

Permission Type Purpose
Office 365 Exchange Online

Calendars.ReadWrite.All Application Backup and restore Exchange Online calendars.
Contacts.ReadWrite Application Backup and restore Exchange Online contacts.
EWS.AccessAsUser.All Delegated Backup and restore Exchange Online mailboxes in admin context.
full_access_as_app Application Back up, restore, and discover Exchange Online mailboxes, Microsoft 365 Group mailboxes, and shared mailboxes.
Mail.ReadWrite Application Backup and restore Exchange Online mailboxes.
Tasks.ReadWrite Application Backup and restore Exchange Online tasks.

OneDrive and SharePoint 

Required Permissions

Permission Type Purpose
SharePoint

Sites.FullControl.All Application Backup and restore SharePoint Online site collections, including Microsoft 365 Group Team sites and modern sites.
Sites.Search.All Delegated Run search queries as a user
TermStore.Read.All Application Back up Managed Metadata Service SharePoint Online site collections and Microsoft 365 Group Team sites.
User.Read.All Delegated Get site collection administrators during restore activity to a new site.
User.Read.All Application Backup SharePoint site users.

Workload-specific permissions

Permissions required for each workload are listed below.

Office 365 Exchange Online

The following table explains the permissions required to use the Office 365 Exchange Online services:

Permission Type Purpose
Calendars.ReadWrite.All Application Back up and restore Exchange Online calendars.
Contacts.ReadWrite Application Back up and restore Exchange Online contacts.
EWS.AccessAsUser.All Delegated Back up and restore Exchange Online mailboxes in admin context.
full_access_as_app Application Back up, restore, and discover Exchange Online mailboxes, Microsoft 365 Group mailboxes, and shared mailboxes.
Mail.ReadWrite Application Back up and restore Exchange Online mailboxes.
Tasks.ReadWrite Application Back up and restore Exchange Online tasks.

Office 365 SharePoint Online 

The following table explains the permissions required to use the Office 365 SharePoint Online services:

Permission Type Purpose
Sites.FullControl.All Application Back up and restore SharePoint Online site collections, including Microsoft 365 Group Team sites and modern sites.
TermStore.Read.All Application Back up Managed Metadata Service SharePoint Online site collections and Microsoft 365 Group Team sites.
User.Read.All Application Back up SharePoint site users.
User.Read.All Delegated Get site collection administrators during restore activity to a new site.

Microsoft Groups

The following table explains the permissions required to use Microsoft Groups:

Permission Type Purpose
Group.ReadWrite.All Application Backup and restore Microsoft Groups data.
Directory.ReadWrite.All Application Backup and restore group-specific settings (applies only to Microsoft 365 groups) and preferred data location (PDL)
RoleManagement.ReadWrite.Directory Application Backup only Microsoft Groups Sensitivity labels data.
AppRoleAssignment.ReadWrite.All Application Backup and restore Microsoft Groups Role Assignment data.
Group.ReadWrite.All Delegated Backup and restore Microsoft Groups data.
Directory.ReadWrite.All Delegated Restore of Microsoft Groups Sensitivity labels data and AllowExternalSenders.
RoleManagement.ReadWrite.Directory Delegated Restore of Microsoft Groups Sensitivity labels data and AllowExternalSenders.

 
