Microsoft 365 Permissions for Druva App
Overview
This article describes the permissions that Druva requires to back up and restore your Microsoft 365 data.
To learn how and where to grant these permissions to authorize Druva, see Configure Druva inSync for Microsoft 365.
Druva requires two permission types: application permissions and delegated permissions.
Application: Allows applications in Azure Active Directory (Azure AD) to perform actions using admin-driven consent.
Delegated: Allows applications in Azure AD to perform actions on behalf of a particular user.
For more information, see Microsoft Graph Permissions.
App-specific permissions
Permissions required for each app are listed below.
Microsoft 365 Advanced app
Supported apps/features
| | | | | Groups | |
---|---|---|---|---|---|---|
| | | | | ✅ | |
Required permissions
Permission | Type | Purpose |
---|---|---|
Microsoft Graph | | |
Application.ReadWrite.All | Application | Revoke app access from the tenant. |
AppRoleAssignment.ReadWrite.All | Application | Back up and restore Microsoft Groups Role Assignment data. |
Channel.Create | Application | Restore Microsoft Teams channels. |
Channel.ReadBasic.All | Application | Back up Microsoft Teams channel metadata. |
ChannelMember.ReadWrite.All | Application | Back up and restore Microsoft Teams channel members. |
ChannelMessage.Read.All | Application | Back up Microsoft Teams channel conversations (messages). |
ChannelSettings.ReadWrite.All | Application | Back up and restore Microsoft Teams channel settings. |
Directory.ReadWrite.All | Delegated | Read and write directory data. |
Directory.ReadWrite.All | Application | Read and write directory data. |
Files.Read.All | Application | Read Microsoft Teams channel files and folders to facilitate backups. Read users' OneDrive files. |
Group.ReadWrite.All | Delegated | Restore Microsoft Teams. |
Group.ReadWrite.All | Application | Back up and restore Microsoft Groups data. |
GroupMember.ReadWrite.All | Application | Add a member to a Microsoft 365 group or a security group through the members’ navigation property. |
MailboxSettings.Read | Application | Get user's mailbox type. |
RoleManagement.ReadWrite.Directory | Delegated | Read and write directory RBAC settings. |
RoleManagement.ReadWrite.Directory | Application | Read and write all directory RBAC settings. |
Sites.Read.All | Application | Read data from SharePoint sites and sites associated with Microsoft Teams and M365 Groups. |
TeamMember.ReadWrite.All | Application | Back up and restore Microsoft Teams members. |
TeamSettings.ReadWrite.All | Application | Back up and restore Microsoft Teams settings. |
TeamsTab.Read.All | Application | Back up Microsoft Teams tab's metadata. |
User.Read.All | Application | Back up SharePoint site users. |
Office 365 Exchange Online | | |
Calendars.ReadWrite.All | Application | Back up and restore Exchange Online calendars. |
Contacts.ReadWrite | Application | Back up and restore Exchange Online contacts. |
EWS.AccessAsUser.All | Delegated | Back up and restore Exchange Online mailboxes in user context. |
full_access_as_app | Application | Back up, restore, and discover Exchange Online mailboxes, Microsoft 365 Group mailboxes, and shared mailboxes. |
Mail.ReadWrite | Application | Back up and restore Exchange Online mailboxes. |
Tasks.ReadWrite | Application | Back up and restore Exchange Online tasks. |
SharePoint | | |
Sites.FullControl.All | Application | Back up and restore SharePoint Online site collections, including Microsoft 365 Group Team sites and modern sites. |
Sites.Search.All | Delegated | Run search queries as a user. |
TermStore.Read.All | Application | Back up Managed Metadata Service SharePoint Online site collections and Microsoft 365 Group Team sites. |
User.Read.All | Delegated | Get site collection administrators during restore activity to a new site. |
User.Read.All | Application | Back up SharePoint site users. |
Microsoft 365 Basic app
Supported apps/features
| | | | | Groups | |
---|---|---|---|---|---|---|
| | | | | ❌ | ❌ |
Required permissions
Permission | Type | Purpose |
---|---|---|
Microsoft Graph | | |
Application.ReadWrite.All | Application | Revoke app access from the tenant. |
Channel.Create | Application | Restore Microsoft Teams channels. |
Channel.ReadBasic.All | Application | Back up Microsoft Teams channel metadata. |
ChannelMember.ReadWrite.All | Application | Back up and restore Microsoft Teams channel members. |
ChannelMessage.Read.All | Application | Back up Microsoft Teams channel conversations (messages). |
ChannelSettings.ReadWrite.All | Application | Back up and restore Microsoft Teams channel settings. |
Directory.Read.All | Application | Read Groups settings during Teams backup. |
Files.Read.All | Application | Read Microsoft Teams channel files and folders to facilitate backups. Read users' OneDrive files. |
Group.ReadWrite.All | Delegated | Restore Microsoft Teams. |
Group.ReadWrite.All | Application | Back up and restore Microsoft Groups data. |
GroupMember.ReadWrite.All | Application | Add a member to a Microsoft 365 group or a security group through the members’ navigation property. |
MailboxSettings.Read | Application | Get user's mailbox type. |
Sites.Read.All | Application | Read data from SharePoint sites and sites associated with Microsoft Teams. |
TeamMember.ReadWrite.All | Application | Back up and restore Microsoft Teams members. |
TeamSettings.ReadWrite.All | Application | Back up and restore Microsoft Teams settings. |
TeamsTab.Read.All | Application | Back up Microsoft Teams tab's metadata. |
User.Read.All | Application | Import users from Azure AD. |
Office 365 Exchange Online | | |
Calendars.ReadWrite.All | Application | Back up and restore Exchange Online calendars. |
Contacts.ReadWrite | Application | Back up and restore Exchange Online contacts. |
EWS.AccessAsUser.All | Delegated | Back up and restore Exchange Online mailboxes in admin context. |
full_access_as_app | Application | Back up, restore, and discover Exchange Online mailboxes, Microsoft 365 Group mailboxes, and shared mailboxes. |
Mail.ReadWrite | Application | Back up and restore Exchange Online mailboxes. |
Tasks.ReadWrite | Application | Back up and restore Exchange Online tasks. |
SharePoint | | |
Sites.FullControl.All | Application | Back up and restore SharePoint Online site collections, including Microsoft 365 Group Team sites and modern sites. |
Sites.Search.All | Delegated | Run search queries as a user. |
TermStore.Read.All | Application | Back up Managed Metadata Service SharePoint Online site collections and Microsoft 365 Group Team sites. |
User.Read.All | Delegated | Get site collection administrators during restore activity to a new site. |
User.Read.All | Application | Back up SharePoint site users. |
Exchange Online and Public Folder
Required permissions
Permission | Type | Purpose |
---|---|---|
Microsoft Graph | | |
Application.ReadWrite.All | Application | Revoke app access from the tenant. |
Directory.Read.All | Application | Import users from Azure AD. |
MailboxSettings.Read | Application | Get user's mailbox type. |
User.Read.All | Delegated | Get the email address of the user and use it to retrieve the headers required by Public folder APIs. |
Office 365 Exchange Online | | |
Calendars.ReadWrite.All | Application | Back up and restore Exchange Online calendars. |
Contacts.ReadWrite | Application | Back up and restore Exchange Online contacts. |
EWS.AccessAsUser.All | Delegated | Back up and restore Exchange Online mailboxes in admin context. |
full_access_as_app | Application | Back up, restore, and discover Exchange Online mailboxes, Microsoft 365 Group mailboxes, and shared mailboxes. |
Mail.ReadWrite | Application | Back up and restore Exchange Online mailboxes. |
Tasks.ReadWrite | Application | Back up and restore Exchange Online tasks. |
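The application/delegated split described in the overview is visible in the access tokens an app receives, which gives a way to check a grant against the table above. The following is an added example, not Druva's code: it assumes Microsoft identity platform tokens, where delegated permissions appear in the `scp` claim and application permissions in the `roles` claim, and it compares them with the Microsoft Graph rows listed for the Exchange Online and Public Folder app. The function names and the sample tokens are constructed for illustration.

```python
import base64
import json

# Microsoft Graph rows of the "Exchange Online and Public Folder" table above.
EXPECTED = {
    "Application": {"Application.ReadWrite.All", "Directory.Read.All",
                    "MailboxSettings.Read"},
    "Delegated": {"User.Read.All"},
}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample(claims: dict) -> str:
    """Build a constructed, unsigned token so the example runs offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.unsigned"

def jwt_claims(token: str) -> dict:
    """Decode the JWT payload. No signature check: inventory use only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def audit(token: str) -> dict:
    """Classify the token and diff its permissions against EXPECTED."""
    claims = jwt_claims(token)
    # Delegated tokens carry a space-separated 'scp' claim; app-only
    # tokens have no 'scp' and list application permissions in 'roles'.
    if "scp" in claims:
        kind, granted = "Delegated", set(claims["scp"].split())
    else:
        kind, granted = "Application", set(claims.get("roles", []))
    return {"type": kind,
            "unexpected": sorted(granted - EXPECTED[kind]),
            "missing": sorted(EXPECTED[kind] - granted)}

# Constructed samples (hypothetical grants, not real tenant data).
APP_TOKEN = make_sample({"aud": "https://graph.microsoft.com",
                         "roles": ["Application.ReadWrite.All",
                                   "Directory.ReadWrite.All",
                                   "MailboxSettings.Read"]})
USER_TOKEN = make_sample({"aud": "https://graph.microsoft.com",
                          "scp": "User.Read.All"})

if __name__ == "__main__":
    print(audit(APP_TOKEN))
    print(audit(USER_TOKEN))
```

An entry under `unexpected` means the grant is broader than the documented list for this app; an entry under `missing` means a documented permission was not consented.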
OneDrive and SharePoint
Required permissions
Permission | Type | Purpose |
---|---|---|
Microsoft Graph | | |
Application.ReadWrite.All | Application | Revoke app access from the tenant. |
Files.Read.All | Application | Read Microsoft Teams channel files and folders to facilitate backups. Read users' OneDrive files. |
Group.Read.All | Application | Support Teams Meeting Recording Exclusion. |
Sites.Read.All | Application | Read data from SharePoint sites and sites associated with Microsoft Teams. |
User.Read.All | Application | Import users from Azure AD. |
SharePoint | | |
Sites.FullControl.All | Application | Back up and restore SharePoint Online site collections, including Microsoft 365 Group Team sites and modern sites. |
Sites.Search.All | Delegated | Run search queries as a user. |
TermStore.Read.All | Application | Back up Managed Metadata Service SharePoint Online site collections and Microsoft 365 Group Team sites. |
User.Read.All | Delegated | Get site collection administrators during restore activity to a new site. |
User.Read.All | Application | Back up SharePoint site users. |
Workload-specific permissions
Permissions required for each workload are listed below.
Microsoft Graph
The following table explains the permissions required to use the Microsoft Graph APIs:
Permission | Type | Purpose |
---|---|---|
Application.ReadWrite.All | Application | Delete service principal from the associated tenant and revoke app access from the tenant. |
Channel.Create | Application | Restore Microsoft Teams channels. |
Channel.ReadBasic.All | Application | Back up Microsoft Teams channel metadata. |
ChannelMessage.Read.All | Application | Back up Microsoft Teams channel conversations (messages). |
ChannelMember.ReadWrite.All | Application | Back up and restore Microsoft Teams channel members. |
ChannelSettings.ReadWrite.All | Application | Back up and restore Microsoft Teams channel settings. |
Directory.Read.All | Application | Back up and restore Microsoft Teams. |
Directory.ReadWrite.All | Application | Restore Microsoft Teams. |
Files.Read.All | Application | Read Microsoft Teams channel files and folders to facilitate backups. Read users' OneDrive files. |
Group.ReadWrite.All | Delegated | Restore Microsoft Teams. |
GroupMember.ReadWrite.All | Application | Add a member to a Microsoft 365 group or a security group through the members’ navigation property. |
Sites.Read.All | Application | Read data from SharePoint sites and sites associated with Microsoft Teams. |
TeamMember.ReadWrite.All | Application | Back up and restore Microsoft Teams members. |
TeamSettings.ReadWrite.All | Application | Back up and restore Microsoft Teams settings. |
TeamsTab.Read.All | Application | Back up Microsoft Teams tab's metadata. |
User.Read.All | Application | Import users from Azure AD. |
MailboxSettings.Read | Application | Get user's mailbox type. |
Office 365 Exchange Online
The following table explains the permissions required to use the Office 365 Exchange Online services:
Permission | Type | Purpose |
---|---|---|
Calendars.ReadWrite.All | Application | Back up and restore Exchange Online calendars. |
Contacts.ReadWrite | Application | Back up and restore Exchange Online contacts. |
EWS.AccessAsUser.All | Delegated | Back up and restore Exchange Online mailboxes in admin context. |
full_access_as_app | Application | Back up, restore, and discover Exchange Online mailboxes, Microsoft 365 Group mailboxes, and shared mailboxes. |
Mail.ReadWrite | Application | Back up and restore Exchange Online mailboxes. |
Tasks.ReadWrite | Application | Back up and restore Exchange Online tasks. |
Office 365 SharePoint Online
The following table explains the permissions required to use the Office 365 SharePoint Online services:
Permission | Type | Purpose |
---|---|---|
Sites.FullControl.All | Application | Back up and restore SharePoint Online site collections, including Microsoft 365 Group Team sites and modern sites. |
TermStore.Read.All | Application | Back up Managed Metadata Service SharePoint Online site collections and Microsoft 365 Group Team sites. |
User.Read.All | Application | Back up SharePoint site users. |
User.Read.All | Delegated | Get site collection administrators during restore activity to a new site. |
Microsoft Groups
The following table explains the permissions required to use Microsoft Groups:
Permission | Type | Purpose |
---|---|---|
Group.ReadWrite.All | Application | Back up and restore Microsoft Groups data. |
Directory.ReadWrite.All | Application | Back up and restore group-specific settings (applies only to Microsoft 365 groups) and preferred data location (PDL). |
RoleManagement.ReadWrite.Directory | Application | Back up only Microsoft Groups Sensitivity labels data. |
AppRoleAssignment.ReadWrite.All | Application | Back up and restore Microsoft Groups Role Assignment data. |
Group.ReadWrite.All | Delegated | Back up and restore Microsoft Groups data. |
Directory.ReadWrite.All | Delegated | Restore of Microsoft Groups Sensitivity labels data and AllowExternalSenders. |
RoleManagement.ReadWrite.Directory | Delegated | Restore of Microsoft Groups Sensitivity labels data and AllowExternalSenders. |