Microsoft 365 Permissions for Druva App

Overview

This article explains the permissions that Druva requires to back up and restore your Microsoft 365 data.

To learn how and where to grant these permissions to authorize Druva, see Configure Druva inSync for Microsoft 365.

Druva requires both permission types: application permissions and delegated permissions.

Application: Allows applications in Azure Active Directory (Azure AD) to perform actions using admin-driven consent.

Delegated: Allows applications in Azure AD to perform actions on behalf of a particular user.

For more information, see Microsoft Graph Permissions.

App-specific permissions

Permissions required for each app are listed below.

Microsoft 365 Advanced app

Supported apps/features

SharePoint Online
Public Folder
Exchange Online
OneDrive
Teams
Groups
Multi-Geo

Required permissions

Microsoft Graph

| Permission | Type | Purpose |
| --- | --- | --- |
| Application.ReadWrite.All | Application | Revoke app access from the tenant. |
| AppRoleAssignment.ReadWrite.All | Application | Back up and restore Microsoft Groups Role Assignment data. |
| Channel.Create | Application | Restore Microsoft Teams channels. |
| Channel.ReadBasic.All | Application | Back up Microsoft Teams channel metadata. |
| ChannelMember.ReadWrite.All | Application | Back up and restore Microsoft Teams channel members. |
| ChannelMessage.Read.All | Application | Back up Microsoft Teams channel conversations (messages). |
| ChannelSettings.ReadWrite.All | Application | Back up and restore Microsoft Teams channel settings. |
| Directory.ReadWrite.All | Delegated | Read and write directory data |
| Directory.ReadWrite.All | Application | Read and write directory data |
| Files.Read.All | Application | Read Microsoft Teams channel files and folders to facilitate backups. Read users' OneDrive files. |
| Group.ReadWrite.All | Delegated | Restore Microsoft Teams. |
| Group.ReadWrite.All | Application | Back up and restore Microsoft Groups data. |
| GroupMember.ReadWrite.All | Application | Add a member to a Microsoft 365 group or a security group through the members’ navigation property. |
| MailboxSettings.Read | Application | Get user's mailbox type |
| RoleManagement.ReadWrite.Directory | Delegated | Read and write directory RBAC settings |
| RoleManagement.ReadWrite.Directory | Application | Read and write all directory RBAC settings |
| Sites.Read.All | Application | Read data from SharePoint sites and sites associated with Microsoft Teams and M365 Groups. |
| TeamMember.ReadWrite.All | Application | Back up and restore Microsoft Teams members. |
| TeamSettings.ReadWrite.All | Application | Back up and restore Microsoft Teams settings. |
| TeamsTab.Read.All | Application | Back up Microsoft Teams tab's metadata. |
| User.Read.All | Application | Back up SharePoint site users. |

Office 365 Exchange Online

| Permission | Type | Purpose |
| --- | --- | --- |
| Calendars.ReadWrite.All | Application | Back up and restore Exchange Online calendars. |
| Contacts.ReadWrite | Application | Back up and restore Exchange Online contacts. |
| EWS.AccessAsUser.All | Delegated | Back up and restore Exchange Online mailboxes in user context. |
| full_access_as_app | Application | Back up, restore, and discover Exchange Online mailboxes, Microsoft 365 Group mailboxes, and shared mailboxes. |
| Mail.ReadWrite | Application | Back up and restore Exchange Online mailboxes. |
| Tasks.ReadWrite | Application | Back up and restore Exchange Online tasks. |

SharePoint

| Permission | Type | Purpose |
| --- | --- | --- |
| Sites.FullControl.All | Application | Back up and restore SharePoint Online site collections, including Microsoft 365 Group Team sites and modern sites. |
| Sites.Search.All | Delegated | Run search queries as a user |
| TermStore.Read.All | Application | Back up Managed Metadata Service SharePoint Online site collections and Microsoft 365 Group Team sites. |
| User.Read.All | Delegated | Get site collection administrators during restore activity to a new site. |
| User.Read.All | Application | Back up SharePoint site users. |

Microsoft 365 Basic app

Supported apps/features

SharePoint Online
Public Folder
Exchange Online
OneDrive
Teams
Groups
Multi-Geo

Required permissions

Microsoft Graph

| Permission | Type | Purpose |
| --- | --- | --- |
| Application.ReadWrite.All | Application | Revoke app access from the tenant. |
| Channel.Create | Application | Restore Microsoft Teams channels. |
| Channel.ReadBasic.All | Application | Back up Microsoft Teams channel metadata. |
| ChannelMember.ReadWrite.All | Application | Back up and restore Microsoft Teams channel members. |
| ChannelMessage.Read.All | Application | Back up Microsoft Teams channel conversations (messages). |
| ChannelSettings.ReadWrite.All | Application | Back up and restore Microsoft Teams channel settings. |
| Directory.Read.All | Application | Read Groups settings during Teams backup. |
| Files.Read.All | Application | Read Microsoft Teams channel files and folders to facilitate backups. Read users' OneDrive files. |
| Group.ReadWrite.All | Delegated | Restore Microsoft Teams. |
| Group.ReadWrite.All | Application | Back up and restore Microsoft Groups data. |
| GroupMember.ReadWrite.All | Application | Add a member to a Microsoft 365 group or a security group through the members’ navigation property. |
| MailboxSettings.Read | Application | Get user's mailbox type |
| Sites.Read.All | Application | Read data from SharePoint sites and sites associated with Microsoft Teams. |
| TeamMember.ReadWrite.All | Application | Back up and restore Microsoft Teams members. |
| TeamSettings.ReadWrite.All | Application | Back up and restore Microsoft Teams settings. |
| TeamsTab.Read.All | Application | Back up Microsoft Teams tab's metadata. |
| User.Read.All | Application | Import users from Azure AD. |

Office 365 Exchange Online

| Permission | Type | Purpose |
| --- | --- | --- |
| Calendars.ReadWrite.All | Application | Back up and restore Exchange Online calendars. |
| Contacts.ReadWrite | Application | Back up and restore Exchange Online contacts. |
| EWS.AccessAsUser.All | Delegated | Back up and restore Exchange Online mailboxes in admin context. |
| full_access_as_app | Application | Back up, restore, and discover Exchange Online mailboxes, Microsoft 365 Group mailboxes, and shared mailboxes. |
| Mail.ReadWrite | Application | Back up and restore Exchange Online mailboxes. |
| Tasks.ReadWrite | Application | Back up and restore Exchange Online tasks. |

SharePoint

| Permission | Type | Purpose |
| --- | --- | --- |
| Sites.FullControl.All | Application | Back up and restore SharePoint Online site collections, including Microsoft 365 Group Team sites and modern sites. |
| Sites.Search.All | Delegated | Run search queries as a user |
| TermStore.Read.All | Application | Back up Managed Metadata Service SharePoint Online site collections and Microsoft 365 Group Team sites. |
| User.Read.All | Delegated | Get site collection administrators during restore activity to a new site. |
| User.Read.All | Application | Back up SharePoint site users. |

Exchange Online and Public Folder

Required permissions

Microsoft Graph

| Permission | Type | Purpose |
| --- | --- | --- |
| Application.ReadWrite.All | Application | Revoke app access from the tenant. |
| Directory.Read.All | Application | Import users from Azure AD. |
| MailboxSettings.Read | Application | Get user's mailbox type |
| User.Read.All | Delegated | Get the email address of the user and use it to retrieve the headers required by Public folder APIs. |

Office 365 Exchange Online

| Permission | Type | Purpose |
| --- | --- | --- |
| Calendars.ReadWrite.All | Application | Back up and restore Exchange Online calendars. |
| Contacts.ReadWrite | Application | Back up and restore Exchange Online contacts. |
| EWS.AccessAsUser.All | Delegated | Back up and restore Exchange Online mailboxes in admin context. |
| full_access_as_app | Application | Back up, restore, and discover Exchange Online mailboxes, Microsoft 365 Group mailboxes, and shared mailboxes. |
| Mail.ReadWrite | Application | Back up and restore Exchange Online mailboxes. |
| Tasks.ReadWrite | Application | Back up and restore Exchange Online tasks. |

OneDrive and SharePoint

Required permissions

Microsoft Graph

| Permission | Type | Purpose |
| --- | --- | --- |
| Application.ReadWrite.All | Application | Revoke app access from the tenant. |
| Files.Read.All | Application | Read Microsoft Teams channel files and folders to facilitate backups. Read users' OneDrive files. |
| Group.Read.All | Application | Support Teams Meeting Recording Exclusion. |
| Sites.Read.All | Application | Read data from SharePoint sites and sites associated with Microsoft Teams. |
| User.Read.All | Application | Import users from Azure AD. |

SharePoint

| Permission | Type | Purpose |
| --- | --- | --- |
| Sites.FullControl.All | Application | Back up and restore SharePoint Online site collections, including Microsoft 365 Group Team sites and modern sites. |
| Sites.Search.All | Delegated | Run search queries as a user |
| TermStore.Read.All | Application | Back up Managed Metadata Service SharePoint Online site collections and Microsoft 365 Group Team sites. |
| User.Read.All | Delegated | Get site collection administrators during restore activity to a new site. |
| User.Read.All | Application | Back up SharePoint site users. |

Workload-specific permissions

Permissions required for each workload are listed below.

Microsoft Graph

The following table explains the permissions required to use the Microsoft Graph APIs:

| Permission | Type | Purpose |
| --- | --- | --- |
| Application.ReadWrite.All | Application | Delete service principal from the associated tenant and revoke app access from the tenant. |
| Channel.Create | Application | Restore Microsoft Teams channels. |
| Channel.ReadBasic.All | Application | Back up Microsoft Teams channel metadata. |
| ChannelMessage.Read.All | Application | Back up Microsoft Teams channel conversations (messages). |
| ChannelMember.ReadWrite.All | Application | Back up and restore Microsoft Teams channel members. |
| ChannelSettings.ReadWrite.All | Application | Back up and restore Microsoft Teams channel settings. |
| Directory.Read.All | Application | Back up and restore Microsoft Teams. |
| Directory.ReadWrite.All | Application | Restore Microsoft Teams. Note: This permission is needed only when you are using the Microsoft 365 Advanced app to protect Groups and to use the Multi-Geo support feature. The Microsoft 365 Basic app does not need this permission. For more information, see Configure Druva inSync for Microsoft 365. |
| Files.Read.All | Application | Read Microsoft Teams channel files and folders to facilitate backups. Read users' OneDrive files. |
| Group.ReadWrite.All | Delegated | Restore Microsoft Teams. |
| GroupMember.ReadWrite.All | Application | Add a member to a Microsoft 365 group or a security group through the members’ navigation property. |
| Sites.Read.All | Application | Read data from SharePoint sites and sites associated with Microsoft Teams. |
| TeamMember.ReadWrite.All | Application | Back up and restore Microsoft Teams members. |
| TeamSettings.ReadWrite.All | Application | Back up and restore Microsoft Teams settings. |
| TeamsTab.Read.All | Application | Back up Microsoft Teams tab's metadata. |
| User.Read.All | Application | Import users from Azure AD. |
| MailboxSettings.Read | Application | Get user's mailbox type |

Office 365 Exchange Online

The following table explains the permissions required to use the Office 365 Exchange Online services:

| Permission | Type | Purpose |
| --- | --- | --- |
| Calendars.ReadWrite.All | Application | Back up and restore Exchange Online calendars. |
| Contacts.ReadWrite | Application | Back up and restore Exchange Online contacts. |
| EWS.AccessAsUser.All | Delegated | Back up and restore Exchange Online mailboxes in admin context. |
| full_access_as_app | Application | Back up, restore, and discover Exchange Online mailboxes, Microsoft 365 Group mailboxes, and shared mailboxes. |
| Mail.ReadWrite | Application | Back up and restore Exchange Online mailboxes. |
| Tasks.ReadWrite | Application | Back up and restore Exchange Online tasks. |

Office 365 SharePoint Online 

The following table explains the permissions required to use the Office 365 SharePoint Online services:

| Permission | Type | Purpose |
| --- | --- | --- |
| Sites.FullControl.All | Application | Back up and restore SharePoint Online site collections, including Microsoft 365 Group Team sites and modern sites. |
| TermStore.Read.All | Application | Back up Managed Metadata Service SharePoint Online site collections and Microsoft 365 Group Team sites. |
| User.Read.All | Application | Back up SharePoint site users. |
| User.Read.All | Delegated | Get site collection administrators during restore activity to a new site. |

Microsoft Groups

The following table explains the permissions required to use Microsoft Groups:

| Permission | Type | Purpose |
| --- | --- | --- |
| Group.ReadWrite.All | Application | Back up and restore Microsoft Groups data. |
| Directory.ReadWrite.All | Application | Back up and restore group-specific settings (applies only to Microsoft 365 groups) and preferred data location (PDL) |
| RoleManagement.ReadWrite.Directory | Application | Back up only Microsoft Groups Sensitivity labels data. |
| AppRoleAssignment.ReadWrite.All | Application | Back up and restore Microsoft Groups Role Assignment data. |
| Group.ReadWrite.All | Delegated | Back up and restore Microsoft Groups data. |
| Directory.ReadWrite.All | Delegated | Restore of Microsoft Groups Sensitivity labels data and AllowExternalSenders. |
| RoleManagement.ReadWrite.Directory | Delegated | Restore of Microsoft Groups Sensitivity labels data and AllowExternalSenders. |
