Druva Documentation

Microsoft 365 Permissions for Druva App

Overview

To use data protection services for your Microsoft 365 account, you must authorize the Druva app to access your Microsoft 365 tenant. The authorization is mandatory so that the app has the required permissions to back up and restore the Microsoft 365 data. For more information, see authorization to access Microsoft 365 tenant.

When you configure a Microsoft 365 account for backup from the inSync Management Console, you are redirected to the Microsoft Azure console, from where you can grant access to the tenant.

Permission Types

The requested permissions are of the following types:

| Permission Type | Description |
|---|---|
| Application | Allows an application in Azure Active Directory (AD) to perform actions using admin-driven consent. |
| Delegated | Allows an application in Azure Active Directory (AD) to perform actions on behalf of a particular user. |

For more information, see Microsoft Graph Permissions.

Microsoft Graph

The following table explains the permissions required to use the Microsoft Graph APIs:

| # | Permission | Type | Purpose |
|---|---|---|---|
| 1 | Application.Read.All | Application | Permission to check if the auxiliary app has access to the associated Microsoft 365 tenant. |
| 2 | Channel.Create | Application | Restore Microsoft Teams channels. |
| 3 | Channel.ReadBasic.All | Application | Backup of Microsoft Teams channel metadata. |
| 4 | ChannelMessage.Read.All | Application | Backup of Microsoft Teams channel conversations (messages). |
| 5 | ChannelMember.ReadWrite.All | Application | Backup and restore of Microsoft Teams channel members. |
| 6 | ChannelSettings.ReadWrite.All | Application | Backup and restore of Microsoft Teams channel settings. |
| 7 | Directory.ReadWrite.All | Application | Import Azure Active Directory (AD) users to inSync and check for Multi-Geo tenancy. |
| 8 | Files.Read.All | Application | Read Microsoft Teams channel files and folders to facilitate backups. Read users' OneDrive files. |
| 9 | Group.Create | Application | Restore or create Microsoft Teams using group id. |
| 10 | Group.Read.All | Delegated | Support Microsoft Teams discovery, search, and group information. |
| 11 | Group.ReadWrite.All | Application | Support Microsoft Teams discovery, search, and group information. |
| 12 | GroupMember.ReadWrite.All | Application | Add a member to a Microsoft 365 group or a security group through the members’ navigation property. |
| 13 | Sites.Read.All | Application | Read data from associated Microsoft Teams sites. |
| 14 | TeamMember.ReadWrite.All | Application | Backup and restore of Microsoft Teams members. |
| 15 | TeamSettings.ReadWrite.All | Application | Backup and restore of Microsoft Teams settings. |
| 16 | TeamsTab.Read.All | Application | Backup of Microsoft Teams tabs metadata. |
| 17 | User.ReadWrite.All | Application | Discover user’s OneDrive site; create user objects for owners or members of Microsoft Teams; search users within Azure Active Directory (AD). |

Office 365 Exchange Online

The following table explains the permissions required to use the Office 365 Exchange Online services:

| # | Permission | Type | Purpose |
|---|---|---|---|
| 1 | Application.ReadWrite.All | Application | Delete the service principal from the associated tenant; also used to revoke app access from the tenant. |
| 2 | Calendars.Read | Application | Backup of Exchange Online calendars. |
| 3 | Calendars.Read | Delegated | Backup of Exchange Online calendars. |
| 4 | Calendars.ReadWrite.All | Application | Backup and restore of Exchange Online calendars. |
| 5 | Contacts.Read | Application | Backup of Exchange Online contacts. |
| 6 | Contacts.Read | Delegated | Backup of Exchange Online contacts. |
| 7 | Contacts.ReadWrite | Application | Backup and restore of Exchange Online contacts. |
| 8 | EWS.AccessAsUser.All | Delegated | Backup and restore of Exchange Online mailboxes in admin context. |
| 9 | full_access_as_app | Application | Backup, restore, and discover Exchange Online mailboxes, Microsoft 365 Group mailboxes, and shared mailboxes. |
| 10 | Mail.Read | Application | Backup of Exchange Online mailboxes. |
| 11 | Mail.Read | Delegated | Backup of Exchange Online mailboxes. |
| 12 | Mail.ReadWrite | Application | Backup and restore of Exchange Online mailboxes. |
| 13 | Tasks.ReadWrite | Application | Backup and restore of Exchange Online tasks. |
| 14 | Tasks.ReadWrite | Delegated | Backup and restore of Exchange Online tasks. |
| 15 | Tasks.ReadWrite.Shared | Delegated | Backup and restore of an Exchange Online user and shared tasks. |

Office 365 SharePoint Online 

The following table explains the permissions required to use the Office 365 SharePoint Online services:

| # | Permission | Type | Purpose |
|---|---|---|---|
| 1 | AllSites.Read | Delegated | Read all site content, such as Settings, List, and Libraries. |
| 2 | Sites.FullControl.All | Application | Backup and restore of SharePoint Online site collections, including Microsoft 365 Group Team sites and modern sites. |
| 3 | TermStore.Read.All | Application | Backup of Managed Metadata Service of SharePoint Online site collections and Microsoft 365 Group Team sites. |
| 4 | TermStore.Read.All | Delegated | Backup of Managed Metadata Service of SharePoint Online site collections and Microsoft 365 Group Team sites. |
| 5 | User.Read.All | Application | Backup of SharePoint site users. |
| 6 | User.Read.All | Delegated | Get site collection administrators during restore activity to a new site. |

Windows Azure Active Directory (AD) 

The following table explains the permissions required to use the Windows Azure Active Directory (AD) services:

| # | Permission | Type | Purpose |
|---|---|---|---|
| 1 | Directory.Read.All | Application | Scan and import Azure Active Directory (AD) users to inSync. |
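
A consent-drift check built from the permission tables above, added here as an example (it is not Druva's or Microsoft's code): it compares the permissions actually granted to the app in a tenant with the documented set and reports any grant that is not on this page. The input tuples are constructed and assumed to be already resolved to permission names; `baseline`, `audit` and the name-based `review_first` heuristic are illustrative names and choices, not part of any product.

```python
# Documented baseline from this page. Type codes: A = Application, D = Delegated.
DOCUMENTED = {
    "Microsoft Graph": (
        "Application.Read.All:A Channel.Create:A Channel.ReadBasic.All:A "
        "ChannelMessage.Read.All:A ChannelMember.ReadWrite.All:A "
        "ChannelSettings.ReadWrite.All:A Directory.ReadWrite.All:A Files.Read.All:A "
        "Group.Create:A Group.Read.All:D Group.ReadWrite.All:A "
        "GroupMember.ReadWrite.All:A Sites.Read.All:A TeamMember.ReadWrite.All:A "
        "TeamSettings.ReadWrite.All:A TeamsTab.Read.All:A User.ReadWrite.All:A"),
    "Office 365 Exchange Online": (
        "Application.ReadWrite.All:A Calendars.Read:A Calendars.Read:D "
        "Calendars.ReadWrite.All:A Contacts.Read:A Contacts.Read:D Contacts.ReadWrite:A "
        "EWS.AccessAsUser.All:D full_access_as_app:A Mail.Read:A Mail.Read:D "
        "Mail.ReadWrite:A Tasks.ReadWrite:A Tasks.ReadWrite:D Tasks.ReadWrite.Shared:D"),
    "Office 365 SharePoint Online": (
        "AllSites.Read:D Sites.FullControl.All:A TermStore.Read.All:A "
        "TermStore.Read.All:D User.Read.All:A User.Read.All:D"),
    "Windows Azure Active Directory": "Directory.Read.All:A",
}
TYPES = {"A": "Application", "D": "Delegated"}

def baseline():
    """Expand DOCUMENTED into a set of (resource, permission, type) tuples."""
    return {(res, tok.rsplit(":", 1)[0], TYPES[tok.rsplit(":", 1)[1]])
            for res, spec in DOCUMENTED.items() for tok in spec.split()}

def audit(granted):
    """Compare granted (resource, permission, type) tuples with the page's tables."""
    expected, granted = baseline(), set(granted)
    broad = ("ReadWrite", "FullControl", "full_access")  # name-based heuristic (assumption)
    return {
        "undocumented": sorted(granted - expected),   # granted, but not listed on this page
        "not_granted": sorted(expected - granted),    # listed here, but absent in the tenant
        "review_first": sorted(g for g in granted & expected
                               if g[2] == "Application" and any(b in g[1] for b in broad)),
    }

# Constructed sample: grants as they might look once a service principal's
# application and delegated grants have been resolved to permission names.
SAMPLE = [
    ("Microsoft Graph", "Files.Read.All", "Application"),
    ("Microsoft Graph", "Group.Read.All", "Delegated"),
    ("Microsoft Graph", "Mail.Send", "Application"),                   # not in the tables
    ("Office 365 Exchange Online", "full_access_as_app", "Application"),
    ("Office 365 SharePoint Online", "AllSites.Read", "Application"),  # documented as Delegated
]

if __name__ == "__main__":
    print(audit(SAMPLE)["undocumented"])
```

A permission granted under a different type than the tables list (the last sample row) is reported as undocumented, because an Application grant does not depend on a signed-in user the way a Delegated grant does.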
