Microsoft 365 Permissions for Druva App
Overview
To leverage data protection services for your Microsoft 365 account, the Druva app requires you to authorize access to your Microsoft 365 tenant. The authorization is mandatory so that the app has the required permissions to backup and restore the Microsoft 365 data. For more information, see authorization to access Microsoft 365 tenant.
When you configure a Microsoft 365 account for backup from the inSync Management Console, you are redirected to the Microsoft Azure console, from where you can grant access to the tenant.
Permission Types
The requested permissions comprise of the following types:
| Permission Type | Description |
|---|---|
|
Application |
Allows an application in Azure Active Directory (AD) to perform actions using admin-driven consent. |
|
Delegated |
Allows an application in Azure Active Directory (AD) to perform actions on behalf of a particular user. |
For more information, see Microsoft Graph Permissions.
Microsoft Graph
The following table explains the permissions required to use the Microsoft Graph APIs:
| # | Permission | Type | Purpose |
|---|---|---|---|
| 1. |
Application.Read.All |
Application |
Permission to check if the auxiliary app has access to the associated Microsoft 365 tenant. |
| 2. |
Channel.Create |
Application |
Restore Microsoft Teams channels. |
| 3. |
Channel.ReadBasic.All |
Application |
Backup of Microsoft Teams channel metadata. |
| 4. |
ChannelMessage.Read.All |
Application |
Backup of Microsoft Teams channel conversations (messages). |
| 5. |
ChannelMember.ReadWrite.All |
Application |
Backup and restore of Microsoft Teams channel members. |
| 6. |
ChannelSettings.ReadWrite.All |
Application |
Backup and restore of Microsoft Teams channel settings. |
| 7. |
Directory.ReadWrite.All |
Application |
Import Azure Active Directory (AD) users to inSync and check for Multi-Geo tenancy. |
| 8. |
Files.Read.All |
Application |
Read Microsoft Teams channel files and folders to facilitate backups. Read users' OneDrive files. |
| 9. |
Group.Create |
Application |
Restore or create Microsoft Teams using group id. |
| 10. |
Group.Read.All |
Delegated |
Support Microsoft Teams discovery, search, and group information. |
| 11. |
Group.ReadWrite.All |
Application |
Support Microsoft Teams discovery, search, and group information. |
| 12. |
GroupMember.ReadWrite.All |
Application |
Add a member to a Microsoft 365 group or a security group through the members’ navigation property. |
| 13. |
Sites.Read.All |
Application |
Read data from associated Microsoft Teams sites. |
| 14. |
TeamMember.ReadWrite.All |
Application |
Backup and restore of Microsoft Teams members. |
| 15. |
TeamSettings.ReadWrite.All |
Application |
Backup and restore of Microsoft Teams settings. |
| 16. |
TeamsTab.Read.All |
Application |
Backup of Microsoft Teams tabs metadata. |
| 17. |
User.ReadWrite.All |
Application |
|
Office 365 Exchange Online
The following table explains the permissions required to use the Office 365 Exchange Online services:
| # | Permission | Type | Purpose |
|---|---|---|---|
| 1. |
Application.ReadWrite.All |
Application |
Delete service principal from the associated tenant and also used to revoke app access from the tenant. |
| 2. |
Calendars.Read |
Application |
Backup of Exchange Online calendars. |
| 3. |
Calendars.Read |
Delegated |
Backup of Exchange Online calendars. |
| 4. |
Calendars.ReadWrite.All |
Application |
Backup and restore of Exchange Online calendars. |
| 5. |
Contacts.Read |
Application |
Backup of Exchange Online contacts. |
| 6. |
Contacts.Read |
Delegated |
Backup of Exchange Online contacts. |
| 7. |
Contacts.ReadWrite |
Application |
Backup and restore of Exchange Online contacts. |
| 8. |
EWS.AccessAsUser.All |
Delegated |
Backup and restore of Exchange Online mailboxes in admin context. |
| 9. |
full_access_as_app |
Application |
Backup, restore, and discover Exchange Online mailboxes, Microsoft 365 Group mailboxes, and shared mailboxes. |
| 10. |
Mail.Read |
Application |
Backup of Exchange Online mailboxes. |
| 11. |
Mail.Read |
Delegated |
Backup of Exchange Online mailboxes. |
| 12. |
Mail.ReadWrite |
Application |
Backup and restore of Exchange Online mailboxes. |
| 13. |
Tasks.ReadWrite |
Application |
Backup and restore of Exchange Online tasks. |
| 14. |
Tasks.ReadWrite |
Delegated |
Backup and restore of Exchange Online tasks. |
| 15. |
Tasks.ReadWrite.Shared |
Delegated |
Backup and restore of an Exchange Online user and shared tasks. |
Office 365 SharePoint Online
The following table explains the permissions required to use the Office 365 SharePoint Online services:
| # | Permission | Type | Purpose |
|---|---|---|---|
| 1. |
AllSites.Read |
Delegated |
Read all site content, such as Settings, List, and Libraries. |
| 2. |
Sites.FullControl.All |
Application |
Backup and restore of SharePoint Online site collections, including Microsoft 365 Group Team sites and modern sites. |
| 3. |
TermStore.Read.All |
Application |
Backup of Managed Metadata Service of SharePoint Online site collections and Microsoft 365 Group Team sites. |
| 4. |
TermStore.Read.All |
Delegated |
Backup of Managed Metadata Service of SharePoint Online site collections and Microsoft 365 Group Team sites. |
| 5. |
User.Read.All |
Application |
Backup of SharePoint site users. |
| 6. |
User.Read.All |
Delegated |
Get site collection administrators during restore activity to a new site. |
Windows Azure Active Directory (AD)
The following table explains the permissions required to use the Windows Azure Active Directory (AD) services:
| # | Permission | Type | Purpose |
|---|---|---|---|
| 1. |
Directory.Read.All |
Application |
Scan and import Azure Active Directory (AD) users to inSync. |