Cloud Backup for Azure

    When you create a Cloud Backup for Azure app profile in AvePoint Online Services, the AvePoint Cloud Backup for Azure app will be automatically set up in your Microsoft Entra ID.

    The table below lists the permissions that should be accepted when you authorize the AvePoint Cloud Backup for Azure app.

    | API | Permission | Type | Purpose | Last update |
    | --- | --- | --- | --- | --- |
    | Microsoft Graph | AdministrativeUnit.ReadWrite.All (Read and write administrative units) | Application | Allows the app to create, read, update, and delete administrative units and manage administrative unit membership on behalf of the signed-in user. | |
    | Microsoft Graph | Application.ReadWrite.All (Read and write all apps) | Application | Allows the app to create, read, update and delete applications and service principals on behalf of the signed-in user. | |
    | Microsoft Graph | AppRoleAssignment.ReadWrite.All (Manage app permission grants and app role assignments) | Application | Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, on behalf of the signed-in user. | |
    | Microsoft Graph | AuditLog.Read.All (Read all audit log data) | Application | Allows the app to read and query your audit log activities, without a signed-in user. | December 2023 |
    | Microsoft Graph | Directory.ReadWrite.All (Read and write directory data) | Application | Allows the app to read and write data in your organization's directory, such as users, and groups. It does not allow the app to delete users or groups or reset user passwords. | |
    | Microsoft Graph | Group.ReadWrite.All (Read and write all groups) | Application | Allows the app to create groups and read all group properties and memberships on behalf of the signed-in user. Also allows the app to read and write calendars, conversations, files, and other group content for all groups the signed-in user can access. Additionally allows group owners to manage their groups and allows group members to update group content. | |
    | Microsoft Graph | RoleManagement.ReadWrite.Directory (Read and write all directory RBAC settings) | Application | Allows the app to read and manage the role-based access control (RBAC) settings for your company's directory, on behalf of the signed-in user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles, and memberships. | |
    | Microsoft Graph | User.ReadWrite.All (Read and write all users’ full profiles) | Application | Allows the app to read and write the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user. Also allows the app to create and delete users as well as reset user passwords on behalf of the signed-in user. | |
    | Microsoft Graph | User.Read (Sign in and read user profile) | Delegated | Allows users to sign in to AvePoint Online Services with Microsoft 365 accounts. | |
    | Microsoft Graph | BitlockerKey.Read.All (Read BitLocker keys) | Delegated | Enables the app to access BitLocker keys for the signed-in user's devices, allowing it to read the recovery key. | October 2023 |
    | Microsoft Graph | BitlockerKey.Read.All (Read all BitLocker keys) | Application | Enables the app to access BitLocker keys for the signed-in user's devices, allowing it to read the recovery key. | December 2024 |
    | Microsoft Graph | Policy.Read.All (Read your organization's policies) | Application | Allows the app to read all your organization's policies without a signed in user. | April 2025 |
    | Microsoft Graph | Organization.Read.All (Read organization information) | Application | Retrieves all organizational branding. | November 2022 |
    | Microsoft Graph | Policy.ReadWrite.AuthenticationMethod (Read and write all authentication method policies) | Application | Retrieves all authentication method policies and configurations. | November 2022 |
    | Microsoft Graph | Policy.ReadWrite.ConditionalAccess (Read and write your organization's conditional access policies.) | Application | Allows the app to read and write your organization's conditional access policies, without a signed-in user. | March 2023 |
    | Microsoft Graph | Policy.ReadWrite.Authorization (Read and write your organization’s authorization policy) | Application | Allows the app to update the group general settings to enable or disable the capability for the users to create security groups. | June 2023 |
    | Microsoft Graph | UserAuthenticationMethod.ReadWrite.All (preview) (Read and write all users' authentication methods) | Application | Allows the application to read and write authentication methods of all users in your organization without a signed-in user. Authentication methods include information like a user’s phone number and Authenticator app settings. This does not allow the app to see sensitive information, such as the password, or to sign in or use the authentication methods. | November 2022 |
    | Microsoft Graph | DeviceManagementConfiguration.ReadWrite.All (Read and write Microsoft Intune device configuration and policies) | Application | Allows the app to read and write properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups, without a signed-in user. | February 2024 |
    | Microsoft Graph | DeviceManagementApps.ReadWrite.All (Read and write Microsoft Intune apps) | Application | Allows the app to read and write the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune, without a signed-in user. | February 2024 |
    | Microsoft Graph | DeviceManagementApps.ReadWrite.All (Read and write Microsoft Intune apps) | Delegated | Allows the app to read and write the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune, without a signed-in user. | April 2024 |
    | Microsoft Graph | DeviceManagementRBAC.Read.All (Read Microsoft Intune RBAC settings) | Application | Allows the app to read the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings, without a signed-in user. | June 2024 |
    | Microsoft Graph | Domain.Read.All (Read domains) | Application | Allows the app to read all domain properties without a signed-in user. | April 2025 |
    | Office 365 Exchange Online | Exchange.ManageAsApp (Manage Exchange As Application) | Application | Allows the backup and restore of the distribution lists in MFA-enabled tenants. | November 2022 |