Home > Manage App Profiles > API Permissions Required by AvePoint Apps > Apps for Individual Services > Cloud Backup for IaaS + PaaS > Cloud Backup for Azure
Export to PDFCloud Backup for Azure
When you create a Cloud Backup for Azure app profile in AvePoint Online Services, the AvePoint Cloud Backup for Azure app will be automatically set up in your Microsoft Entra ID.
The table below lists the permissions that should be accepted when you authorize the AvePoint Cloud Backup for Azure app.
| API | Permission | Type | Purpose | Last update |
|---|---|---|---|---|
| Microsoft Graph | AdministrativeUnit.ReadWrite.All(Read and write administrative units) | Application | Allows the app to create, read, update, and delete administrative units and manage administrative unit membership on behalf of the signed-in user. | |
| Microsoft Graph | Application.ReadWrite.All(Read and write all apps) | Application | Allows the app to create, read, update and delete applications and service principals on behalf of the signed-in user. | |
| Microsoft Graph | AppRoleAssignment.ReadWrite.All(Manage app permission grants and app role assignments) | Application | Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, on behalf of the signed-in user. | |
| Microsoft Graph | AuditLog.Read.All(Read all audit log data) | Application | Allows the app to read and query your audit log activities, without a signed-in user. | December 2023 |
| Microsoft Graph | Directory.ReadWrite.All(Read and write directory data) | Application | Allows the app to read and write data in your organization's directory, such as users, and groups. It does not allow the app to delete users or groups or reset user passwords. | |
| Microsoft Graph | Group.ReadWrite.All(Read and write all groups) | Application | Allows the app to create groups and read all group properties and memberships on behalf of the signed-in user. Also allows the app to read and write calendars, conversations, files, and other group content for all groups the signed-in user can access. Additionally allows group owners to manage their groups and allows group members to update group content. | |
| Microsoft Graph | RoleManagement.ReadWrite.Directory(Read and write all directory RBAC settings) | Application | Allows the app to read and manage the role-based access control (RBAC) settings for your company's directory, on behalf of the signed-in user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles, and memberships. | |
| Microsoft Graph | User.ReadWrite.All(Read and write all users’ full profiles) | Application | Allows the app to read and write the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user. Also allows the app to create and delete users as well as reset user passwords on behalf of the signed-in user. | |
| Microsoft Graph | User.Read(Sign in and read user profile) | Delegated | Allows users to sign in to AvePoint Online Services with Microsoft 365 accounts. | |
| Microsoft Graph | BitlockerKey.Read.All(Read BitLocker keys) | Delegated | Enables the app to access BitLocker keys for the signed-in user's devices, allowing it to read the recovery key. | October 2023 |
| Microsoft Graph | BitlockerKey.Read.All(Read all BitLocker keys) | Application | Enables the app to access BitLocker keys for the signed-in user's devices, allowing it to read the recovery key. | December 2024 |
| Microsoft Graph | Policy.Read.All(Read your organization's policies) | Application | Allows the app to read all your organization's policies without a signed in user. | April 2025 |
| Microsoft Graph | Organization.Read.All(Read organization information) | Application | Retrieves all organizational branding. | November 2022 |
| Microsoft Graph | Policy.ReadWrite.AuthenticationMethod(Read and write all authentication method policies) | Application | Retrieves all authentication method policies and configurations. | November 2022 |
| Microsoft Graph | Policy.ReadWrite.ConditionalAccess(Read and write your organization's conditional access policies.) | Application | Allows the app to read and write your organization's conditional access policies, without a signed-in user. | March 2023 |
| Microsoft Graph | Policy.ReadWrite.Authorization(Read and write your organization’s authorization policy) | Application | Allows the app to update the group general settings to enable or disable the capability for the users to create security groups. | June 2023 |
| Microsoft Graph | UserAuthenticationMethod.ReadWrite.All (preview)(Read and write all users' authentication methods) | Application | Allows the application to read and write authentication methods of all users in your organization without a signed-in user. Authentication methods include information like a user’s phone number and Authenticator app settings. This does not allow the app to see sensitive information, such as the password, or to sign in or use the authentication methods. | November 2022 |
| Microsoft Graph | DeviceManagementConfiguration.ReadWrite.All(Read and write Microsoft Intune device configuration and policies) | Application | Allows the app to read and write properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups, without a signed-in user. | February 2024 |
| Microsoft Graph | DeviceManagementApps.ReadWrite.All(Read and write Microsoft Intune apps) | Application | Allows the app to read and write the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune, without a signed-in user. | February 2024 |
| Microsoft Graph | DeviceManagementApps.ReadWrite.All(Read and write Microsoft Intune apps) | Delegated | Allows the app to read and write the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune, without a signed-in user. | April 2024 |
| Microsoft Graph | DeviceManagementRBAC.Read.All(Read Microsoft Intune RBAC settings) | Application | Allows the app to read the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings, without a signed-in user. | June 2024 |
| Microsoft Graph | Domain.Read.All(Read domains) | Application | Allows the app to read all domain properties without a signed-in user. | April 2025 |
| Office 365 Exchange Online | Exchange.ManageAsApp(Manage Exchange As Application) | Application | Allows the backup and restore of the distribution lists in MFA-enabled tenants. | November 2022 |
On this page