Refer to the table below for the apps that you can use for Cloud Backup for Microsoft 365 and the requirements to consent to app permissions.
| Category | App type in AOS | App setup method | Feature/Module | App name in Entra ID | New or updated? | Consent |
|---|---|---|---|---|---|---|
| Service app | Cloud Backup for Microsoft 365 (All Permissions) | Modern mode | SharePoint Online; OneDrive; Project Online (for auto discovery only); Exchange Online; Public Folders (for auto discovery only); Microsoft 365 Groups; Teams; Viva Engage (for auto discovery only) | AvePoint Cloud Backup for Microsoft365 (All Permissions) | No changes | The user who consents to the app permissions must be a global administrator. |
| Service app | Cloud Backup for Microsoft 365 (SharePoint Permissions) | Modern mode | SharePoint Online; OneDrive; Project Online (for auto discovery only) | AvePoint Cloud Backup for Microsoft365 (SharePoint Permissions) | No changes | The user who consents to the app permissions must be a global administrator. |
| Service app | Cloud Backup for Microsoft 365 (Exchange Permissions) | Modern mode | Exchange Online; Public Folders (for auto discovery only) | AvePoint Cloud Backup for Microsoft365 (Exchange Permissions) | No changes | The user who consents to the app permissions must be a global administrator. |
| Service app | Cloud Backup for Microsoft 365 delegated app | Modern mode | Restore Teams channel conversations as posts; Protect Power Automate/Power Apps; Protect Power BI; Restore Planner task comments | AvePoint Online Services – Delegated App | No changes | To restore Teams channel conversations as posts, the user who consents to the app permissions must have the Global Administrator role and the Teams license. To protect Power Automate/Power Apps, the user who consents to the app permissions must have the Global Administrator role and the Environment Admin/System Administrator role. To protect Power BI, the user who consents to the app permissions must have a Power BI Pro license or a Premium Per User (PPU) license, and have the Fabric Administrator role (the former Power BI admin role). |
| Service app | Viva Engage | Modern mode / Classic mode | Viva Engage | AvePoint Online Services Administration for Viva Engage | No changes | The user who consents to the app permissions must be a Microsoft 365 Global Administrator with the Viva Engage product license. To re-authorize the Viva Engage app, the authentication user must have the Verified Admin role and the Yammer administrator role with the Viva Engage product license. |
| Service app | Cloud Backup Express | Modern mode | SharePoint Online; OneDrive; Exchange Online; Teams; Groups | AvePoint Cloud Backup Express | No changes | The user who consents to the app permissions must be a Microsoft 365 Global Administrator. To re-authorize the Cloud Backup Express app, the authentication user who provides consent to the app must have the Microsoft 365 Backup Administrator role. |
| Classic app | Microsoft 365 (All permissions) | Classic mode | SharePoint Online; OneDrive; Project Online (for auto discovery only); Exchange Online; Public Folders (for auto discovery only); Microsoft 365 Groups; Teams; Viva Engage (for auto discovery only) | AvePoint Online Services Administration for Microsoft365 | No changes | The user who consents to the app permissions must be a global administrator. |
| Classic app | Delegated app | Classic mode / Modern mode | Restore Teams channel conversations as posts; Protect Power Automate/Power Apps; Protect Power BI; Restore Planner task comments | AvePoint Online Services - Delegated App | No changes | To restore Teams channel conversations as posts, the user who consents to the app permissions must have the Global Administrator role and the Teams license. To protect Power Automate/Power Apps, the user who consents to the app permissions must have the Global Administrator role and the Environment Admin/System Administrator role. To protect Power BI, the user who consents to the app permissions must have a Power BI Pro license or a Premium Per User (PPU) license, and have the Fabric Administrator role (the former Power BI admin role). |
| Classic app | Viva Engage | Classic mode / Modern mode | Viva Engage | AvePoint Online Services Administration for Viva Engage | No changes | The user who consents to the app permissions must be a Microsoft 365 Global Administrator with the Viva Engage product license. To re-authorize the Viva Engage app, the authentication user must have the Verified Admin role and the Yammer administrator role with the Viva Engage product license. |
Protect Exchange Online and Public Folder (for auto discovery only) with AvePoint Cloud Backup – Use Cloud Backup for Microsoft 365 (Exchange Permissions) or Microsoft 365 (Exchange Permissions).
Protect SharePoint Online, OneDrive, and Project Online (for auto discovery only) with AvePoint Cloud Backup – Use Cloud Backup for Microsoft 365 (SharePoint Permissions) or Microsoft 365 (SharePoint Permissions).
Protect Microsoft 365 Groups, Teams, and Viva Engage (for auto discovery only) with AvePoint Cloud Backup – Use Cloud Backup for Microsoft 365 (All Permissions) or Microsoft 365 (All Permissions).
The apps created with all permissions also support protecting SharePoint Online, OneDrive, Project Online (for auto discovery only), Exchange Online, and Public Folders (for auto discovery only) with AvePoint Cloud Backup.
Restore Teams conversations as posts, restore Planner task comments, protect Power Automate/Power Apps, and protect Power BI with AvePoint Cloud Backup – Use Cloud Backup for Microsoft 365 Delegated App.
Protect Viva Engage (data protection) with AvePoint Cloud Backup – Use Viva Engage.
Protect SharePoint Online, OneDrive, and Exchange Online with AvePoint Cloud Backup Express – Use Cloud Backup Express.
When you create a Cloud Backup for Microsoft 365 (All permissions) app profile in AvePoint Online Services, the AvePoint Cloud Backup for Microsoft365 (All Permissions) app will be automatically set up in your Microsoft Entra ID.
The table below lists the permissions that should be accepted when you authorize the AvePoint Cloud Backup for Microsoft365 (All Permissions) app.
| API | Permission | Type | Purpose | Is newly required? |
|---|---|---|---|---|
| Microsoft Graph | TeamSettings.ReadWrite.All (Read and change all teams' settings) | Application | Back up and restore teams’ settings. | No |
| Microsoft Graph | TeamsTab.ReadWrite.All (Read and write tabs in Microsoft Teams) | Application | Back up and restore teams’ tabs. | No |
| Microsoft Graph | Sites.ReadWrite.All (Read and write items in all site collections) | Application | Back up and restore Microsoft Teams and Microsoft 365 Groups team sites data. | No |
| Microsoft Graph | Team.Create (Create teams) | Application | Restore teams. | No |
| Microsoft Graph | Group.ReadWrite.All (Read and write all groups) | Application | Scan Microsoft 365 Groups via Auto Discovery. Back up and restore Microsoft Teams and Microsoft 365 Groups data. | No |
| Microsoft Graph | Sites.Manage.All (Create, edit, and delete items and lists in all site collections) | Application | Back up and restore the lists in OneDrive. Also required if the SharePoint list has content approval settings enabled. | No |
| Microsoft Graph | Files.ReadWrite.All (Read and write files in all site collections) | Application | Back up and restore the OneDrive files. | No |
| Microsoft Graph | Directory.Read.All (Read directory data) | Application | Retrieve information for the members of Groups/Teams. Retrieve the Groups from recycle bin. | No |
| Microsoft Graph | User.Read.All (Read all users' full profiles) | Application | Retrieve the Microsoft 365 Users’ user profiles. | No |
| Microsoft Graph | TeamMember.ReadWrite.All (Add and remove members from all teams) | Application | Back up and restore teams’ members. | No |
| Microsoft Graph | Chat.Read.All (Read all chat messages) | Application | Back up the Teams chat messages. | No |
| Microsoft Graph | ChannelMessage.Read.All (Read all channel messages) | Application | Back up and restore the members and messages of the Team’s private channels. | No |
| Microsoft Graph | TeamsAppInstallation.ReadWriteForTeam.All (Manage Teams apps for all teams) | Application | Back up and restore teams’ apps. | No |
| Microsoft Graph | ChannelMember.ReadWrite.All (Add and remove members from all channels) | Application | Back up and restore the members and messages of the Team’s private channels. | No |
| Microsoft Graph | Tasks.ReadWrite.All (Read and write all users’ tasks and task lists) | Application | Back up and restore Planner data. | No |
| Microsoft Graph | ChannelSettings.ReadWrite.All (Read and write the names, descriptions, and settings of all channels) | Application | Retrieve channel information for the data protection of Teams service. | No |
| Microsoft Graph | Channel.Create (Create channels) | Application | Restore teams’ channels. | No |
| Microsoft Graph | Sites.FullControl.All (Have full control of all site collections) | Application | Back up and restore site collections. | No |
| Microsoft Graph | Reports.Read.All (Read all usage reports) | Application | Retrieve data size directly to improve the efficiency of Subscription Consumption Report. | No |
| Microsoft Graph | MailboxItem.ImportExport.All (Allows the app to perform backup and restore for all mailbox items) | Application | Retrieve mailbox items. | Yes |
| Microsoft Graph | MailboxFolder.ReadWrite.All (Read and write all the users' mailbox folders) | Application | Back up and restore mailbox folders. | Yes |
| Microsoft Graph | MailboxItem.Read.All (Read all the users' mailbox items) | Application | Back up and restore mailbox items. | Yes |
| Microsoft Graph | Teamwork.Migrate.All (Create chat and channel messages with anyone's identity and with any timestamp) | Application | Restore channel conversation messages for Teams. | Yes |
| Office 365 Exchange Online | full_access_as_app (Use Exchange Web Services with full access to all mailboxes) | Application | Back up and restore mailboxes. | No |
| Office 365 Exchange Online | Exchange.ManageAsApp (Manage Exchange as Application) | Application | Scan in-place archived mailboxes. | No |
| SharePoint/Office 365 SharePoint Online | User.ReadWrite.All (Read and write user profiles) | Application | Back up and restore Microsoft 365 user profiles related information in sites. | No |
| SharePoint/Office 365 SharePoint Online | TermStore.ReadWrite.All (Read and write managed metadata) | Application | Back up and restore Managed Metadata Service. | No |
| SharePoint/Office 365 SharePoint Online | Sites.FullControl.All (Have full control of all site collections) | Application | Back up and restore site collections. | No |
When you create a Cloud Backup for Microsoft 365 (SharePoint permissions) app profile in AvePoint Online Services, the AvePoint Cloud Backup for Microsoft365 (SharePoint Permissions) app will be automatically set up in your Microsoft Entra ID.
The table below lists the permissions that should be accepted when you authorize the AvePoint Cloud Backup for Microsoft365 (SharePoint Permissions) app.
| API | Permission | Type | Purpose | Is newly required? |
|---|---|---|---|---|
| Microsoft Graph | Sites.ReadWrite.All (Read and write items in all site collections) | Application | Back up and restore the OneDrive content. | No |
| Microsoft Graph | Sites.Manage.All (Create, edit, and delete items and lists in all site collections) | Application | Back up and restore the lists in OneDrive. Also required if the SharePoint list has content approval settings enabled. | No |
| Microsoft Graph | Files.ReadWrite.All (Read and write files in all site collections) | Application | Back up and restore the OneDrive files. | No |
| Microsoft Graph | Directory.Read.All (Read directory data) | Application | Retrieve your Microsoft 365 tenant information. | No |
| Microsoft Graph | User.Read.All (Read all users' full profiles) | Application | Retrieve the UPN for the authors or editors. | No |
| Microsoft Graph | Sites.FullControl.All (Have full control of all site collections) | Application | Back up some files in specific conditions, such as DLP-sensitive files. | No |
| Microsoft Graph | Reports.Read.All (Read all usage reports) | Application | Retrieve data size directly, which improves the efficiency of the Subscription Consumption Report. | No |
| Microsoft Information Protection Sync Service | UnifiedPolicy.Tenant.Read (Read all unified policies of the tenant) | Application | Retrieve information of published sensitivity labels from Microsoft 365. | No |
| Office 365 Management APIs | ActivityFeed.Read (Read activity data for your organization) | Application | Retrieve activity data in your organization to generate reports. | No |
| SharePoint/Office 365 SharePoint Online | Sites.FullControl.All (Have full control of all site collections) | Application | Retrieve information of SharePoint Online site collections that are scanned by auto discovery. | No |
| SharePoint/Office 365 SharePoint Online | User.ReadWrite.All (Read and write user profiles) | Application | Retrieve information of Microsoft 365 user profiles related to OneDrive that are scanned by auto discovery. | No |
| SharePoint/Office 365 SharePoint Online | TermStore.ReadWrite.All (Read and write managed metadata) | Application | Back up and restore Managed Metadata Service of SharePoint Online site collections and Microsoft 365 Group team sites. | No |
| Windows Azure Active Directory | User.Read (Sign in and read user profile) | Delegated | Support signing into Cloud Backup for Microsoft 365 with Microsoft 365 accounts. | No |
When you create a Cloud Backup for Microsoft 365 (Exchange permissions) app profile in AvePoint Online Services, the AvePoint Cloud Backup for Microsoft365 (Exchange Permissions) app will be automatically set up in your Microsoft Entra ID.
The table below lists the permissions that should be accepted when you authorize the AvePoint Cloud Backup for Microsoft365 (Exchange Permissions) app.
| API | Permission | Type | Purpose | Is newly required? |
|---|---|---|---|---|
| Office 365 Exchange Online | full_access_as_app (Use Exchange Web Services with full access to all mailboxes) | Application | Scan, back up, and restore mailboxes. | No |
| Office 365 Exchange Online | Exchange.ManageAsApp (Manage Exchange as Application) | Application | Scan in-place archived mailboxes. | No |
| Windows Azure Active Directory | User.Read (Sign in and read user profile) | Delegated | Support signing into Cloud Backup for Microsoft 365 with Microsoft 365 accounts. | No |
| Microsoft Graph | MailboxSettings.Read (Read all user mailbox settings) | Application | Scan Exchange Online mailboxes. | No |
| Microsoft Graph | Directory.Read.All (Read directory data) | Application | Retrieve your Microsoft 365 tenant information. | No |
| Microsoft Graph | User.Read.All (Read all users' full profiles) | Application | Verify the impersonation accounts for Public Folders, and back up and restore mailboxes. | No |
| Microsoft Graph | Reports.Read.All (Read all usage reports) | Application | Retrieve data size directly, which improves the efficiency of the subscription consumption report. | No |
| Microsoft Graph | MailboxItem.ImportExport.All (Allows the app to perform backup and restore for all mailbox items) | Application | Retrieve mailbox items. | Yes |
| Microsoft Graph | MailboxFolder.ReadWrite.All (Read and write all the users' mailbox folders) | Application | Back up and restore mailbox folders. | Yes |
| Microsoft Graph | MailboxItem.Read.All (Read all the users' mailbox items) | Application | Back up and restore mailbox items. | Yes |
The AvePoint Online Services – Delegated App can be created through App management > Classic mode > Delegated app > Cloud Backup for Microsoft 365, or through Modern mode > Cloud Backup for Microsoft 365 > Cloud Backup for Microsoft 365 delegated app.
Note: If you are new to Cloud Backup services for Power Platform objects, you must re-authorize your Delegated app for Power Automate / Power Apps / Power BI.
| API | Permission | Type | Purpose | Is newly required? |
|---|---|---|---|---|
| Microsoft Graph | openid (Sign users in) | Delegated | Allows the app to authenticate users by retrieving their consent. | No |
| Microsoft Graph | profile (View users’ basic profile) | Delegated | Retrieves users’ profile information. | No |
| Microsoft Graph | offline_access (Maintain access to data you have given it access to) | Delegated | Maintains access over an extended period without requiring the user to re-authorize frequently. | No |
| Microsoft Graph | Group.ReadWrite.All (Read and write all groups) | Delegated | Gets conversation thread. | No |
| Microsoft Graph | ChannelMessage.Send (Send channel messages) | Delegated | Sends messages to channels in Microsoft Teams. | No |
| Microsoft Graph | TeamMember.ReadWrite.All (Add and remove members from teams) | Delegated | Adds members to Microsoft Teams. | No |
| Microsoft Graph | ChannelMember.ReadWrite.All (Add and remove members from channels) | Delegated | Adds members to channels in Microsoft Teams. | No |
| Microsoft Graph | Directory.Read.All (Read directory data) | Delegated | Retrieves the profile and domain information of all users in your Microsoft 365 tenant. | No |
| Commercial environment: Power BI Services; GCC or GCC High environment: Microsoft Power BI Government Community Cloud | Tenant.ReadWrite.All (Read and write all content in tenant) | Delegated | Retrieves the workspaces and backs up, or adds users to a workspace. | No |
| Commercial environment: Power BI Services; GCC or GCC High environment: Microsoft Power BI Government Community Cloud | Workspace.ReadWrite.All (Read and write all workspaces) | Delegated | Gets and restores workspaces. | No |
| Commercial environment: Power BI Services; GCC or GCC High environment: Microsoft Power BI Government Community Cloud | Capacity.Read.All (View all capacities) | Delegated | Retrieves capacities (including multi-geo). | No |
| Commercial environment: Power BI Services; GCC or GCC High environment: Microsoft Power BI Government Community Cloud | Report.ReadWrite.All (Read and write all reports) | Delegated | Performs backup for reports. | No |
| Commercial environment: Power BI Services; GCC or GCC High environment: Microsoft Power BI Government Community Cloud | Dataset.ReadWrite.All (Read and write all datasets) | Delegated | Performs backup and restore for reports. | No |
| Commercial environment: PowerApps Service; GCC environment: PowerApps Service – GCC; GCC High environment: PowerApps Service – GCC L4 | User (Access the PowerApps Service API) | Delegated | Retrieves information on Cloud Flows in Power Automate. Retrieves Power Apps Canvas apps and component libraries for auto discovery and backup. | No |
| Commercial environment: Dynamics CRM; GCC or GCC High environment: Dataverse | user_impersonation (Access Common Data Service as organization users) | Delegated | Retrieves information on Desktop Flows and Business Process Flows in Power Automate. Retrieves Power Apps Canvas apps and component libraries. | No |
When you create a Cloud Backup Express app profile in AvePoint Online Services, the AvePoint Cloud Backup Express app will be automatically set up in your Microsoft Entra ID.
The table below lists the permissions that should be accepted when you authorize the AvePoint Cloud Backup Express app.
When creating the Cloud Backup Express app profile, the consent user must be a Microsoft 365 Global Administrator. To re-authorize the Cloud Backup Express app, the consent user must have the Microsoft 365 Backup Administrator role.
| API | Permission | Type | Purpose | Is newly required? |
|---|---|---|---|---|
| Office 365 Exchange Online | Exchange.ManageAsApp (Manage Exchange as Application) | Application | Scan mailboxes. | No |
| SharePoint/Office 365 SharePoint Online | Sites.FullControl.All (Have full control of all site collections) | Application | Scan SharePoint Online site collections. | No |
| SharePoint/Office 365 SharePoint Online | User.Read.All (Read user profiles) | Application | Retrieve the Microsoft 365 Users’ user profiles. | No |
| Microsoft Graph | BackupRestore-Configuration.ReadWrite.All (Read and edit all backup configuration policies) | Application | Update backup settings and trigger backup jobs in Microsoft 365. | No |
| Microsoft Graph | BackupRestore-Control.ReadWrite.All (Update or read the status of the Microsoft 365 backup service) | Application | Improve the tenant offboarding logic to handle cases where delegated tokens are unavailable. | Yes |
| Microsoft Graph | BackupRestore-Restore.ReadWrite.All (Read all restore sessions and start restore sessions from backups) | Application | Perform data recovery. | No |
| Microsoft Graph | BackupRestore-Search.Read.All (Search for metadata properties in all backup snapshots) | Application | Retrieve recovery points. | No |
| Microsoft Graph | Directory.Read.All (Read directory data) | Application | Retrieve users and Groups. | No |
| Microsoft Graph | Group.Read.All (Read all groups) | Application | Scan Microsoft 365 Groups and Teams. | No |
| Microsoft Graph | Reports.Read.All (Read all usage reports) | Application | Retrieve Microsoft 365 data size. | No |
| Microsoft Graph | Sites.Read.All (Read items in all site collections) | Application | Read and list sites for the sync of recovery points. | No |
| Microsoft Graph | User.Read.All (Read all users' full profiles) | Application | Read and list users for the sync of recovery points. | No |
| Microsoft Graph | BackupRestore-Configuration.ReadWrite.All (Read and edit backup configuration policies) | Delegated | Perform data deletion for data subject access requests. | No |
| Microsoft Graph | BackupRestore-Control.ReadWrite.All (Manage backup controller) | Delegated | Manage app for bill consuming and enable backup service. | No |