Enable Backup for Azure AD B2C

To back up Azure AD B2C data, you can choose to create a service app, or use a custom Azure app with the required permissions. For details on creating a custom Azure app in your tenant, refer to .
Complete the steps below:

1. Before you enable the backup service for Azure AD B2C, go to AvePoint Online Services to configure a service app profile for that Microsoft 365 tenant. For detailed instructions on creating a service app profile, refer to .

   *Note: The user creating the service app profile and granting consent must be a member of your tenant's domain, instead of an external user.

2. After the service app is ready, go to the Backup page of Cloud Backup for IaaS + PaaS to configure the backup scope for Azure AD B2C. Note that if you have multiple tenants to protect, you must create a service app for each of them.

For details on configuring the backup scope, refer to Create a New Backup Scope for Azure AD B2C.

For details on the support list, refer to Azure AD B2C.
To use Azure AD B2C backup and restore services, create a service app to connect to your tenant and grant the requested permissions for this app.
*Note: The user creating the service app profile and granting consent must be a member of your tenant's domain, instead of an external user.
Follow the steps below to create the service app:

1. On the Management > App management page, click Create on the action bar.
2. In the Select services step, select Cloud Backup for IaaS + PaaS.
3. In the Choose setup method step, select Modern mode and click Next.
4. In the Consent to apps step, click Consent next to Cloud Backup for Azure AD B2C.
5. On the Microsoft 365 sign-in page, sign in with a Microsoft 365 Global Administrator account.
6. On the Permissions required page, review the permissions required and click Accept to continue. For the API permissions that this app requests, refer to Default Permissions Granted to the Service App.

The app profile you created will be displayed on the App management page, and the Cloud Backup for Azure AD B2C app will be added to your Microsoft Entra admin center > Enterprise applications.
If you want to protect Azure AD B2C data, you can choose to create a Cloud Backup for Azure AD B2C service app profile or create a custom Azure app profile with delegated permissions on the AvePoint Online Services > Management > App management page.

| API | Permissions | Type | Why You Need It | Permission Category | Alternative Permission (Backup Only) |
|---|---|---|---|---|---|
| Microsoft Graph | AppRoleAssignment.ReadWrite.All (Manage app permission grants and app role assignments) | Application | Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, without a signed-in user. | Azure AD B2C > backup and restore user > app role assignment | Directory.Read.All |
| Microsoft Graph | Application.ReadWrite.All (Read and write all applications) | Application | Allows the app to create, read, update and delete applications and service principals without a signed-in user. Does not allow management of consent grants. | Azure AD B2C > backup and restore app registration | Application.Read.All |
| Microsoft Graph | AuditLog.Read.All (Read all audit log data) | Application | Allows the app to read and query your audit log activities, without a signed-in user. | Azure AD B2C > backup and restore userflow and userattribute; Azure AD B2C > backup and restore identity provider; Azure AD B2C > backup and restore app registration | |
| Microsoft Graph | Directory.Read.All (Read directory data) | Application | Allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user. | Azure AD B2C > create plan; Azure AD B2C > backup and restore userflow and userattribute; Azure AD B2C > backup and restore identity provider; Azure AD B2C > backup and restore app registration | |
| Microsoft Graph | GroupMember.ReadWrite.All (Read and write all group memberships) | Application | Allows the app to list groups, read basic properties, and read and update the membership of the groups this app has access to, without a signed-in user. Group properties and owners cannot be updated and groups cannot be deleted. | Azure AD B2C > backup and restore user > member of group | User.Read.All |
| Microsoft Graph | IdentityProvider.ReadWrite.All (Read and write identity providers) | Application | Allows the app to read and write your organization's identity (authentication) providers' properties without a signed-in user. | Azure AD B2C > backup and restore identity provider | IdentityProvider.Read.All |
| Microsoft Graph | IdentityUserFlow.ReadWrite.All (Read and write all identity user flows) | Application | Allows the app to read or write your organization's user flows, without a signed-in user. | Azure AD B2C > backup and restore userflow and userattribute | IdentityUserFlow.Read.All |
| Microsoft Graph | RoleManagement.ReadWrite.Directory (Read and write all directory RBAC settings) | Application | Allows the app to read and manage the role-based access control (RBAC) settings for your company's directory, without a signed-in user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships. | Azure AD B2C > backup and restore user > unified role assignment | RoleManagement.Read.Directory |
| Microsoft Graph | UserAuthenticationMethod.ReadWrite.All (Read and write all users' authentication methods) | Application | Allows the application to read and write authentication methods of all users in your organization, without a signed-in user. Authentication methods include things like a user's phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign in or otherwise use the authentication methods. | Azure AD B2C > backup and restore user > authentication user | User.Read.All |
| Microsoft Graph | User.EnableDisableAccount.All (Enable and disable user accounts) | Application | Allows the app to enable and disable users' accounts, without a signed-in user. | Azure AD B2C > backup and restore user > accountEnabled | User.Read.All |
| Microsoft Graph | User.ManageIdentities.All (Manage all users' identities) | Application | Allows the app to read, update and delete identities that are associated with a user's account, without a signed-in user. This controls the identities users can sign in with. | Azure AD B2C > backup and restore user > identities | User.Read.All |
| Microsoft Graph | User.ReadWrite.All (Read and write all users' full profiles) | Application | Allows the app to read and update user profiles without a signed-in user. | Azure AD B2C > backup and restore user | User.Read.All |
| Microsoft Graph | User-Mail.ReadWrite.All (Read and write all secondary mail addresses for users) | Application | Allows the app to read and write secondary mail addresses for all users, without a signed-in user. | Azure AD B2C > backup and restore user > otherMails | User.Read.All |
| Microsoft Graph | User-Phone.ReadWrite.All (Read and write all user mobile phone and business phones) | Application | Allows the app to read and write the mobile phone and business phones for all users, without a signed-in user. | Azure AD B2C > backup and restore user > businessPhones/mobilePhone | User.Read.All |
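Once consent has been granted (the final step of creating the service app above), the enterprise application's app role assignments are what actually limit the backup service's reach into the tenant. The following added example, which is not AvePoint's code, turns the table above into a least-privilege check: it resolves the `appRoleId` values that Microsoft Graph returns from `GET /servicePrincipals/{id}/appRoleAssignments` against the Microsoft Graph service principal's `appRoles` list (this is how a real audit maps GUIDs to permission names), then reports which permissions are missing, which write permissions a backup-only profile does not need, and which granted permissions the table never mentions. Every GUID and JSON body in the block is constructed sample data; the permission names and backup-only alternatives are transcribed from the table.

```python
"""Least-privilege audit for the Cloud Backup for Azure AD B2C service app.

Added example, not AvePoint's code. It resolves the appRoleAssignments that
Microsoft Graph returns for a consented service principal
(GET /servicePrincipals/{id}/appRoleAssignments) against the Microsoft Graph
service principal's own appRoles list, then compares the result with the
permission table. All GUIDs and JSON in this file are constructed sample data.
"""
import json

# Required application permission -> backup-only alternative (None = none listed),
# transcribed from the permission table.
REQUIRED = {
    "AppRoleAssignment.ReadWrite.All": "Directory.Read.All",
    "Application.ReadWrite.All": "Application.Read.All",
    "AuditLog.Read.All": None,
    "Directory.Read.All": None,
    "GroupMember.ReadWrite.All": "User.Read.All",
    "IdentityProvider.ReadWrite.All": "IdentityProvider.Read.All",
    "IdentityUserFlow.ReadWrite.All": "IdentityUserFlow.Read.All",
    "RoleManagement.ReadWrite.Directory": "RoleManagement.Read.Directory",
    "UserAuthenticationMethod.ReadWrite.All": "User.Read.All",
    "User.EnableDisableAccount.All": "User.Read.All",
    "User.ManageIdentities.All": "User.Read.All",
    "User.ReadWrite.All": "User.Read.All",
    "User-Mail.ReadWrite.All": "User.Read.All",
    "User-Phone.ReadWrite.All": "User.Read.All",
}


def expected_permissions(backup_only: bool) -> set:
    """Permissions the table calls for: the full set, or each backup-only alternative."""
    if not backup_only:
        return set(REQUIRED)
    return {alt or perm for perm, alt in REQUIRED.items()}


def resolve_granted(assignments: list, graph_app_roles: list) -> set:
    """Translate appRoleId GUIDs into permission names such as 'User.Read.All'."""
    names_by_id = {role["id"]: role["value"] for role in graph_app_roles}
    granted = set()
    for assignment in assignments:
        name = names_by_id.get(assignment["appRoleId"])
        if name is None:
            # An id the resource's appRoles list does not define: refuse to guess.
            raise ValueError(f"unknown appRoleId {assignment['appRoleId']}")
        granted.add(name)
    return granted


def audit(granted: set, backup_only: bool) -> dict:
    """Report what the profile lacks and what it holds beyond the table."""
    alternatives = {alt for alt in REQUIRED.values() if alt}
    missing = expected_permissions(backup_only) - granted
    # Write permissions that the table's alternative column replaces for backup-only use.
    excess_write = {p for p in granted if backup_only and REQUIRED.get(p)}
    # Anything the table never mentions in either mode deserves a second look.
    unlisted = granted - set(REQUIRED) - alternatives
    return {"missing": sorted(missing),
            "excess_write": sorted(excess_write),
            "unlisted": sorted(unlisted)}


def audit_graph_response(response_json: str, graph_app_roles: list,
                         backup_only: bool) -> dict:
    """Run the audit directly on the JSON body Graph returns."""
    assignments = json.loads(response_json)["value"]
    return audit(resolve_granted(assignments, graph_app_roles), backup_only)


def _guid(n: int) -> str:
    # Constructed placeholder GUIDs; the real appRole ids are published by Microsoft.
    return f"00000000-0000-0000-0000-{n:012d}"


# Constructed subset of the Microsoft Graph service principal's appRoles.
SAMPLE_GRAPH_APP_ROLES = [
    {"id": _guid(i), "value": v} for i, v in enumerate([
        "Directory.Read.All", "Application.Read.All", "Application.ReadWrite.All",
        "AuditLog.Read.All", "User.Read.All", "User.ReadWrite.All",
        "IdentityProvider.Read.All", "IdentityUserFlow.Read.All",
        "RoleManagement.Read.Directory", "Mail.ReadWrite"], start=1)
]

# Constructed sample response for a profile meant to be backup-only: it holds one
# write permission the alternative column replaces, one permission the table never
# lists, and lacks two read alternatives.
SAMPLE_RESPONSE = json.dumps({"value": [
    {"appRoleId": _guid(i), "resourceDisplayName": "Microsoft Graph",
     "principalDisplayName": "Cloud Backup for Azure AD B2C"}
    for i in (1, 3, 4, 5, 7, 8, 10)
]})

if __name__ == "__main__":
    report = audit_graph_response(SAMPLE_RESPONSE, SAMPLE_GRAPH_APP_ROLES, backup_only=True)
    for key, names in report.items():
        print(f"{key}: {', '.join(names) or '(none)'}")
```

Against a real tenant you would fetch the Microsoft Graph service principal's `appRoles` and the backup app's `appRoleAssignments` with any Graph client and feed the two lists to `audit_graph_response`; anything in `unlisted` or `excess_write` is a grant the table does not justify and is worth removing in the Entra admin center before the profile goes into use.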