Default Permissions Granted to the Service App

If you want to protect Azure AD B2C data, you can either create a Cloud Backup for Azure AD B2C service app profile or create a custom Azure app profile with delegated permissions on the AvePoint Online Services > Management > App management page.
The following API permissions are added to the service app automatically once your Global administrator account grants consent. For a custom Azure app, you can instead grant only the permissions needed for the services or data types you want to protect, depending on your usage purpose (for example, backup only, as shown in the last column).
| API | Permissions | Type | Why You Need It | Permission Category | Alternative Permission (Backup Only) |
|---|---|---|---|---|---|
| Microsoft Graph | AppRoleAssignment.ReadWrite.All (Manage app permission grants and app role assignments) | Application | Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, without a signed-in user. | Azure AD B2C > backup and restore user > app role assignment | Directory.Read.All |
| Microsoft Graph | Application.ReadWrite.All (Read and write all applications) | Application | Allows the app to create, read, update and delete applications and service principals without a signed-in user. Does not allow management of consent grants. | Azure AD B2C > backup and restore app registration | Application.Read.All |
| Microsoft Graph | AuditLog.Read.All (Read all audit log data) | Application | Allows the app to read and query your audit log activities, without a signed-in user. | Azure AD B2C > backup and restore userflow and userattribute; Azure AD B2C > backup and restore identity provider; Azure AD B2C > backup and restore app registration | |
| Microsoft Graph | Directory.Read.All (Read directory data) | Application | Allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user. | Azure AD B2C > create plan; Azure AD B2C > backup and restore userflow and userattribute; Azure AD B2C > backup and restore identity provider; Azure AD B2C > backup and restore app registration | |
| Microsoft Graph | GroupMember.ReadWrite.All (Read and write all group memberships) | Application | Allows the app to list groups, read basic properties, read and update the membership of the groups this app has access to without a signed-in user. Group properties and owners cannot be updated and groups cannot be deleted. | Azure AD B2C > backup and restore user > member of group | User.Read.All |
| Microsoft Graph | IdentityProvider.ReadWrite.All (Read and write identity providers) | Application | Allows the app to read and write your organization's identity (authentication) providers' properties without a signed-in user. | Azure AD B2C > backup and restore identity provider | IdentityProvider.Read.All |
| Microsoft Graph | IdentityUserFlow.ReadWrite.All (Read and write all identity user flows) | Application | Allows the app to read or write your organization's user flows, without a signed-in user. | Azure AD B2C > backup and restore userflow and userattribute | IdentityUserFlow.Read.All |
| Microsoft Graph | RoleManagement.ReadWrite.Directory (Read and write all directory RBAC settings) | Application | Allows the app to read and manage the role-based access control (RBAC) settings for your company's directory, without a signed-in user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships. | Azure AD B2C > backup and restore user > unified role assignment | RoleManagement.Read.Directory |
| Microsoft Graph | UserAuthenticationMethod.ReadWrite.All (Read and write all users' authentication methods) | Application | Allows the application to read and write authentication methods of all users in your organization, without a signed-in user. Authentication methods include things like a user's phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign in or otherwise use the authentication methods. | Azure AD B2C > backup and restore user > authentication user | User.Read.All |
| Microsoft Graph | User.EnableDisableAccount.All (Enable and disable user accounts) | Application | Allows the app to enable and disable users' accounts, without a signed-in user. | Azure AD B2C > backup and restore user > accountEnabled | User.Read.All |
| Microsoft Graph | User.ManageIdentities.All (Manage all users' identities) | Application | Allows the app to read, update and delete identities that are associated with a user's account, without a signed-in user. This controls the identities users can sign in with. | Azure AD B2C > backup and restore user > identities | User.Read.All |
| Microsoft Graph | User.ReadWrite.All (Read and write all users' full profiles) | Application | Allows the app to read and update user profiles without a signed-in user. | Azure AD B2C > backup and restore user | User.Read.All |
| Microsoft Graph | User-Mail.ReadWrite.All (Read and write all secondary mail addresses for users) | Application | Allows the app to read and write secondary mail addresses for all users, without a signed-in user. | Azure AD B2C > backup and restore user > otherMails | User.Read.All |
| Microsoft Graph | User-Phone.ReadWrite.All (Read and write all user mobile phone and business phones) | Application | Allows the app to read and write the mobile phone and business phones for all users, without a signed-in user. | Azure AD B2C > backup and restore user > businessPhones/mobilePhone | User.Read.All |
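As an added example (not AvePoint's code), a Python least-privilege check driven by the table above: given the permission values granted to the service app, it reports which write permissions a backup-only deployment could swap for the alternative column, anything the chosen mode still needs but lacks, and anything granted that the table never calls for. It assumes the caller has already resolved Microsoft Graph appRoleId GUIDs to the permission value strings, and the sample grant is constructed.

```python
# Table rows from this page: full permission -> backup-only alternative
# (None means the permission is needed for both backup and restore).
PERMISSION_TABLE = {
    "AppRoleAssignment.ReadWrite.All": "Directory.Read.All",
    "Application.ReadWrite.All": "Application.Read.All",
    "AuditLog.Read.All": None,
    "Directory.Read.All": None,
    "GroupMember.ReadWrite.All": "User.Read.All",
    "IdentityProvider.ReadWrite.All": "IdentityProvider.Read.All",
    "IdentityUserFlow.ReadWrite.All": "IdentityUserFlow.Read.All",
    "RoleManagement.ReadWrite.Directory": "RoleManagement.Read.Directory",
    "UserAuthenticationMethod.ReadWrite.All": "User.Read.All",
    "User.EnableDisableAccount.All": "User.Read.All",
    "User.ManageIdentities.All": "User.Read.All",
    "User.ReadWrite.All": "User.Read.All",
    "User-Mail.ReadWrite.All": "User.Read.All",
    "User-Phone.ReadWrite.All": "User.Read.All",
}
KNOWN = set(PERMISSION_TABLE) | {a for a in PERMISSION_TABLE.values() if a}


def required_permissions(restore_needed: bool) -> set[str]:
    """Set the table implies: every row for backup+restore, the read-only
    alternative (or the row itself when it has none) for backup-only."""
    if restore_needed:
        return set(PERMISSION_TABLE)
    return {alt or perm for perm, alt in PERMISSION_TABLE.items()}


def review_grants(granted: list[str], restore_needed: bool) -> dict[str, list]:
    """granted: permission values as listed on the app's API permissions blade
    (assumption: the caller has resolved appRoleId GUIDs to these values)."""
    required = required_permissions(restore_needed)
    have = set(granted)
    # Write permissions a backup-only app can swap for the table's alternative.
    downgrade = sorted((p, PERMISSION_TABLE[p]) for p in have
                       if not restore_needed and PERMISSION_TABLE.get(p))
    effective = (have - {p for p, _ in downgrade}) | {a for _, a in downgrade}
    return {
        "downgrade": downgrade,                   # (granted, replacement)
        "missing": sorted(required - effective),  # needed for this mode, absent
        "unlisted": sorted(have - KNOWN),         # not on this page; review it
    }


# Constructed sample: a backup-only tenant that accepted the full default grant
# plus one permission the page never asks for.
SAMPLE_GRANT = list(PERMISSION_TABLE) + ["Mail.ReadWrite"]
```

Run `review_grants(SAMPLE_GRANT, restore_needed=False)` to see all twelve write permissions flagged for downgrade and `Mail.ReadWrite` flagged as unlisted.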