Default Permissions Granted to the Service App
If you want to protect Entra External ID data, you can either create a Cloud Backup for Entra External ID service app profile or create a custom Azure app profile with delegated permissions through the AvePoint Online Services > Management > App management page.
The following API permissions will be automatically added to the service app with consent from your Global administrator account. You can also choose the specific permissions to grant to your custom Azure app based on the services or data types you want to protect and your intended usage. Currently, the required permissions do not have alternative options.
| Permissions | Type | Why You Need It | Permission Category |
|---|---|---|---|
| AppRoleAssignment.ReadWrite.All (Manage app permission grants and app role assignments) | Application | Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, without a signed-in user. | Identifier |
| Application.ReadWrite.All (Read and write all applications) | Application | Allows the app to create, read, update and delete applications and service principals without a signed-in user. Does not allow management of consent grants. | Identifier |
| AuditLog.Read.All (Read all audit log data) | Application | Allows the app to read and query your audit log activities, without a signed-in user. | Identifier |
| CustomAuthenticationExtension.ReadWrite.All (Read and write all custom authentication extensions) | Application | Allows the app to read or write your organization's custom authentication extensions without a signed-in user. | Identifier |
| Directory.ReadWrite.All (Read and write directory data) | Application | Allows the app to read and write data in your organization's directory, such as users, and groups, without a signed-in user. Does not allow user or group deletion. | Identifier |
| Domain.ReadWrite.All (Read and write domains) | Application | Allows the app to read and write all domain properties without a signed-in user. Also allows the app to add, verify and remove domains. | Identifier |
| EventListener.ReadWrite.All (Read all authentication event listeners) | Application | Allows the app to read or write your organization's authentication event listeners without a signed-in user. | Identifier |
| Group.ReadWrite.All (Read and write all groups) | Application | Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write conversations. All of these operations can be performed by the app without a signed-in user. | Identifier |
| IdentityProvider.ReadWrite.All (Read and write identity providers) | Application | Allows the app to read and write your organization's identity (authentication) providers' properties without a signed-in user. | Identifier |
| IdentityUserFlow.ReadWrite.All (Read and write all identity user flows) | Application | Allows the app to read or write your organization's user flows, without a signed-in user. | Identifier |
| Organization.ReadWrite.All (Read and write organization information) | Application | Allows the app to read and write the organization and related resources, without a signed-in user. Related resources include things like subscribed skus and tenant branding information. | Identifier |
| OrganizationalBranding.ReadWrite.All (Read organizational branding information) | Application | Allows the app to read and write the organizational branding information, without a signed-in user. | Identifier |
| Policy.ReadWrite.ApplicationConfiguration (Read and write your organization's application configuration policies) | Application | Allows the app to read and write your organization's application configuration policies, without a signed-in user. This includes policies such as activityBasedTimeoutPolicy, claimsMappingPolicy, homeRealmDiscoveryPolicy, tokenIssuancePolicy and tokenLifetimePolicy. | Identifier |
| RoleEligibilitySchedule.ReadWrite.Directory (Read, update, and delete all eligible role assignments and schedules for your company's directory) | Application | Allows the app to read and manage the eligible role-based access control (RBAC) assignments and schedules for your company's directory, without a signed-in user. This includes managing eligible directory role membership, and reading directory role templates, directory roles and eligible memberships. | Identifier |
| RoleManagement.ReadWrite.Directory (Read and write all directory RBAC settings) | Application | Allows the app to read and manage the role-based access control (RBAC) settings for your company's directory, without a signed-in user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships. | Identifier |
| User.ReadWrite.All (Read and write all users' full profiles) | Application | Allows the app to read and update user profiles without a signed-in user. | Identifier |
| UserAuthenticationMethod.ReadWrite.All (Read and write all users' authentication methods) | Application | Allows the application to read and write authentication methods of all users in your organization, without a signed-in user. Authentication methods include things like a user's phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign-in or otherwise use the authentication methods. | Identifier |
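Because every permission in this table is an application permission that works without a signed-in user, it is worth periodically confirming that the service app holds exactly this set and nothing more. The following is an added example (not AvePoint's or Microsoft's code) that compares a service principal's app role assignments against the documented list; it assumes the two input shapes a practitioner would fetch from Microsoft Graph, and all GUIDs in it are constructed placeholders rather than real app-role IDs.

```python
"""Audit which application permissions a service principal actually holds
against the list documented above. Added example, not AvePoint's code.
Input shapes mirror Microsoft Graph: GET /servicePrincipals/{id}/appRoleAssignments
(one 'appRoleId' per grant) and the Graph service principal's 'appRoles'
(id -> 'value'). All GUIDs are constructed placeholders, not real role ids."""

REQUIRED = {
    "AppRoleAssignment.ReadWrite.All", "Application.ReadWrite.All",
    "AuditLog.Read.All", "CustomAuthenticationExtension.ReadWrite.All",
    "Directory.ReadWrite.All", "Domain.ReadWrite.All",
    "EventListener.ReadWrite.All", "Group.ReadWrite.All",
    "IdentityProvider.ReadWrite.All", "IdentityUserFlow.ReadWrite.All",
    "Organization.ReadWrite.All", "OrganizationalBranding.ReadWrite.All",
    "Policy.ReadWrite.ApplicationConfiguration",
    "RoleEligibilitySchedule.ReadWrite.Directory",
    "RoleManagement.ReadWrite.Directory", "User.ReadWrite.All",
    "UserAuthenticationMethod.ReadWrite.All",
}

# Constructed excerpt of the Graph service principal's appRoles catalogue.
GRAPH_APP_ROLES = [
    {"id": "10000000-0000-0000-0000-000000000001", "value": "Directory.ReadWrite.All"},
    {"id": "10000000-0000-0000-0000-000000000002", "value": "User.ReadWrite.All"},
    {"id": "10000000-0000-0000-0000-000000000003", "value": "Mail.ReadWrite"},
]

# Constructed grants on the backup app: two documented permissions, one not
# in the table, and one appRoleId the catalogue cannot resolve.
SAMPLE_ASSIGNMENTS = [
    {"appRoleId": "10000000-0000-0000-0000-000000000001"},
    {"appRoleId": "10000000-0000-0000-0000-000000000003"},
    {"appRoleId": "10000000-0000-0000-0000-000000000002"},
    {"appRoleId": "10000000-0000-0000-0000-00000000beef"},
]

def granted_values(assignments, app_roles):
    """Translate appRoleId grants into permission names; unknown ids are kept
    as 'unknown:<id>' so they are surfaced rather than silently dropped."""
    by_id = {r["id"]: r["value"] for r in app_roles}
    return {by_id.get(a["appRoleId"], "unknown:" + a["appRoleId"]) for a in assignments}

def audit(assignments, app_roles, required=REQUIRED):
    """Return (missing, extra): documented permissions not granted, and grants
    beyond the documented set, which are the ones to question under least privilege."""
    granted = granted_values(assignments, app_roles)
    return sorted(required - granted), sorted(granted - required)

if __name__ == "__main__":
    missing, extra = audit(SAMPLE_ASSIGNMENTS, GRAPH_APP_ROLES)
    print("missing:", missing)
    print("extra (review under least privilege):", extra)
```

Unresolved app role IDs are reported as extras on purpose: a grant that cannot be mapped to a known permission name deserves a look rather than being ignored.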