Default Permissions Granted to the Service App
As of the December 2023 release, you can choose to use a custom Azure app with specific permissions for only the data that you want to protect.
All the API permissions required for the Microsoft Entra ID and Admin Portal Settings services are listed in the tables below, and they are automatically added to the service app after consent. For a custom app, you can choose to add only the permissions that correspond to the specific data types you want to protect, or to add their alternative permissions (where available) for backup-only purposes*.
If you want to protect Microsoft Entra ID or the Admin Portal Settings, you can choose to create a Cloud Backup for Azure service app profile or create a custom Azure app profile with delegated permissions through AvePoint Online Services > Management > App management page. Note that if you do not use the Microsoft Entra ID backup service to protect the BitLocker recovery keys for the devices, you can choose to create any type of custom Azure app.
The following API permissions are automatically added to the service app with consent from your Global administrator account. You can also choose the specific permissions to grant your custom Azure app, according to the services or data types that you want to protect and to whether the app is used for backup only or for backup and restore.
If you remove the Global administrator role for the user after consenting, to ensure the protection of BitLocker keys, the consent user must be in one of the following roles: Cloud device administrator, Helpdesk administrator, Intune service administrator, Security administrator, Security reader, or Global reader. Otherwise, the user must be the registered owner of the device that the BitLocker recovery key was originally backed up from.
| Permission | Type | Why You Need It | Permission Category | Alternative Permission for Backup Only |
|---|---|---|---|---|
| AdministrativeUnit.ReadWrite.All (Read and write administrative units.) | Application | Allows the app to create, read, update, and delete administrative units and manage administrative unit membership on behalf of the signed-in user. | Microsoft Entra ID > backup and restore of Administrative Units. | AdministrativeUnit.Read.All (Read all administrative units.) |
| Application.ReadWrite.All (Read and write all apps.) | Application | Allows the app to create, read, update and delete applications and service principals on behalf of the signed-in user. | Microsoft Entra ID > backup and restore of applications. | Application.Read.All (Read all applications) |
| AppRoleAssignment.ReadWrite.All (Manage app permission grants and app role assignments.) | Application | Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, on behalf of the signed-in user. | Microsoft Entra ID > backup and restore of application role assignment. | |
| AuditLog.Read.All (Read all audit log data.) | Application | Allows the app to read and query your audit log activities, without a signed-in user. | Microsoft Entra ID > backup of the Audit Logs and Sign-in Logs. | |
| BitlockerKey.Read.All (Read all BitLocker keys) | Application | Allows an app to read BitLocker keys for all devices, without a signed-in user. Allows read of the recovery key. | Microsoft Entra ID > backup of Device BitLocker keys. | |
| BitlockerKey.Read.All (Read all BitLocker keys) | Delegated | Allows an app to read BitLocker keys for all devices, without a signed-in user. Allows read of the recovery key. | Microsoft Entra ID > backup of Device BitLocker keys. | |
| DeviceManagementApps.Read.All (Read Microsoft Intune apps.) | Application | Allows the app to read the properties, group assignments, and status of apps, app configurations, and app protection policies managed by Microsoft Intune. | Admin Portal Settings > backup of the app configuration policies in Microsoft Intune. | |
| DeviceManagementApps.ReadWrite.All (Read and write Microsoft Intune apps.) | Application | Allows the app to read and write the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune, without a signed-in user. | Admin Portal Settings > restore of the supported Intune settings, such as apps properties, app configurations, and app protection policies. | |
| *DeviceManagementApps.ReadWrite.All (Read and write Microsoft Intune apps.) | Delegated | Allows the app to read and write the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune, without a signed-in user. | Admin Portal Settings > restore of the supported Intune settings, such as apps properties, app configurations, and app protection policies. | DeviceManagementApps.Read.All |
| DeviceManagementConfiguration.Read.All (Read Microsoft Intune device configuration and policies.) | Application | Allows the app to read properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups. | Admin Portal Settings > backup of device policies in Microsoft Intune. | |
| DeviceManagementConfiguration.ReadWrite.All (Read and write all Microsoft Intune device configuration and policies.) | Application | Allows the app to read and write properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups, without a signed-in user. | Admin Portal Settings > restore of device policies in Microsoft Intune | |
| DeviceManagementRBAC.Read.All (Read Microsoft Intune RBAC settings) | Application | Allows the app to read the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings, without a signed-in user. | Admin Portal Settings > backup of the supported Intune settings, such as policy properties. | |
| DeviceManagementScripts.ReadWrite.All (Read and write Microsoft Intune Scripts) | Application | Allows the app to read and write Microsoft Intune device compliance scripts, device management scripts, device shell scripts, device custom attribute shell scripts and device health scripts, without a signed-in user. | Admin Portal Settings > backup and restore of Intune Devices Scripts settings. | DeviceManagementScripts.Read.All (Allows the app to read Microsoft Intune device compliance scripts, device management scripts, device shell scripts, device custom attribute shell scripts and device health scripts, without a signed-in user.) |
| Directory.ReadWrite.All (Read and write directory data.) | Application | Allows the app to read and write data in your organization's directory, such as users, and groups. It does not allow the app to delete users or groups, or reset user passwords. | Microsoft Entra ID > backup and restore of users and groups. | Directory.Read.All (Read directory data.) |
| Domain.Read.All (Read domains) | Application | Allows the app to read all domain properties without a signed-in user. | Microsoft Entra ID > restore users. | |
| Group.ReadWrite.All (Read and write all groups.) | Application | Allows the app to create groups and read all group properties and memberships on behalf of the signed-in user. Also allows the app to read and write calendars, conversations, files, and other group content for all groups the signed-in user can access. Additionally allows group owners to manage their groups and allows group members to update group content. | Microsoft Entra ID > backup and restore of groups. | Group.Read.All (Read all groups.) |
| Organization.Read.All (Read organization information) | Application | Retrieves all the organizational brandings. | Admin Portal Settings > backup of Company Branding Settings. | |
| Policy.Read.All (Read your organization's policies) | Application | Allows the app to read all your organization's policies without a signed in user. | Microsoft Entra ID > restore users to another tenant. Admin Portal Settings > backup of Conditional Access and Named Locations. | |
| Policy.ReadWrite.ApplicationConfiguration (Read and write your organization’s application configuration policies.) | Application | Allows the app to read and write your organization’s application configuration policies on behalf of the signed-in user. | Microsoft Entra ID > backup and restore for the SSO configurations of Enterprise applications. | |
| Policy.ReadWrite.AuthenticationMethod (Read and write all authentication method policies) | Application | Retrieves all the authentication method policies and configurations. | Admin Portal Settings > backup of Authentication Methods. | |
| Policy.ReadWrite.Authorization (Read and write your organization’s authorization policy.) | Application | Allows the app to update the group general settings to enable or disable the capability for users to create security groups. | Admin Portal Settings > backup and restore of the group general settings. | |
| Policy.ReadWrite.ConditionalAccess (Read and write your organization's conditional access policies.) | Application | Allows the app to read and write your organization's conditional access policies, without a signed-in user. | Admin Portal Settings > backup and restore of the conditional access. | Policy.Read.ConditionalAccess (Read your organization's conditional access policies) |
| RoleManagement.ReadWrite.Directory (Read and write all directory RBAC settings.) | Application | Allows the app to read and manage the role-based access control (RBAC) settings for your company's directory, on behalf of the signed-in user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships. | Microsoft Entra ID > backup and restore of roles and administrators. | |
| User.Read (Sign in and read user profile.) | Delegated | Allows users to sign into AvePoint Online Services with Microsoft 365 accounts. | Sign into AvePoint Online Services with Microsoft 365 accounts. | |
| User.ReadWrite.All (Read and write all users’ full profiles.) | Application | Allows the app to read and write the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user. Also allows the app to create and delete users as well as reset user passwords on behalf of the signed-in user. | Microsoft Entra ID > backup and restore of users. | User.Read.All (Read all users' full profiles) |
| UserAuthenticationMethod.ReadWrite.All (Read and write all users' authentication methods) | Application | Allows the application to read and write authentication methods of all users in your organization without a signed-in user. Authentication methods include information like a user’s phone number and Authenticator app settings. This does not allow the app to see sensitive information, such as the password, or to sign in or use the authentication methods. | Microsoft Entra ID > backup and restore of User Authentication Methods. | UserAuthenticationMethod.Read.All (Read all users’ authentication methods.) |
| Permission | Type | Why You Need It | Permission Category | Alternative Permission for Backup Only |
|---|---|---|---|---|
| Exchange.ManageAsApp (Manage Exchange as application) | Application | Allows the backup and restore of the distribution lists. | Microsoft Entra ID > backup and restore of distribution lists. Admin Portal Settings > backup and restore of Exchange and Defender settings. | |
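Because a custom app may be given the backup-only alternatives instead of the full read/write permissions, it is worth checking what the service principal has actually been granted in the tenant rather than relying on what was requested at consent time. The following PowerShell script is an added example and is not AvePoint's or Microsoft's code. It assumes the Microsoft Graph PowerShell SDK is installed, that the account running it can consent to the Application.Read.All delegated scope, and that the service app's display name is the value of $appDisplayName (a placeholder you must adjust). It lists the Microsoft Graph application permissions granted to that service principal and flags every write permission for which the tables above document a read-only alternative.

```powershell
# Added example (not part of the original page): audit the Microsoft Graph application
# permissions granted to the backup service principal and flag write permissions that
# have a documented backup-only (read-only) alternative.
# Assumption: Microsoft.Graph PowerShell SDK is installed.
Connect-MgGraph -Scopes "Application.Read.All"

# Assumption: display name of your service app or custom Azure app; change as needed.
$appDisplayName = "Cloud Backup for Azure"

# Write permissions and their backup-only alternatives, taken from the tables above.
$backupOnlyAlternatives = @{
  "AdministrativeUnit.ReadWrite.All"       = "AdministrativeUnit.Read.All"
  "Application.ReadWrite.All"              = "Application.Read.All"
  "DeviceManagementScripts.ReadWrite.All"  = "DeviceManagementScripts.Read.All"
  "Directory.ReadWrite.All"                = "Directory.Read.All"
  "Group.ReadWrite.All"                    = "Group.Read.All"
  "Policy.ReadWrite.ConditionalAccess"     = "Policy.Read.ConditionalAccess"
  "User.ReadWrite.All"                     = "User.Read.All"
  "UserAuthenticationMethod.ReadWrite.All" = "UserAuthenticationMethod.Read.All"
}

# The Microsoft Graph resource service principal (well-known appId) publishes every
# application permission as an app role; app role assignments reference them by GUID.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleById = @{}
foreach ($role in $graphSp.AppRoles) { $roleById[$role.Id] = $role.Value }

$sp = Get-MgServicePrincipal -Filter "displayName eq '$appDisplayName'"
if (-not $sp) { throw "Service principal '$appDisplayName' not found" }

# Only Graph assignments are resolved here. Exchange.ManageAsApp is granted on the
# Office 365 Exchange Online resource, and delegated permissions (User.Read, the
# delegated BitlockerKey.Read.All) are OAuth2 permission grants, so neither appears below.
$granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
  Where-Object { $_.ResourceId -eq $graphSp.Id } |
  ForEach-Object { $roleById[$_.AppRoleId] } |
  Sort-Object -Unique

foreach ($perm in $granted) {
  if ($backupOnlyAlternatives.ContainsKey($perm)) {
    Write-Output "$perm : write permission; for a backup-only app consider $($backupOnlyAlternatives[$perm])"
  } else {
    Write-Output "$perm : granted"
  }
}
```

Run the script from an account that can read application objects; it only reads the directory and changes nothing. A permission that is granted but absent from the tables above is a good candidate for review, since the documented set is what the service needs for the data types you have chosen to protect.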