    App Profile Authentication

    NOTE
    • AvePoint Online Services is transitioning from Exchange Web Services (EWS) to Microsoft Graph. As part of this change, administrators must re-authorize the AvePoint applications to grant new Microsoft Graph permissions, or add the following Microsoft Graph API application permissions to their custom Azure app:

      • MailboxItem.ImportExport.All
      • MailboxFolder.ReadWrite.All
      • MailboxItem.Read.All

      For the complete list of permissions required for a custom Azure app, see Required Permissions of Microsoft 365 App Profile.

    • The Teamwork.Migrate.All permission has been added to the AvePoint Cloud Backup for Microsoft 365 (All permissions) app. To use the Microsoft Import API to restore Standard Channels, navigate to AvePoint Online Services > App management to re-authorize the app first.

    • If you want to protect team sites and group sites with AvePoint Cloud Backup Express, you must first have a Cloud Backup Express service app with sufficient permissions, and then run the Auto Discovery scan job to register the apps to your AvePoint Online Services instance. You can re-authorize your existing Cloud Backup Express service app so that the permissions are consented. For the required permissions, refer to Required Permissions of AvePoint Cloud Backup Express App.

    App profile authentication (using Cloud Backup for Microsoft 365 service apps, default Microsoft 365 apps, or a custom Azure app) ensures that all Auto Discovery and Cloud Backup for Microsoft 365 jobs are tagged as the activities of that app. It also ensures that we do not need to store any service accounts or passwords; only the consent is recorded. The consent can be monitored in your Microsoft Entra ID and can be revoked at any time.
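
    One way to check the consent recorded in Microsoft Entra ID against the three Microsoft Graph application permissions listed in the note above. This is an added example, not AvePoint or Microsoft code; the JSON mirrors the shape of Microsoft Graph `servicePrincipals` responses, and every GUID and the function name `audit_app_roles` are constructed for illustration.

```python
# Added example: audit the Microsoft Graph application permissions granted to an app.
# All GUIDs below are constructed placeholders, not real Graph role ids.
REQUIRED = {
    "MailboxItem.ImportExport.All",
    "MailboxFolder.ReadWrite.All",
    "MailboxItem.Read.All",
}

# Constructed stand-in for GET /servicePrincipals/{graph-sp-id}?$select=id,appRoles
GRAPH_SP = {
    "id": "aaaaaaaa-0000-0000-0000-000000000000",
    "appRoles": [
        {"id": "11111111-0000-0000-0000-000000000001", "isEnabled": True,
         "value": "MailboxItem.ImportExport.All", "allowedMemberTypes": ["Application"]},
        {"id": "11111111-0000-0000-0000-000000000002", "isEnabled": True,
         "value": "MailboxFolder.ReadWrite.All", "allowedMemberTypes": ["Application"]},
        {"id": "11111111-0000-0000-0000-000000000003", "isEnabled": True,
         "value": "MailboxItem.Read.All", "allowedMemberTypes": ["Application"]},
    ],
}

# Constructed stand-in for GET /servicePrincipals/{app-sp-id}/appRoleAssignments
ASSIGNMENTS = [
    {"resourceId": GRAPH_SP["id"], "appRoleId": "11111111-0000-0000-0000-000000000002"},
    {"resourceId": GRAPH_SP["id"], "appRoleId": "11111111-0000-0000-0000-000000000003"},
    # Same role id, but granted on a different resource: must not count for Graph.
    {"resourceId": "bbbbbbbb-0000-0000-0000-000000000000",
     "appRoleId": "11111111-0000-0000-0000-000000000001"},
]


def audit_app_roles(resource_sp, assignments, required=REQUIRED):
    """Resolve appRoleId values to permission names and report what is missing."""
    names = {r["id"]: r["value"] for r in resource_sp["appRoles"]
             if r.get("isEnabled", True) and "Application" in r.get("allowedMemberTypes", [])}
    granted, unresolved = set(), []
    for a in assignments:
        if a["resourceId"] != resource_sp["id"]:
            continue  # consent on another API, not Microsoft Graph
        name = names.get(a["appRoleId"])
        if name:
            granted.add(name)
        else:
            unresolved.append(a["appRoleId"])  # role id the resource does not define
    return {"granted": sorted(granted),
            "missing": sorted(set(required) - granted),
            "unresolved": unresolved}


if __name__ == "__main__":
    print(audit_app_roles(GRAPH_SP, ASSIGNMENTS))
```

    A non-empty `missing` list means the app still needs re-authorization, or the permission must be added to the custom Azure app and admin consent granted.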

    You can consent to apps separately for the services you want to protect. If you do not have service apps, AvePoint Cloud Backup will use the default Microsoft 365 app or custom Azure app to scan or protect the data. To protect Exchange Online mailboxes and SharePoint Online site collections with AvePoint Cloud Backup Express, you must configure a Cloud Backup Express service app for Auto Discovery and data protection.

    • If you want to use Cloud Backup for SharePoint Online, OneDrive, Exchange Online, Public Folders, Microsoft 365 Groups, and Teams service in app context, you need a Cloud Backup for Microsoft 365 service app or Microsoft 365 app connected to your tenant. If you use the Teams Chat service, you need to configure a Cloud Backup for Microsoft 365 service app or a custom app for Teams Chat.

    • If you use the Viva Engage service, you need to configure the Microsoft 365 app (All permissions) or Cloud Backup for Microsoft 365 app (All permissions), and the Viva Engage app. Alternatively, you can have a custom Azure app with delegated permissions.

    • If you want to use Cloud Backup for Project Online, you can use an app profile to scan the Project Online site collections. In this way, the service account does not require the Site Collection Administrator role. However, the Project Online data cannot be protected in the app context (using app profile authentication). Therefore, a service account with enough permissions is still required for the backup and restore for Project Online. For the required permissions of a service account, refer to Service Account Authentication.

    • If you want to use Cloud Backup for Power BI, Power Automate, or Power Apps in app context, restore the Teams channel conversations as new posts to the channel, or restore Planner task comments, you must configure an app profile for the Microsoft Delegated app or a custom Azure app with delegated permissions. If you want to restore the Teams channel conversations as new posts, the authentication user must have the Teams license.

      For the permissions required by the Microsoft Delegated app, refer to Required Permissions of Microsoft Delegated App.

    NOTE

    If you are using a multi-geo tenant, ensure the app profile has the Exchange Administrator role. This role is required to restore the region information for Microsoft 365 Groups and Teams. Otherwise, your group or team backed up from a specific region will be restored to the default region. This known issue also exists in the service account authentication. For details on how to assign the role to an app, refer to How to Assign the Exchange Administrator Role to an App.

    To view the lists of data types that are supported or unsupported for each service type, refer to Appendices: Supported and Unsupported Data Types. For the permission requirements of an app profile for a specific service type, refer to the sections below.