AvePoint Learn
Request article
Contact support
Request article
Contact support
English

    Home > Required Permissions > App Profile Authentication > Required Permissions of AvePoint Cloud Backup Express App

    Export to PDF

    Required Permissions of AvePoint Cloud Backup Express App

    To protect Exchange Online mailboxes, SharePoint Online site collections, OneDrive, Team sites and Group sites with AvePoint Cloud Backup Express, you must configure a Cloud Backup Express service app for the Auto discovery and data protection.

    When consenting to the Cloud Backup Express app profile, the authentication user must be a Microsoft 365 Global Administrator. To re-authorize the Cloud Backup Express app, the authentication user who provides consent to the app must have the Microsoft 365 Backup Administrator role.

    Refer to the table below for the API permission requirement for AvePoint Cloud Backup Express app.

    API
    Permission
    Type
    Why do we need it?
    Office 365 Exchange Online
    Exchange.ManageAsApp
    (Manage Exchange as Application)
    Application
    Scan mailboxes.
    Office 365 SharePoint Online
    Sites.FullControl.All
    (Have full control of all site collections)
    Application
    Scan SharePoint Online site collections.
    User.Read.All
    (Read all users' full profiles)
    Application
    Retrieve the Microsoft 365 users’ user profiles.
    Microsoft Graph
    BackupRestore-Configuration.ReadWrite.All
    (Read and edit all backup configuration policies)
    Application
    Update backup settings and trigger backup jobs in Microsoft 365.
    BackupRestore-Control.ReadWrite.All
    (Update or read the status of the Microsoft 365 backup service)
    Application
    Improve the tenant offboarding logic to handle cases where delegated tokens are unavailable.
    BackupRestore-Restore.ReadWrite.All
    (Read all restore sessions and start restore sessions from backups)
    Application
    Perform data recovery.
    BackupRestore-Search.Read.All
    (Search for metadata properties in all backup snapshots)
    Application
    Retrieve recovery points.
    Directory.Read.All
    (Read directory data)
    Application
    Retrieve users and Groups.
    Group.Read.All
    (Read all groups)
    Application
    Scan Microsoft 365 Groups and Teams.
    Reports.Read.All
    (Read all usage reports)
    Application
    Retrieve Microsoft 365 data size.
    Sites.Read.All
    (Read items in all site collections)
    Application
    Read and list sites for the sync of recovery points.
    User.Read.All
    (Read all users' full profiles)
    Application
    Read and list users for the sync of recovery points.
    BackupRestore-Configuration.ReadWrite.All
    Delegated
    Perform data deletion for Data Subject Access Requests.
    BackupRestore-Control.ReadWrite.All
    (Manage backup controller)
    Delegated
    Manage app for bill consuming and enable backup service.