AvePoint Learn
Request article
Contact support
Request article
Contact support
English

    Home > Required Permissions > App Profile Authentication > Required Permissions of Microsoft 365 App Profile

    Export to PDF

    Required Permissions of Microsoft 365 App Profile

    Refer to the table below for the API permission requirement for the Microsoft 365 app. They are the API permissions that are automatically granted to the AvePoint Online Services Administration for Microsoft365 application added to your tenant by default app profile, and also the minimum API permissions that you must grant to the custom app for using Cloud Backup for Microsoft 365 services to protect different data types in your tenant.

    For a full list of permissions that are automatically granted to the default app, refer to the Microsoft 365 (All permissions) section in AvePoint Online Services User Guide. For the API permission requirement for the Cloud Backup Express service app, refer to Required Permissions of AvePoint Cloud Backup Express App.

    NOTE

    If you use AvePoint Cloud Backup to protect not only the Microsoft 365 Groups or Teams, you will notice that other than Teams Chat, the permissions required for Microsoft 365 Groups or Teams are sufficient to protect the SharePoint Online, OneDrive, Exchange Online, and Exchange Public Folder. Note that the Project Online service does not support app profile authentication.

    Service
    App Profile Type
    APIs
    Permission
    Why You Need
    SharePoint Online
    Cloud Backup for Microsoft 365 app (SharePoint permissions)
    SharePoint
    Application Permission:
    Sites.FullControl.All
    (Have full control of all site collections)
    Back up and restore site collections.
    Application Permission:
    TermStore.ReadWrite.All
    (Read and write managed metadata)
    Back up and restore Managed Metadata Service.
    Application Permission:
    User.ReadWrite.All
    (Read and write user profiles)
    Back up and restore Microsoft 365 user profiles related information in sites.
    OneDrive
    Cloud Backup for Microsoft 365 app (SharePoint permissions)
    Microsoft Graph
    Application Permission:
    Files.ReadWrite.All
    (Read and write files in all site collections)
    Back up and restore the OneDrive files.
    Application Permission:
    Sites.FullControl.All
    (Have full control of all site collections)
    Back up some files in specific conditions, such as DLP-sensitive files.
    Application Permission:
    Sites.Manage.All
    (Create, edit, and delete items and lists in all site collections)
    Back up and restore the lists in OneDrive, and it is required if the SharePoint list has content approval settings enabled.
    Application Permission:
    Sites.ReadWrite.All
    (Read and write items in all site collections)
    Back up and restore the OneDrive content.
    Application Permission:
    User.Read.All
    (Read all users’ full profiles)
    Retrieve the UPN for the authors or editors.
    SharePoint
    Application Permission:
    Sites.FullControl.All
    (Have full control of all site collections)
    Back up and restore the OneDrive sites.
    Exchange Online / Public Folder
    Cloud Backup for Microsoft 365 app (Exchange permissions)
    Exchange
    Application Permission:
    Exchange.ManageAsApp
    (Manage Exchange as Application)
    Scan in-place archived mailboxes.
    Application Permission:
    full_access_as_app
    (Use Exchange Web Services with full access to all mailboxes)
    Back up and restore mailboxes.
    Microsoft Graph
    Application Permission:
    User.Read.All
    (Read all users' full profiles)
    Verify impersonation accounts for Public Folders, and back up and restore mailboxes.
    Application Permission:
    MailboxItem.ImportExport.All
    (Allows the app to perform backup and restore for all mailbox items)
    Back up and restore mailbox items.
    Application Permission:
    MailboxFolder.ReadWrite.All
    (Read and write all the users' mailbox folders)
    Back up and restore mailbox folders.
    Application Permission:
    MailboxItem.Read.All
    (Read all the users' mailbox items)
    Retrieve mailbox items.
    Microsoft 365 Groups / Teams / Viva Engage
    Microsoft 365 app (All permissions) / Cloud Backup for Microsoft 365 app (All permissions)
    SharePoint
    Application Permission:
    Sites.FullControl.All
    (Have full control of all site collections)
    Back up and restore site collections.
    Application Permission:
    TermStore.ReadWrite.All
    (Read and write managed metadata)
    Back up and restore Managed Metadata Service.
    Application Permission:
    User.ReadWrite.All
    (Read and write user profiles)
    Back up and restore Microsoft 365 user profiles related information in sites.
    Exchange
    Application Permission:
    Exchange.ManageAsApp
    (Manage Exchange as Application)
    Scan in-place archived mailboxes.
    Application Permission:
    full_access_as_app
    (Use Exchange Web Services with full access to all mailboxes)
    Back up and restore mailboxes.
    Microsoft Graph
    Channel.Create
    (Create channels)
    Restore teams’ channels.
    ChannelMessage.Read.All
    (Read all channel messages)
    ChannelMember.ReadWrite.All
    (Add and remove members from all channels)
    Back up and restore the members and messages of the Team’s private channels.
    ChannelSettings.ReadWrite.All
    (Read and write the names, descriptions, and settings of all channels)
    Retrieve channel information.
    Directory.Read.All
    (Read directory data)
    Retrieve information for members of Groups / Teams and recycle bin groups.
    Files.Read.All
    (Read files in all site collections)
    Back up teams’ files.
    Group.ReadWrite.All
    (Read and write all groups)
    Scan Microsoft 365 Groups and back up / restore Groups & Teams data.
    Reports.Read.All
    (Read all usage reports)
    Retrieve data size for subscription reports.
    Sites.ReadWrite.All
    (Read and write items in all site collections [preview])
    Back up and restore Microsoft Teams and Microsoft 365 Groups team sites data.
    Tasks.ReadWrite.All
    (Read and write all users’ tasks and tasklists)
    Back up and restore Planner data.
    Team.Create
    (Create teams)
    Restore teams.
    TeamMember.ReadWrite.All
    (Add and remove members from all teams)
    Back up and restore teams’ members.
    TeamsAppInstallation.ReadWriteForTeam.All
    (Manage Teams apps for all teams)
    Back up and restore teams’ apps.
    TeamSettings.ReadWrite.All
    (Read and change all teams’ settings)
    Back up and restore teams’ settings.
    TeamsTab.ReadWrite.All
    (Read and write tabs in Microsoft Teams)
    Back up and restore teams’ tabs.
    Teamwork.Migrate.All
    (Create chat and channel messages with anyone's identity and with any timestamp)
    Restore channel conversation messages for Teams.
    Microsoft Teams Chat
    Cloud Backup for Microsoft 365 (All permissions) / Custom app
    Microsoft Graph
    Application Permission:
    Chat.Read.All
    (Read all chat messages)
    Back up the Teams chat messages.
    Application Permission:
    User.Read.All
    (Read all users' profiles)
    Retrieve the Microsoft 365 users’ profiles.