Home > required-permissions > App Profile Authentication > Required Permissions of Microsoft 365 App Profile
Export to PDFRequired Permissions of Microsoft 365 App Profile
Refer to the table below for the API permission requirement for the Microsoft 365 app. They are the API permissions that are automatically granted to the AvePoint Online Services Administration for Microsoft365 application added to your tenant by default app profile, and also the minimum API permissions that you must grant to the custom app for using Cloud Backup for Microsoft 365 services to protect different data types in your tenant.
For a full list of permissions that are automatically granted to the default app, refer to the section in . For the API permission requirement for the Cloud Backup Express service app, refer to Required Permissions of AvePoint Cloud Backup Express App.
*Note: If you use AvePoint Cloud Backup to protect not only the Microsoft 365 Groups or Teams, you will notice that other than Teams Chat, the permissions required for Microsoft 365 Groups or Teams are sufficient to protect the SharePoint Online, OneDrive, Exchange Online, and Exchange Public Folder. Note that the Project Online service does not support app profile authentication.
| Service | App Profile Type | APIs | Permission | Why You Need |
|---|---|---|---|---|
| SharePoint Online | Cloud Backup for Microsoft 365 app (SharePoint permissions) | SharePoint | Application Permission:Sites.FullControl.All(Have full control of all site collections) | Back up and restore site collections. |
| SharePoint Online | Cloud Backup for Microsoft 365 app (SharePoint permissions) | SharePoint | Application Permission:TermStore.ReadWrite.All(Read and write managed metadata) | Back up and restore Managed Metadata Service. |
| SharePoint Online | Cloud Backup for Microsoft 365 app (SharePoint permissions) | SharePoint | Application Permission:User.ReadWrite.All(Read and write user profiles) | Back up and restore Microsoft 365 user profiles related information in sites. |
| OneDrive | Cloud Backup for Microsoft 365 app (SharePoint permissions) | Microsoft Graph | Application Permission:Files.ReadWrite.All(Read and write files in all site collections) | Back up and restore the OneDrive files. |
| OneDrive | Cloud Backup for Microsoft 365 app (SharePoint permissions) | Microsoft Graph | Application Permission:Sites.FullControl.All(Have full control of all site collections) | Back up some files in specific conditions, such as DLP-sensitive files. |
| OneDrive | Cloud Backup for Microsoft 365 app (SharePoint permissions) | Microsoft Graph | Application Permission:Sites.Manage.All(Create, edit, and delete items and lists in all site collections) | Back up and restore the lists in OneDrive, and it is required if the SharePoint list has content approval settings enabled. |
| OneDrive | Cloud Backup for Microsoft 365 app (SharePoint permissions) | Microsoft Graph | Application Permission:Sites.ReadWrite.All(Read and write items in all site collections) | Back up and restore the OneDrive content. |
| OneDrive | Cloud Backup for Microsoft 365 app (SharePoint permissions) | Microsoft Graph | Application Permission:User.Read.All(Read all users’ full profiles) | Retrieve the UPN for the authors or editors. |
| OneDrive | Cloud Backup for Microsoft 365 app (SharePoint permissions) | SharePoint | Application Permission:Sites.FullControl.All(Have full control of all site collections) | Back up and restore the OneDrive sites. |
| Exchange Online/Public Folder | Cloud Backup for Microsoft 365 app (Exchange permissions) | Exchange | Application Permission:Exchange.ManageAsApp (Manage Exchange as Application) | Scan in-place archived mailboxes. |
| Exchange Online/Public Folder | Cloud Backup for Microsoft 365 app (Exchange permissions) | Exchange | Application Permission:full_access_as_app(Use Exchange Web Services with full access to all mailboxes) | Back up and restore mailboxes. |
| Exchange Online/Public Folder | Cloud Backup for Microsoft 365 app (Exchange permissions) | Microsoft Graph | Application Permission:User.Read.All(Read all users' full profiles) | Verify the impersonation accounts for Public Folders. |
| Microsoft 365 Groups/Teams/Viva Engage*Note: If the Team/Group/Viva Engage domain is not the default domain, the app must have the Exchange Administrator role to update the domain during the restore job. For details, refer to How to Assign the Exchange Administrator Role to an App? | Microsoft 365 app (All permissions)/Cloud Backup for Microsoft 365 app (All permissions)*Note: If you use the Viva Engage service, you need to configure the Viva Engage app besides the Microsoft 365 app (All permissions) or Cloud Backup for Microsoft 365 app (All permissions). For the permissions required by the Viva Engage app, refer to Required Permissions of Viva Engage App. | SharePoint | Application Permission:Sites.FullControl.All(Have full control of all site collections) | Back up and restore site collections. |
| Microsoft 365 Groups/Teams/Viva Engage*Note: If the Team/Group/Viva Engage domain is not the default domain, the app must have the Exchange Administrator role to update the domain during the restore job. For details, refer to How to Assign the Exchange Administrator Role to an App? | Microsoft 365 app (All permissions)/Cloud Backup for Microsoft 365 app (All permissions)*Note: If you use the Viva Engage service, you need to configure the Viva Engage app besides the Microsoft 365 app (All permissions) or Cloud Backup for Microsoft 365 app (All permissions). For the permissions required by the Viva Engage app, refer to Required Permissions of Viva Engage App. | SharePoint | Application Permission:TermStore.ReadWrite.All(Read and write managed metadata) | Back up and restore Managed Metadata Service. |
| Microsoft 365 Groups/Teams/Viva Engage*Note: If the Team/Group/Viva Engage domain is not the default domain, the app must have the Exchange Administrator role to update the domain during the restore job. For details, refer to How to Assign the Exchange Administrator Role to an App? | Microsoft 365 app (All permissions)/Cloud Backup for Microsoft 365 app (All permissions)*Note: If you use the Viva Engage service, you need to configure the Viva Engage app besides the Microsoft 365 app (All permissions) or Cloud Backup for Microsoft 365 app (All permissions). For the permissions required by the Viva Engage app, refer to Required Permissions of Viva Engage App. | SharePoint | Application Permission:User.ReadWrite.All(Read and write user profiles) | Back up and restore Microsoft 365 user profiles related information in sites. |
| Microsoft 365 Groups/Teams/Viva Engage*Note: If the Team/Group/Viva Engage domain is not the default domain, the app must have the Exchange Administrator role to update the domain during the restore job. For details, refer to How to Assign the Exchange Administrator Role to an App? | Microsoft 365 app (All permissions)/Cloud Backup for Microsoft 365 app (All permissions)*Note: If you use the Viva Engage service, you need to configure the Viva Engage app besides the Microsoft 365 app (All permissions) or Cloud Backup for Microsoft 365 app (All permissions). For the permissions required by the Viva Engage app, refer to Required Permissions of Viva Engage App. | Exchange | Application Permission:Exchange.ManageAsApp (Manage Exchange as Application) | Scan in-place archived mailboxes. |
| Microsoft 365 Groups/Teams/Viva Engage*Note: If the Team/Group/Viva Engage domain is not the default domain, the app must have the Exchange Administrator role to update the domain during the restore job. For details, refer to How to Assign the Exchange Administrator Role to an App? | Microsoft 365 app (All permissions)/Cloud Backup for Microsoft 365 app (All permissions)*Note: If you use the Viva Engage service, you need to configure the Viva Engage app besides the Microsoft 365 app (All permissions) or Cloud Backup for Microsoft 365 app (All permissions). For the permissions required by the Viva Engage app, refer to Required Permissions of Viva Engage App. | Exchange | Application Permission:full_access_as_app(Use Exchange Web Services with full access to all mailboxes) | Back up and restore mailboxes. |
| Microsoft 365 Groups/Teams/Viva Engage*Note: If the Team/Group/Viva Engage domain is not the default domain, the app must have the Exchange Administrator role to update the domain during the restore job. For details, refer to How to Assign the Exchange Administrator Role to an App? | Microsoft 365 app (All permissions)/Cloud Backup for Microsoft 365 app (All permissions)*Note: If you use the Viva Engage service, you need to configure the Viva Engage app besides the Microsoft 365 app (All permissions) or Cloud Backup for Microsoft 365 app (All permissions). For the permissions required by the Viva Engage app, refer to Required Permissions of Viva Engage App. | Microsoft Graph | Application Permission:Channel.Create(Create channels) | Restore teams’ channels. |
| Microsoft 365 Groups/Teams/Viva Engage*Note: If the Team/Group/Viva Engage domain is not the default domain, the app must have the Exchange Administrator role to update the domain during the restore job. For details, refer to How to Assign the Exchange Administrator Role to an App? | Microsoft 365 app (All permissions)/Cloud Backup for Microsoft 365 app (All permissions)*Note: If you use the Viva Engage service, you need to configure the Viva Engage app besides the Microsoft 365 app (All permissions) or Cloud Backup for Microsoft 365 app (All permissions). For the permissions required by the Viva Engage app, refer to Required Permissions of Viva Engage App. | Microsoft Graph | Application Permission:ChannelMessage.Read.All(Read all channel messages)ChannelMember.ReadWrite.All(Add and remove members from all channels) | Back up and restore the members and messages of the Team’s private channels. |
| Microsoft 365 Groups/Teams/Viva Engage*Note: If the Team/Group/Viva Engage domain is not the default domain, the app must have the Exchange Administrator role to update the domain during the restore job. For details, refer to How to Assign the Exchange Administrator Role to an App? | Microsoft 365 app (All permissions)/Cloud Backup for Microsoft 365 app (All permissions)*Note: If you use the Viva Engage service, you need to configure the Viva Engage app besides the Microsoft 365 app (All permissions) or Cloud Backup for Microsoft 365 app (All permissions). For the permissions required by the Viva Engage app, refer to Required Permissions of Viva Engage App. | Microsoft Graph | Application Permission:ChannelSettings.ReadWrite.All(Read and write the names, descriptions, and settings of all channels) | Retrieve channel information for the data protection of Teams service. |
| Microsoft 365 Groups/Teams/Viva Engage*Note: If the Team/Group/Viva Engage domain is not the default domain, the app must have the Exchange Administrator role to update the domain during the restore job. For details, refer to How to Assign the Exchange Administrator Role to an App? | Microsoft 365 app (All permissions)/Cloud Backup for Microsoft 365 app (All permissions)*Note: If you use the Viva Engage service, you need to configure the Viva Engage app besides the Microsoft 365 app (All permissions) or Cloud Backup for Microsoft 365 app (All permissions). For the permissions required by the Viva Engage app, refer to Required Permissions of Viva Engage App. | Microsoft Graph | Application Permission:Directory.Read.All(Read directory data) | Retrieve information for the members of Groups/Teams.Retrieve the Groups from recycle bin. |
| Microsoft 365 Groups/Teams/Viva Engage*Note: If the Team/Group/Viva Engage domain is not the default domain, the app must have the Exchange Administrator role to update the domain during the restore job. For details, refer to How to Assign the Exchange Administrator Role to an App? | Microsoft 365 app (All permissions)/Cloud Backup for Microsoft 365 app (All permissions)*Note: If you use the Viva Engage service, you need to configure the Viva Engage app besides the Microsoft 365 app (All permissions) or Cloud Backup for Microsoft 365 app (All permissions). For the permissions required by the Viva Engage app, refer to Required Permissions of Viva Engage App. | Microsoft Graph | Application Permission:Files.Read.All(Read files in all site collections) | Back up teams’ files. |
| Microsoft 365 Groups/Teams/Viva Engage*Note: If the Team/Group/Viva Engage domain is not the default domain, the app must have the Exchange Administrator role to update the domain during the restore job. For details, refer to How to Assign the Exchange Administrator Role to an App? | Microsoft 365 app (All permissions)/Cloud Backup for Microsoft 365 app (All permissions)*Note: If you use the Viva Engage service, you need to configure the Viva Engage app besides the Microsoft 365 app (All permissions) or Cloud Backup for Microsoft 365 app (All permissions). For the permissions required by the Viva Engage app, refer to Required Permissions of Viva Engage App. | Microsoft Graph | Application Permission:Group.ReadWrite.All(Read and write all groups) | Scan Microsoft 365 Groups via Auto Discovery.Back up and restore Microsoft Teams and Microsoft 365 Groups data. |
| Microsoft 365 Groups/Teams/Viva Engage*Note: If the Team/Group/Viva Engage domain is not the default domain, the app must have the Exchange Administrator role to update the domain during the restore job. For details, refer to How to Assign the Exchange Administrator Role to an App? | Microsoft 365 app (All permissions)/Cloud Backup for Microsoft 365 app (All permissions)*Note: If you use the Viva Engage service, you need to configure the Viva Engage app besides the Microsoft 365 app (All permissions) or Cloud Backup for Microsoft 365 app (All permissions). For the permissions required by the Viva Engage app, refer to Required Permissions of Viva Engage App. | Microsoft Graph | Application Permission:Reports.Read.All(Read all usage reports) | Retrieve data size directly to improve the efficiency of subscription consumption report in Subscriptions. |
| Microsoft 365 Groups/Teams/Viva Engage*Note: If the Team/Group/Viva Engage domain is not the default domain, the app must have the Exchange Administrator role to update the domain during the restore job. For details, refer to How to Assign the Exchange Administrator Role to an App? | Microsoft 365 app (All permissions)/Cloud Backup for Microsoft 365 app (All permissions)*Note: If you use the Viva Engage service, you need to configure the Viva Engage app besides the Microsoft 365 app (All permissions) or Cloud Backup for Microsoft 365 app (All permissions). For the permissions required by the Viva Engage app, refer to Required Permissions of Viva Engage App. | Microsoft Graph | Application Permission:Sites.ReadWrite.All(Read and write items in all site collections [preview]) | Back up and restore Microsoft Teams and Microsoft 365 Groups team sites data. |
| Microsoft 365 Groups/Teams/Viva Engage*Note: If the Team/Group/Viva Engage domain is not the default domain, the app must have the Exchange Administrator role to update the domain during the restore job. For details, refer to How to Assign the Exchange Administrator Role to an App? | Microsoft 365 app (All permissions)/Cloud Backup for Microsoft 365 app (All permissions)*Note: If you use the Viva Engage service, you need to configure the Viva Engage app besides the Microsoft 365 app (All permissions) or Cloud Backup for Microsoft 365 app (All permissions). For the permissions required by the Viva Engage app, refer to Required Permissions of Viva Engage App. | Microsoft Graph | Application Permission:Tasks.ReadWrite.All(Read and write all users’ tasks and tasklists) | Back up and restore Planner data. |
| Microsoft 365 Groups/Teams/Viva Engage*Note: If the Team/Group/Viva Engage domain is not the default domain, the app must have the Exchange Administrator role to update the domain during the restore job. For details, refer to How to Assign the Exchange Administrator Role to an App? | Microsoft 365 app (All permissions)/Cloud Backup for Microsoft 365 app (All permissions)*Note: If you use the Viva Engage service, you need to configure the Viva Engage app besides the Microsoft 365 app (All permissions) or Cloud Backup for Microsoft 365 app (All permissions). For the permissions required by the Viva Engage app, refer to Required Permissions of Viva Engage App. | Microsoft Graph | Application Permission:TeamMember.ReadWrite.All(Add and remove members from all teams) | Back up and restore teams’ members. |
| Microsoft 365 Groups/Teams/Viva Engage*Note: If the Team/Group/Viva Engage domain is not the default domain, the app must have the Exchange Administrator role to update the domain during the restore job. For details, refer to How to Assign the Exchange Administrator Role to an App? | Microsoft 365 app (All permissions)/Cloud Backup for Microsoft 365 app (All permissions)*Note: If you use the Viva Engage service, you need to configure the Viva Engage app besides the Microsoft 365 app (All permissions) or Cloud Backup for Microsoft 365 app (All permissions). For the permissions required by the Viva Engage app, refer to Required Permissions of Viva Engage App. | Microsoft Graph | Application Permission:TeamsAppInstallation.ReadWriteForTeam.All(Manage Teams apps for all teams) | Back up and restore teams’ apps. |
| Microsoft 365 Groups/Teams/Viva Engage*Note: If the Team/Group/Viva Engage domain is not the default domain, the app must have the Exchange Administrator role to update the domain during the restore job. For details, refer to How to Assign the Exchange Administrator Role to an App? | Microsoft 365 app (All permissions)/Cloud Backup for Microsoft 365 app (All permissions)*Note: If you use the Viva Engage service, you need to configure the Viva Engage app besides the Microsoft 365 app (All permissions) or Cloud Backup for Microsoft 365 app (All permissions). For the permissions required by the Viva Engage app, refer to Required Permissions of Viva Engage App. | Microsoft Graph | Application Permission:TeamSettings.ReadWrite.All(Read and change all teams’ settings) | Back up and restore teams’ settings. |
| Microsoft 365 Groups/Teams/Viva Engage*Note: If the Team/Group/Viva Engage domain is not the default domain, the app must have the Exchange Administrator role to update the domain during the restore job. For details, refer to How to Assign the Exchange Administrator Role to an App? | Microsoft 365 app (All permissions)/Cloud Backup for Microsoft 365 app (All permissions)*Note: If you use the Viva Engage service, you need to configure the Viva Engage app besides the Microsoft 365 app (All permissions) or Cloud Backup for Microsoft 365 app (All permissions). For the permissions required by the Viva Engage app, refer to Required Permissions of Viva Engage App. | Microsoft Graph | Application Permission:TeamsTab.ReadWrite.All(Read and write tabs in Microsoft Teams) | Back up and restore teams’ tabs. |
| Microsoft 365 Groups/Teams/Viva Engage*Note: If the Team/Group/Viva Engage domain is not the default domain, the app must have the Exchange Administrator role to update the domain during the restore job. For details, refer to How to Assign the Exchange Administrator Role to an App? | Microsoft 365 app (All permissions)/Cloud Backup for Microsoft 365 app (All permissions)*Note: If you use the Viva Engage service, you need to configure the Viva Engage app besides the Microsoft 365 app (All permissions) or Cloud Backup for Microsoft 365 app (All permissions). For the permissions required by the Viva Engage app, refer to Required Permissions of Viva Engage App. | Microsoft Graph | Application Permission:Team.Create(Create teams) | Restore teams. |
| Microsoft Teams Chat*Note: Teams Chat service supports to use the default Microsoft Graph API or Microsoft Graph Teams Export API model B. | Only support custom app | Microsoft Graph | Application PermissionChat.Read.All(Read all chat messages) | Back up the Teams chat messages. |
| Microsoft Teams Chat*Note: Teams Chat service supports to use the default Microsoft Graph API or Microsoft Graph Teams Export API model B. | Only support custom app | Microsoft Graph | Application PermissionUser.Read.All(Read all users’ full profiles) | Retrieve the Microsoft 365 Users’ user profiles. |
On this page