Required Permissions of Microsoft Delegated App
If you want to perform the following, you must configure a default Microsoft Delegated app or a custom Azure app with delegated permissions.
*Note: In this case, the authentication user of the delegated app must have the Teams license. Only the backup data generated in a new backup cycle after June 1, 2021, can be used to restore the conversations as posts.
- Protect Power BI workspaces.
- Protect Power Automate cloud flows.
- Protect Power Apps data (standard Canvas apps and component libraries).
- Restore Planner task comments.
Consent from a Microsoft 365 Global Administrator is required when creating a delegated app profile and must be retained. The consent user of the delegated app for Power Automate must also have the Environment Admin/System Administrator role. However, the consent can be revoked in the following cases:
- If you only use this delegated app to restore Teams channel conversations as posts or restore Planner task comments, the consent can be revoked, and the Global admin role can be removed.
- If you only use this delegated app to protect the Power BI content, the consent can be revoked, but the authentication user must have a Power BI Pro license or a Premium Per User (PPU) license, and have at least the Fabric Administrator role (the former Power BI admin role) for Auto Discovery scan and the backup.
- If you only use this delegated app to protect Power Automate, the consent can be revoked as well, but the authentication user must have at least the Environment Admin/System Administrator role and the Power Platform admin role for Auto Discovery scan and the backup.
- If you use this delegated app to protect the Power Apps data, the consent can be revoked, but the authentication user must have at least the Power Platform admin role and Environment Admin/System Administrator role for Auto Discovery scan and the backup, and the Power Apps for Microsoft 365 license to proceed.
Refer to the table below for the permissions granted to the Microsoft Delegated app.
| API | Permissions | Why we need it? | Feature Category |
|---|---|---|---|
| Microsoft Graph | offline_access (Maintain access to data you have given it access to) | Maintains access over an extended period without requiring the user to re-authorize frequently. | All |
| Microsoft Graph | openid (Sign users in) | Authenticates users by retrieving their consent. | All |
| Microsoft Graph | profile (View users’ basic profile) | Retrieves users’ profile information. | All |
| Microsoft Graph | ChannelMember.ReadWrite.All (Add and remove members from channels) | Adds members to channels in Microsoft Teams. | Restore channel conversations as posts |
| Microsoft Graph | ChannelMessage.Send (Send channel messages) | Sends messages to channels in Microsoft Teams. | Restore channel conversations as posts |
| Microsoft Graph | Directory.Read.All (Read directory data) | Retrieves all users’ full profiles and user domain information. | Power BI & Power Automate & Power Apps |
| Microsoft Graph | Group.ReadWrite.All (Read and write all groups) | Retrieves the conversation thread. | Restore Planner task comments |
| Microsoft Graph | TeamMember.ReadWrite.All (Add and remove members from teams) | Adds members to Microsoft Teams. | Restore channel conversations as posts |
| Commercial environment: Power BI Services; GCC or GCC High environment: Microsoft Power BI Government Community Cloud | Capacity.Read.All (View all capacities) | Retrieves capacities (including multi-geo). | Power BI |
| Commercial environment: Power BI Services; GCC or GCC High environment: Microsoft Power BI Government Community Cloud | Dataset.ReadWrite.All (Read and write all datasets) | Performs backup and restore for reports. | Power BI |
| Commercial environment: Power BI Services; GCC or GCC High environment: Microsoft Power BI Government Community Cloud | Report.ReadWrite.All (Read and write all reports) | Performs backup for reports. | Power BI |
| Commercial environment: Power BI Services; GCC or GCC High environment: Microsoft Power BI Government Community Cloud | Tenant.ReadWrite.All (Read and write all content in tenant) | Retrieves the workspaces and backs up, or adds users to the workspace. | Power BI |
| Commercial environment: Power BI Services; GCC or GCC High environment: Microsoft Power BI Government Community Cloud | Workspace.ReadWrite.All (Read and write all workspaces) | Gets and restores workspaces. | Power BI |
| Commercial environment: PowerApps Service; GCC environment: PowerApps Service – GCC; GCC High environment: PowerApps Service – GCC L4 | User (Access PowerApps Service API) | Retrieves Power Automate Cloud Flows for Auto Discovery scan and for Cloud Backup. | Power Automate |
| Commercial environment: PowerApps Service; GCC environment: PowerApps Service – GCC; GCC High environment: PowerApps Service – GCC L4 | User (Access PowerApps Service API) | Retrieves standard Canvas apps and component libraries in Power Apps for Auto Discovery scan and for Cloud Backup. | Power Apps |
| Commercial environment: Dynamics CRM; GCC or GCC High environment: Dataverse | User_impersonation (Access Common Data Service as organization users) | Retrieves Power Automate desktop flows and Business process flows for Auto Discovery scan. | Power Automate |
| Commercial environment: Dynamics CRM; GCC or GCC High environment: Dataverse | User_impersonation (Access Common Data Service as organization users) | Retrieves standard Canvas apps and component libraries in Power Apps for Auto Discovery scan. | Power Apps |
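
The table above maps each delegated scope to the feature that needs it, so it can be used as a least-privilege baseline for a custom app. The following is an added example, not part of the product or this documentation: it compares the scopes granted to an app with the scopes the table justifies for the features actually in use. The feature keys, the `audit` function and the sample grants are assumptions made for illustration; the grants are assumed to be already resolved from Microsoft Graph `oauth2PermissionGrant` objects to resource display names (commercial environment).

```python
# Added example: least-privilege check of granted delegated scopes against the table.
ALL = {"teams_posts", "planner", "power_bi", "power_automate", "power_apps"}
PLATFORM = {"power_bi", "power_automate", "power_apps"}
FLOWS_APPS = {"power_automate", "power_apps"}

# (resource, scope) -> features that need it; feature keys are this example's labels.
TABLE = {
    ("Microsoft Graph", "offline_access"): ALL,
    ("Microsoft Graph", "openid"): ALL,
    ("Microsoft Graph", "profile"): ALL,
    ("Microsoft Graph", "ChannelMember.ReadWrite.All"): {"teams_posts"},
    ("Microsoft Graph", "ChannelMessage.Send"): {"teams_posts"},
    ("Microsoft Graph", "TeamMember.ReadWrite.All"): {"teams_posts"},
    ("Microsoft Graph", "Directory.Read.All"): PLATFORM,
    ("Microsoft Graph", "Group.ReadWrite.All"): {"planner"},
    ("Power BI Services", "Capacity.Read.All"): {"power_bi"},
    ("Power BI Services", "Dataset.ReadWrite.All"): {"power_bi"},
    ("Power BI Services", "Report.ReadWrite.All"): {"power_bi"},
    ("Power BI Services", "Tenant.ReadWrite.All"): {"power_bi"},
    ("Power BI Services", "Workspace.ReadWrite.All"): {"power_bi"},
    ("PowerApps Service", "User"): FLOWS_APPS,
    ("Dynamics CRM", "User_impersonation"): FLOWS_APPS,
}

def audit(grants, features_in_use):
    """Return (unjustified, missing) sets of (resource, lowercased scope)."""
    granted = set()
    for g in grants:
        # A grant stores its delegated scopes as one space-separated string.
        granted |= {(g["resource"], s.lower()) for s in g["scope"].split()}
    # Lowercase both sides as a precaution against casing differences.
    needed = {(r, s.lower()) for (r, s), feats in TABLE.items()
              if feats & set(features_in_use)}
    return granted - needed, needed - granted

# Constructed sample grants for an app that is only used to protect Power BI.
SAMPLE_GRANTS = [
    {"resource": "Microsoft Graph",
     "scope": "offline_access openid profile Directory.Read.All "
              "Group.ReadWrite.All ChannelMessage.Send"},
    {"resource": "Power BI Services",
     "scope": "Capacity.Read.All Dataset.ReadWrite.All Report.ReadWrite.All "
              "Tenant.ReadWrite.All"},
]

if __name__ == "__main__":
    extra, missing = audit(SAMPLE_GRANTS, {"power_bi"})
    for tag, pairs in (("UNJUSTIFIED", extra), ("MISSING", missing)):
        for resource, scope in sorted(pairs):
            print(f"{tag:12} {resource}: {scope}")
```

Scopes reported as unjustified are candidates for removal from a custom app; scopes reported as missing would prevent the corresponding feature from working.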