Application Permissions Required for Backup
| API Type | Permission Name | Usage | Required |
|---|---|---|---|
| Microsoft Graph (Application) | Directory.Read.All | Allows the app to read directory data, including users and groups. | Yes |
| Microsoft Graph (Application) | Files.Read.All | Allows the app to read all files in all site collections. | Yes |
| Microsoft Graph (Application) | Policy.Read.All | Allows the app to read organizational policy configurations. | Yes |
| Microsoft Graph (Application) | Reports.Read.All | Allows the app to read Microsoft 365 service usage reports. | Yes |
| Microsoft Graph (Application) | Sites.FullControl.All* | Allows the app to have full control of all SharePoint site collections. | Yes* |
| Microsoft Graph (Application) | User.Read.All | Allows the app to read user profile information. | Yes |
*Condition: Sites.FullControl.All is required to protect files that have DLP policies enabled.

Application Permissions Required for Backup and Restore
| API Type | Permission Name | Usage | Required |
|---|---|---|---|
| Microsoft Graph (Application) | Application.ReadWrite.OwnedBy* | Allows the app to create and rotate its own application secrets. | No* |
| Microsoft Graph (Application) | Directory.Read.All | Allows the app to read directory data, including users and groups. | Yes |
| Microsoft Graph (Application) | Files.ReadWrite.All | Allows the app to read, create, update, and delete files in all site collections. | Yes |
| Microsoft Graph (Application) | Policy.Read.All | Allows the app to read organizational policy configurations. | Yes |
| SharePoint Online (Application) | Sites.FullControl.All | Allows the app to have full control of all SharePoint site collections. | Yes |
| Microsoft Graph (Application) | User.Read.All | Allows the app to read user profile information. | Yes |
*Condition: Application.ReadWrite.OwnedBy is required only if automatic secret (key) rotation is enabled, and to generate the Azure certificate.