Application Permissions for the Azure App for SharePoint Online

Application Permissions Required for Backup

| API Type | Permission Name | Usage | Required |
|---|---|---|---|
| Microsoft Graph (Application) | Application.Read.All | Allows the app to read application properties in the organization. | Yes |
| Microsoft Graph (Application) | Directory.Read.All | Allows the app to read directory data, including users and groups. | Yes |
| Microsoft Graph (Application) | Group.Read.All | Allows the app to read all group properties and memberships. | Yes |
| Microsoft Graph (Application) | Policy.Read.All | Allows the app to read organizational policy configurations. | Yes |
| Microsoft Graph (Application) | Reports.Read.All | Allows the app to read Microsoft 365 service usage reports. | Yes |
| Microsoft Graph (Application) | Sites.FullControl.All | Allows the app to have full control of all site collections. | Yes |
| SharePoint Online (Application) | Sites.FullControl.All | Allows the app to have full control of all SharePoint site collections for backup operations. | Yes |

Application Permissions Required for Backup and Restore

| API Type | Permission Name | Usage | Required |
|---|---|---|---|
| Microsoft Graph (Application) | Application.ReadWrite.OwnedBy* | Allows the app to create and rotate its own application secrets. | No* |
| Microsoft Graph (Application) | Directory.Read.All | Allows the app to read directory data, including users and groups. | Yes |
| Microsoft Graph (Application) | Group.ReadWrite.All | Allows the app to create, read, update, and delete Microsoft 365 Groups. | Yes |
| Microsoft Graph (Application) | Policy.Read.All | Allows the app to read organizational policy configurations. | Yes |
| Microsoft Graph (Application) | Reports.Read.All | Allows the app to read Microsoft 365 service usage reports. | No |
| Microsoft Graph (Application) | Sites.FullControl.All | Allows the app to have full control of all site collections. | Yes |
| SharePoint Online (Application) | Sites.FullControl.All | Allows the app to have full control of all SharePoint site collections for backup operations. | Yes |

*Condition:

Application.ReadWrite.OwnedBy is required only if automatic secret (key) rotation is enabled.
