Application Permissions Required for Exchange Online Backup
| API Type | Permission Name | Usage | Required |
|---|---|---|---|
| Exchange Web Services (Application) | full_access_as_app | Allows the app to back up and restore mailboxes by using EWS. | Yes |
| Microsoft Graph (Application) | Directory.Read.All | Allows the app to read directory data, including users and groups. | Yes |
| Microsoft Graph (Application) | Group.Read.All | Allows the app to discover all groups. | Yes |
| Microsoft Graph (Application) | MailboxConfigItem.Read | Allows the app to read mailbox configuration settings. | Yes |
| Microsoft Graph (Application) | MailboxFolder.Read.All | Allows the app to read all mailbox folders in all user mailboxes. | Yes |
| Microsoft Graph (Application) | MailboxItem.Export.All | Allows the app to export mailbox items from all user mailboxes. | Yes |
| Microsoft Graph (Application) | MailboxItem.Read.All | Allows the app to read all mailbox items across all user mailboxes. | Yes |
| Microsoft Graph (Application) | MailboxSettings.Read | Allows the app to read mailbox settings for all users. | Yes |
| Microsoft Graph (Application) | Policy.Read.All | Allows the app to read organizational policy configurations. | Yes |
| Microsoft Graph (Application) | User.Read.All | Allows the app to discover full profiles of all users. | Yes |
Application Permissions Required for Exchange Online Backup and Restore
| API Type | Permission Name | Usage | Required |
|---|---|---|---|
| Exchange Web Services (Application) | full_access_as_app | Allows the app to back up and restore mailboxes by using EWS. | Yes |
| Microsoft Graph (Application) | Application.ReadWrite.OwnedBy* | Allows the app to create and rotate its own application secrets. | No*(1) |
| Microsoft Graph (Application) | Directory.Read.All | Allows the app to read directory data, including users and groups. | Yes |
| Microsoft Graph (Application) | Group.Read.All | Allows the app to discover all groups. | Yes |
| Microsoft Graph (Application) | MailboxConfigItem.ReadWrite | Allows the app to read and modify mailbox configuration settings. | Yes |
| Microsoft Graph (Application) | MailboxFolder.ReadWrite.All | Allows the app to read and write all mailbox folders in all user mailboxes. | Yes*(2) |
| Microsoft Graph (Application) | MailboxItem.ImportExport.All | Allows the app to back up and restore mailboxes. | Yes*(2) |
| Microsoft Graph (Application) | MailboxItem.Read.All | Allows the app to read all mailbox items across all user mailboxes. | No*(2) |
| Microsoft Graph (Application) | MailboxSettings.Read | Allows the app to read mailbox settings for all users. | Yes |
| Microsoft Graph (Application) | Policy.Read.All | Allows the app to read organizational policy configurations. | Yes |
| Microsoft Graph (Application) | User.Read.All | Allows the app to discover full profiles of all users. | Yes*(2) |
| Microsoft Graph (Delegated) | Directory.AccessAsUser.All* | Allows the app to access directory data as the signed-in user. | No*(3) |
*Conditions:

- (1) The Application.ReadWrite.OwnedBy permission is required for auto key rotation. If you want Metallic to auto rotate secret keys, then have this permission assigned. If you choose to assign this permission to your Azure app, you may need to run this PowerShell command to add the Azure app as owner of itself:

  `az ad app owner add --id <app-id> --owner-object-id <object-id>`

  Where:
  - `<app-id>`: The Application (client) ID of your Azure app (e.g., 062f19f5-9dbf-48fe-adf7-94539bd3fa8e)
  - `<object-id>`: The Object ID of your Azure app (e.g., 55f5965a-48bd-49ee-bcbd-21a55bd18af1)

- (2) These Microsoft Graph application permissions are required for EWS backup and restore operations.

- (3) The Directory.AccessAsUser.All permission is required only in delegated authentication scenarios (not required for app-only backup/restore setups).
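As an added example (not part of this documentation or of Metallic), a Python check that compares the application permissions actually granted to the Azure app against the two tables above, reporting missing required grants, grants beyond the tables that deserve a least-privilege review, and the optional grants with the condition that justifies them. The grant list it reads is constructed for the example; in practice it would come from the app's Permissions blade or its Graph appRoleAssignments.

```python
# Least-privilege check of an app registration's granted application permissions
# against the Exchange Online backup tables above. Input: (resource, permission)
# pairs as shown in the Entra Permissions blade or Graph appRoleAssignments.
EWS, GRAPH = "Exchange Web Services", "Microsoft Graph"

COMMON = {
    (EWS, "full_access_as_app"), (GRAPH, "Directory.Read.All"),
    (GRAPH, "Group.Read.All"), (GRAPH, "MailboxSettings.Read"),
    (GRAPH, "Policy.Read.All"), (GRAPH, "User.Read.All"),
}
REQUIRED = {
    "backup": COMMON | {
        (GRAPH, "MailboxConfigItem.Read"), (GRAPH, "MailboxFolder.Read.All"),
        (GRAPH, "MailboxItem.Export.All"), (GRAPH, "MailboxItem.Read.All"),
    },
    "backup_restore": COMMON | {
        (GRAPH, "MailboxConfigItem.ReadWrite"), (GRAPH, "MailboxFolder.ReadWrite.All"),
        (GRAPH, "MailboxItem.ImportExport.All"),
    },
}
# Marked "No" in the tables: acceptable only while the matching condition applies.
OPTIONAL = {
    (GRAPH, "Application.ReadWrite.OwnedBy"): "auto key rotation (condition 1)",
    (GRAPH, "MailboxItem.Read.All"): "condition 2",
    (GRAPH, "Directory.AccessAsUser.All"): "delegated scenarios only (condition 3)",
}

def audit_grants(granted, mode):
    """Return missing required grants, grants beyond the table (review for
    least privilege), and optional grants present with their stated reason."""
    required, granted = REQUIRED[mode], set(granted)
    optional = {g: OPTIONAL[g] for g in granted if g in OPTIONAL and g not in required}
    return {
        "missing": sorted(required - granted),
        "extra": sorted(granted - required - set(OPTIONAL)),
        "optional": optional,
    }

# Constructed sample (not from a real tenant): a restore-capable app missing one
# required grant and holding a broad mailbox write permission the tables never list.
SAMPLE_GRANTS = sorted(REQUIRED["backup_restore"] - {(GRAPH, "Policy.Read.All")}) + [
    (GRAPH, "Application.ReadWrite.OwnedBy"), (GRAPH, "Mail.ReadWrite"),
]

if __name__ == "__main__":
    for key, value in audit_grants(SAMPLE_GRANTS, "backup_restore").items():
        print(f"{key}: {value}")
```

Run it against the exported grant list of each backup app registration; anything under "extra" is a permission the backup tables do not call for and should be justified or removed.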