Roles and Permissions: MSP Backup for M365
Roles and Permissions required for MSP Backup
MSP Backup requires specific user account roles when configuring an M365 Organization for Backup. A user account must be assigned the following roles:
- Global Administrator — required to perform several key tasks, including adding organizations that use modern app-only authentication, creating backup applications, registering a Microsoft Entra application, and creating a Microsoft Entra application.
- Exchange:
  - ApplicationImpersonation, and Global Administrator or Exchange Administrator — required to perform data restores for Microsoft Exchange.
- OneDrive:
  - Global Administrator or SharePoint Administrator — required to perform data restores for Microsoft SharePoint and Microsoft OneDrive for Business.
- Teams:
  - Global Administrator or Teams Administrator — required to perform data restores for Microsoft Teams.
- Public folders:
  - Owner — required to back up public folder mailboxes.
Notice:
- We only require the Global Administrator role to configure the Microsoft Entra Application with the proper permissions. Once the Application is created, you can remove the Global Administrator role.
- The Microsoft Entra Application will be named: ProbaxO365_AppOnly
Microsoft Entra applications created by MSP Backup require certain account permissions, which are granted automatically when you add organizations through our platform.
Required Permissions for Backup & Restore
| API | Permission Name | Type | Admin consent required | Exchange Online | SharePoint and OneDrive | Teams |
| --- | --- | --- | --- | --- | --- | --- |
| Microsoft Graph | Directory.Read.All | Delegated | Yes | ✔ | ✔ | ✔ |
| Directory.Read.All | Application | Yes | ✔ | ✔ | ✔ | |
| Directory.ReadWrite.All | Delegated | Yes | ✔ | |||
| Group.Read.All | Application | Yes | ✔ | ✔ | ✔ | |
| Group.ReadWrite.All | Delegated | Yes | ✔ | ✔ | ||
| Group.ReadWrite.All | Application | Yes | ✔ | ✔ | ||
| offline_access | Delegated | No | ✔ | ✔ | ✔ | |
| Sites.Read.All | Delegated | No | ✔ | ✔ | ||
| Sites.Read.All | Application | Yes | ✔ | ✔ | ||
| TeamSettings.ReadWrite.All | Application | Yes | ✔ |

| API | Permission Name | Type | Admin consent required | Exchange Online | SharePoint and OneDrive | Teams |
| --- | --- | --- | --- | --- | --- | --- |
| Office 365 Exchange Online | EWS.AccessAsUser.All | Delegated | No | ✔ | | |
| | Exchange.ManageAsApp | Application | Yes | ✔ | | |
| | full_access_as_app | Application | Yes | ✔ | | ✔ |

| API | Permission Name | Type | Admin consent required | Exchange Online | SharePoint and OneDrive | Teams |
| --- | --- | --- | --- | --- | --- | --- |
| SharePoint | AllSites.FullControl | Delegated | Yes | | ✔ | ✔ |
| | Sites.FullControl.All | Application | Yes | | ✔ | ✔ |
| | User.Read.All | Delegated | Yes | | ✔ | ✔ |
| | User.Read.All | Application | Yes | | ✔ | ✔ |
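
To check what has actually been granted to ProbaxO365_AppOnly against the tables above, the following added example (not part of MSP Backup or its documentation) flattens Graph-style grant objects and reports permissions outside the documented set. The sample ids and the simplified `appRoles` mapping are constructed, rows with a blank API cell are assumed to belong to the API named above them, and the API labels are the page's own and may differ from the display names shown in a tenant.

```python
# Added example: compare an Entra app's granted permissions with this page's tables.
# DOCUMENTED is copied from the page; rows with a blank API cell are assumed to
# continue the API named above them.
DOCUMENTED = {
    "Microsoft Graph": {
        "Delegated": {"Directory.Read.All", "Directory.ReadWrite.All",
                      "Group.ReadWrite.All", "offline_access", "Sites.Read.All"},
        "Application": {"Directory.Read.All", "Group.Read.All", "Group.ReadWrite.All",
                        "Sites.Read.All", "TeamSettings.ReadWrite.All"},
    },
    "Office 365 Exchange Online": {
        "Delegated": {"EWS.AccessAsUser.All"},
        "Application": {"Exchange.ManageAsApp", "full_access_as_app"},
    },
    "SharePoint": {
        "Delegated": {"AllSites.FullControl", "User.Read.All"},
        "Application": {"Sites.FullControl.All", "User.Read.All"},
    },
}

def granted(resources, delegated_grants, app_role_assignments):
    """Flatten Graph-style grant objects into (api, type, permission) tuples."""
    out = set()
    for g in delegated_grants:        # oauth2PermissionGrant: space-separated scopes
        api = resources[g["resourceId"]]["displayName"]
        out |= {(api, "Delegated", s) for s in g["scope"].split()}
    for a in app_role_assignments:    # appRoleAssignment: role id resolved via resource
        res = resources[a["resourceId"]]
        out.add((res["displayName"], "Application", res["appRoles"][a["appRoleId"]]))
    return out

def audit(grants):
    """Return (unexpected, missing) relative to the documented permission set."""
    expected = {(api, t, p) for api, types in DOCUMENTED.items()
                for t, perms in types.items() for p in perms}
    return sorted(grants - expected), sorted(expected - grants)

# Constructed sample data (ids are placeholders, not real Entra object ids).
RESOURCES = {"res-graph": {"displayName": "Microsoft Graph", "appRoles": {
    "role-1": "Directory.Read.All", "role-2": "Mail.ReadWrite"}}}
DELEGATED = [{"resourceId": "res-graph", "scope": "offline_access Sites.Read.All"}]
APP_ROLES = [{"resourceId": "res-graph", "appRoleId": "role-1"},
             {"resourceId": "res-graph", "appRoleId": "role-2"}]

if __name__ == "__main__":
    unexpected, missing = audit(granted(RESOURCES, DELEGATED, APP_ROLES))
    print("unexpected:", unexpected)
    print("missing count:", len(missing))
```

An unexpected entry is a grant the tables do not list and is worth reviewing; a missing entry may simply mean that workload is not protected in the organization.
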
To begin protecting a Microsoft 365 organization using MSP Backup, please follow our guide: How To: Deploy Microsoft 365 Protection