Roles and Permissions: MSP Backup for M365
Roles and Permissions required for MSP Backup
MSP Backup requires specific User Account roles when configuring an M365 Organization for Backup. A user account must be assigned the following roles:
- Global Administrator — required to perform several key tasks, including adding organizations that use modern app-only authentication, creating backup applications, registering a Microsoft Entra application, and creating a Microsoft Entra application.
- Exchange:
  - ApplicationImpersonation, and Global Administrator or Exchange Administrator — required to perform data restores for Microsoft Exchange.
- OneDrive:
  - Global Administrator or SharePoint Administrator — required to perform data restores for Microsoft SharePoint and Microsoft OneDrive for Business.
- Teams:
  - Global Administrator or Teams Administrator — required to perform data restores for Microsoft Teams.
- Public folders:
  - Owner — required to back up public folder mailboxes.
Notice:
- We only require the Global Administrator role to configure the Microsoft Entra Application with the proper permissions. Once the Application is created, you can remove the Global Administrator role.
- The Microsoft Entra Application will be named: ProbaxO365_AppOnly
Microsoft Entra applications created by MSP Backup require certain permissions, which are granted automatically when organizations are added through our platform.
Required Permissions for Backup & Restore
API | Permission Name | Type | Admin consent required | Exchange Online | SharePoint and OneDrive | Teams |
Microsoft Graph | Directory.Read.All | Delegated | Yes | ✔ | ✔ | ✔ |
Directory.Read.All | Application | Yes | ✔ | ✔ | ✔ | |
Directory.ReadWrite.All | Delegated | Yes | ✔ | |||
Group.Read.All | Application | Yes | ✔ | ✔ | ✔ | |
Group.ReadWrite.All | Delegated | Yes | ✔ | ✔ | ||
Group.ReadWrite.All | Application | Yes | ✔ | ✔ | ||
offline_access | Delegated | No | ✔ | ✔ | ✔ | |
Sites.Read.All | Delegated | No | ✔ | ✔ | ||
Sites.Read.All | Application | Yes | ✔ | ✔ | ||
TeamSettings.ReadWrite.All | Application | Yes | ✔ |
API | Permission Name | Type | Admin consent required | Exchange Online | SharePoint and OneDrive | Teams |
Office 365 Exchange Online | EWS.AccessAsUser.All | Delegated | No | ✔ | | |
Office 365 Exchange Online | Exchange.ManageAsApp | Application | Yes | ✔ | | |
Office 365 Exchange Online | full_access_as_app | Application | Yes | ✔ | | ✔ |
API | Permission Name | Type | Admin consent required | Exchange Online | SharePoint and OneDrive | Teams |
SharePoint | AllSites.FullControl | Delegated | Yes | | ✔ | ✔ |
SharePoint | Sites.FullControl.All | Application | Yes | | ✔ | ✔ |
SharePoint | User.Read.All | Delegated | Yes | | ✔ | ✔ |
SharePoint | User.Read.All | Application | Yes | | ✔ | ✔ |
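The permissions listed above are broad (for example `full_access_as_app` and `Sites.FullControl.All`), so it is worth checking periodically that the ProbaxO365_AppOnly application holds the documented grants and nothing more. The following is an added example, not MSP Backup's own tooling: it normalizes application role assignments and delegated grants and compares them with the tables on this page. The export shape (`resources`, `appRoleAssignments`, `oauth2PermissionGrants`), the sample data with its placeholder ids and the extra `Mail.Send` grant, and the SharePoint display-name alias are assumptions.

```python
# Added example (not vendor code): diff exported grants against this page's tables.
DOCUMENTED = {  # (API, type) -> permission names, transcribed from the tables
    ("Microsoft Graph", "Delegated"): "Directory.Read.All Directory.ReadWrite.All "
        "Group.ReadWrite.All offline_access Sites.Read.All",
    ("Microsoft Graph", "Application"): "Directory.Read.All Group.Read.All "
        "Group.ReadWrite.All Sites.Read.All TeamSettings.ReadWrite.All",
    ("Office 365 Exchange Online", "Delegated"): "EWS.AccessAsUser.All",
    ("Office 365 Exchange Online", "Application"): "Exchange.ManageAsApp full_access_as_app",
    ("SharePoint", "Delegated"): "AllSites.FullControl User.Read.All",
    ("SharePoint", "Application"): "Sites.FullControl.All User.Read.All",
}
BASELINE = {(api, name, kind) for (api, kind), names in DOCUMENTED.items()
            for name in names.split()}
# Assumption: the tenant lists the SharePoint API under this display name.
ALIASES = {"Office 365 SharePoint Online": "SharePoint"}

def granted(export):
    """Normalize app-role assignments and delegated grants to (API, name, type)."""
    apis, roles = {}, {}
    for rid, res in export["resources"].items():
        apis[rid] = ALIASES.get(res["displayName"], res["displayName"])
        roles[rid] = {r["id"]: r["value"] for r in res["appRoles"]}
    out = set()
    for a in export["appRoleAssignments"]:  # application permissions, keyed by role id
        rid = a["resourceId"]
        out.add((apis[rid], roles[rid].get(a["appRoleId"], a["appRoleId"]), "Application"))
    for g in export["oauth2PermissionGrants"]:  # delegated: space-separated scopes
        out.update((apis[g["resourceId"]], s, "Delegated") for s in g["scope"].split())
    return out

def audit(export):
    """Return grants beyond the documented list, and documented ones not granted."""
    have = granted(export)
    return {"undocumented": sorted(have - BASELINE), "missing": sorted(BASELINE - have)}

SAMPLE = {  # constructed export; every id is a placeholder
    "resources": {
        "g": {"displayName": "Microsoft Graph", "appRoles": [
            {"id": "r1", "value": "Directory.Read.All"}, {"id": "r2", "value": "Mail.Send"}]},
        "s": {"displayName": "Office 365 SharePoint Online", "appRoles": [
            {"id": "r3", "value": "Sites.FullControl.All"}]}},
    "appRoleAssignments": [{"resourceId": "g", "appRoleId": "r1"},
                           {"resourceId": "g", "appRoleId": "r2"},
                           {"resourceId": "s", "appRoleId": "r3"}],
    "oauth2PermissionGrants": [{"resourceId": "g", "scope": "offline_access Sites.Read.All"}],
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An entry under `undocumented` is a grant the tables do not list and deserves review; an unresolved role id is reported as the raw id so it is never silently dropped.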
To begin protecting a Microsoft 365 organization using MSP Backup, please follow our guide: How To: Deploy Microsoft 365 Protection