Required API Permissions for Microsoft 365
Product version: 10.8
Last modified: 5 October 2022
Question
What API permissions must be provided to NAKIVO Backup & Replication to successfully back up and recover Exchange Online mailboxes, OneDrives, SharePoint Online sites, and Teams?
Answer
See below for a list of all permissions and the services that require them to be provided to NAKIVO Backup & Replication.
Microsoft Graph API
|
Permission |
Exchange Online | Group Mailbox | OneDrive for Business | SharePoint and Group SharePoint | Teams | Application or Delegated Permission? | Description |
|---|---|---|---|---|---|---|---|
| Calendars.Read |
Discovery Backup |
|
|
|
|
Application |
Read calendars in all mailboxes |
| Calendars.ReadWrite |
Recovery |
|
|
|
|
Application |
Read and write calendars in all mailboxes |
| Notes.Read.All |
Discovery Backup |
Discovery Backup |
|
|
|
Application |
Read all OneNote notebooks |
| Notes.ReadWrite.All |
Recovery |
Recovery |
|
|
|
Application |
Read and write all OneNote notebooks |
| Mail.Read |
Discovery Backup |
|
|
|
|
Application |
Read mail in all mailboxes |
| Mail.ReadWrite |
Recovery |
|
|
|
|
Application |
Read and write mail in all mailboxes |
| MailboxSettings.Read |
Discovery Backup Recovery |
|
|
|
|
Application |
Read all user mailbox settings |
| User.Read.All |
Discovery Backup Recovery |
Backup |
Discovery |
|
|
Application |
Read all users' full profiles |
| User.ReadWrite.All |
|
|
|
|
Backup |
|
Read and write all users' full profiles |
| Contacts.Read |
Discovery Backup |
|
|
|
|
Application |
Read contacts in all mailboxes |
| Contacts.ReadWrite |
Recovery |
|
|
|
|
Application |
Read and write contacts in all mailboxes |
| Files.Read.All |
|
Discovery Backup |
Discovery Backup |
|
Backup |
Application |
Read files in all site collections |
| Files.ReadWrite.All |
|
Recovery |
Recovery |
|
Recovery |
Application |
Read and write files in all site collections |
| Group.Read.All |
|
Discovery Backup |
|
|
Backup |
Application (group mailbox only) Delegated (group mailbox only) |
Read all groups |
| Group.ReadWrite.All |
|
Recovery |
|
|
Recovery |
Application Delegated (group mailbox only) |
Read and write all groups |
| GroupMember.Read.All |
|
Discovery Backup |
|
|
Backup |
Application |
Read all group memberships |
| Sites.Read.All |
|
|
|
Discovery Backup |
|
Application |
Read items in all site collections |
| Sites.ReadWrite.All |
|
|
|
Recovery |
|
Application |
Read and write items in all site collections |
| Sites.FullControl.All |
|
|
|
Recovery |
|
Application |
Have full control of all site collections |
| Sites.Manage.All |
|
|
|
Recovery |
|
Application |
Create, edit, and delete items and lists in all site collections |
| Team.ReadBasic.All |
|
|
|
|
Discovery Backup |
Application |
Get a list of all teams |
| TeamSettings.ReadWrite.All |
|
|
|
|
Recovery |
Application |
Read and change all teams' settings |
| TeamsAppInstallation.ReadWriteForTeam.All |
|
|
|
|
Recovery |
Application |
Manage Teams apps for all teams |
| TeamMember.Read.All |
|
|
|
|
Backup |
Application |
Read the members of all teams |
| TeamMember.ReadWrite.All |
|
|
|
|
Recovery |
Application |
Add and remove members from all teams |
| Channel.ReadBasic.All |
|
|
|
|
Backup |
Application |
Read the names and descriptions of all channels |
| Channel.Create |
|
|
|
|
Recovery |
Application |
Create channels |
| Channel.Delete.All |
|
|
|
|
Recovery |
Application |
Delete channels |
| ChannelSettings.Read.All |
|
|
|
|
Backup |
Application |
Read the names, descriptions, and settings of all channels |
| ChannelSettings.ReadWrite.All |
|
|
|
|
Recovery |
Application |
Read and write the names, descriptions, and settings of all channels |
| TeamworkTag.ReadWrite.All |
|
|
|
|
Backup Recovery |
Application |
Read and write tags in Microsoft Teams |
| TeamsTab.ReadWrite.All |
|
|
|
|
Backup Recovery |
Application |
Read and write tabs in Microsoft Teams |
| ChannelMessage.Read.All |
|
|
|
|
Backup |
Application Delegated |
Read all channel messages |
| ChannelMessage.Send |
|
|
|
|
Recovery |
Delegated |
Send channel messages |
Office 365 Exchange Online API
| Permission | Exchange Online | Group Mailbox | Application/Delegated Permission? | Description |
|---|---|---|---|---|
| full_access_as_app |
Recovery |
Backup Recovery |
Application |
Backup group posts, recover group posts, recover type of ItemAttachment for email messages, recover a contact with personalNote larger than 4MB, recover sticky notes, recover huge email message or calendar event content |
SharePoint API
The following API permission is only required if you are using certificate-based authentication with SharePoint Online:
| Permission | SharePoint and Group SharePoint | Application/Delegated Permission? | Description |
|---|---|---|---|
| Sites.FullControl.All |
Recovery |
Application |
Have full control of all site collections |
The API permissions can be changed via your Azure Active Directory. For details, refer to Obtaining Microsoft 365 credentials (items 1-11).