Required API Permissions for Microsoft 365

Product version: 10.11.2

Last modified: 28 May 2024

Question

What API permissions must be provided to NAKIVO Backup & Replication to successfully back up and recover Exchange Online mailboxes, OneDrives, SharePoint Online sites, and Teams?

Answer

See below for a list of all permissions and the services that require them to be provided to NAKIVO Backup & Replication.

Microsoft Graph API

Permission

 Exchange Online Group Mailbox OneDrive for Business SharePoint and Group SharePoint Teams Application or Delegated Permission? Description
Calendars.Read

Discovery

Backup



Application

 Read calendars in all mailboxes
Calendars.ReadWrite

Recovery



Application

 Read and write calendars in all mailboxes
Notes.Read.All

Discovery

Backup

Discovery

Backup


Application

 Read all OneNote notebooks
Notes.ReadWrite.All

Recovery

Recovery


Application

 Read and write all OneNote notebooks
Mail.Read

Discovery

Backup



Application

 Read mail in all mailboxes
Mail.ReadWrite

Recovery



Application

 Read and write mail in all mailboxes
MailboxSettings.Read

Discovery

Backup

Recovery



Application

 Read all user mailbox settings
User.Read.All

Discovery

Backup

Recovery

Backup

Discovery

Application

 Read all users' full profiles
User.ReadWrite.All



Backup

Application

 Read and write all users' full profiles
Contacts.Read

Discovery

Backup



Application

 Read contacts in all mailboxes
Contacts.ReadWrite

Recovery



Application

 Read and write contacts in all mailboxes
Files.Read.All

Discovery

Backup

Discovery

Backup


 

Application

 Read files in all site collections
Files.ReadWrite.All

Recovery

Recovery


Recovery

Application

 Read and write files in all site collections
Group.ReadWrite.All

Recovery

Recovery

Application

Delegated (group mailbox only)

 Read and write all groups
GroupMember.Read.All

Discovery

Backup

 

Application

 Read all group memberships
Sites.ReadWrite.All


Recovery

Application

 Read and write items in all site collections
Sites.FullControl.All


Recovery

Application

 Have full control of all site collections
Sites.Manage.All


Recovery

Application

 Create, edit, and delete items and lists in all site collections
Team.ReadBasic.All



Discovery

Backup

Application

 Get a list of all teams
TeamSettings.ReadWrite.All



Recovery

Application

 Read and change all teams' settings
TeamMember.ReadWrite.All



Recovery

Application

 Add and remove members from all teams
Channel.Create



Recovery

Application

 Create channels
ChannelSettings.ReadWrite.All



Recovery

Application

 Read and write the names, descriptions, and settings of all channels
TeamworkTag.ReadWrite.All



Backup

Recovery

Application

 Read and write tags in Microsoft Teams
TeamsTab.ReadWrite.All



Backup

Recovery

Application

 Read and write tabs in Microsoft Teams
ChannelMessage.Read.All



Backup

Application

 Read all channel messages
TeamsAppInstallation.ReadWriteAndConsentForTeam.All         Recovery Application Manage Teams apps for all teams

Office 365 Exchange Online API

Permission Exchange Online Group Mailbox Application/Delegated Permission? Description
full_access_as_app

Recovery

Backup

Recovery

Application

 Backup group posts, recover group posts, recover type of ItemAttachment for email messages, recover a contact with personalNote larger than 4MB, recover sticky notes, recover huge email message or calendar event content

SharePoint API

The following API permission is only required if you are using certificate-based authentication with SharePoint Online:

Permission SharePoint and Group SharePoint Application/Delegated Permission? Description
Sites.FullControl.All

Recovery

Application

 Have full control of all site collections

The API permissions can be changed via your Azure Active Directory. For details, refer to Obtaining Microsoft 365 credentials (items 1-11).