Product Version: 10.8
Last Modified: 5 October 2022
Question
What API permissions must be provided to NAKIVO Backup & Replication to successfully back up and recover Exchange Online mailboxes, OneDrives, SharePoint Online sites, and Teams?
Answer
See below for a list of all permissions and the services that require them to be provided to NAKIVO Backup & Replication.
Microsoft Graph API
Permission | Exchange Online | Group Mailbox | OneDrive for Business | SharePoint and Group SharePoint | Teams | Application or Delegated Permission? | Description |
|---|---|---|---|---|---|---|---|
| Calendars.Read | Discovery Backup | Application | Read calendars in all mailboxes | ||||
| Calendars.ReadWrite | Recovery | Application | Read and write calendars in all mailboxes | ||||
| Notes.Read.All | Discovery Backup | Discovery Backup | Application | Read all OneNote notebooks | |||
| Notes.ReadWrite.All | Recovery | Recovery | Application | Read and write all OneNote notebooks | |||
| Mail.Read | Discovery Backup | Application | Read mail in all mailboxes | ||||
| Mail.ReadWrite | Recovery | Application | Read and write mail in all mailboxes | ||||
| MailboxSettings.Read | Discovery Backup Recovery | Application | Read all user mailbox settings | ||||
| User.Read.All | Discovery Backup Recovery | Backup | Discovery | Application | Read all users' full profiles | ||
| User.ReadWrite.All | Backup | Read and write all users' full profiles | |||||
| Contacts.Read | Discovery Backup | Application | Read contacts in all mailboxes | ||||
| Contacts.ReadWrite | Recovery | Application | Read and write contacts in all mailboxes | ||||
| Files.Read.All | Discovery Backup | Discovery Backup | Backup | Application | Read files in all site collections | ||
| Files.ReadWrite.All | Recovery | Recovery | Recovery | Application | Read and write files in all site collections | ||
| Group.Read.All | Discovery Backup | Backup | Application (group mailbox only) Delegated (group mailbox only) | Read all groups | |||
| Group.ReadWrite.All | Recovery | Recovery | Application Delegated (group mailbox only) | Read and write all groups | |||
| GroupMember.Read.All | Discovery Backup | Backup | Application | Read all group memberships | |||
| Sites.Read.All | Discovery Backup | Application | Read items in all site collections | ||||
| Sites.ReadWrite.All | Recovery | Application | Read and write items in all site collections | ||||
| Sites.FullControl.All | Recovery | Application | Have full control of all site collections | ||||
| Sites.Manage.All | Recovery | Application | Create, edit, and delete items and lists in all site collections | ||||
| Team.ReadBasic.All | Discovery Backup | Application | Get a list of all teams | ||||
| TeamSettings.ReadWrite.All | Recovery | Application | Read and change all teams' settings | ||||
| TeamsAppInstallation.ReadWriteForTeam.All | Recovery | Application | Manage Teams apps for all teams | ||||
| TeamMember.Read.All | Backup | Application | Read the members of all teams | ||||
| TeamMember.ReadWrite.All | Recovery | Application | Add and remove members from all teams | ||||
| Channel.ReadBasic.All | Backup | Application | Read the names and descriptions of all channels | ||||
| Channel.Create | Recovery | Application | Create channels | ||||
| Channel.Delete.All | Recovery | Application | Delete channels | ||||
| ChannelSettings.Read.All | Backup | Application | Read the names, descriptions, and settings of all channels | ||||
| ChannelSettings.ReadWrite.All | Recovery | Application | Read and write the names, descriptions, and settings of all channels | ||||
| TeamworkTag.ReadWrite.All | Backup Recovery | Application | Read and write tags in Microsoft Teams | ||||
| TeamsTab.ReadWrite.All | Backup Recovery | Application | Read and write tabs in Microsoft Teams | ||||
| ChannelMessage.Read.All | Backup | Application Delegated | Read all channel messages | ||||
| ChannelMessage.Send | Recovery | Delegated | Send channel messages |
Office 365 Exchange Online API
| Permission | Exchange Online | Group Mailbox | Application/Delegated Permission? | Description |
|---|---|---|---|---|
| full_access_as_app | Recovery | Backup Recovery | Application | Backup group posts, recover group posts, recover type of ItemAttachment for email messages, recover a contact with personalNote larger than 4MB, recover sticky notes, recover huge email message or calendar event content |
SharePoint API
The following API permission is only required if you are using certificate-based authentication with SharePoint Online:
| Permission | SharePoint and Group SharePoint | Application/Delegated Permission? | Description |
|---|---|---|---|
| Sites.FullControl.All | Recovery | Application | Have full control of all site collections |
The API permissions can be changed via your Azure Active Directory. For details, refer to Obtaining Microsoft 365 credentials (items 1-11).