Overview
This article helps you understand the permissions that Druva requires to back up and restore your Microsoft 365 data.
For more information about how and where to provide these permissions to authorize Druva, see Configure Druva inSync for Microsoft 365.
Druva requires the following permission types.
Application: This will allow applications in Azure Active Directory (Azure AD) to perform actions using admin-driven consent.
Delegated: This will allow applications in Azure AD to perform actions on behalf of a particular user.
New permissions required for Microsoft Graph API v1.0
The new permissions required for Microsoft Graph API v1.0 are listed below.
Permission | Type | Purpose |
Exchange Online | ||
Calendars.ReadWrite | Application | Backup and restore Exchange Online calendars. |
Contacts.ReadWrite | Application | Backup and restore Exchange Online contacts. |
Mail.ReadWrite | Application | Backup and restore Exchange Online mailboxes. |
Tasks.ReadWrite.All | Application | Backup and restore Exchange Online tasks. |
SharePoint Online | ||
Sites.ReadWrite.All | Application | Backup and restore SharePoint Site using latest Graph APIs. |
Sites.FullControl.All | Application | Backup and restore of all SharePoint sites, including system document libraries, using Microsoft Graph API. |
For more information, see Microsoft Graph Permissions.
Graph API
App-specific permissions
Permissions required for each app are listed below.
Microsoft 365 Advanced
Supported apps/features
SharePoint Online | Public Folder | Exchange Online | OneDrive | Teams | Groups | Multi-Geo |
✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Required Permissions
Permission | Type | Purpose |
Application.ReadWrite.All | Application | Revoke app access from the tenant. |
Calendars.ReadWrite | Application | Read and write calendars in all mailboxes. |
Contacts.ReadWrite | Application | Read and write contacts in all mailboxes |
Directory.ReadWrite.All | Delegated | Read and write directory data. |
Directory.ReadWrite.All | Application | Read and write directory data. |
RoleManagement.ReadWrite.Directory | Application | Read and write directory RBAC settings |
RoleManagement.ReadWrite.Directory | Delegated | Read and write directory RBAC settings |
Mail.ReadWrite | Application | Read and write mail in all mailboxes |
MailboxSettings.Read | Application | Get user's mailbox type |
Sites.ReadWrite.All | Application | Read data from SharePoint sites and sites associated with Microsoft Teams and M365 Groups. |
Sites.FullControl.All | Application | Backup and restore of all SharePoint sites, including system document libraries, using Microsoft Graph API. |
Tasks.ReadWrite.All | Application | Read and write all users’ tasks and task lists |
User.Read.All | Application | Backup SharePoint site users. |
Files.Read.All | Application | Read Microsoft Teams channel files and folders to facilitate backups. Read users' OneDrive files. |
Sites.ReadWrite.All | Application | Backup and Restore SharePoint Site using latest Graph APIs. |
Exchange Online | ||
Calendars.ReadWrite | Application | Backup and restore Exchange Online calendars. |
Contacts.ReadWrite | Application | Backup and restore Exchange Online contacts. |
Mail.ReadWrite | Application | Backup and restore Exchange Online mailboxes. |
Tasks.ReadWrite.All | Application | Backup and restore Exchange Online tasks. |
Microsoft Teams | ||
Channel.Create | Application | Restore Microsoft Teams channels. |
Channel.ReadBasic.All | Application | Backup Microsoft Teams channel metadata. |
ChannelMember.ReadWrite.All | Application | Backup and restore Microsoft Teams channel members. |
ChannelMessage.Read.All | Application | Backup Microsoft Teams channel conversations (messages). |
ChannelSettings.ReadWrite.All | Application | Backup and restore Microsoft Teams channel settings. |
Group.ReadWrite.All | Delegated | Restore Microsoft Teams. |
Sites.Read.All | Application | Read data from SharePoint sites and sites associated with Microsoft Teams and M365 Groups. |
TeamMember.ReadWrite.All | Application | Backup and restore Microsoft Teams members. |
TeamSettings.ReadWrite.All | Application | Backup and restore Microsoft Teams settings. |
TeamsTab.Read.All | Application | Back up Microsoft Teams tab's metadata. |
Microsoft Groups | ||
AppRoleAssignment.ReadWrite.All | Application | Backup and restore Microsoft Groups Role Assignment data. |
Group.ReadWrite.All | Application | Backup and restore Microsoft Groups data. |
GroupMember.ReadWrite.All | Application | Add a member to a Microsoft 365 group or a security group through the members’ navigation property. |
Tasks.Read | Application | Backup and restore Planner and Tasks |
SharePoint | ||
Sites.Read.All | Application | Backup SharePoint Site, including site content types, using Microsoft Graph API. |
Sites.Manage.All | Application | Restore of all SharePoint sites, including site content types, using Microsoft Graph API. |
Sites.FullControl.All | Application | Restore of all SharePoint sites, including site content types, using Microsoft Graph API. |
Sites.FullControl.All | Application | Backup and restore of all SharePoint sites, including content type hub, using Microsoft Graph API. |
TermStore.ReadWrite.All | Application | Backup or restore of Managed Metadata Term Store in SharePoint Online. |
Microsoft 365 Basic
Supported apps/features
SharePoint Online | Public Folder | Exchange Online | OneDrive | Teams | Groups | Multi-Geo |
✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
Required Permissions
Permission | Type | Purpose |
Application.ReadWrite.All | Application | Revoke app access from the tenant. |
Calendars.ReadWrite | Application | Read and write calendars in all mailboxes |
Contacts.ReadWrite | Application | Read and write contacts in all mailboxes. |
Mail.ReadWrite | Application | Read and write mail in all mailboxes. |
MailboxSettings.Read | Application | Get user's mailbox type |
Tasks.ReadWrite.All | Application | Read and write all users’ tasks and tasklists |
Sites.ReadWrite.All | Application | Read and write content on all sites. |
Sites.FullControl.All | Application | Backup and restore of all SharePoint sites, including system document libraries, using Microsoft Graph API. |
User.Read.All | Application | Import users from Azure AD. |
Files.Read.All | Application | Read Microsoft Teams channel files and folders to facilitate backups. Read users' OneDrive files. |
Sites.ReadWrite.All | Application | Backup and Restore SharePoint Site using latest Graph APIs. |
Exchange Online | ||
Calendars.ReadWrite | Application | Backup and restore Exchange Online calendars. |
Contacts.ReadWrite | Application | Backup and restore Exchange Online contacts. |
Mail.ReadWrite | Application | Backup and restore Exchange Online mailboxes. |
Tasks.ReadWrite.All | Application | Backup and restore Exchange Online tasks. |
Sites.ReadWrite.All | Application | Backup and Restore SharePoint Site using latest Graph APIs. |
Microsoft Teams | ||
Channel.Create | Application | Restore Microsoft Teams channels. |
Channel.ReadBasic.All | Application | Backup Microsoft Teams channel metadata. |
ChannelMember.ReadWrite.All | Application | Backup and restore Microsoft Teams channel members. |
ChannelMessage.Read.All | Application | Backup Microsoft Teams channel conversations (messages). |
ChannelSettings.ReadWrite.All | Application | Backup and restore Microsoft Teams channel settings. |
Directory.Read.All | Application | Read Groups settings during Teams backup. |
Group.ReadWrite.All | Delegated | Restore Microsoft Teams. |
Sites.Read.All | Application | Read data from SharePoint sites and sites associated with Microsoft Teams. |
TeamMember.ReadWrite.All | Application | Backup and restore Microsoft Teams members. |
TeamSettings.ReadWrite.All | Application | Backup and restore Microsoft Teams settings. |
TeamsTab.Read.All | Application | Back up Microsoft Teams tab's metadata. |
Microsoft Groups | ||
Group.ReadWrite.All | Application | Backup and restore Microsoft Groups data. |
GroupMember.ReadWrite.All | Application | Add a member to a Microsoft 365 group or a security group through the members’ navigation property. |
SharePoint | ||
Sites.Read.All | Application | Backup SharePoint Site, including site content types, using Microsoft Graph API. |
Sites.Manage.All | Application | Restore of all SharePoint sites, including site content types, using Microsoft Graph API. |
Sites.FullControl.All | Application | Restore of all SharePoint sites, including site content types, using Microsoft Graph API |
Sites.FullControl.All | Application | Backup and restore of all SharePoint sites, including content type hub, using Microsoft Graph API. |
TermStore.ReadWrite.All | Application | Backup or restore of Managed Metadata Term Store in SharePoint Online. |
Exchange Online and Public Folder
Required Permissions
Permission | Type | Purpose |
Application.ReadWrite.All | Application | Revoke app access from the tenant. |
Calendars.ReadWrite | Application | Read and write calendars in all mailboxes |
Contacts.ReadWrite | Application | Read and write contacts in all mailboxes |
Directory.Read.All | Application | Import users from Azure AD. |
Mail.ReadWrite | Application | Read and write mail in all mailboxes |
MailboxSettings.Read | Application | Read all user mailbox settings |
Tasks.ReadWrite.All | Application | Read and write all users’ tasks and task lists |
User.Read.All | Delegated | Read all users' full profiles |
Exchange Online | ||
Calendars.ReadWrite | Application | Backup and restore Exchange Online calendars. |
Contacts.ReadWrite | Application | Backup and restore Exchange Online contacts. |
Mail.ReadWrite | Application | Backup and restore Exchange Online mailboxes. |
Tasks.ReadWrite.All | Application | Backup and restore Exchange Online tasks. |
OneDrive and SharePoint
Required Permissions
Permission | Type | Purpose |
Application.ReadWrite.All | Application | Revoke app access from the tenant. |
User.Read.All | Application | Import users from Azure AD. |
Files.Read.All | Application | Read Microsoft Teams channel files and folders to facilitate backups. Read users' OneDrive files. |
Sites.ReadWrite.All | Application | Backup and Restore SharePoint Site using latest Graph APIs. |
Sites.FullControl.All | Application | Backup and restore of all SharePoint sites, including system document libraries, using Microsoft Graph API. |
Microsoft Teams | ||
Group.Read.All | Application | Support Teams Meeting Recording Exclusion. |
Sites.Read.All | Application | Read data from SharePoint sites and sites associated with Microsoft Teams. |
SharePoint | ||
Sites.Read.All | Application | Backup SharePoint Site, including site content types, using Microsoft Graph API. |
Sites.Manage.All | Application | Restore of all SharePoint sites, including site content types, using Microsoft Graph API. |
Sites.FullControl.All | Application | Restore of all SharePoint sites, including site content types, using Microsoft Graph API |
Sites.FullControl.All | Application | Backup and restore of all SharePoint sites, including content type hub, using Microsoft Graph API. |
TermStore.ReadWrite.All | Application | Backup or restore of Managed Metadata Term Store in SharePoint Online. |
Workload-specific permissions
Permissions required for Microsoft Graph are listed below.
Permission | Type | Purpose |
Application.ReadWrite.All | Application | Delete service principal from the associated tenant and revoke app access from the tenant. |
Files.Read.All | Application | Read Microsoft Teams channel files and folders to facilitate backups. Read users' OneDrive files. |
User.Read.All | Application | Import users from Azure AD. |
MailboxSettings.Read | Application | Get user's mailbox type |
Sites.ReadWrite.All | Application | Backup and Restore SharePoint Site using latest Graph APIs. |
Sites.FullControl.All | Application | Backup and restore of all SharePoint sites, including system document libraries, using Microsoft Graph API. |
Microsoft Teams | ||
Channel.Create | Application | Restore Microsoft Teams channels. |
Channel.ReadBasic.All | Application | Back up Microsoft Teams channel metadata. |
ChannelMessage.Read.All | Application | Back up Microsoft Teams channel conversations (messages). |
ChannelMember.ReadWrite.All | Application | Back up and restore Microsoft Teams channel members. |
ChannelSettings.ReadWrite.All | Application | Back up and restore Microsoft Teams channel settings. |
Directory.Read.All | Application | Back up and restore Microsoft Teams. |
Directory.ReadWrite.All | Application | Restore Microsoft Teams. 📝 Note: This permission is needed only when you are using the Microsoft 365 Advanced app to protect Groups and to use the Multi-Geo support feature. The Microsoft 365 Basic app does not need this permission. For more information, see Configure Druva inSync for Microsoft 365. |
Group.ReadWrite.All | Delegated | Restore Microsoft Teams. |
GroupMember.ReadWrite.All | Application | Add a member to a Microsoft 365 group or a security group through the members’ navigation property. |
Sites.Read.All | Application | Read data from SharePoint sites and sites associated with Microsoft Teams. |
TeamMember.ReadWrite.All | Application | Back up and restore Microsoft Teams members. |
TeamSettings.ReadWrite.All | Application | Back up and restore Microsoft Teams settings. |
TeamsTab.Read.All | Application | Back up Microsoft Teams tab's metadata. |
Exchange Online | ||
Calendars.ReadWrite | Application | Backup and restore Exchange Online calendars. |
Contacts.ReadWrite | Application | Backup and restore Exchange Online contacts. |
Mail.ReadWrite | Application | Backup and restore Exchange Online mailboxes. |
Tasks.ReadWrite.All | Application | Backup and restore Exchange Online tasks. |
SharePoint | ||
Sites.Read.All | Application | Backup SharePoint Site, including site content types, using Microsoft Graph API. |
Sites.Manage.All | Application | Restore of all SharePoint sites, including site content types, using Microsoft Graph API. |
Sites.FullControl.All | Application | Restore of all SharePoint sites, including site content types, using Microsoft Graph API |
Sites.FullControl.All | Application | Backup and restore of all SharePoint sites, including content type hub, using Microsoft Graph API. |
TermStore.ReadWrite.All | Application | Backup or restore of Managed Metadata Term Store in SharePoint Online. |
Outlook API
App-specific permissions
Permissions required for each app are listed below.
Microsoft 365 Advanced
Supported apps/features
SharePoint Online | Public Folder | Exchange Online | OneDrive | Teams | Groups | Multi-Geo |
✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Required Permissions
Permission | Type | Purpose |
Office 365 Exchange Online | ||
Calendars.ReadWrite.All | Application | Backup and restore Exchange Online calendars. |
Contacts.ReadWrite | Application | Backup and restore Exchange Online contacts. |
EWS.AccessAsUser.All | Delegated | Backup and restore Exchange Online mailboxes in user context. |
full_access_as_app | Application | Back up, restore, and discover Exchange Online mailboxes, Microsoft 365 Group mailboxes, and shared mailboxes. |
Mail.ReadWrite | Application | Backup and restore Exchange Online mailboxes. |
Tasks.ReadWrite | Application | Backup and restore Exchange Online tasks. |
SharePoint | ||
Sites.FullControl.All | Application | Backup and restore SharePoint Online site collections, including Microsoft 365 Group Team sites and modern sites. |
Sites.Search.All | Delegated | Run search queries as a user |
TermStore.Read.All | Application | Backup Managed Metadata Service SharePoint Online site collections and Microsoft 365 Group Team sites. |
User.Read.All | Delegated | Get site collection administrators during restore activity to a new site. |
User.Read.All | Application | Backup SharePoint site users. |
Microsoft 365 Basic
Supported apps/features
SharePoint Online | Public Folder | Exchange Online | OneDrive | Teams | Groups | Multi-Geo |
✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
Required Permissions
Permission | Type | Purpose |
Office 365 Exchange Online | ||
Calendars.ReadWrite.All | Application | Backup and restore Exchange Online calendars. |
Contacts.ReadWrite | Application | Backup and restore Exchange Online contacts. |
EWS.AccessAsUser.All | Delegated | Backup and restore Exchange Online mailboxes in admin context. |
full_access_as_app | Application | Back up, restore, and discover Exchange Online mailboxes, Microsoft 365 Group mailboxes, and shared mailboxes. |
Mail.ReadWrite | Application | Backup and restore Exchange Online mailboxes. |
Tasks.ReadWrite | Application | Backup and restore Exchange Online tasks. |
SharePoint | ||
Sites.FullControl.All | Application | Backup and restore SharePoint Online site collections, including Microsoft 365 Group Team sites and modern sites. |
Sites.Search.All | Delegated | Run search queries as a user |
TermStore.Read.All | Application | Back up Managed Metadata Service SharePoint Online site collections and Microsoft 365 Group Team sites. |
User.Read.All | Delegated | Get site collection administrators during restore activity to a new site. |
User.Read.All | Application | Backup SharePoint site users. |
Exchange Online and Public Folder
Required Permissions
Permission | Type | Purpose |
Office 365 Exchange Online | ||
Calendars.ReadWrite.All | Application | Backup and restore Exchange Online calendars. |
Contacts.ReadWrite | Application | Backup and restore Exchange Online contacts. |
EWS.AccessAsUser.All | Delegated | Backup and restore Exchange Online mailboxes in admin context. |
full_access_as_app | Application | Back up, restore, and discover Exchange Online mailboxes, Microsoft 365 Group mailboxes, and shared mailboxes. |
Mail.ReadWrite | Application | Backup and restore Exchange Online mailboxes. |
Tasks.ReadWrite | Application | Backup and restore Exchange Online tasks. |
OneDrive and SharePoint
Required Permissions
Permission | Type | Purpose |
SharePoint | ||
Sites.FullControl.All | Application | Backup and restore SharePoint Online site collections, including Microsoft 365 Group Team sites and modern sites. |
Sites.Search.All | Delegated | Run search queries as a user |
TermStore.Read.All | Application | Back up Managed Metadata Service SharePoint Online site collections and Microsoft 365 Group Team sites. |
User.Read.All | Delegated | Get site collection administrators during restore activity to a new site. |
User.Read.All | Application | Backup SharePoint site users. |
Workload-specific permissions
Permissions required for each workload are listed below.
Office 365 Exchange Online
The following table explains the permissions required to use the Office 365 Exchange Online services:
Permission | Type | Purpose |
Calendars.ReadWrite.All | Application | Back up and restore Exchange Online calendars. |
Contacts.ReadWrite | Application | Back up and restore Exchange Online contacts. |
EWS.AccessAsUser.All | Delegated | Back up and restore Exchange Online mailboxes in admin context. |
full_access_as_app | Application | Back up, restore, and discover Exchange Online mailboxes, Microsoft 365 Group mailboxes, and shared mailboxes. |
Mail.ReadWrite | Application | Back up and restore Exchange Online mailboxes. |
Tasks.ReadWrite | Application | Back up and restore Exchange Online tasks. |
Office 365 SharePoint Online
The following table explains the permissions required to use the Office 365 SharePoint Online services:
Permission | Type | Purpose |
Sites.FullControl.All | Application | Back up and restore SharePoint Online site collections, including Microsoft 365 Group Team sites and modern sites. |
TermStore.Read.All | Application | Back up Managed Metadata Service SharePoint Online site collections and Microsoft 365 Group Team sites. |
User.Read.All | Application | Back up SharePoint site users. |
User.Read.All | Delegated | Get site collection administrators during restore activity to a new site. |
Microsoft Groups
The following table explains the permissions required to use Microsoft Groups:
Permission | Type | Purpose |
Group.ReadWrite.All | Application | Backup and restore Microsoft Groups data. |
Directory.ReadWrite.All | Application | Backup and restore group-specific settings (applies only to Microsoft 365 groups) and preferred data location (PDL). |
RoleManagement.ReadWrite.Directory | Application | Backup only Microsoft Groups Sensitivity labels data. |
AppRoleAssignment.ReadWrite.All | Application | Backup and restore Microsoft Groups Role Assignment data. |
Group.ReadWrite.All | Delegated | Backup and restore Microsoft Groups data. |
Directory.ReadWrite.All | Delegated | Restore of Microsoft Groups Sensitivity labels data and AllowExternalSenders. |
RoleManagement.ReadWrite.Directory | Delegated | Restore of Microsoft Groups Sensitivity labels data and AllowExternalSenders. |