Tchater maintenant avec le support
Tchattez avec un ingénieur du support

On Demand Recovery Current - User Guide

Adding an Azure Active Directory Tenant

For instructions on how to add or remove an Azure AD tenant, see the Tenant Management section in the On Demand Global Settings User Guide.


NOTE: Although GCC High tenants can be added on the Tenants page for use in other On Demand modules, On Demand Recovery does not support restoring objects from GCC High tenants. This type of tenant will not be available for selection in On Demand Recovery. GCC tenants are also not supported.

 

When a tenant is added, the creation of backups is disabled by default. You must enable the backup creation as described in Step 6 in Working with On Demand Recovery.

Required Permissions

This section lists the minimum user account permissions required to perform specific On Demand Recovery tasks.

Azure Account Used to Grant Consents

The ability for On Demand service principals to access and operate with tenant assets requires explicit permissions. The Tenant Administrator grants these permissions through consents.

Each tenant that is added has granted consent to the initial Core – Basic permission set to the On Demand service principal. Additional consents are required to work with different features of On Demand Recovery. There are two service principals for On Demand Recovery; On Demand Recovery Basic and On Demand Recovery Restore. For more information on explicit permission for each service principal, see Basic Consent Permissions and Restore Consent Permissions.

  • On Demand Recovery requires Basic consent in the Recovery section. Basic consent is used for all read operations including backups.
    • For backup operations, the Global Reader role can be used.
  • On Demand Recovery requires Restore consent in the Recovery section. Restore consent is used for all write operations including restore.
    • For restore operations, the Privileged Authentication Administrator, User Administrator, Windows 365 Administrator and Conditional Access Administrator roles must be used. In addition, if any Conditional Access policies use a custom security attribute, the Attribute Definition Reader role will also be required.

For some advanced features, a separate service account is required and you must specify this service account in the backup settings.

Basic Consent Permissions

In addition to the base consents required by On Demand, On Demand Recovery requires the following consents and permissions.

To view the list of Basic consent permissions in On Demand Recovery:

  1. Click Tenants in the navigation panel on the left and click Edit Consents for the required tenant.
  2. Go to the Basic tile, under Recovery.
  3. Under Status and Actions, click View Details.

Application permissions are used in the app-only access scenario, without a signed-in user present. The application will be able to access any data that the permission is associated with. Only an administrator or owner of the service principal can consent to application permissions.

Delegated permissions are permissions that allow the application to act on a user's behalf. The application will never be able to access anything the signed in user themselves could not access.

For more information on application and delegated permissions, click here.

Type Permissions Application api name
Application

Application.Read.All

Allows the app to read all applications and service principals without a signed-in user.

Microsoft Graph
Application

DelegatedPermissionGrant.Read.All

Allows the app to read all delegated permission grants, without a signed-in user.

Microsoft Graph
Application

Device.Read.All

Allows the app to read your organization's devices' configuration information without a signed-in user.

Microsoft Graph
Application

Directory.Read.All

Allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user.

Microsoft Graph
Application

Group.Read.All

Allows the app to read group properties and memberships, and read the calendar and conversations for all groups, without a signed-in user.

Microsoft Graph
Application

Policy.Read.All

Allows the app to read all your organization's policies without a signed in user.

Microsoft Graph
Application

RoleManagement.Read.Directory

Allows the app to read the role-based access control (RBAC) settings for your company's directory, without a signed-in user. This includes reading directory role templates, directory roles and memberships.

Microsoft Graph
Application

User.Read.All

Allows the app to read the full set of profile properties, group membership, reports and managers of other users in your organization, without a signed-in user.

Microsoft Graph
Application

UserAuthenticationMethod.Read.All

Allows the app to read authentication methods of all users in your organization, without a signed-in user. Authentication methods include things like a users phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign-in or otherwise use the authentication methods.

Microsoft Graph
Delegated

email

Allows the app to read your users' primary email address.

Microsoft Graph
Documents connexes

The document was helpful.

Sélectionner une évaluation

I easily found the information I needed.

Sélectionner une évaluation