As well as the Basic consents required by On Demand Recovery, On Demand Recovery requires the following permissions to be granted consent for restore operations.
To view the list of Restore consent permissions in On Demand Recovery:
- Click Tenants in the navigation panel on the left and click Edit Consents for the required tenant.
- Go to the Restore tile, under Recovery.
- Under Status and Actions, click View Details.
Application permissions are used in the app-only access scenario, without a signed-in user present. The application will be able to access any data that the permission is associated with. Only an administrator or owner of the service principal can consent to application permissions.
Delegated permissions are permissions that allow the application to act on a user's behalf. The application will never be able to access anything the signed in user themselves could not access.
For more information on application and delegated permissions, click here.
| Type | Permissions | Application API Name |
|---|---|---|
| Application |
AdministrativeUnit.ReadWrite.All Allows the app to create, read, update, and delete administrative units and manage administrative unit membership without a signed-in user. |
Microsoft Graph |
| Application |
Application.ReadWrite.All Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write group calendar and conversations. All of these operations can be performed by the app without a signed-in user. |
Microsoft Graph |
| Application |
AppRoleAssignment.ReadWrite.All Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, without a signed-in user. |
Microsoft Graph |
| Application |
Device.ReadWrite.All Allows the app to read and write all device properties without a signed in user. Does not allow device creation or update of device alternative security identifiers. |
Microsoft Graph |
| Application |
Directory.ReadWrite.All Allows the app to read and write data in your organization's directory, such as other users, groups. It does not allow the app to delete users or groups, or reset user passwords. |
Microsoft Graph |
| Application |
Group.ReadWrite.All Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write group calendar and conversations. All of these operations can be performed by the app without a signed-in user. |
Microsoft Graph |
| Application |
Policy.Read.All Allows the app to read all your organization's policies without a signed in user. |
Microsoft Graph |
| Application |
Policy.ReadWrite.Authorization Allows the app to read and write your organization's authorization policy without a signed in user. For example, authorization policies can control some of the permissions that the out-of-the-box user role has by default. |
Microsoft Graph |
| Application |
Policy.ReadWrite.AuthenticationFlows Allows the app to read and write all authentication flow policies for the tenant, without a signed-in user. |
Microsoft Graph |
| Application |
Policy.ReadWrite.ConditionalAccess Allows the app to read and write your organization's conditional access policies on behalf of the signed-in user. |
Microsoft Graph |
| Application |
Policy.ReadWrite.ExternalIdentities Allows the application to read and update the organization's external identities policy without a signed-in user. For example, external identities policy controls if users invited to access resources in your organization via B2B collaboration or B2B direct connect are allowed to self-service leave. |
Microsoft Graph |
| Application |
RoleManagement.ReadWrite.Directory Allows the app to read and manage the role-based access control (RBAC) settings for your company's directory, without a signed-in user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships. |
Microsoft Graph |
| Application |
UserAuthenticationMethod.ReadWrite.All Allows the application to read and write authentication methods of all users in your organization, without a signed-in user. Authentication methods include things like a user's phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign-in or otherwise use the authentication methods. |
Microsoft Graph |
| Application |
User.ManageIdentities.All Allows the app to read, update and delete identities that are associated with a user's account that the signed-in user has access to. This controls the identities users can sign-in with. |
Microsoft Graph |
| Application |
User.ReadWrite.All Allows the app to read and write the full set of profile properties, group membership, reports and managers of other users in your organization, without a signed-in user. Also allows the app to create and delete non-administrative users. Does not allow reset of user passwords. |
Microsoft Graph |
| Delegated |
Directory.AccessAsUser.All Allows the app to have the same access to information in your work or school directory as you do. |
Microsoft Graph |
| Delegated |
Directory.ReadWrite.All Allows the app to read and write data in your organization's directory, such as users, and groups. It does not allow the app to delete users or groups, or reset user passwords. |
Microsoft Graph |
