Tchater maintenant avec le support
Tchattez avec un ingénieur du support

On Demand Recovery Current - User Guide

Restore Consent Permissions

As well as the Basic consents required by On Demand Recovery, On Demand Recovery requires the following permissions to be granted consent for restore operations.

To view the list of Restore consent permissions in On Demand Recovery:

  1. Click Tenants in the navigation panel on the left and click Edit Consents for the required tenant.
  2. Go to the Restore tile, under Recovery.
  3. Under Status and Actions, click View Details.

Application permissions are used in the app-only access scenario, without a signed-in user present. The application will be able to access any data that the permission is associated with. Only an administrator or owner of the service principal can consent to application permissions.

Delegated permissions are permissions that allow the application to act on a user's behalf. The application will never be able to access anything the signed in user themselves could not access.

For more information on application and delegated permissions, click here.

Type Permissions Application api name
Application

Application.ReadWrite.All

Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write group calendar and conversations. All of these operations can be performed by the app without a signed-in user.

Microsoft Graph
Application

AppRoleAssignment.ReadWrite.All

Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, without a signed-in user.

Microsoft Graph
Application

Device.ReadWrite.All

Allows the app to read and write all device properties without a signed in user. Does not allow device creation or update of device alternative security identifiers.

Microsoft Graph
Application

Directory.ReadWrite.All

Allows the app to read and write data in your organization's directory, such as other users, groups. It does not allow the app to delete users or groups, or reset user passwords.

Microsoft Graph
Application

Group.ReadWrite.All

Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write group calendar and conversations. All of these operations can be performed by the app without a signed-in user.

Microsoft Graph
Application

Policy.Read.All

Allows the app to read all your organization's policies without a signed in user.

Microsoft Graph
Application

Policy.ReadWrite.ConditionalAccess

Allows the app to read and write your organization's conditional access policies on behalf of the signed-in user.

Microsoft Graph
Application

RoleManagement.ReadWrite.Directory

Allows the app to read and manage the role-based access control (RBAC) settings for your company's directory, without a signed-in user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships.

Microsoft Graph
Application

UserAuthenticationMethod.ReadWrite.All

Allows the application to read and write authentication methods of all users in your organization, without a signed-in user. Authentication methods include things like a user's phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign-in or otherwise use the authentication methods.

Microsoft Graph
Application

User.ReadWrite.All

Allows the app to read and write the full set of profile properties, group membership, reports and managers of other users in your organization, without a signed-in user. Also allows the app to create and delete non-administrative users. Does not allow reset of user passwords.

Microsoft Graph
Delegated

Directory.AccessAsUser.All

Allows the app to have the same access to information in your work or school directory as you do.

Microsoft Graph
Delegated

Directory.ReadWrite.All

Allows the app to read and write data in your organization's directory, such as users, and groups. It does not allow the app to delete users or groups, or reset user passwords.

Microsoft Graph

Exchange Online PowerShell Consent

To perform Exchange tasks, you will need to grant consent to Exchange Online PowerShell, and assign the Exchange Admin Role. For details, please see the About admin consent status and the Granting and regranting admin consent sections in the On Demand Global Settings User Guide.

Service Credential Permissions

For some advanced features, a service account must be specified and are required in addition to consent permissions. A separate service account is used for backup operations for the following advanced features:

  • Conditional Access policies
  • Service Principal Default policies

Table 1: Backup Service Credential Permissions

For backup of advanced features, a service account must be specified in the backup settings. This service account is used to backup and read the following advanced features.

On Demand Recovery feature Required Directory role
Backup of Conditional Access policies Global Reader
Backup of Service Principal Default policies Global Reader

Office 365 Tenant Requirements (Mailbox Data Protection)

Office 365 and on-premises Exchange offer some native means of protection against losing valuable data. To prevent the permanent deletion of mailbox data and to be able to restore a mailbox when it is deleted from the Recycle Bin, it is strongly recommended that you use Office 365 retention policy or Litigation Hold.

Documents connexes

The document was helpful.

Sélectionner une évaluation

I easily found the information I needed.

Sélectionner une évaluation