
On Demand Recovery Current - User Guide


Restore Consent Permissions

In addition to the Basic consents required by On Demand Recovery, the following permissions must be granted consent for restore operations.

To view the list of Restore consent permissions in On Demand Recovery:

  1. Click Tenants in the navigation panel on the left and click Edit Consents for the required tenant.
  2. Go to the Restore tile, under Recovery.
  3. Under Status and Actions, click View Details.

Application permissions are used in the app-only access scenario, without a signed-in user present. The application will be able to access any data that the permission is associated with. Only an administrator or owner of the service principal can consent to application permissions.

Delegated permissions are permissions that allow the application to act on a user's behalf. The application will never be able to access anything the signed in user themselves could not access.

For more information on application and delegated permissions, refer to the Microsoft Graph permissions documentation.

Each permission is listed with its type and the API it belongs to, followed by what it allows.

Application permissions (API name: Microsoft Graph)

  • AdministrativeUnit.ReadWrite.All
    Allows the app to create, read, update, and delete administrative units and manage administrative unit membership without a signed-in user.

  • Application.ReadWrite.All
    Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write group calendar and conversations. All of these operations can be performed by the app without a signed-in user.

  • AppRoleAssignment.ReadWrite.All
    Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, without a signed-in user.

  • Device.ReadWrite.All
    Allows the app to read and write all device properties without a signed-in user. Does not allow device creation or update of device alternative security identifiers.

  • Directory.ReadWrite.All
    Allows the app to read and write data in your organization's directory, such as other users and groups. It does not allow the app to delete users or groups, or reset user passwords.

  • Group.ReadWrite.All
    Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write group calendar and conversations. All of these operations can be performed by the app without a signed-in user.

  • Policy.Read.All
    Allows the app to read all your organization's policies without a signed-in user.

  • Policy.ReadWrite.Authorization
    Allows the app to read and write your organization's authorization policy without a signed-in user. For example, authorization policies can control some of the permissions that the out-of-the-box user role has by default.

  • Policy.ReadWrite.AuthenticationFlows
    Allows the app to read and write all authentication flow policies for the tenant, without a signed-in user.

  • Policy.ReadWrite.ConditionalAccess
    Allows the app to read and write your organization's conditional access policies on behalf of the signed-in user.

  • Policy.ReadWrite.ExternalIdentities
    Allows the application to read and update the organization's external identities policy without a signed-in user. For example, external identities policy controls whether users invited to access resources in your organization via B2B collaboration or B2B direct connect are allowed to self-service leave.

  • RoleManagement.ReadWrite.Directory
    Allows the app to read and manage the role-based access control (RBAC) settings for your company's directory, without a signed-in user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships.

  • UserAuthenticationMethod.ReadWrite.All
    Allows the application to read and write authentication methods of all users in your organization, without a signed-in user. Authentication methods include things like a user's phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign in or otherwise use the authentication methods.

  • User.ManageIdentities.All
    Allows the app to read, update and delete identities that are associated with a user's account that the signed-in user has access to. This controls the identities users can sign in with.

  • User.ReadWrite.All
    Allows the app to read and write the full set of profile properties, group membership, reports and managers of other users in your organization, without a signed-in user. Also allows the app to create and delete non-administrative users. Does not allow reset of user passwords.

Delegated permissions (API name: Microsoft Graph)

  • Directory.AccessAsUser.All
    Allows the app to have the same access to information in your work or school directory as you do.

  • Directory.ReadWrite.All
    Allows the app to read and write data in your organization's directory, such as users and groups. It does not allow the app to delete users or groups, or reset user passwords.
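Because several of these application permissions are tenant-wide and highly privileged (Directory.ReadWrite.All, RoleManagement.ReadWrite.Directory, AppRoleAssignment.ReadWrite.All), an administrator will usually want to verify that the service principal holds exactly the documented set and nothing beyond it. The following added example (not code from Quest or the On Demand Recovery product) compares the application permissions actually granted to a service principal with the list above. It assumes the caller has already retrieved the service principal's appRoleAssignments and the Microsoft Graph service principal's appRoles collection; the sample data and role ids below are constructed placeholders, not real tenant values.

```python
"""Audit Microsoft Graph application permissions granted to a service
principal against the set this guide requires for restore operations."""

# Application permissions listed in the guide for restore (Microsoft Graph).
REQUIRED_RESTORE_APP_PERMISSIONS = frozenset({
    "AdministrativeUnit.ReadWrite.All", "Application.ReadWrite.All",
    "AppRoleAssignment.ReadWrite.All", "Device.ReadWrite.All",
    "Directory.ReadWrite.All", "Group.ReadWrite.All", "Policy.Read.All",
    "Policy.ReadWrite.Authorization", "Policy.ReadWrite.AuthenticationFlows",
    "Policy.ReadWrite.ConditionalAccess", "Policy.ReadWrite.ExternalIdentities",
    "RoleManagement.ReadWrite.Directory", "UserAuthenticationMethod.ReadWrite.All",
    "User.ManageIdentities.All", "User.ReadWrite.All",
})


def granted_app_permissions(app_role_assignments, graph_app_roles):
    """Map appRoleAssignment records (shape of GET /servicePrincipals/{id}/
    appRoleAssignments) back to permission names.

    graph_app_roles is {appRoleId: value} from the Microsoft Graph service
    principal's appRoles. Assignments against other resources (for example
    Exchange Online) are skipped because the guide's table covers Graph only.
    """
    granted = set()
    for assignment in app_role_assignments:
        if assignment.get("resourceDisplayName") != "Microsoft Graph":
            continue
        name = graph_app_roles.get(assignment.get("appRoleId"))
        if name:
            granted.add(name)
    return granted


def audit_restore_consent(granted, required=REQUIRED_RESTORE_APP_PERMISSIONS):
    """Return the permissions still missing for restore and those that exceed
    the documented set, so any extra grants can be reviewed for least privilege."""
    return {"missing": sorted(required - granted), "extra": sorted(granted - required)}


# Constructed sample (placeholder role ids, not real GUIDs): every documented
# permission plus one undocumented grant, Mail.ReadWrite, is defined on Graph.
SAMPLE_GRAPH_APP_ROLES = {
    f"role-{i:02d}": name for i, name in
    enumerate(sorted(REQUIRED_RESTORE_APP_PERMISSIONS | {"Mail.ReadWrite"}))}
# Everything is consented except Policy.ReadWrite.ConditionalAccess; the
# Exchange Online assignment is present only to show that it is ignored.
SAMPLE_ASSIGNMENTS = [
    {"resourceDisplayName": "Microsoft Graph", "appRoleId": role_id}
    for role_id, name in SAMPLE_GRAPH_APP_ROLES.items()
    if name != "Policy.ReadWrite.ConditionalAccess"
] + [{"resourceDisplayName": "Office 365 Exchange Online", "appRoleId": "role-ex-01"}]

if __name__ == "__main__":
    report = audit_restore_consent(
        granted_app_permissions(SAMPLE_ASSIGNMENTS, SAMPLE_GRAPH_APP_ROLES))
    print(report)  # missing: Policy.ReadWrite.ConditionalAccess; extra: Mail.ReadWrite
```

A non-empty "missing" list means restore operations will fail until the consent is regranted; a non-empty "extra" list is a grant the guide does not call for and should be justified or removed.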

Exchange Online PowerShell Consent

To perform Exchange tasks, you will need to grant consent to Exchange Online PowerShell, and assign the Exchange Admin Role. For details, please see the About admin consent status and the Granting and regranting admin consent sections in the On Demand Global Settings User Guide.

Service Credential Permissions

For some advanced features, a service account must be specified in addition to the consent permissions. A separate service account is used for backup operations for the following advanced features:

  • Conditional Access policies
  • Service Principal Default policies
  • Multifactor authentication settings
  • Data related to inactive mailboxes

Table 1: Backup Service Credential Permissions

For backup of advanced features, a service account must be specified in the backup settings. This service account is used to back up and read the following advanced features.

  On Demand Recovery feature                        Required Directory role
  Backup of Conditional Access policies             Global Reader
  Backup of Service Principal Default policies      Global Reader
  Backup of multifactor authentication settings     Global Reader
  Backup of data related to inactive mailboxes      Global Reader

Table 2: Restore Service Credential Permissions

For restore of advanced features, a service account must be specified in the restore settings. This service account is used to restore and write the following advanced features.

  On Demand Recovery feature                        Required Directory role
  Restore of multifactor authentication             Authentication Administrator
  Restore of data related to inactive mailboxes     Authentication Administrator
  Restore of Conditional Access policies            Conditional Access Administrator

Trusted IP Settings

To configure Trusted IP settings, allow the following subnets for the relevant region:

  Region       IP Prefixes
  US           52.233.76.96/29, 20.230.254.72/29
  EU           13.69.216.192/29, 13.69.214.48/29
  Canada       20.104.81.8/29, 4.205.3.248/29
  UK           51.145.35.32/29, 20.254.44.208/29
  Australia    20.191.252.152/29, 68.218.80.112/29

For more details, see Configure Azure Multi-Factor Authentication settings.
