
On Demand Recovery Current - User Guide

Required Permissions

This section lists the minimum user account permissions required to perform specific On Demand Recovery tasks.

Azure account used for adding tenants to On Demand

  • To add a tenant and grant admin consent for the On Demand Recovery module, the Azure Global administrator directory role is required. For more details, see Add an Azure AD tenant.
    On Demand Recovery requires Basic consent in the Recovery section.
  • After the tenant is added, you can change the permissions to the User administrator role. Basic backup and restore operations will work.
    To use the whole product functionality, you must specify a service account in backup settings.

Consent permissions

In addition to the base consents required by On Demand, On Demand Recovery requires the following consents and permissions.

To view the list of Basic consent permissions in On Demand Recovery:

  1. Click Tenants in the navigation panel on the left.
  2. Go to the Basic tile, under Recovery.
  3. Under Status and Actions, click View Details.
| Type | Permission | Description | Application API name |
|---|---|---|---|
| Application | Directory.ReadWrite.All | Allows the app to read and write data in your organization's directory, such as users and groups, without a signed-in user. Does not allow user or group deletion. | Microsoft Graph |
| Application | Group.Read.All | Allows the app to read group properties and memberships, and read conversations for all groups, without a signed-in user. | Microsoft Graph |
| Application | Group.ReadWrite.All | Allows the app to create groups and read all group properties and memberships on behalf of the signed-in user. Additionally allows group owners to manage their groups and allows group members to update group content. | Microsoft Graph |
| Application | Directory.Read.All | Allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user. | Microsoft Graph |
| Application | RoleManagement.ReadWrite.Directory | Allows the app to read and manage the role-based access control (RBAC) settings for your company's directory, without a signed-in user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships. | Microsoft Graph |
| Application | AppRoleAssignment.ReadWrite.All | Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, without a signed-in user. | Microsoft Graph |
| Application | Directory.Read.All | Allows the app to read data in your company or school directory, such as users, groups and apps. | Windows Azure Active Directory |
| Application | Directory.ReadWrite.All | Allows the app to read and write data in your company or school directory, such as users and groups. Does not allow user or group deletion. | Windows Azure Active Directory |
| Delegated | Directory.ReadWrite.All | Allows the app to read and write data in your organization's directory, such as users and groups. It does not allow the app to delete users or groups, or reset user passwords. | Microsoft Graph |
| Delegated | Directory.AccessAsUser.All | Allows the app to have the same access to information in the directory as the signed-in user. | Microsoft Graph |
| Delegated | Group.Read.All | Allows the app to list groups, and to read their properties and all group memberships on behalf of the signed-in user. Also allows the app to read calendar, conversations, files, and other group content for all groups the signed-in user can access. | Microsoft Graph |
| Delegated | Group.ReadWrite.All | Allows the app to create groups and read all group properties and memberships on behalf of the signed-in user. Additionally allows group owners to manage their groups and allows group members to update group content. | Microsoft Graph |
| Delegated | Directory.Read.All | Allows the app to read data in your organization's directory, such as users, groups and apps. | Microsoft Graph |
| Delegated | RoleManagement.ReadWrite.Directory | Allows the app to read and manage the role-based access control (RBAC) settings for your company's directory, on behalf of the signed-in user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships. | Microsoft Graph |
| Delegated | AppRoleAssignment.ReadWrite.All | Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, on behalf of the signed-in user. | Microsoft Graph |
| Delegated | User.Read | Allows users to sign in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. | Windows Azure Active Directory |
| Delegated | Group.Read.All | Allows the app to read basic group properties and memberships on behalf of the signed-in user. | Windows Azure Active Directory |
| Delegated | Group.ReadWrite.All | Allows the app to create groups on behalf of the signed-in user and read all group properties and memberships. Additionally, this allows the app to update group properties and memberships for the groups the signed-in user owns. | Windows Azure Active Directory |
| Delegated | Directory.ReadWrite.All | Allows the app to read and write data in your company or school directory, such as users and groups. Does not allow user or group deletion. | Windows Azure Active Directory |
| Delegated | Directory.Read.All | Allows the app to read data in your company or school directory, such as users, groups, and apps. | Windows Azure Active Directory |

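The consent list above is the baseline an administrator should expect to find on the On Demand Recovery service principal: anything missing explains failed operations, and anything beyond it is unexplained privilege. The following script is an added example written for this guide (it is not part of On Demand Recovery or of any Quest tooling); it encodes the table and compares it with the grants actually recorded on a service principal. The input records are constructed inline in the shape of Microsoft Graph `appRoleAssignments` (application permissions) and `oauth2PermissionGrants` (delegated permissions); the `appRoleValue` field is an assumption for readability, since real `appRoleAssignment` objects carry an `appRoleId` that has to be resolved against the resource service principal's `appRoles` first.

```python
"""Compare consented permissions with the Basic consent list documented above.

Added example, not product code. Sample records below are constructed; in practice
they would be exported from Microsoft Graph for the On Demand Recovery service principal.
"""

GRAPH = "Microsoft Graph"
AAD = "Windows Azure Active Directory"

# (type, permission, API) exactly as listed in the consent table above.
REQUIRED = {
    ("Application", "Directory.ReadWrite.All", GRAPH),
    ("Application", "Group.Read.All", GRAPH),
    ("Application", "Group.ReadWrite.All", GRAPH),
    ("Application", "Directory.Read.All", GRAPH),
    ("Application", "RoleManagement.ReadWrite.Directory", GRAPH),
    ("Application", "AppRoleAssignment.ReadWrite.All", GRAPH),
    ("Application", "Directory.Read.All", AAD),
    ("Application", "Directory.ReadWrite.All", AAD),
    ("Delegated", "Directory.ReadWrite.All", GRAPH),
    ("Delegated", "Directory.AccessAsUser.All", GRAPH),
    ("Delegated", "Group.Read.All", GRAPH),
    ("Delegated", "Group.ReadWrite.All", GRAPH),
    ("Delegated", "Directory.Read.All", GRAPH),
    ("Delegated", "RoleManagement.ReadWrite.Directory", GRAPH),
    ("Delegated", "AppRoleAssignment.ReadWrite.All", GRAPH),
    ("Delegated", "User.Read", AAD),
    ("Delegated", "Group.Read.All", AAD),
    ("Delegated", "Group.ReadWrite.All", AAD),
    ("Delegated", "Directory.ReadWrite.All", AAD),
    ("Delegated", "Directory.Read.All", AAD),
}

# Permissions that change who holds which roles or which apps hold which permissions.
# They are part of the documented list, but an extra grant of one of these to any
# other API or principal is the first thing to review.
HIGH_IMPACT = {"RoleManagement.ReadWrite.Directory", "AppRoleAssignment.ReadWrite.All"}


def granted_from_app_role_assignments(assignments):
    """Application permissions: one record per app role assigned to the service principal.
    `appRoleValue` is assumed to be the already-resolved role value (e.g. Group.Read.All)."""
    return {("Application", a["appRoleValue"], a["resourceDisplayName"]) for a in assignments}


def granted_from_oauth2_grants(grants):
    """Delegated permissions: each grant carries a space-separated scope string."""
    granted = set()
    for grant in grants:
        for scope in grant["scope"].split():
            granted.add(("Delegated", scope, grant["resourceDisplayName"]))
    return granted


def compare(granted, required=REQUIRED):
    """Return what is missing, what is beyond the documented list, and which of the
    extras are high-impact."""
    missing = required - granted
    extra = granted - required
    return {
        "missing": missing,
        "extra": extra,
        "high_impact_extra": {p for p in extra if p[1] in HIGH_IMPACT},
    }


# Constructed sample: all application permissions plus one that is not documented
# (User.ReadWrite.All), and delegated permissions with User.Read on the legacy API missing.
SAMPLE_APP_ROLE_ASSIGNMENTS = [
    {"resourceDisplayName": GRAPH, "appRoleValue": v}
    for v in (
        "Directory.ReadWrite.All", "Group.Read.All", "Group.ReadWrite.All", "Directory.Read.All",
        "RoleManagement.ReadWrite.Directory", "AppRoleAssignment.ReadWrite.All",
        "User.ReadWrite.All",  # not in the documented list
    )
] + [
    {"resourceDisplayName": AAD, "appRoleValue": v}
    for v in ("Directory.Read.All", "Directory.ReadWrite.All")
]
SAMPLE_OAUTH2_GRANTS = [
    {"resourceDisplayName": GRAPH,
     "scope": "Directory.ReadWrite.All Directory.AccessAsUser.All Group.Read.All "
              "Group.ReadWrite.All Directory.Read.All RoleManagement.ReadWrite.Directory "
              "AppRoleAssignment.ReadWrite.All"},
    {"resourceDisplayName": AAD,
     "scope": "Group.Read.All Group.ReadWrite.All Directory.ReadWrite.All Directory.Read.All"},
]


def check_sample():
    """Run the comparison over the constructed sample and return the report."""
    granted = granted_from_app_role_assignments(SAMPLE_APP_ROLE_ASSIGNMENTS)
    granted |= granted_from_oauth2_grants(SAMPLE_OAUTH2_GRANTS)
    return compare(granted)


if __name__ == "__main__":
    for key, value in check_sample().items():
        print(key, sorted(value))
```

On the sample the report lists `User.Read` on Windows Azure Active Directory as missing (the sign-in permission the guide requires) and `User.ReadWrite.All` on Microsoft Graph as an undocumented extra. Running the same comparison on a schedule, and alerting on any non-empty `extra` set, turns this reference table into a drift check for the tenant.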
Exchange Online PowerShell

To perform Exchange tasks, you will need to grant consent to Exchange Online PowerShell, and assign the Exchange Admin Role. For details, please see the About admin consent status and the Granting and regranting admin consent sections in the On Demand Global Settings User Guide.

Service account permissions

The service account that is used to back up and restore multifactor authentication (MFA) settings, inactive mailboxes, Conditional Access policies, and Application Proxy settings must have the following permissions:

  • For backup operations, this account must be a member of the Exchange administrator or User administrator Azure AD role.
  • To back up Application Proxy, the account must be a member of the Application administrator role.

The service account is used to back up and restore the following data:

  • Conditional Access policies
  • Multifactor authentication (MFA) settings
  • Identifiers of inactive mailboxes
  • Legacy Gallery applications and SSO settings data
  • Application Proxy settings and connector groups

Table 1: Required permissions for the service account by feature

| On Demand Recovery feature | Required Directory role |
|---|---|
| Restoring Conditional Access policies | Conditional Access administrator |
| Restoring MFA settings | User administrator |
| Restoring inactive mailboxes and backup required data | Exchange administrator |
| Restoring Legacy Gallery applications and SSO settings | Application administrator or Cloud application administrator |
| Restoring Application Proxy settings and connector | Application administrator |

NOTE: The Application administrator role is required to restore the Application Proxy settings. The Global reader role is sufficient for the backup operation.
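Table 1 is per feature, so the smallest role set for a given deployment depends on which features are actually used; a service account that simply holds Global Administrator satisfies every row but is far beyond what the table asks for. The script below is an added example for this guide (not product code): it encodes Table 1 together with the backup rule above, computes the minimal role set for the features in use, and reports which assigned roles are not justified by any row. Feature names and the constructed role assignment are this example's own.

```python
"""Least-privilege check for the On Demand Recovery service account.

Added example, not product code. Encodes Table 1 and the backup rule from this section;
the assigned-role list is constructed and would normally come from the directory.
"""
from itertools import product

# Each feature maps to the roles that satisfy its Table 1 row; any one of them is enough.
RESTORE_ROLES = {
    "Conditional Access policies": ("Conditional Access administrator",),
    "MFA settings": ("User administrator",),
    "Inactive mailboxes": ("Exchange administrator",),
    "Legacy Gallery applications and SSO settings": (
        "Application administrator", "Cloud application administrator"),
    "Application Proxy settings and connector groups": ("Application administrator",),
}
# Backup operations need one of these roles whatever features are restored.
BACKUP_ROLES = ("Exchange administrator", "User administrator")


def required_role_sets(features):
    """One tuple of acceptable roles per requirement (backup plus each selected feature)."""
    requirements = [BACKUP_ROLES]
    for feature in features:
        if feature not in RESTORE_ROLES:
            raise KeyError(f"unknown feature: {feature}")
        requirements.append(RESTORE_ROLES[feature])
    return requirements


def minimal_roles(features):
    """Smallest set of roles that covers every requirement. The table is tiny, so an
    exhaustive walk over the alternatives is cheaper than anything cleverer."""
    best = None
    for combo in product(*required_role_sets(features)):
        chosen = set(combo)
        if best is None or len(chosen) < len(best):
            best = chosen
    return best


def evaluate(features, assigned_roles):
    """Report requirements no assigned role satisfies, and assigned roles that no
    requirement can justify (for example Global administrator)."""
    assigned = set(assigned_roles)
    requirements = required_role_sets(features)
    unmet = [req for req in requirements if not set(req) & assigned]
    justifiable = set().union(*(set(req) for req in requirements))
    return {"unmet": unmet, "unjustified": sorted(assigned - justifiable)}


# Constructed scenario: the tenant restores MFA settings and Conditional Access policies,
# and the service account was given User administrator plus Global administrator.
SAMPLE_FEATURES = ["MFA settings", "Conditional Access policies"]
SAMPLE_ASSIGNED = ["User administrator", "Global administrator"]


def check_sample():
    return {
        "minimal": minimal_roles(SAMPLE_FEATURES),
        "report": evaluate(SAMPLE_FEATURES, SAMPLE_ASSIGNED),
    }


if __name__ == "__main__":
    result = check_sample()
    print("minimal role set:", sorted(result["minimal"]))
    print("unmet:", result["report"]["unmet"])
    print("unjustified:", result["report"]["unjustified"])
```

For the sample the minimal set is User administrator plus Conditional Access administrator: User administrator covers both the backup rule and MFA restores, Conditional Access administrator is still missing, and Global administrator is flagged because no row of Table 1 requires it.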