Chat now with support
Chat with Support

On Demand Recovery Current - User Guide

Required Permissions

This section lists the minimum user account permissions required to perform specific On Demand Recovery tasks.

Azure Account used for adding Azure tenant to the On Demand

  • To add a tenant and grant admin consent for the On Demand Recovery module, the Azure Global administrator directory role is required. For more details, see Add an Azure AD tenant.
    On Demand Recovery needs Basic consent at the Recovery section. If you plan to use SharePoint functionality, On Demand Recovery requires the Resource Processing for SharePoint Online consent. For more details about SharePoint Online restore, see Restoring SharePoint Online File Access.

  • After the tenant is added, you can change the permissions to the User administrator role. Basic backup and restore operations will work.
    To use the whole product functionality, you need to specify a service account in backup settings.

About the service account


The service account is used to backup and restore the following data:

  • Conditional access policies
  • Multi-Factor Authentication (MFA) settings
  • Identifiers of Inactive mailboxes
  • Gallery applications and SSO settings data
  • Application Proxy settings and connector groups

Required permissions for the service account depending on the feature

On Demand Recovery Feature Required Directory role
Restoring conditional access policies Conditional access administrator
Restoring MFA settings User administrator
Restoring inactive mailboxes and backup required data Exchange administrator
Restoring Gallery applications and SSO settings Application administrator or Cloud application administrator
Restoring Application Proxy settings and connector groups Application administrator

The Application administrator role is required to restore the Application Proxy settings; the Global reader role is sufficient for the backup operation.


Adding an Azure Active Directory Tenant

For instructions on how to add or remove an Azure AD tenant, please see the Tenant Management section in On Demand Global Settings User Guide.


Creation of backups is disabled by default. After the tenant is added, you must enable the backup creation as described in Step 6 on the Working with On Demand Recovery page.


Office 365 Tenant Requirements (Mailbox Data Protection)

Office 365 and on-premises Exchange offer some means of protection against losing valuable data. To prevent the permanent deletion of mailbox data and to be able to restore a mailbox when it is deleted from Recycle Bin, we strongly recommend that you use Office 365 retention policy or Litigation Hold (for hybrid configuration).

Office 365 retention policy

Retention policies do two basic things: they either protect data from deletion and delete unnecessary items.

  • Retain content - content cannot be permanently deleted before the end of the retention period.

  • Delete content - unnecessary content is permanently deleted at the end of the retention period.

You can create and manage retention policies on the:

  • Policies page in the Microsoft 365 compliance center.

  • Retention page under Data governance in the Office 365 Security & Compliance Center.

For details, see

Litigation Hold

As an alternative to retention policies, you can place a mailbox on Litigation Hold to preserve all mailbox content, including deleted items and original versions of modified items.

For more information, see


Access Control

Quest On Demand provides permission-based roles to determine what permission level a user has and what tasks the user can perform.

For more details, see Adding users to an organization section in On Demand Global Settings User Guide.

List of permissions that can be assigned to Recovery Users
  • Can manage backup settings

  • Can download hybrid credentials

  • Can run backup manually

  • Can unpack backups

  • Can run difference report

  • Can restore from objects

  • Can restore from differences

  • Can read backup history

  • Can read unpacked objects

  • Can read differences

  • Can read task history

  • Can read events

  • Can read restore attributes

  • Can read UI projects

  • Can read UI collections

  • Can manage events


On Demand administrators have full access to global settings and all module permissions.


Related Documents