Chat now with support
Chat with Support

On Demand Recovery Current - User Guide

Adding an Azure Active Directory Tenant

For instructions on how to add or remove an Azure AD tenant, see the Tenant Management section in the On Demand Global Settings User Guide.

NOTE: Although GCC High tenants can be added on the Tenants page for use in other On Demand modules, On Demand Recovery does not support restoring objects from GCC High tenants. This type of tenant will not be available for selection in On Demand Recovery. GCC tenants are also not supported.


When a tenant is added, the creation of backups is disabled by default. You must enable the backup creation as described in Step 6 in Working with On Demand Recovery.

Required Permissions

This section lists the minimum user account permissions required to perform specific On Demand Recovery tasks.

Azure Account Used to Grant Consents

The ability for On Demand service principals to access and operate with tenant assets requires explicit permissions. The Tenant Administrator grants these permissions through consents.

Each tenant that is added has granted consent to the initial Core – Basic permission set to the On Demand service principal. Additional consents are required to work with different features of On Demand Recovery. There are two service principals for On Demand Recovery; On Demand Recovery Basic and On Demand Recovery Restore. For more information on explicit permission for each service principal, see Basic Consent Permissions and Restore Consent Permissions.

  • On Demand Recovery requires Basic consent in the Recovery section. Basic consent is used for all read operations including backups.
    • For backup operations, the Global Reader role can be used.
  • On Demand Recovery requires Restore consent in the Recovery section. Restore consent is used for all write operations including restore.
    • For restore operations, the Privileged Authentication Administrator, User Administrator, Windows 365 Administrator and Conditional Access Administrator roles must be used. In addition, if any Conditional Access policies use a custom security attribute, the Attribute Definition Reader role will also be required.

For some advanced features, a separate service account is required and you must specify this service account in the backup settings.

Role definitions for On Demand Recovery

  • User Administrator: User Administrator role is required to check if user is soft-deleted. It checks if the user is in the Recycle Bin or not.
  • Privileged Authentication Administrator: Privileged Authentication Administrator role is required to set the MFA setting of the user to enforced state from either enabled or disabled state.
  • Windows 365 Administrator: Windows 365 Administrator role is required to restore devices and their owner or owned links.
  • Conditional Access Administrator: Conditional Access Administrator role is required to restore Conditional Access policies.
  • Attribute Definition Reader: Attribute Definition Reader is role is required only if Conditional Access policy uses filters for application on custom security attributes. If the filters are on default schema attributes, this role is not required while restoring or updating Conditional Access policies.

Basic Consent Permissions

In addition to the base consents required by On Demand, On Demand Recovery requires the following consents and permissions.

To view the list of Basic consent permissions in On Demand Recovery:

  1. Click Tenants in the navigation panel on the left and click Edit Consents for the required tenant.
  2. Go to the Basic tile, under Recovery.
  3. Under Status and Actions, click View Details.

Application permissions are used in the app-only access scenario, without a signed-in user present. The application will be able to access any data that the permission is associated with. Only an administrator or owner of the service principal can consent to application permissions.

Delegated permissions are permissions that allow the application to act on a user's behalf. The application will never be able to access anything the signed in user themselves could not access.

For more information on application and delegated permissions, click here.

Type Permissions Application api name


Allows the app to read all applications and service principals without a signed-in user.

Microsoft Graph


Allows the app to read all delegated permission grants, without a signed-in user.

Microsoft Graph


Allows the app to read your organization's devices' configuration information without a signed-in user.

Microsoft Graph


Allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user.

Microsoft Graph


Allows the app to read group properties and memberships, and read the calendar and conversations for all groups, without a signed-in user.

Microsoft Graph


Allows the app to read all your organization's policies without a signed in user.

Microsoft Graph


Allows the app to read the role-based access control (RBAC) settings for your company's directory, without a signed-in user. This includes reading directory role templates, directory roles and memberships.

Microsoft Graph


Allows the app to read the full set of profile properties, group membership, reports and managers of other users in your organization, without a signed-in user.

Microsoft Graph


Allows the app to read authentication methods of all users in your organization, without a signed-in user. Authentication methods include things like a users phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign-in or otherwise use the authentication methods.

Microsoft Graph


Allows the app to read your users' primary email address.

Microsoft Graph
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating