This section lists the minimum user account permissions required to perform specific On Demand Recovery tasks.
To add a tenant and grant admin consent for the On Demand Recovery module, the account used must hold the Azure AD Global administrator directory role. For more details, see Add an Azure AD tenant.
On Demand Recovery requires the Basic consent, which is granted in the Recovery section. If you plan to use SharePoint functionality, On Demand Recovery also requires the Resource Processing for SharePoint Online consent. For more details about SharePoint Online restore, see Restoring SharePoint Online File Access.
After the tenant is added, the account's role can be reduced to User administrator; basic backup and restore operations will still work with that role.
To use the full product functionality, you need to specify a service account in the backup settings.
The service account is used to back up and restore the following data:

|On Demand Recovery Feature|Required Directory role|
|---|---|
|Restoring conditional access policies|Conditional access administrator|
|Restoring MFA settings|User administrator|
|Restoring inactive mailboxes and backing up the data they require|Exchange administrator|
|Restoring Gallery applications and SSO settings|Application administrator or Cloud application administrator|
|Restoring Application Proxy settings and connector groups|Application administrator|

The Application administrator role is required only to restore the Application Proxy settings; for the backup operation, the read-only Global reader role is sufficient. In general, grant the service account only the roles for the features you actually intend to restore, rather than leaving it as Global administrator.
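The following script is an added example and is not part of Quest's documentation or product: it checks, with the Microsoft Graph PowerShell SDK, which of the directory roles in the table above a service account actually holds, and reports any feature whose role is missing. The service account UPN, the feature labels and the scopes requested are assumptions for illustration.

```powershell
# Added example (not Quest's code): verify that the On Demand Recovery service
# account holds the directory roles required by the features listed above.
# Assumes the Microsoft.Graph PowerShell SDK is installed and that the caller
# can consent to the scopes below.
Connect-MgGraph -Scopes "User.Read.All", "Directory.Read.All"

$serviceAccount = "odr-service@contoso.onmicrosoft.com"   # assumed UPN

# Feature -> acceptable roles, taken from the table above. Global Administrator
# satisfies every row, but a least-privilege service account should not need it.
$required = [ordered]@{
    "Conditional access policies"            = @("Conditional Access Administrator")
    "MFA settings"                           = @("User Administrator")
    "Inactive mailboxes / backup data"       = @("Exchange Administrator")
    "Gallery applications and SSO settings"  = @("Application Administrator", "Cloud Application Administrator")
    "Application Proxy and connector groups" = @("Application Administrator")
}

$user = Get-MgUser -UserId $serviceAccount -Property Id, UserPrincipalName

# Get-MgUserMemberOf returns groups and directory roles; keep only the roles.
# Caveat: only active role assignments are returned. PIM-eligible assignments
# that have not been activated do not appear here.
$roles = Get-MgUserMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
    ForEach-Object { $_.AdditionalProperties['displayName'] }

Write-Host "Active directory roles for $($user.UserPrincipalName):"
$roles | ForEach-Object { Write-Host "  $_" }

$isGlobalAdmin = $roles -contains "Global Administrator"
if ($isGlobalAdmin) {
    Write-Warning "Service account is Global Administrator; consider scoping it down to the roles below."
}

# One line per feature: OK if any acceptable role is held (or the account is GA).
foreach ($feature in $required.Keys) {
    $held = @($required[$feature] | Where-Object { $roles -contains $_ })
    $ok = $isGlobalAdmin -or ($held.Count -gt 0)
    $status = if ($ok) { "OK     " } else { "MISSING" }
    "{0} {1,-40} needs one of: {2}" -f $status, $feature, ($required[$feature] -join " / ")
}

Disconnect-MgGraph | Out-Null
```

Run it after assigning roles to the service account and again after any role cleanup; a MISSING line for a feature you do not use is expected and is the least-privilege outcome.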
For instructions on how to add or remove an Azure AD tenant, please see the Tenant Management section in On Demand Global Settings User Guide.
Creation of backups is disabled by default. After the tenant is added, you must enable backup creation as described in Step 6 on the Working with On Demand Recovery page.
Office 365 and on-premises Exchange offer some means of protection against losing valuable data. To prevent the permanent deletion of mailbox data, and to be able to restore a mailbox after it has been deleted from the Recycle Bin, we strongly recommend that you use an Office 365 retention policy or Litigation Hold (for hybrid configurations). A mailbox that is on hold when its user is permanently deleted becomes an inactive mailbox, which is what allows it to be restored later.
Retention policies do two basic things: they retain content, delete content, or both (retain content for a period and then delete it).
Retain content - content cannot be permanently deleted before the end of the retention period.
Delete content - unnecessary content is permanently deleted at the end of the retention period.
You can create and manage retention policies on the:
Policies page in the Microsoft 365 compliance center (now the Microsoft Purview compliance portal).
Retention page under Data governance in the Office 365 Security & Compliance Center (older tenants).
As an alternative to retention policies, you can place a mailbox on Litigation Hold to preserve all mailbox content, including deleted items and original versions of modified items. Litigation Hold requires an Exchange Online (Plan 2) license or the Exchange Online Archiving add-on for the mailbox.
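The two protections described above, applied from PowerShell, as an added example that is not part of Quest's documentation: the first part creates a retain-only retention policy scoped to all Exchange mailboxes (the Keep action), the second places a single mailbox on Litigation Hold and verifies the result. The policy name, retention duration and mailbox UPN are placeholders; the script assumes the ExchangeOnlineManagement module is installed.

```powershell
# Added example (not Quest's code): retention policy and Litigation Hold as an
# Exchange administrator would apply them. Names, durations and the mailbox
# below are assumed placeholders.

# --- Option 1: Microsoft 365 retention policy (Security & Compliance PowerShell)
Connect-IPPSSession

$policyName = "ODR - Retain Exchange 7 years"   # assumed name
if (-not (Get-RetentionCompliancePolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    # Scope the policy to every Exchange mailbox in the tenant.
    New-RetentionCompliancePolicy -Name $policyName -ExchangeLocation All | Out-Null

    # "Keep" = retain only: items cannot be permanently deleted before the
    # retention period ends and nothing is deleted afterwards. Use
    # KeepAndDelete to retain and then delete, or Delete to delete only.
    New-RetentionComplianceRule -Name "$policyName rule" -Policy $policyName `
        -RetentionDuration 2555 -ExpirationDateOption ModificationAgeInDays `
        -RetentionComplianceAction Keep | Out-Null
}

# Confirm the policy is enabled and has finished distributing to Exchange.
Get-RetentionCompliancePolicy -Identity $policyName -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus, ExchangeLocation

# --- Option 2: Litigation Hold on one mailbox (e.g. a hybrid configuration)
Connect-ExchangeOnline

$mailbox = "alice@contoso.onmicrosoft.com"     # assumed UPN
$mb = Get-Mailbox -Identity $mailbox
if (-not $mb.LitigationHoldEnabled) {
    # Requires Exchange Online Plan 2 or the Exchange Online Archiving add-on.
    # LitigationHoldDuration is in days; omit it for an indefinite hold.
    Set-Mailbox -Identity $mailbox -LitigationHoldEnabled $true -LitigationHoldDuration 2555
}

# Verify. A mailbox on hold keeps deleted items and prior versions of edited
# items, and becomes an inactive mailbox (still restorable) if its user is
# permanently deleted. InPlaceHolds also lists retention policies applied to it.
Get-Mailbox -Identity $mailbox |
    Select-Object UserPrincipalName, LitigationHoldEnabled, LitigationHoldDate,
                  LitigationHoldDuration, InPlaceHolds

Disconnect-ExchangeOnline -Confirm:$false
```

Retention policy distribution is not instantaneous; check DistributionStatus before relying on the policy, and note that a policy with the Keep action preserves content but does nothing to clean it up, which is intentional here since the goal is recoverability.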
Quest On Demand provides permission-based roles that determine what permission level a user has and which tasks the user can perform.
For more details, see the Adding users to an organization section in the On Demand Global Settings User Guide. The On Demand Recovery module defines the following permissions:
Can manage backup settings
Can download hybrid credentials
Can run backup manually
Can unpack backups
Can run difference report
Can restore from objects
Can restore from differences
Can read backup history
Can read unpacked objects
Can read differences
Can read task history
Can read events
Can read restore attributes
Can read UI projects
Can read UI collections
Can manage events
On Demand administrators have full access to global settings and all module permissions.