This section lists the minimum user account permissions required to perform specific On Demand Recovery tasks.
The service account used to back up and restore Multi-Factor Authentication (MFA) settings, inactive mailboxes, conditional access policies, and Application Proxy settings must hold the directory roles listed below, according to the data it backs up and restores:
Table 1: Required permissions for the service account by feature
| On Demand Recovery feature | Required Directory role |
| --- | --- |
| Restoring conditional access policies | Conditional access administrator |
| Restoring MFA settings | User administrator |
| Restoring inactive mailboxes and backing up the required data | Exchange administrator |
| Restoring Gallery applications and SSO settings | Application administrator or Cloud application administrator |
| Restoring Application Proxy settings and connector | Application administrator |

NOTE: The Application administrator role is required to restore the Application Proxy settings; the Global reader role is sufficient for the backup operation.
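The table above is a least-privilege baseline, so it is worth checking that the service account holds exactly the roles its enabled features need and nothing broader. The following script is an added example, not Quest's code: it compares the directory roles an account holds against the table, reports features that cannot be served, flags over-privileged roles such as Global Administrator, and lists held roles that no selected feature uses. Role names use the built-in Entra ID (Azure AD) display names, which differ from the table only in capitalization, and are matched case-insensitively. The `fetch_directory_roles` helper reads the account's activated directory roles from Microsoft Graph and assumes a token with `Directory.Read.All` or `RoleManagement.Read.Directory`; the sample role list at the bottom is constructed, so the check runs offline.

```python
"""Least-privilege check for an On Demand Recovery service account.

Added example (not part of the product documentation). Compares the
directory roles an account holds against the feature/role table and
reports missing, over-privileged and unused roles.
"""
import json
import urllib.request

# Required directory roles per feature, as built-in Entra ID role display
# names. Any one role in a set satisfies that feature.
REQUIRED_ROLES = {
    "Restoring conditional access policies": {"Conditional Access Administrator"},
    "Restoring MFA settings": {"User Administrator"},
    "Restoring inactive mailboxes and backup required data": {"Exchange Administrator"},
    "Restoring Gallery applications and SSO settings": {
        "Application Administrator", "Cloud Application Administrator"},
    "Restoring Application Proxy settings and connector": {"Application Administrator"},
}

# Read-only role the note above names as sufficient for the backup of
# Application Proxy settings; holding it is not reported as "unused".
BACKUP_ONLY_ROLES = {"Global Reader"}

# Roles that grant far more than any feature in the table needs.
OVERPRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}


def _norm(name):
    """Case-insensitive key so 'Conditional access administrator' matches."""
    return name.strip().casefold()


def assess_roles(assigned, features=None):
    """Assess the roles held by the account.

    assigned: iterable of role display names the account holds.
    features: optional subset of REQUIRED_ROLES keys; defaults to all features.
    Returns a dict with:
      missing        -> {feature: sorted acceptable roles} for unmet features
      overprivileged -> sorted over-privileged roles the account holds
      unused         -> sorted held roles no selected feature needs
    """
    wanted = list(REQUIRED_ROLES) if features is None else list(features)
    held = {_norm(r): r for r in assigned}
    needed = set()
    missing = {}
    for feature in wanted:
        acceptable = {_norm(r) for r in REQUIRED_ROLES[feature]}
        needed |= acceptable
        if not (held.keys() & acceptable):
            missing[feature] = sorted(REQUIRED_ROLES[feature])
    over_keys = {_norm(r) for r in OVERPRIVILEGED_ROLES}
    backup_keys = {_norm(r) for r in BACKUP_ONLY_ROLES}
    overprivileged = sorted(r for k, r in held.items() if k in over_keys)
    unused = sorted(r for k, r in held.items()
                    if k not in needed | over_keys | backup_keys)
    return {"missing": missing, "overprivileged": overprivileged, "unused": unused}


def fetch_directory_roles(access_token, user_principal_name):
    """Return display names of the activated directory roles a user holds.

    Assumption: the token carries Directory.Read.All or
    RoleManagement.Read.Directory. Follows @odata.nextLink pages.
    Not called by the offline example below.
    """
    url = ("https://graph.microsoft.com/v1.0/users/%s/memberOf/"
           "microsoft.graph.directoryRole?$select=displayName" % user_principal_name)
    roles = []
    while url:
        req = urllib.request.Request(
            url, headers={"Authorization": "Bearer " + access_token})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        roles.extend(r["displayName"] for r in page.get("value", []))
        url = page.get("@odata.nextLink")
    return roles


# Constructed sample: a typical over-provisioned service account.
SAMPLE_ASSIGNED = ["Global Administrator", "User Administrator", "Exchange Administrator"]

if __name__ == "__main__":
    # Replace SAMPLE_ASSIGNED with fetch_directory_roles(token, upn) for a live check.
    print(json.dumps(assess_roles(SAMPLE_ASSIGNED), indent=2))
```

For the sample account the report shows Global Administrator as over-privileged and three features (conditional access, Gallery/SSO, Application Proxy) without a matching role; the remediation is to drop Global Administrator and add only the specific roles those features need. Pass `features=` with the subset of features you actually use so that roles for disabled features show up under `unused`.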
For instructions on how to add or remove an Azure AD tenant, see the Tenant Management section in the On Demand Global Settings User Guide.
NOTE: Although GCC High tenants can be added on the Tenants page for use in other On Demand modules, On Demand Recovery does not support restoring objects from GCC High tenants. This type of tenant will not be available for selection in On Demand Recovery.
When a tenant is added, backup creation is disabled by default. You must enable backup creation as described in Step 6 of Working with On Demand Recovery.