On Demand Recovery Current - User Guide

Restore Consent Permissions

In addition to the Basic consents, On Demand Recovery requires that the following permissions be granted consent for restore operations.

To view the list of Restore consent permissions in On Demand Recovery:

  1. Click Tenants in the navigation panel on the left and click Edit Consents for the required tenant.
  2. Go to the Restore tile, under Recovery.
  3. Under Status and Actions, click View Details.

Application permissions are used in the app-only access scenario, without a signed-in user present. The application will be able to access any data that the permission is associated with. Only an administrator or owner of the service principal can consent to application permissions.

Delegated permissions are permissions that allow the application to act on a user's behalf. The application will never be able to access anything the signed in user themselves could not access.

For more information on application and delegated permissions, click here.

Application permissions (Application API name: Microsoft Graph)

  • Application.ReadWrite.All: Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write group calendar and conversations. All of these operations can be performed by the app without a signed-in user.
  • AppRoleAssignment.ReadWrite.All: Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, without a signed-in user.
  • Device.ReadWrite.All: Allows the app to read and write all device properties without a signed-in user. Does not allow device creation or update of device alternative security identifiers.
  • Directory.ReadWrite.All: Allows the app to read and write data in your organization's directory, such as other users and groups. It does not allow the app to delete users or groups, or reset user passwords.
  • Group.ReadWrite.All: Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write group calendar and conversations. All of these operations can be performed by the app without a signed-in user.
  • Policy.Read.All: Allows the app to read all your organization's policies without a signed-in user.
  • Policy.ReadWrite.ConditionalAccess: Allows the app to read and write your organization's conditional access policies on behalf of the signed-in user.
  • RoleManagement.ReadWrite.Directory: Allows the app to read and manage the role-based access control (RBAC) settings for your company's directory, without a signed-in user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships.
  • UserAuthenticationMethod.ReadWrite.All: Allows the application to read and write authentication methods of all users in your organization, without a signed-in user. Authentication methods include things like a user's phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign in or otherwise use the authentication methods.
  • User.ReadWrite.All: Allows the app to read and write the full set of profile properties, group membership, reports and managers of other users in your organization, without a signed-in user. Also allows the app to create and delete non-administrative users. Does not allow reset of user passwords.

Delegated permissions (Application API name: Microsoft Graph)

  • Directory.AccessAsUser.All: Allows the app to have the same access to information in your work or school directory as you do.
  • Directory.ReadWrite.All: Allows the app to read and write data in your organization's directory, such as users and groups. It does not allow the app to delete users or groups, or reset user passwords.
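As an added example (not Quest's code), the following Python checks the consent actually granted to a service principal against the restore set above, working offline on the JSON shapes Microsoft Graph returns for appRoleAssignments, the resource's appRoles and oauth2PermissionGrants; all sample records and GUIDs are constructed placeholders.

```python
"""Audit consent on a service principal against the restore set documented here.
Added example, not Quest's code. Works offline on Graph's JSON shapes: the SP's
appRoleAssignments, the resource's appRoles, and oauth2PermissionGrants."""
# Required set from this page; every entry is on the Microsoft Graph API.
REQUIRED_APPLICATION = {
    "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All", "Device.ReadWrite.All",
    "Directory.ReadWrite.All", "Group.ReadWrite.All", "Policy.Read.All",
    "Policy.ReadWrite.ConditionalAccess", "RoleManagement.ReadWrite.Directory",
    "UserAuthenticationMethod.ReadWrite.All", "User.ReadWrite.All"}
REQUIRED_DELEGATED = {"Directory.AccessAsUser.All", "Directory.ReadWrite.All"}
GRAPH = "Microsoft Graph"

def granted_application_permissions(assignments, resource_app_roles, resource=GRAPH):
    """Resolve appRoleAssignments on one resource to permission values; an appRoleId
    the resource does not define is kept as 'unknown:<id>' rather than silently dropped."""
    value_by_id = {role["id"]: role["value"] for role in resource_app_roles}
    return {value_by_id.get(a["appRoleId"], "unknown:" + a["appRoleId"])
            for a in assignments if a.get("resourceDisplayName") == resource}

def granted_delegated_permissions(grants, resource_id):
    """oauth2PermissionGrant.scope is one space-separated string of delegated scopes."""
    return {s for g in grants if g.get("resourceId") == resource_id
            for s in g.get("scope", "").split()}

def audit(granted, required):
    """Return (missing, extra): consent the restore set still lacks, and consent beyond it."""
    return sorted(required - granted), sorted(granted - required)

# Constructed sample data in Graph's response shape (placeholder ids, not real role ids).
GRAPH_SP_ID = "00000000-0000-0000-0000-0000000000aa"
SAMPLE_APP_ROLES = [
    {"id": "00000000-0000-0000-0000-000000000001", "value": "Directory.ReadWrite.All"},
    {"id": "00000000-0000-0000-0000-000000000002", "value": "Policy.Read.All"},
    {"id": "00000000-0000-0000-0000-000000000003", "value": "Mail.ReadWrite"}]
SAMPLE_ASSIGNMENTS = [
    {"appRoleId": "00000000-0000-0000-0000-000000000001", "resourceDisplayName": GRAPH},
    {"appRoleId": "00000000-0000-0000-0000-000000000003", "resourceDisplayName": GRAPH},
    {"appRoleId": "00000000-0000-0000-0000-000000000099", "resourceDisplayName": "Other API"}]
SAMPLE_GRANTS = [{"resourceId": GRAPH_SP_ID, "consentType": "AllPrincipals",
                  "scope": "Directory.AccessAsUser.All User.Read"}]

def run_sample():
    """Audit the sample; 'extra' is what a least-privilege review should question."""
    app = audit(granted_application_permissions(SAMPLE_ASSIGNMENTS, SAMPLE_APP_ROLES),
                REQUIRED_APPLICATION)
    dlg = audit(granted_delegated_permissions(SAMPLE_GRANTS, GRAPH_SP_ID), REQUIRED_DELEGATED)
    return {"application": app, "delegated": dlg}
```

Live data can be pulled with the Microsoft Graph PowerShell cmdlets Get-MgServicePrincipalAppRoleAssignment and Get-MgOauth2PermissionGrant (or the matching REST calls) and fed to the same functions.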

Exchange Online PowerShell Consent

To perform Exchange tasks, you will need to grant consent to Exchange Online PowerShell, and assign the Exchange Admin Role. For details, please see the About admin consent status and the Granting and regranting admin consent sections in the On Demand Global Settings User Guide.

Service Credential Permissions

For some advanced features, a service account must be specified; it is required in addition to the consent permissions. A separate service account is used for backup operations for the following advanced features:

  • Conditional Access policies
  • Service Principal Default policies

Table 1: Backup Service Credential Permissions

For backup of advanced features, a service account must be specified in the backup settings. This service account is used to back up and read the following advanced features.

On Demand Recovery feature                      Required directory role
Backup of Conditional Access policies           Global Reader
Backup of Service Principal Default policies    Global Reader

Office 365 Tenant Requirements (Mailbox Data Protection)

Office 365 and on-premises Exchange offer some native means of protection against losing valuable data. To prevent the permanent deletion of mailbox data and to be able to restore a mailbox when it is deleted from the Recycle Bin, it is strongly recommended that you use Office 365 retention policy or Litigation Hold.
