How to: Set permissions for authenticating users and service account


Challenge

To use the service, certain permissions need to be set correctly. To make sure you have the correct settings, follow this guide. If you are encountering error KB #1011, you need to ensure the service account has the correct permissions.

Global admin permission and Application Impersonation are usually enough, but in some cases, or if you don't want to grant GA rights, the permissions below must be set.

Also note: the rights below are also what the Backup Service Account needs in order to back up.

Solution

ReVirt backup service account permissions

  • Teams

    • The account must have a Microsoft Office 365 license that permits access to Microsoft Teams API. The minimum sufficient license is Microsoft Teams Exploratory experience.

    • The account must have the Teams Administrator role assigned.

  • SharePoint and OneDrive

    • SharePoint Admin

    • View-Only Configuration

    • View-Only Recipients

  • Exchange Online

    • Role Management

    • ApplicationImpersonation

    • Organization Configuration

    • View-Only Configuration

    • View-Only Recipients

    • Mailbox Search or Mail Recipients

    • Owner

ReVirt backup Application permissions

All listed permissions are of the Application type.

API and permission name (the table's remaining columns are Exchange Online, SharePoint Online and OneDrive for Business, and Microsoft Teams):

  • Microsoft Graph

    • Directory.Read.All

    • Group.Read.All

    • Sites.Read.All

    • TeamSettings.ReadWrite.All

    • ChannelMessage.Read.All

  • Office 365 Exchange Online

    • full_access_as_app

  • SharePoint

    • Sites.FullControl.All

    • User.Read.All
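One way to check the backup application permissions listed above, as an added example that is not part of the original article or the product: an app-only access token issued by Microsoft Entra ID carries its granted application permissions in the `roles` claim, so the claim can be compared against this article's list for the API the token was requested for. The function names and the sample token are hypothetical and constructed for illustration.

```python
import base64
import json

# Application permissions for backup, grouped by API as listed in this article.
REQUIRED_BACKUP = {
    "Microsoft Graph": {
        "Directory.Read.All", "Group.Read.All", "Sites.Read.All",
        "TeamSettings.ReadWrite.All", "ChannelMessage.Read.All",
    },
    "Office 365 Exchange Online": {"full_access_as_app"},
    "SharePoint": {"Sites.FullControl.All", "User.Read.All"},
}


def token_claims(jwt: str) -> dict:
    """Decode a JWT payload for inspection only (the signature is not verified)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_permissions(jwt: str, api: str) -> set:
    """Return the required backup permissions absent from the token's roles claim."""
    claims = token_claims(jwt)
    if "scp" in claims and "roles" not in claims:
        # Delegated tokens list scopes in 'scp'; application permissions are in 'roles'.
        raise ValueError("delegated token: no application permissions to check")
    return REQUIRED_BACKUP[api] - set(claims.get("roles", []))


def constructed_token(claims: dict) -> str:
    """Build an unsigned sample token (constructed test data, not a real token)."""
    def enc(obj):
        raw = base64.urlsafe_b64encode(json.dumps(obj).encode())
        return raw.rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed sample: a Graph token that lacks the two Teams-related permissions.
SAMPLE = constructed_token(
    {"roles": ["Directory.Read.All", "Group.Read.All", "Sites.Read.All"]}
)

if __name__ == "__main__":
    for perm in sorted(missing_permissions(SAMPLE, "Microsoft Graph")):
        print("missing:", perm)
```

An empty result for each of the three APIs means the application registration holds every backup permission from the list above.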

 

 


 

Permissions for Restore

API and permission name (the table's remaining columns are Exchange Online, SharePoint Online and OneDrive for Business, and Microsoft Teams):

  • Microsoft Graph

    • Directory.Read.All

    • Group.ReadWrite.All

    • Sites.Read.All

    • Directory.ReadWrite.All

    • offline_access

  • Office 365 Exchange Online

    • EWS.AccessAsUser.All

    • full_access_as_user

  • SharePoint

    • AllSites.FullControl

    • User.Read.All

 

 

 

Cause

To back up your Office 365 tenant, the service account used for backup needs permission to access your tenant data. These permissions are usually set by the portal during the setup wizard, but in some cases it's not possible to set all permissions.

