Application permissions for backup and restore
The following application permissions are required:

| Category | Permission | Description |
|---|---|---|
| AccessReview | AccessReview.ReadWrite.All | Manage all access reviews that user can access |
| AdministrativeUnit | AdministrativeUnit.ReadWrite.All | Read and write all administrative units |
| Application | Application.ReadWrite.All | Read and write all applications |
| AppRoleAssignment | AppRoleAssignment.ReadWrite.All | Manage app permission grants and app role assignments |
| AuditLog | AuditLog.Read.All | Read all audit log data |
| DelegatedPermissionGrant | DelegatedPermissionGrant.ReadWrite.All | Manage all delegated permission grants |
| DeviceManagementConfiguration | DeviceManagementConfiguration.ReadWrite.All | Read and write Microsoft Intune Device Configuration and Policies |
| DeviceManagementScripts | DeviceManagementScripts.ReadWrite.All | Read and write Microsoft Intune Scripts |
| Directory | Directory.ReadWrite.All | Read and write directory data |
| Domain | Domain.ReadWrite.All | Read and write domains |
| Group | Group.ReadWrite.All | Read and write all groups |
| Policy | Policy.Read.All | Read your organization's policies |
| Policy | Policy.ReadWrite.ConditionalAccess | Read and write your organization's conditional access policies |
| PrivilegedAssignmentSchedule | PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup | Read, create, and delete assignment schedules for access to Azure AD groups |
| PrivilegedEligibilitySchedule | PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup | Read, create, and delete eligibility schedules for access to Azure AD groups |
| Reports | Reports.Read.All | Read all usage reports |
| RoleAssignmentSchedule | RoleAssignmentSchedule.ReadWrite.Directory | Read, update, and delete all policies for privileged role assignments of your company's directory |
| RoleManagement | RoleManagement.ReadWrite.Directory | Read and write all directory RBAC settings |
| User | User.DeleteRestore.All | Delete and restore all users |
| User | User.ReadWrite.All | Read and write all users' full profiles |
| UserAuthenticationMethod | UserAuthenticationMethod.ReadWrite.All | Read and write all users' authentication methods |

Delegated permissions for backup and restore
The following delegated permissions are required:

| Category | Permission | Description |
|---|---|---|
| Directory | Directory.AccessAsUser.All | Access directory as the signed in user |
| RoleEligibilitySchedule | RoleEligibilitySchedule.ReadWrite.Directory | Read, update, and delete all eligible role assignments and schedules in your company's directory |

Least application permissions for backups only

| Category | Permission | Description |
|---|---|---|
| AccessReview | AccessReview.Read.All | Read all access reviews that user can access |
| AdministrativeUnit | AdministrativeUnit.Read.All | Read all administrative units |
| Application | Application.Read.All | Read all applications |
| AppRoleAssignment | AppRoleAssignment.ReadWrite.All | Read app permission grants and app role assignments. Note: There is no read-only permission available. |
| AuditLog | AuditLog.Read.All | Read all audit log data |
| DelegatedPermissionGrant | DelegatedPermissionGrant.Read.All | Read all delegated permission grants |
| DeviceManagementConfiguration | DeviceManagementConfiguration.Read.All | Read Microsoft Intune Device Configuration and Policies |
| DeviceManagementScripts | DeviceManagementScripts.Read.All | Read Microsoft Intune Scripts |
| Directory | Directory.Read.All | Read directory data |
| Domain | Domain.Read.All | Read domains |
| Group | Group.Read.All | Read all groups |
| Policy | Policy.Read.All | Read your organization's policies |
| Policy | Policy.Read.ConditionalAccess | Read your organization's conditional access policies |
| PrivilegedAssignmentSchedule | PrivilegedAssignmentSchedule.Read.AzureADGroup | Read assignment schedules for access to Azure AD groups |
| PrivilegedEligibilitySchedule | PrivilegedEligibilitySchedule.Read.AzureADGroup | Read eligibility schedules for access to Azure AD groups |
| RoleAssignmentSchedule | RoleAssignmentSchedule.Read.Directory | Read all policies for privileged role assignments of your company's directory |
| RoleManagement | RoleManagement.Read.Directory | Read all directory RBAC settings |
| User | User.Read.All | Read all users' full profiles |
| UserAuthenticationMethod | UserAuthenticationMethod.Read.All | Read all users' authentication methods |

Least delegated permissions for backup only
No delegated permissions are required for backup only.