Overview

As part of protecting customer data, Druva installs an application in the customer's tenant, which helps data flow between Druva and the customer. The customer needs to consent to certain permissions for this application. This article helps you understand the permissions that Druva requires to backup and restore your Microsoft 365 data.

See section Select the Microsoft 365 App for the types of Microsoft apps offered by Druva. Refer to the Microsoft 365 Permissions Matrix below for a summary of all Graph and REST permissions required for the various apps provided by Druva.

For more information about how and where to provide these permissions to authorize Druva, see Configure Druva inSync for Microsoft 365.

Select the Microsoft 365 Application

Organizations often need to restrict third-party application access to their internal environment. Druva simplifies this by offering multiple applications with varying permission levels, allowing for flexible control.

Druva provides four distinct applications to back up and restore Microsoft 365 data, enabling organizations to choose the option that best suits their requirements.

Microsoft 365 Advanced	Microsoft 365 Basic	Exchange Online & Public folder	OneDrive & SharePoint
Protect Exchange Online OneDrive Public folder SharePoint Teams Groups	Protect Exchange Online OneDrive Public folder SharePoint Teams	Protect Exchange Online Public folder	Protect OneDrive SharePoint

📝 NOTE:

Microsoft 365 Advanced app requires high-privilege permissions (Directory.ReadWrite.All) to backup Groups. If you do not wish to provide this permission, use the Basic app. Please note that the Basic app does not protect Groups data.
Each app should have a client ID and a secret key assigned to it, which will enable collaboration with the tenant.

Types of Permissions

Application: This will allow applications in Entra ID to perform actions using admin-driven consent.
Delegated: This will allow applications in Entra ID to perform actions on behalf of a configured user.

Microsoft 365 Permissions Matrix

See the matrix below for a summary of all GRAPH and REST permissions required for the various apps provided by Druva.

📝 NOTE

The Workload Specific section covers permissions for legacy apps beyond the Microsoft Graph API.

Permission Details

Application 1: Microsoft 365 Advanced

The following table explains the permissions required to use the Microsoft 365 Advanced app;

API / Permissions name	Type	Purpose	Workload
Microsoft Graph
`Application.ReadWrite.All`	Application	Get the list of aux apps deployed in the tenant and revoke app access from the tenant.	Druva Application
`AppRoleAssignment.ReadWrite.All`	Application	Backup and restore Microsoft Groups Role Assignment data and automated installation of aux apps in the tenant.	Microsoft Groups
`Calendars.ReadWrite`	Application	Backup and restore Exchange Online calendars.	Exchange Online
`Channel.Create`	Application	Restore Microsoft Teams channels.	Microsoft Teams
`Channel.ReadBasic.All`	Application	Backup Microsoft Teams channel metadata.	Microsoft Teams
`ChannelMember.ReadWrite.All`	Application	Backup and restore Microsoft Teams channel members.	Microsoft Teams
`ChannelMessage.Read.All`	Application	Backup Microsoft Teams channel conversations (messages).	Microsoft Teams
`ChannelSettings.ReadWrite.All`	Application	Backup and restore Microsoft Teams channel settings.	Microsoft Teams
`Contacts.ReadWrite`	Application	Backup and restore Exchange Online contacts.	Exchange Online
`Directory.ReadWrite.All`	Delegated	Restore of Microsoft Groups sensitivity labels data and AllowExternalSenders.	Microsoft Groups
`Directory.ReadWrite.All`	Application	Backup and restore groups specific settings and Teams	Microsoft Teams and Groups
`Files.Read.All`	Application	Read Microsoft Teams channel files and folders to facilitate backups. Read users' OneDrive files.	Microsoft Teams, SharePoint, and OneDrive
`Group.ReadWrite.All`	Delegated	Backup and restore Microsoft Groups data and Teams data.	Microsoft Teams and Groups
`Group.ReadWrite.All`	Application	Backup and restore Microsoft Groups data and Teams data.	Microsoft Teams and Groups
`GroupMember.ReadAll`	Application	Backup Microsoft Groups and Teams members.	Microsoft Teams and Groups
`GroupMember.ReadWrite.All`	Application	Add a member to a Microsoft 365 group or a security group through the members’ navigation property.	Microsoft Groups
`Mail.ReadWrite`	Application	Backup and restore Exchange Online mailboxes.	Exchange Online
`MailboxSettings.Read`	Application	Determine the mailbox type: user or shared.	Exchange Online
`RoleManagement.ReadWrite.Directory`	Application	Backup only Microsoft Groups Sensitivity labels data.	Microsoft Groups
`RoleManagement.ReadWrite.Directory`	Delegated	Restore of Microsoft Groups Sensitivity labels data and AllowExternalSenders.	Microsoft Groups
`Sites.FullControl.All`	Application	Backup and restore of all SharePoint sites, including system document libraries, using Microsoft Graph API.	SharePoint
`Sites.Read.All`	Application	Backup and restore Microsoft Teams site.	SharePoint
`Sites.ReadWrite.All`	Application	Backup and Restore the SharePoint Site using the latest Graph APIs.	SharePoint
`Tasks.ReadWrite.All`	Application	Backup and restore Exchange Online tasks.	Exchange Online
`TeamMember.ReadWrite.All`	Application	Backup and restore Microsoft Teams members.	Microsoft Teams
`TeamSettings.ReadWrite.All`	Application	Backup and restore Microsoft Teams settings.	Microsoft Teams
`TeamsTab.Read.All`	Application	Backup Microsoft Teams tab's metadata.	Microsoft Teams
`TermStore.ReadWrite.All`	Delegated	Backup or restore of Managed Metadata Term Store in SharePoint Online.	SharePoint
`TermStore ReadWrite.All`	Application	Backup or restore of Managed Metadata Term Store in SharePoint Online.	SharePoint
`User.Read.All`	Application	Import users from Entra ID during user sync.	OneDrive
Office 365 Exchange Online
`Calendars.ReadWrite.All`	Application	Backup and restore Exchange Online calendars.	Exchange Online
`Contacts.ReadWrite`	Application	Backup and restore Exchange Online contacts.	Exchange Online
`EWS.AccessAsUser.All`	Delegated	Backup and restore Exchange Online mailboxes in admin context.	Exchange Online
`full_access_as_app`	Application	Backup, restore, and discover Exchange Online mailboxes, Microsoft 365 Group mailboxes, and shared mailboxes.	Exchange Online
`Mail.ReadWrite`	Application	Backup and restore Exchange Online mailboxes.	Exchange Online
`Tasks.ReadWrite`	Application	Backup and restore Exchange Online tasks.	Exchange Online
SharePoint
`Sites.FullControl.All`	Application	Backup and restore SharePoint Online site collections, including Microsoft 365 Group, Team and modern sites.	SharePoint
`Sites.Search.All`	Delegated	Discover sites in a tenant	SharePoint
`TermStore.Read.All`	Application	Backup or restore of Managed Metadata Terms in SharePoint Online.	SharePoint
`User.Read.All`	Delegated	Get admin email ID, required during creation of new site collection.	SharePoint
`User.Read.All`	Application	Backup SharePoint site users.	SharePoint

📝 NOTE:

Auxiliary Apps help safeguard backup SLAs from M365 API throttling by automatically installing additional apps. Exclusive to Microsoft 365 Advanced app users, these apps share the same permission scope as the primary Microsoft 365 Advanced apps.

For more details, refer to the Auxiliary Apps for Smooth M365 Backup.

Application 2: Microsoft 365 Basic

The following table explains the permissions required to use the Microsoft 365 Basic app;

API / Permissions name	Type	Purpose	Workload
Microsoft Graph (25)
`Application.Read.All`	Application	Get list of Aux app deployed on the customer tenant	Druva Application
`Application.ReadWrite.All`	Application	Get list of aux apps deployed in the tenant and revoke app access from the tenant.	Druva Application
`Calendars.ReadWrite`	Application	Backup and restore Exchange Online calendars.	Exchange Online
`Channel.Create`	Application	Restore Microsoft Teams channels.	Microsoft Teams
`Channel.ReadBasic.All`	Application	Backup Microsoft Teams channel metadata.	Microsoft Teams
`Channel.Member.ReadWrite.All`	Application	Backup and restore channel members	Microsoft Teams
`Channel.Message.Read All`	Application	Backup channel conversation	Microsoft Teams
`ChannelSettings.ReadWrite.All`	Application	Backup and restore Microsoft Teams channel settings.	Microsoft Teams
`Contacts.ReadWrite`	Application	Backup and restore Exchange Online contacts.	Exchange Online
`Directory.Read.All`	Application	Read Groups settings while Teams backup.	Microsoft Teams
`Files.Read.All`	Application	Read Microsoft Teams channel files and folders to facilitate backups. Read users' OneDrive files.	Microsoft Teams, SharePoint, and OneDrive
`Group.ReadWrite.All`	Delegated	Backup and restore Microsoft Teams data.	Microsoft Teams
`Group.ReadWrite.All`	Application	Backup and restore Microsoft Teams data.	Microsoft Teams
`GroupMember.ReadWrite.All`	Application	Add a member to a Microsoft 365 group having Teams through the members’ navigation property.	Microsoft Teams
`Mail.ReadWrite`	Application	Backup and restore Exchange Online mailboxes.	Exchange Online
`MailboxSettings.Read`	Application	Get the user's mailbox type	Exchange Online
`Sites.FullControl.All`	Application	Backup and restore of all SharePoint sites, including system document libraries, using Microsoft Graph API.	SharePoint
`Sites.Read All`	Application	Read items in all site collections	SharePoint
`Sites.ReadWrite.All`	Application	Backup and Restore SharePoint Site using the latest Graph APIs.	Exchange Online
`Tasks.ReadWrite.All`	Application	Backup and restore Exchange Online tasks.	Exchange Online
`TeamMember.ReadWrite.All`	Application	Backup and restore Microsoft Teams members.	Microsoft Teams
`TeamSettings.ReadWrite.All`	Application	Backup and restore Microsoft Teams settings.	Microsoft Teams
`TeamsTab.Read.All`	Application	Backup Microsoft Teams tab's metadata.	Microsoft Teams
`TermStore.ReadWrite.All`	Application	Backup or restore of Managed Metadata Term Store in SharePoint Online.	SharePoint
`User.Read.All`	Application	Import users from Entra ID.	OneDrive
Office 365 Exchange Online
`Calendars.ReadWrite.All`	Application	Backup and restore Exchange Online calendars.	Exchange Online
`Contacts.ReadWrite`	Application	Backup and restore Exchange Online contacts.	Exchange Online
`EWS.AccessAsUser.All`	Delegated	Backup and restore Exchange Online mailboxes in admin context.	Exchange Online
`full_access_as_app`	Application	Backup, restore, and discover Exchange Online mailboxes.	Exchange Online
`Mail.ReadWrite`	Application	Backup and restore Exchange Online mailboxes.	Exchange Online
`Tasks.ReadWrite`	Application	Backup and restore Exchange Online tasks.	Exchange Online
SharePoint
`Sites.FullControl.All`	Application	Backup and restore SharePoint Online site collections, including Microsoft 365 Group, Team and modern sites.	SharePoint
`Sites.Search.All`	Delegated	Search sites in a tenant	SharePoint
`TermStore.Read.All`	Application	Backup or restore of Managed Metadata Terms in SharePoint Online.	SharePoint
`TermStore.ReadWrite.All`	Application	Backup or restore of Managed Metadata Term Store in SharePoint Online.	SharePoint
`User.Read.All`	Delegated	Get admins email id, required during creation of new site collection.	SharePoint

Application 3: OneDrive & SharePoint

The following table explains the permissions required to use the OneDrive & SharePoint app;

API / Permissions name	Type	Purpose	Workload
Microsoft Graph
`Application.Read.All`	Application	Get list of Aux app deployed on the customer tenant	Druva Application
`Files.Read.All`	Application	Read Microsoft Teams channel files and folders to facilitate backups. Read users' OneDrive files.	Microsoft Teams, SharePoint, and OneDrive
`Files.ReadWrite.All`	Application	Read and write files in all site collections	SharePoint
`Group.Read.All`	Application	Read all groups For Teams Meeting Recordings (TMR) exclusion	SharePoint
`Sites.FullControl.All`	Application	Backup and restore of all SharePoint sites, including system document libraries, using Microsoft Graph API.	SharePoint
`Sites.Read.All`	Application	Backup SharePoint Site, including site content types, using Microsoft Graph API.	SharePoint
`Sites.ReadWrite.All`	Application	Backup and Restore SharePoint Site using latest Graph APIs.	SharePoint
`TermStore.ReadWrite.All`	Application	Backup or restore of Managed Metadata Term Store in SharePoint Online.	SharePoint
`User.Read.All`	Application	Import users from Entra ID.	SharePoint & OneDrive
SharePoint
`Sites.FullControl.All`	Application	Backup and restore SharePoint Online site collections, including Microsoft 365 Group, Team and modern sites.	SharePoint
`Sites.Search.All`	Delegated	Search sites in a tenant.	SharePoint
`TermStore.Read.All`	Application	Backup or restore of Managed Metadata Terms in SharePoint Online.	SharePoint
`TermStore.ReadWrite.All`	Application	Backup or restore of Managed Metadata Term Store in SharePoint Online.	SharePoint
`User.Read.All`	Delegated	Get admin email ID, required during creation of new site collection.	SharePoint
`User.Read.All`	Application	Import users from Entra ID.	SharePoint

Application 4: Exchange Online & Public folder

The following table explains the permissions required to use the OneDrive & SharePoint app;

API / Permissions name	Type	Purpose	Workload
Microsoft Graph
`Application.Read.All`	Application	Get list of Aux app deployed on the customer tenant	Druva Application
`Calendars.ReadWrite`	Application	Backup and restore Exchange Online calendars.	Exchange Online
`Contacts.ReadWrite`	Application	Backup and restore Exchange Online contacts.	Exchange Online
`Directory.Read.All`	Application	Import users from Entra ID.	Druva Application
`Mail.ReadWrite`	Application	Backup and restore Exchange Online mailboxes.	Exchange Online
`MailboxSettings.Read`	Application	Get the user's mailbox type	Exchange Online
`Tasks.ReadWrite.All`	Application	Backup and restore Exchange Online tasks.	Exchange Online
`User.Read.All`	Delegated	Import users from Entra ID.	Druva Application

Office 365 Exchange Online
`Calendars.ReadWrite.All`	Application	Backup and restore Exchange Online calendars.
`Contacts.ReadWrite`	Application	Backup and restore Exchange Online contacts.
`EWS.AccessAsUser.All`	Delegated	Backup and restore Exchange Online mailboxes in the admin context.
`full_access_as_app`	Application	Backup, restore, and discover Exchange Online mailboxes, Microsoft 365 Group mailboxes, and shared mailboxes.
`Mail.ReadWrite`	Application	Backup and restore Exchange Online mailboxes.
`Tasks.ReadWrite`	Application	Backup and restore all configured user’s (and public folders, if any) exchange online tasks.

Microsoft 365 Overview page

Configure Druva inSync for Microsoft 365

Release Notes - Druva for Microsoft 365

Protect Microsoft 365 Data using Microsoft 365 Backup Storage

Preparing the environment to configure backup and restore for Microsoft Teams