Overview
This article details the APIs, actions, and permissions required to back up and restore your Microsoft 365 data.
Keepit leverages a wide range of available APIs to provide comprehensive backup coverage. To safeguard your confidential data, it is crucial to ensure that enterprise applications have only the permissions they need. When setting up your Microsoft 365 backup account, you may need to create a custom Microsoft RBAC role specifically for backup and restoration purposes. The information provided here is intended to give you transparency into the actions we perform and the permissions required, allowing you to define more restrictive roles as necessary.
Important: This document is provided for informational purposes only and comes without warranty. Until restricted or custom roles have been fully tested, they are not officially supported. It is important to test any restricted or custom roles. If a backup or restore is attempted without the recommended Global Admin role and issues arise, you may need to temporarily reassign Global Admin permissions.
Microsoft 365 Enterprise App Permissions
To back up and restore Microsoft 365 data, Keepit uses the following permissions.
API | Permission | Permission Type | Used to protect | Description |
EWS | Full_access_as_app | Application | | Required to access user mailbox content for backup and restore. Used during restore to reconstruct mailbox, folder structure, messages, contacts, calendar items, and tasks. |
MS Graph | Directory.Read.All | Application | | Required to discover user-related information, group memberships, and licensing information. |
MS Graph | User.Read | Delegated | | Required to get information about the user who performs the backup / restore. |
MS Graph | ChannelMessage.Read.All | Application | | Required to back up and restore Teams channel chat messages, replies, hosted content, and delta token for sync functionality. |
MS Graph | Group.ReadWrite.All | Delegated | | Required to back up and restore Teams channels, Team chat messages, replies, attachments, calendar events, posts, conversation threads, group photos, plans, and tasks. |
MS Graph | User.ReadWrite.All | Application | | Used in conjunction with Group.ReadWrite.All to back up and restore the full set of profile properties, reports, and managers. |
MS Graph | TeamsTab.ReadWrite.All | Application | | Required to back up and restore tabs within Teams channels and chats. |
MS Graph | Group.ReadWrite.All | Application | | Required to back up and restore channel tabs, channel files & folders, conversation threads, posts, group conversations, posts, Teams, Groups, group members, and group owners. |
MS Graph | Sites.FullControl.All | Application | | Required to back up and restore site collections, sites, doclibs, files & folders, content types, columns, permissions, check in/out properties, versions, and metadata not covered under the SharePoint REST API. |
MS Graph | Chat.Read.All | Application | | Required to back up Teams private chat messages, members, and hosted content. |
MS Graph | RoleManagement.ReadWrite.Directory | Application | | Required to allow recovery of RBAC settings, for example, restoring group memberships for role-assignable groups. |
MS Graph | GroupMember.ReadWrite.All | Application | | Required to back up and restore groups, group properties, and M365 group membership. |
SharePoint REST API | User.ReadWrite.All | Application | | Required to back up and restore site members, their group membership, and permissions. |
SharePoint REST API | Sites.FullControl.All | Application | | Required to back up and restore metadata for site collections & sites and all metadata for each site, including but not limited to permissions, settings, layouts, pages, list views, columns, and fields. |
SharePoint REST API | AllSites.FullControl | Delegated | | Required to list top-level site collections via REST API. (planned for deprecation) |
Actions requiring Global Admin role
Initial enterprise application installation and consent
When first creating a Keepit connector, an administrator with the Global Admin role is required to install the enterprise application and grant consent for the requested permissions. This requirement is imposed by Microsoft in tenants where admin consent for applications is necessary.
If the requested application permissions change, you may also need to reauthenticate Keepit connectors using an account with the Global Admin role.
After the application is installed and consent is granted, it is important to remove the Global Admin role from the backup account to maintain security.
Important: Permissions required to fully protect a specified set of data may occasionally change. This can happen due to updates in Microsoft's permission requirements or changes in Keepit's functionality. When such changes occur, you will need to temporarily reassign Global Admin rights to the backup account to reauthorize the enterprise application.
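The following added example (not Keepit or Microsoft code) shows one way to check a tenant against the permission table above and against the advice to remove the Global Admin role after consent. It assumes a hypothetical JSON export in which application roles are already resolved to names, delegated grants are space-delimited scope strings, and the backup account's directory roles are listed by display name; the sample data is constructed.

```python
import json

# Baseline transcribed from the permission table on this page, keyed by (API, type).
BASELINE = {
    ("EWS", "Application"): ["Full_access_as_app"],
    ("MS Graph", "Application"): [
        "Directory.Read.All", "ChannelMessage.Read.All", "User.ReadWrite.All",
        "TeamsTab.ReadWrite.All", "Group.ReadWrite.All", "Sites.FullControl.All",
        "Chat.Read.All", "RoleManagement.ReadWrite.Directory",
        "GroupMember.ReadWrite.All"],
    ("MS Graph", "Delegated"): ["User.Read", "Group.ReadWrite.All"],
    ("SharePoint REST API", "Application"): ["User.ReadWrite.All", "Sites.FullControl.All"],
    ("SharePoint REST API", "Delegated"): ["AllSites.FullControl"],
}

# Constructed sample in a hypothetical export format: application roles resolved
# to names, delegated grants as space-delimited scope strings, plus the directory
# roles currently assigned to the backup account.
SAMPLE_EXPORT = json.dumps({
    "application": [
        {"resource": "EWS", "role": "full_access_as_app"},
        {"resource": "MS Graph", "role": "Directory.Read.All"},
        {"resource": "MS Graph", "role": "Mail.ReadWrite"},  # not in the baseline
    ],
    "delegated": [{"resource": "MS Graph", "scope": "User.Read Group.ReadWrite.All"}],
    "account_roles": ["Global Administrator"],
})

def _norm(api, perm, kind):
    # Compare case-insensitively: portal casing can differ from the table's.
    return (api.lower(), perm.lower(), kind.lower())

def audit(export_json):
    # Returns grants outside the baseline, baseline entries not granted, and
    # whether the backup account still holds the Global Administrator role.
    data = json.loads(export_json)
    grants = [(g["resource"], g["role"], "Application") for g in data.get("application", [])]
    grants += [(g["resource"], s, "Delegated")
               for g in data.get("delegated", []) for s in g["scope"].split()]
    granted = {_norm(*t): t for t in grants}
    baseline = {_norm(api, p, kind): (api, p, kind)
                for (api, kind), perms in BASELINE.items() for p in perms}
    roles = {r.lower() for r in data.get("account_roles", [])}
    return {
        "unexpected": sorted(v for k, v in granted.items() if k not in baseline),
        "missing": sorted(v for k, v in baseline.items() if k not in granted),
        "global_admin_assigned": "global administrator" in roles,
    }

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_EXPORT), indent=2))
```

An "unexpected" entry is a grant to review for removal, while a "missing" entry indicates that the application needs to be reauthorized before the affected data can be fully protected.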
Actions requiring a supported role
When delegated permissions are required, the service account must also be assigned a supported role in Entra ID. The guidelines provided below will help you ensure that your role assignments follow the principle of least privilege.
Groups & Teams
API | Request | Request type | Description |
MSGraph v1.0 | Add Attachment | Delegated | Restore group conversation thread post and event attachments. |
MSGraph v1.0 | Delete Attachment | Delegated | Restore (overwrite) group calendar event, conversation, thread attachments. |
MSGraph beta | Get Post Attachments | Delegated | Back up / restore post attachments |
MSGraph beta | List Calendar Event Attachments | Delegated | Back up / restore attachments of a post |
MSGraph v1.0 | Create group calendar event | Delegated | Restore group calendar events |
MSGraph v1.0 | Delete group calendar event | Delegated | Restore (overwrite) group calendar events |
MSGraph v1.0 | Get group calendar event | Delegated | Back up / restore group calendar event with attachments. |
MSGraph beta | Get group calendar changes | Delegated | Back up group calendar changes |
MSGraph v1.0 | Get group calendar events | Delegated | Get group calendar events with attachments |
MSGraph v1.0 | Add Team Chat Message Reply | Delegated | Restore Team channel message reply |
MSGraph v1.0 | Add Team Chat Message | Delegated | Restore Team channel message |
MSGraph v1.0 | Create Team Channel | Delegated | Restore Team channel |
MSGraph v1.0 | Add Post | Delegated | Restore group thread and conversation thread replies. |
MSGraph v1.0 | Create Group Conversation | Delegated | Restore group conversation |
MSGraph v1.0 | Delete Group Conversation | Delegated | Restore (overwrite) group conversation thread |
MSGraph v1.0 | Delete Group Conversation Thread | Delegated | Restore (overwrite) group conversation thread |
MSGraph v1.0 | Add group | Delegated | Restore group |
MSGraph v1.0 | Update group photo | Delegated | Restore group photo |
MSGraph v1.0 | Create group Plan | Delegated | Restore group plan |
MSGraph v1.0 | Create Group Plan Bucket | Delegated | Restore group plan bucket |
MSGraph v1.0 | Create Plan Task | Delegated | Restore plan task |
MSGraph v1.0 | Delete plan Bucket | Delegated | Restore (overwrite) plan bucket |
MSGraph v1.0 | Delete Plan task | Delegated | Restore (overwrite) plan task |
MSGraph v1.0 | Get Plan Bucket | Delegated | Back up / restore plan bucket |
MSGraph v1.0 | Get Plan Details | Delegated | Back up / restore plan details |
MSGraph v1.0 | Get plan task details | Delegated | Back up / restore plan task details |
MSGraph v1.0 | Get Plan Task | Delegated | Back up / restore plan task |
MSGraph v1.0 | List Group Plans | Delegated | Back up / restore Group Plans |
MSGraph v1.0 | List Group Plan Buckets | Delegated | Back up / restore plan buckets |
MSGraph beta | Get Group Plan Tasks | Delegated | Back up / restore group plan tasks |
MSGraph v1.0 | Update Plan Bucket | Delegated | Restore plan buckets |
MSGraph v1.0 | Update plan details | Delegated | Restore plan details |
MSGraph v1.0 | Update plan task details | Delegated | Restore plan task details. |
MSGraph v1.0 | Update plan task | Delegated | Restore plan task |
MSGraph v1.0 | Get User Info | Delegated | Back up / restore user detail |
SharePoint REST API | Create Communication Site | Delegated | Restore Communication site |
SharePoint REST API | Get Tenant Admin Settings | Delegated | Restore tenant admin settings |
SharePoint REST API | Set site properties | Delegated | Restore site properties |
Variable request type based on API availability
Note: The requests listed here will use application permissions if the Teams protected API is available. If the API is not available, delegated permissions will be used, which requires the appropriate role.
API | Request | Request type | Description |
MSGraph v1.0 | Get Team Chat Message Hosted Content | Variable (See note) | Back up Team channel message hosted content |
MSGraph v1.0 | Get Team Chat Message | Variable | Back up Team channel message |
MSGraph v1.0 | Get Team Chat Delta Link | Variable | Back up / restore team channel delta |
MSGraph v1.0 | Get Team Chat Message Change set | Variable | Back up Team channel changes |
MSGraph v1.0 | Get Team Chat Message Replies | Variable | Back up / restore team channel message replies |
MSGraph v1.0 | Get Team Chat Messages | Variable | Back up / restore team channel messages |
MSGraph beta | List Channel Members | Variable | Back up / restore team channel members |
MSGraph v1.0 | List Team Channels | Variable | Back up / restore Team channels |
MSGraph v1.0 | List Team Channel Tabs | Variable | Back up / restore Team channel tabs |
MSGraph v1.0 | List Team Chat Message hosted content | Variable | Back up / restore team channel message hosted content |