Home > Manage Apps > Manage App Profiles for Microsoft Tenants > API Permissions Required by Default AvePoint Apps for Microsoft Tenants > Cloud Backup for IaaS + PaaS
Export to PDFCloud Backup for IaaS + PaaS
Refer to the following sections to see the permissions that should be accepted when you consent to the corresponding apps.
Cloud Backup for Azure
When you create a Cloud Backup for Azure app profile in AvePoint Online Services, the AvePoint Cloud Backup for Azure app will be automatically set up in your Microsoft Entra ID.
The table below lists the permissions that should be accepted when you authorize the AvePoint Cloud Backup for Azure app.
| API | Permission | Type | Purpose | Is newly required? |
|---|---|---|---|---|
| Microsoft Graph | AdministrativeUnit.ReadWrite.All(Read and write administrative units) | Application | Allows the app to create, read, update, and delete administrative units and manage administrative unit membership on behalf of the signed-in user. | No |
| Microsoft Graph | Application.ReadWrite.All(Read and write all apps) | Application | Allows the app to create, read, update and delete applications and service principals on behalf of the signed-in user. | No |
| Microsoft Graph | AppRoleAssignment.ReadWrite.All(Manage app permission grants and app role assignments) | Application | Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, on behalf of the signed-in user. | No |
| Microsoft Graph | AuditLog.Read.All(Read all audit log data) | Application | Allows the app to read and query your audit log activities, without a signed-in user. | No |
| Microsoft Graph | DeviceManagementScripts.ReadWrite.All(Read and write Microsoft Intune Scripts) | Application | Allows the app to read and write Microsoft Intune device compliance scripts, device management scripts, device shell scripts, device custom attribute shell scripts and device health scripts, without a signed-in user. | No |
| Microsoft Graph | Directory.ReadWrite.All(Read and write directory data) | Application | Allows the app to read and write data in your organization's directory, such as users, and groups. It does not allow the app to delete users or groups or reset user passwords. | No |
| Microsoft Graph | Group.ReadWrite.All(Read and write all groups) | Application | Allows the app to create groups and read all group properties and memberships on behalf of the signed-in user. Also allows the app to read and write calendars, conversations, files, and other group content for all groups the signed-in user can access. Additionally allows group owners to manage their groups and allows group members to update group content. | No |
| Microsoft Graph | RoleManagement.ReadWrite.Directory(Read and write all directory RBAC settings) | Application | Allows the app to read and manage the role-based access control (RBAC) settings for your company's directory, on behalf of the signed-in user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles, and memberships. | No |
| Microsoft Graph | User.ReadWrite.All(Read and write all users’ full profiles) | Application | Allows the app to read and write the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user. Also allows the app to create and delete users as well as reset user passwords on behalf of the signed-in user. | No |
| Microsoft Graph | User.Read(Sign in and read user profile) | Delegated | Allows users to sign in to AvePoint Online Services with Microsoft 365 accounts. | No |
| Microsoft Graph | BitlockerKey.Read.All(Read BitLocker keys) | Delegated | Enables the app to access BitLocker keys for the signed-in user's devices, allowing it to read the recovery key. | No |
| Microsoft Graph | BitlockerKey.Read.All(Read all BitLocker keys) | Application | Enables the app to access BitLocker keys for the signed-in user's devices, allowing it to read the recovery key. | No |
| Microsoft Graph | Policy.Read.All(Read your organization's policies) | Application | Allows the app to read all your organization's policies without a signed in user. | No |
| Microsoft Graph | Organization.Read.All(Read organization information) | Application | Retrieves all organizational branding. | No |
| Microsoft Graph | Policy.ReadWrite.AuthenticationMethod(Read and write all authentication method policies) | Application | Retrieves all authentication method policies and configurations. | No |
| Microsoft Graph | Policy.ReadWrite.ConditionalAccess(Read and write your organization's conditional access policies.) | Application | Allows the app to read and write your organization's conditional access policies, without a signed-in user. | No |
| Microsoft Graph | Policy.ReadWrite.Authorization(Read and write your organization’s authorization policy) | Application | Allows the app to update the group general settings to enable or disable the capability for the users to create security groups. | No |
| Microsoft Graph | UserAuthenticationMethod.ReadWrite.All (preview)(Read and write all users' authentication methods) | Application | Allows the application to read and write authentication methods of all users in your organization without a signed-in user. Authentication methods include information like a user’s phone number and Authenticator app settings. This does not allow the app to see sensitive information, such as the password, or to sign in or use the authentication methods. | No |
| Microsoft Graph | DeviceManagementConfiguration.ReadWrite.All(Read and write Microsoft Intune device configuration and policies) | Application | Allows the app to read and write properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups, without a signed-in user. | No |
| Microsoft Graph | DeviceManagementApps.ReadWrite.All(Read and write Microsoft Intune apps) | Application | Allows the app to read and write the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune, without a signed-in user. | No |
| Microsoft Graph | DeviceManagementApps.ReadWrite.All(Read and write Microsoft Intune apps) | Delegated | Allows the app to read and write the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune, without a signed-in user. | No |
| Microsoft Graph | DeviceManagementRBAC.Read.All(Read Microsoft Intune RBAC settings) | Application | Allows the app to read the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings, without a signed-in user. | No |
| Microsoft Graph | Domain.Read.All(Read domains) | Application | Allows the app to read all domain properties without a signed-in user. | No |
| Office 365 Exchange Online | Exchange.ManageAsApp(Manage Exchange As Application) | Application | Allows the backup and restore of the distribution lists in MFA-enabled tenants. | No |
Cloud Backup for Azure DevOps
When you create a Cloud Backup for Azure DevOps app profile in AvePoint Online Services, the AvePoint Cloud Backup for Azure DevOps app will be automatically set up in your Microsoft Entra ID.
The table below lists the permissions that should be accepted when you authorize the AvePoint Cloud Backup for Azure DevOps app.
| API | Permission | Type | Purpose | Is newly required? |
|---|---|---|---|---|
| Azure DevOps | user_impersonation(Have full access to Visual Studio Team Services REST APIs) | Delegated | Have full access to Visual Studio Team Services REST APIs. | No |
| Microsoft Graph | User.Read.All(Read all user’s full profile) | Delegated | Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user. | No |
Cloud Backup for Azure AD B2C
When you create a Cloud Backup for Azure AD B2C app profile in AvePoint Online Services, the AvePoint Cloud Backup for Azure AD B2C app will be automatically set up in your Microsoft Entra ID.
The table below lists the permissions that should be accepted when you authorize the AvePoint Cloud Backup for Azure AD B2C app.
| API | Permission | Type | Purpose | Is newly required? |
|---|---|---|---|---|
| MSFT Graph | IdentityUserFlow.ReadWrite.All(Read and write all identity user flows) | Application | Allows the app to read or write your organization's user flows, without a signed-in user. | No |
| MSFT Graph | IdentityProvider.ReadWrite.All(Read and write identity providers) | Application | Allows the app to read and write your organization's identity (authentication) providers' properties without a signed-in user. | No |
| MSFT Graph | Application.ReadWrite.All(Read and write all applications) | Application | Allows the app to create, read, update and delete applications and service principals without a signed-in user. Does not allow management of consent grants. | No |
| MSFT Graph | AuditLog.Read.All(Read all audit log data) | Application | Allows the app to read and query your audit log activities, without a signed-in user. | No |
| MSFT Graph | Directory.Read.All(Read directory data) | Application | Allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user. | No |
| MSFT Graph | AppRoleAssignment.ReadWrite.All(Manage app permission grants and app role assignments) | Application | Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, without a signed-in user. | No |
| MSFT Graph | RoleManagement.ReadWrite.Directory(Read and write all directory RBAC settings) | Application | Allows the app to read and manage the role-based access control (RBAC) settings for your company's directory, without a signed-in user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships. | No |
| MSFT Graph | User.ReadWrite.All(Read and write all users' full profiles) | Application | Allows the app to read and update user profiles without a signed in user. | No |
| MSFT Graph | UserAuthenticationMethod.ReadWrite.All(Read and write all users' authentication methods) | Application | Allows the application to read and write authentication methods of all users in your organization, without a signed-in user. Authentication methods include things like a user's phone numbers and Authenticator app settings. This does not allow the app to see secret information like passwords, or to sign-in or otherwise use the authentication methods. | No |
| MSFT Graph | GroupMember.ReadWrite.All(Read and write all group memberships) | Application | Allows the app to list groups, read basic properties, read and update the membership of the groups this app has access to without a signed-in user. Group properties and owners cannot be updated and groups cannot be deleted. | No |
| MSFT Graph | User.ManageIdentities.All(Manage all users' identities) | Application | Allows the app to read, update and delete identities that are associated with a user's account, without a signed in user. This controls the identities users can sign-in with. | No |
| MSFT Graph | User-Mail.ReadWrite.All(Read and write all secondary mail addresses for users) | Application | Allows the app to read and write secondary mail addresses for all users, without a signed-in user. | No |
| MSFT Graph | User-Phone.ReadWrite.All(Read and write all user mobile phone and business phones) | Application | Allows the app to read and write the mobile phone and business phones for all users, without a signed-in user. | No |
| MSFT Graph | User.EnableDisableAccount.All(Enable and disable user accounts) | Application | Allows the app to enable and disable users' accounts, without a signed-in user. | No |
On this page