App Profile Authentication

    If you want to protect team sites and group sites with AvePoint Cloud Backup Express, you must first have a Cloud Backup Express service app with sufficient permissions, and then run the Auto Discovery scan job to register the apps to your AvePoint Online Services instance. You can re-authorize your existing Cloud Backup Express service app with the permissions consented. For the required permissions, refer to Required Permissions of AvePoint Cloud Backup Express App.

    App profile authentication (using Cloud Backup for Microsoft 365 service apps, default Microsoft 365 apps, or a custom Azure app) ensures that all Auto Discovery and Cloud Backup for Microsoft 365 jobs are tagged as activities of that app. It also means that no service accounts or passwords need to be stored; only the consent is recorded. The consent can be monitored in your Microsoft Entra ID and can be revoked at any time.
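
As an added example (not part of the AvePoint documentation), the following Microsoft Graph PowerShell script lists the application and delegated permissions currently consented for an app profile's service principal, which is one way to monitor the consent described above. The display name is a placeholder assumption; replace it with the name shown for your app under Enterprise applications in Microsoft Entra ID.

```powershell
# Added example: inventory the consent recorded in Microsoft Entra ID for an app profile.
# Requires the Microsoft.Graph PowerShell SDK. Read-only scopes are enough to audit.
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All'

# ASSUMPTION: placeholder. Use the display name of your app profile's enterprise application.
$appDisplayName = '<your app profile display name>'

# Cache resource service principals (Microsoft Graph, SharePoint Online, ...) between lookups.
$resourceCache = @{}
function Get-ResourceSp([string]$Id) {
    if (-not $resourceCache.ContainsKey($Id)) {
        $resourceCache[$Id] = Get-MgServicePrincipal -ServicePrincipalId $Id
    }
    $resourceCache[$Id]
}

$report = foreach ($sp in Get-MgServicePrincipal -Filter "displayName eq '$appDisplayName'" -All) {
    # Application permissions (app roles) granted to the app itself.
    foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
        $res = Get-ResourceSp $a.ResourceId
        [pscustomobject]@{
            App        = $sp.DisplayName
            Type       = 'Application'
            Resource   = $res.DisplayName
            Permission = ($res.AppRoles | Where-Object Id -eq $a.AppRoleId).Value
            Consent    = 'App-only'
            GrantId    = $a.Id
        }
    }
    # Delegated permissions: AllPrincipals = tenant-wide consent, Principal = a single user.
    foreach ($g in Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All) {
        $res = Get-ResourceSp $g.ResourceId
        foreach ($scope in ($g.Scope -split ' ' | Where-Object { $_ })) {
            [pscustomobject]@{
                App        = $sp.DisplayName
                Type       = 'Delegated'
                Resource   = $res.DisplayName
                Permission = $scope
                Consent    = $g.ConsentType
                GrantId    = $g.Id
            }
        }
    }
}
$report | Sort-Object App, Type, Resource, Permission | Format-Table -AutoSize

# Revoking needs write scopes (AppRoleAssignment.ReadWrite.All, DelegatedPermissionGrant.ReadWrite.All):
#   Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId <sp id> -AppRoleAssignmentId <GrantId>
#   Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <GrantId>
```

Comparing this output against the vendor's required-permissions list shows whether the app holds more than it needs; revoking a grant stops any job that depends on it until the app is re-authorized.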

    You can consent to apps separately for the services you want to protect. If you do not have service apps, AvePoint Cloud Backup will use the default Microsoft 365 app or custom Azure app to scan or protect the data. To protect Exchange Online mailboxes and SharePoint Online site collections with AvePoint Cloud Backup Express, you must configure a Cloud Backup Express service app for Auto Discovery and data protection.

- If you want to use Cloud Backup for SharePoint Online, OneDrive, Exchange Online, Public Folders, Microsoft 365 Groups, and Teams service in app context, you need a **Cloud Backup for Microsoft 365 service app** or **Microsoft 365 app** connected to your tenant. If you use the Teams Chat service, you need to configure a custom app for **Teams Chat**.
- If you use the Viva Engage service, you need to configure the Microsoft 365 app (All permissions) or Cloud Backup for Microsoft 365 app (All permissions), and the Viva Engage app. Alternatively, you can have a custom Azure app with delegated permissions.
- For the permissions required by the Microsoft 365 app, refer to [Required Permissions of Microsoft 365 App Profile](#missing-link).
- For the permissions required by the Viva Engage app, refer to [Required Permissions of Viva Engage App](#missing-link).
- The authentication user for the Viva Engage app must be a **Microsoft 365 Global Administrator** with the Viva Engage product license. To re-authorize the Viva Engage app, the authentication user must have the **Verified Admin** role and the **Yammer administrator** role with the Viva Engage product license.
- To use a custom Azure app with delegated permissions, you must grant at least all permissions listed in [Required Permissions of Microsoft 365 App Profile](#missing-link) and [Required Permissions of Viva Engage App](#missing-link) to the app.
- If you want to use Cloud Backup for Project Online, you can use an app profile to scan the Project Online site collections. In this way, the service account does not require the Site Collection Administrator role. However, the Project Online data cannot be protected in the app context (using app profile authentication). Therefore, a service account with enough permissions is still required for the backup and restore for Project Online. For the required permissions of a service account, refer to [Service Account Authentication](#missing-link).
- If you want to use Cloud Backup for Power BI, Power Automate, or Power Apps in app context, restore the Teams channel conversations as new posts to the channel, or restore Planner task comments, you must configure an app profile for the **Microsoft Delegated** app or a custom Azure app with delegated permissions. If you want to restore the Teams channel conversations as new posts, the authentication user must have the **Teams** license. For the permissions required by the Microsoft Delegated app, refer to [Required Permissions of Microsoft Delegated App](#missing-link).

    *Note*: If you are using a multi-geo tenant, ensure the app profile has the Exchange Administrator role. This role is required to restore the region information for Microsoft 365 Groups and Teams. Otherwise, your group or team backed up from a specific region will be restored to the default region. This known issue also exists in the service account authentication. For details on how to assign the role to an app, refer to .

    To view the lists of data types that are supported or unsupported for each service type, refer to . For the permission requirements of an app profile for a specific service type, refer to the section below.