How to: Set permissions for authenticating users and service account
Challenge
To use the service, certain permissions need to be set correctly. Follow this guide to make sure you have the correct settings. If you are encountering the error KB #1011, you need to ensure the service account has the correct permissions.
The Global administrator role must be assigned when setting up the tenant for the first time.
Global admin permission and Application Impersonation are usually enough. In some cases, or if you do not wish to use Global administrator, the permissions below must be set instead.
Solution
ACB backup service account permissions
- Teams
  - The account must have a Microsoft Office 365 license that permits access to Microsoft Teams API. The minimum sufficient license is Microsoft Teams Exploratory experience.
  - The account must have the Team Administrator role assigned.
- SharePoint and OneDrive
  - SharePoint Admin
  - View-only configuration
  - View-only Recipients
- Exchange Online
ACB backup Application permissions
All listed permissions are of the Application type.
Columns: API, Permission name, Exchange Online, SharePoint Online and OneDrive for Business, Microsoft Teams
Microsoft Graph
- Directory.Read.All ✔ ✔ ✔
- Group.Read.All ✔ ✔ ✔
- Sites.Read.All ✔ ✔
- TeamSettings.ReadWrite.All ✔
- ChannelMessage.Read.All ✔
Office 365 Exchange Online
- full_access_as_app ✔ ✔
SharePoint
- Sites.FullControl.All ✔ ✔
- User.Read.All ✔ ✔
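One way to check an app registration against the backup list above, as an added example that is not part of the original article or the product: app-only access tokens carry the granted application permissions in the `roles` claim, so decoding a token issued for each API shows which listed permissions are missing and which grants go beyond the list. The function names and the sample token are constructed for illustration, and the required set is the union of all rows in the backup list (all three workloads).

```python
import base64
import json

# Application permissions from the backup table on this page, grouped by API.
# This is the union of all rows, i.e. all three workloads are backed up.
REQUIRED_BACKUP = {
    "Microsoft Graph": {
        "Directory.Read.All", "Group.Read.All", "Sites.Read.All",
        "TeamSettings.ReadWrite.All", "ChannelMessage.Read.All",
    },
    "Office 365 Exchange Online": {"full_access_as_app"},
    "SharePoint": {"Sites.FullControl.All", "User.Read.All"},
}


def jwt_claims(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_roles(api, token):
    """Compare the token's `roles` claim with the page's list for one API."""
    granted = set(jwt_claims(token).get("roles", []))
    required = REQUIRED_BACKUP[api]
    return {"missing": sorted(required - granted),
            "extra": sorted(granted - required)}


def constructed_token(roles):
    """Build an unsigned sample token (constructed data, not a real token)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"roles": roles}), "sig"])


if __name__ == "__main__":
    sample = constructed_token([
        "Directory.Read.All", "Group.Read.All", "Sites.Read.All",
        "TeamSettings.ReadWrite.All", "Directory.ReadWrite.All",
    ])
    print(audit_roles("Microsoft Graph", sample))
```

An entry under `extra` is a grant the backup list does not call for and is worth reviewing before admin consent is left in place.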
Permissions for Restore
Columns: API, Permission name, Exchange Online, SharePoint Online and OneDrive for Business, Microsoft Teams
Microsoft Graph
- Directory.Read.All ✔ ✔ ✔
- Group.ReadWrite.All ✔
- Sites.Read.All ✔ ✔
- Directory.ReadWrite.All ✔
- offline_access ✔ ✔ ✔
Office 365 Exchange Online
- EWS.AccessAsUser.All ✔
- full_access_as_user ✔
SharePoint
- AllSites.FullControl ✔ ✔
- User.Read.All ✔
Cause
To back up your Office 365 tenant, the service account used for backup needs permission to access your tenant data. These permissions are usually set by the portal during the setup wizard, but in some cases it is not possible to set all permissions.