Ctrlk
🏠︎ HOME@ WEBSITE↘ FREE TRIAL✉︎ CONTACT SUPPORT
For the complete documentation index, see llms.txt. This page is also available as Markdown.

Required permissions

Permissions required for integrating Microsoft 365 with GitProtect.

The required Microsoft 365 permissions define the access levels GitProtect needs to securely back up and restore your data.

General requirements

To integrate a Microsoft 365 organization with GitProtect, ensure it uses a Microsoft 365 business license.

To back up a single Microsoft 365 account, the account must have a Microsoft 365 license assigned. This also applies to shared mailboxes. License assignments can be managed in the Microsoft 365 admin center.

Each Microsoft 365 account and shared mailbox requires one GitProtect license to back up its data.

The backup process requires a backup agent (worker), which communicates with the Microsoft 365 API, downloads the requested data, and performs the backup. You can use either a cloud or local worker. Any device with the Xopero ONE Backup&Recovery Agent installed can act as a worker.

You do not need to assign any licenses to cloud workers — the appropriate license is assigned automatically by the GitProtect system.

Account permissions

To add your Microsoft 365 organization to GitProtect, you must use a global administrator account. Only a global administrator has the necessary permissions to back up data from all user accounts in the organization.

Learn more about Microsoft 365 administrator roles in the official Microsoft documentation.

Application permissions

The following tables list Xopero apps and their permissions, which are automatically installed in the end user's Entra ID when integrating Microsoft 365 with GitProtect.

Xopero ONE Registrator

This application is used at the beginning of the integration to install and grant the necessary permissions for the Xopero ONE MS365 PRO app.

Microsoft Graph

API name
Claim value
Permission
Type

Microsoft Graph

Directory.AccessAsUser.All

Access directory as the signed-in user.

delegated

Microsoft Graph

offline_access

Maintain access to data you have granted access to.

delegated

Microsoft Graph

profile

View user's basic profile.

delegated

Microsoft Graph

openid

Sign users in.

delegated

Xopero ONE MS365 PRO

This application is required to back up and recover data from Microsoft 365 tenants and is installed automatically in Entra ID by Xopero ONE Registrator.

Microsoft Graph

API name
Claim value
Permission
Type

Microsoft Graph

Mail.ReadWrite

Read and write mail in all mailboxes.

application

Microsoft Graph

User.ReadWrite.All

Read and write all users' full profile information.

application

Microsoft Graph

Application.ReadWrite.All

Read and write all applications.

application

Microsoft Graph

Group.Read.All

Read all groups.

application

Microsoft Graph

Contacts.ReadWrite

Read and write contacts in all mailboxes.

application

Microsoft Graph

Group.Create

Create groups.

application

Microsoft Graph

Files.ReadWrite.All

Read and write files in all site collections.

application

Microsoft Graph

Calendars.ReadWrite

Read and write calendars in all mailboxes.

application

Microsoft Graph

Tasks.ReadWrite

Create, read, update, and delete user's tasks and task lists.

delegated

Microsoft Graph

Directory.ReadWrite.All

Read and write directory data.

delegated

Microsoft Graph

Group.ReadWrite.All

Read and write all groups.

delegated

Microsoft Graph

offline_access

Maintain access to data you have granted access to.

delegated

Exchange Online

API name
Claim value
Permission
Type

Office 365 Exchange Online

full_access_as_app

Use Exchange Web Services (EWS) with full access to all mailboxes.

application

Office 365 Exchange Online

Mail.ReadWrite

Read and write mail in all mailboxes.

application

Office 365 Exchange Online

Calendars.ReadWrite.All

Read and write calendars in all mailboxes.

application

Office 365 Exchange Online

delegated

Office 365 SharePoint Online

API name
Claim value
Permission
Type

Office 365 Exchange Online

full_access_as_app

Use Exchange Web Services (EWS) with full access to all mailboxes.

application

Office 365 Exchange Online

Mail.ReadWrite

Read and write mail in all mailboxes.

application

Office 365 Exchange Online

Calendars.ReadWrite.All

Read and write calendars in all mailboxes.

application

Office 365 Exchange Online

delegated

Useful links and items

LogoAbout administrator roles in the Microsoft 365 admin center - Microsoft 365 adminMicrosoftLearn

Last updated

Was this helpful?