Solved

Azure Application API Permissions for M365 Services

  • 5 April 2023


Hi CommVault Community,

I deployed the Azure Applications for M365 Services with the Express Setup.
The Azure Applications have some permissions that are somewhat concerning from a security perspective.

Therefore the question: are the following permissions really necessary?

Why do the Azure Apps need "Application.ReadWrite.All" permissions?

Why does the Azure Application for SharePoint Online need "RoleManagement.ReadWrite.Directory" permissions?

They are not listed in the official documentation!

https://documentation.commvault.com/2023/essential/142507_request_and_grant_permissions_to_azure_apis_for_azure_app_for_sharepoint_online.html

CVSPBackupApp

CVTeamsBackupApp

CVODBackupApp

CVExBackupApp

 

best regards,

Andreas


Best answer by Chris Hollis 6 April 2023, 06:38


@ak2 
 

Q1: Why do the Azure Apps need "Application.ReadWrite.All" permissions?

A1: This permission is needed to maintain the reply URL. Additionally, it is needed to run verify connection.
 

Here is a list of other permissions and why we need them:

Directory.Read.All - This permission is needed to get the user list and for licensing.
Group.ReadWrite.All - This permission is used to scan Microsoft 365 Groups.
Reports.Read.All - This permission is not mandatory. It is required for future feature support in a later SP.
RoleManagement.ReadWrite.Directory - This permission is used to assign the SharePoint admin role to the service account. This is not a mandatory permission.
Sites.FullControl.All - This permission is used for backup and restore (read site content and site stats).
Sites.Read.All - This permission is needed for backups and restore (read documents and list items).
User.ReadWrite.All - This permission is used to discover users.

 

Q2: Why does the Azure Application for SharePoint Online need "RoleManagement.ReadWrite.Directory" permissions?

A2: It was required in earlier releases; FR28+ no longer requires it (hence not listed). It can be removed.

I hope this helps.

Regards, 
Chris 
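
One way to check a tenant's grants against the list in the reply above, as an added example that is not part of the original thread or Commvault's own code. The field names `appRoles`, `appRoleId` and `principalDisplayName` follow Microsoft Graph's servicePrincipal and appRoleAssignment resources; the sample data, the placeholder ids, and the names `STATED` and `audit` are assumptions made for illustration.

```python
import json
from collections import defaultdict

# Status of each permission as stated in the reply above.
STATED = {
    "Application.ReadWrite.All": "explained",
    "Directory.Read.All": "explained",
    "Group.ReadWrite.All": "explained",
    "Sites.FullControl.All": "explained",
    "Sites.Read.All": "explained",
    "User.ReadWrite.All": "explained",
    "Reports.Read.All": "not mandatory",
    "RoleManagement.ReadWrite.Directory": "not mandatory",
}

# Constructed sample (placeholder ids, not real tenant data and not the
# vendor's actual grants): resource appRoles plus the apps' appRoleAssignments.
SAMPLE = json.loads("""
{
  "resource": {"appRoles": [
    {"id": "id-1", "value": "Application.ReadWrite.All"},
    {"id": "id-2", "value": "RoleManagement.ReadWrite.Directory"},
    {"id": "id-3", "value": "Sites.FullControl.All"},
    {"id": "id-4", "value": "Mail.ReadWrite"}
  ]},
  "assignments": [
    {"principalDisplayName": "CVSPBackupApp", "appRoleId": "id-1"},
    {"principalDisplayName": "CVSPBackupApp", "appRoleId": "id-2"},
    {"principalDisplayName": "CVSPBackupApp", "appRoleId": "id-3"},
    {"principalDisplayName": "CVExBackupApp", "appRoleId": "id-4"},
    {"principalDisplayName": "CVExBackupApp", "appRoleId": "id-9"}
  ]
}
""")

def audit(resource, assignments):
    """Resolve appRoleId to a permission name and bucket it per app by status.
    Ids missing from appRoles stay visible as 'unresolved:<id>'."""
    names = {role["id"]: role["value"] for role in resource["appRoles"]}
    report = defaultdict(lambda: defaultdict(list))
    for grant in assignments:
        perm = names.get(grant["appRoleId"], "unresolved:" + grant["appRoleId"])
        status = STATED.get(perm, "not covered by the reply")
        report[grant["principalDisplayName"]][status].append(perm)
    return {app: {s: sorted(p) for s, p in buckets.items()}
            for app, buckets in report.items()}

if __name__ == "__main__":
    for app, buckets in audit(SAMPLE["resource"], SAMPLE["assignments"]).items():
        print(app, json.dumps(buckets, indent=2))
```

Permissions in the "not mandatory" bucket are the ones the reply says can be left out, and anything "not covered by the reply" needs its own justification before it stays granted.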
