Skip to main content
commvault.com commvault.com
Solved

Azure Application API Permissions for M365 Services

  • April 5, 2023
  • 1 reply
  • 489 views
A
Byte
Forum|alt.badge.img+6
  • ak2
  • Byte
  • 12 replies

Hi CommVault Community,

I deployed the Azure Applications for M365 Services with the Express Setup.
The Azure Applications have some permissions that are somewhat concerning from a security perspective.

Therefore the question, are the following permissions really necessary?

Why do the Azure Apps need "Application.ReadWrite.All" permissions?

Why does the Azure Application for SharePoint Online need "RoleManagement.ReadWrite.Directory" permissions?

They are not listed in the official documentation!

https://documentation.commvault.com/2023/essential/142507_request_and_grant_permissions_to_azure_apis_for_azure_app_for_sharepoint_online.html

CVSPBackupApp

CVTeamsBackupApp

CVODBackupApp

CVExBackupApp

 

best regards,

Andreas

Best answer by Chris Hollis

@ak2 
 

Q1: Why do the Azure Apps need "Application.ReadWrite.All" permissions?

A1: This permission is need to maintain reply URL. Additionally, needed to run verify connection.
 

Here are list of other permissions and why we need them:

Directory.Read.All - This permission is needed to get user list and for licensing.
Group.ReadWrite.All - This permission is used to scan Microsoft 365 Groups.
Reports.Read.All - This permission is not mandatory. It is required for a future feature support in a later SP.
RoleManagement.ReadWrite.Directory - This permission is used to assign Sharepoint admin role to service account. This is not a mandatory permission.
Sites.FullControl.All - This permission is used for backup and restore (read site content and site stats). Sites.Read.All - This permission is needed for backups and restore (read documents and list items). User.ReadWrite.All - This permission is used to discover users.

 

Q2: Why does the Azure Application for SharePoint Online need "RoleManagement.ReadWrite.Directory" permissions?

A2: It was required in earlier releases, FR28+ no longer requires it (hence not listed). Can be removed.

I hope this helps.

Regards, 
Chris 

View original
Did this answer your question?

1 reply

Chris Hollis
Vaulter
Forum|alt.badge.img+15
  • Chris HollisVaulter
  • Vaulter
  • 333 replies
  • Answer
  • April 6, 2023

@ak2 
 

Q1: Why do the Azure Apps need "Application.ReadWrite.All" permissions?

A1: This permission is need to maintain reply URL. Additionally, needed to run verify connection.
 

Here are list of other permissions and why we need them:

Directory.Read.All - This permission is needed to get user list and for licensing.
Group.ReadWrite.All - This permission is used to scan Microsoft 365 Groups.
Reports.Read.All - This permission is not mandatory. It is required for a future feature support in a later SP.
RoleManagement.ReadWrite.Directory - This permission is used to assign Sharepoint admin role to service account. This is not a mandatory permission.
Sites.FullControl.All - This permission is used for backup and restore (read site content and site stats). Sites.Read.All - This permission is needed for backups and restore (read documents and list items). User.ReadWrite.All - This permission is used to discover users.

 

Q2: Why does the Azure Application for SharePoint Online need "RoleManagement.ReadWrite.Directory" permissions?

A2: It was required in earlier releases, FR28+ no longer requires it (hence not listed). Can be removed.

I hope this helps.

Regards, 
Chris 

Damian Andre
1 person likes this
  • Damian Andre
    Damian Andre

Reply


Most helpful members this week

Terms & ConditionsCookie settings

Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

 
Cookie settings