Permissions for Entra ID Backup

Overview

This article details the APIs, actions, and permissions required to back up your Entra ID data.

Keepit leverages a wide range of available APIs to provide comprehensive backup coverage. To safeguard your confidential data, it is crucial to ensure that enterprise applications have only the permissions they need. When setting up your Entra ID backup account, you may need to create a custom Microsoft RBAC role specifically for backup and restoration purposes. The information provided here is intended to give you transparency into the actions we perform and the permissions required, allowing you to define more restrictive roles as necessary.

Important: This document is provided for informational purposes only and comes without warranty. Until restricted or custom roles have been fully tested, they are not officially supported. It is important to test any restricted or custom roles. If a backup or restore is attempted without the recommended Global Admin role and issues arise, you may need to temporarily reassign Global Admin permissions.

Entra ID App Permissions

Knowledge base Entra ID Connector

API	Permission	Permission Type	Used to protect	Description
v1.0	AdministrativeUnit.ReadWrite.All	Application	Administrative units	Required to list, back up, list members of, add members to, remove members from, create, update, and delete admin units
v1.0	Application.ReadWrite.All	Application	Applications Service principals	Required to list, back up, create, update, add owners to and remove owners from applications and service principals
v1.0	AuditLog.Read.All	Application	Activity logs	Required to list and back up audit logs and sign-in logs
Beta	BitlockerKey.Read.All	Delegated	BitLocker keys	Required to back up BitLocker recovery keys
v1.0	BitlockerKey.ReadBasic.All	Delegated	BitLocker keys	Required to list BitLocker recovery keys
Beta	DeviceLocalCredential.Read.All		Windows LAPS credentials	Required to list devices enrolled into LAPS, obtain their credentials (usernames and passwords) and credential metadata (timestamps)
Beta	DeviceManagementConfiguration.ReadWrite.All	Application	Device management configurations	Required to list, back up, create, update, and delete device management configuration policies
Beta	Directory.AccessAsUser.All	Delegated	Users Groups	Required to impersonate the service account to cover functions not available through application permissions
v1.0	Directory.ReadWrite.All	Application	Group policies Groups	Required to change password protection settings for groups. Required to add and remove group members and owners.
v1.0, Beta	Group.ReadWrite.All	Delegated	M365 groups	Required to list, back up, create, update, and delete Microsoft 365 groups
v1.0, Beta	Group.ReadWrite.All	Application	Security groups	Required to list, back up, create, update, and delete security groups
v1.0, Beta	Policy.Read.All	Application	Policies	Required to list and back up all policy types
Beta	Policy.ReadWrite.AuthenticationMethod	Application	Authentication methods	Required to create, update, and delete authentication methods
Beta	Policy.ReadWrite.ConditionalAccess	Application	Conditional access policies	Required to create, update, and delete conditional access policies
Beta	RoleManagement.ReadWrite.Directory	Application	Roles Role assignments	Required to list, back up, create, update, and delete roles and role assignments
v1.0, Beta	User.Read.All	Delegated	Users	Required to list and back up users
v1.0	User.ReadWrite.All	Delegated	Users	Required to change user properties
v1.0	User.ReadWrite.All	Application	Users	Required to create and delete users
Beta	UserAuthenticationMethod.ReadWrite.All	Delegated	User authentication methods	Required to list, back up, create, update, and delete user authentication methods
Beta	UserAuthenticationMethod.ReadWrite.All	Application	User authentication methods	Required to list, back up, create, update, and delete user authentication methods

Entra ID workload

Permissions for Entra ID Backup

Overview

Entra ID App Permissions