Permissions for Entra ID Backup

Overview

This article details the APIs, actions, and permissions required to back up your Entra ID data.

Keepit leverages a wide range of available APIs to provide comprehensive backup coverage. To safeguard your confidential data, it is crucial to ensure that enterprise applications have only the permissions they need. When setting up your Entra ID backup account, you may need to create a custom Microsoft RBAC role specifically for backup and restoration purposes. The information provided here is intended to give you transparency into the actions we perform and the permissions required, allowing you to define more restrictive roles as necessary.

Important: This document is provided for informational purposes only and comes without warranty. Until restricted or custom roles have been fully tested, they are not officially supported. It is important to test any restricted or custom roles. If a backup or restore is attempted without the recommended Global Admin role and issues arise, you may need to temporarily reassign Global Admin permissions.

Entra ID App Permissions

| API | Permission | Permission type | Used to protect | Description |
|---|---|---|---|---|
| v1.0 | AdministrativeUnit.ReadWrite.All | Application | Administrative units | Required to list, back up, list members of, add members to, remove members from, create, update, and delete admin units |
| v1.0 | Application.ReadWrite.All | Application | Applications; service principals | Required to list, back up, create, update, add owners to, and remove owners from applications and service principals |
| v1.0 | AuditLog.Read.All | Application | Activity logs | Required to list and back up audit logs and sign-in logs |
| Beta | BitlockerKey.Read.All | Delegated | BitLocker keys | Required to back up BitLocker recovery keys |
| v1.0 | BitlockerKey.ReadBasic.All | Delegated | BitLocker keys | Required to list BitLocker recovery keys |
| Beta | DeviceLocalCredential.Read.All | | Windows LAPS credentials | Required to list devices enrolled in LAPS and to obtain their credentials (usernames and passwords) and credential metadata (timestamps) |
| Beta | DeviceManagementConfiguration.ReadWrite.All | Application | Device management configurations | Required to list, back up, create, update, and delete device management configuration policies |
| Beta | Directory.AccessAsUser.All | Delegated | Users; groups | Required to impersonate the service account to cover functions not available through application permissions |
| v1.0 | Directory.ReadWrite.All | Application | Group policies; groups | Required to change password protection settings for groups, and to add and remove group members and owners |
| v1.0, Beta | Group.ReadWrite.All | Delegated | Microsoft 365 groups | Required to list, back up, create, update, and delete Microsoft 365 groups |
| v1.0, Beta | Group.ReadWrite.All | Application | Security groups | Required to list, back up, create, update, and delete security groups |
| v1.0, Beta | Policy.Read.All | Application | Policies | Required to list and back up all policy types |
| Beta | Policy.ReadWrite.AuthenticationMethod | Application | Authentication methods | Required to create, update, and delete authentication methods |
| Beta | Policy.ReadWrite.ConditionalAccess | Application | Conditional access policies | Required to create, update, and delete conditional access policies |
| Beta | RoleManagement.ReadWrite.Directory | Application | Roles; role assignments | Required to list, back up, create, update, and delete roles and role assignments |
| v1.0, Beta | User.Read.All | Delegated | Users | Required to list and back up users |
| v1.0 | User.ReadWrite.All | Delegated | Users | Required to change user properties |
| v1.0 | User.ReadWrite.All | Application | Users | Required to create and delete users |
| Beta | UserAuthenticationMethod.ReadWrite.All | Delegated | User authentication methods | Required to list, back up, create, update, and delete user authentication methods |
| Beta | UserAuthenticationMethod.ReadWrite.All | Application | User authentication methods | Required to list, back up, create, update, and delete user authentication methods |
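The table above is only useful if what the enterprise application has actually been granted matches it. The following script is an added example written for this article; it is not Keepit's code or tooling. It takes the objects Microsoft Graph returns from `/servicePrincipals/{id}/appRoleAssignments` (application permissions, identified by `appRoleId` GUIDs that resolve against the Microsoft Graph service principal's `appRoles` list) and from `/oauth2PermissionGrants` (delegated permissions, as a space-separated `scope` string), resolves them to permission names, and reports what is missing from the table (backup or restore would fail) and what is granted beyond it (wider than least privilege). All GUIDs and sample grants below are constructed placeholders, and because the table gives no type for DeviceLocalCredential.Read.All, the script assumes it may appear as either type.

```python
"""Least-privilege audit of an Entra ID backup app's Microsoft Graph grants.

Added example (not Keepit's code). Compares the permissions granted to a
backup service principal against the table in this article and flags
anything missing or extra. The input shapes mirror the Graph objects from
/servicePrincipals/{id}/appRoleAssignments and /oauth2PermissionGrants;
all GUIDs and grants below are constructed, not real tenant values.
"""

# Expected permissions, transcribed from the table on this page, keyed by type.
EXPECTED_APPLICATION = {
    "AdministrativeUnit.ReadWrite.All",
    "Application.ReadWrite.All",
    "AuditLog.Read.All",
    "DeviceManagementConfiguration.ReadWrite.All",
    "Directory.ReadWrite.All",
    "Group.ReadWrite.All",
    "Policy.Read.All",
    "Policy.ReadWrite.AuthenticationMethod",
    "Policy.ReadWrite.ConditionalAccess",
    "RoleManagement.ReadWrite.Directory",
    "User.ReadWrite.All",
    "UserAuthenticationMethod.ReadWrite.All",
}
EXPECTED_DELEGATED = {
    "BitlockerKey.Read.All",
    "BitlockerKey.ReadBasic.All",
    "Directory.AccessAsUser.All",
    "Group.ReadWrite.All",
    "User.Read.All",
    "User.ReadWrite.All",
    "UserAuthenticationMethod.ReadWrite.All",
}
# Assumption: the page lists this permission without a type, so accept either.
TYPE_UNSPECIFIED = {"DeviceLocalCredential.Read.All"}

# Constructed stand-in for the Microsoft Graph service principal's appRoles
# list, which maps appRoleId GUIDs to permission names (real ids differ).
GRAPH_APP_ROLES = [
    {"id": "00000000-0000-0000-0000-000000000001", "value": "AuditLog.Read.All"},
    {"id": "00000000-0000-0000-0000-000000000002", "value": "Directory.ReadWrite.All"},
    {"id": "00000000-0000-0000-0000-000000000003", "value": "Mail.ReadWrite"},
    {"id": "00000000-0000-0000-0000-000000000004", "value": "Group.ReadWrite.All"},
]

# Constructed sample of the backup app's appRoleAssignments (application type).
SAMPLE_APP_ROLE_ASSIGNMENTS = [
    {"appRoleId": "00000000-0000-0000-0000-000000000001", "resourceDisplayName": "Microsoft Graph"},
    {"appRoleId": "00000000-0000-0000-0000-000000000002", "resourceDisplayName": "Microsoft Graph"},
    {"appRoleId": "00000000-0000-0000-0000-000000000003", "resourceDisplayName": "Microsoft Graph"},
    {"appRoleId": "00000000-0000-0000-0000-000000000004", "resourceDisplayName": "Microsoft Graph"},
]

# Constructed sample oauth2PermissionGrants (delegated type); "scope" is a
# space-separated list of permission names.
SAMPLE_OAUTH2_GRANTS = [
    {"consentType": "AllPrincipals", "scope": "User.Read.All BitlockerKey.Read.All Files.ReadWrite.All"},
    {"consentType": "Principal", "scope": "Group.ReadWrite.All"},
]


def resolve_app_roles(assignments, app_roles):
    """Map appRoleId GUIDs to names; unknown ids are kept so they get flagged."""
    by_id = {role["id"]: role["value"] for role in app_roles}
    return {by_id.get(a["appRoleId"], "unknown:" + a["appRoleId"]) for a in assignments}


def resolve_delegated(grants):
    """Flatten every grant's scope string into one set of permission names."""
    names = set()
    for grant in grants:
        names.update(grant.get("scope", "").split())
    return names


def audit(granted, expected):
    """Return sorted lists of expected-but-absent and granted-but-unexpected names."""
    return {
        "missing": sorted(expected - granted),
        "extra": sorted(granted - expected - TYPE_UNSPECIFIED),
    }


def audit_backup_app(assignments, grants, app_roles=GRAPH_APP_ROLES):
    """Audit both permission types of one service principal against the table."""
    return {
        "application": audit(resolve_app_roles(assignments, app_roles), EXPECTED_APPLICATION),
        "delegated": audit(resolve_delegated(grants), EXPECTED_DELEGATED),
    }


if __name__ == "__main__":
    report = audit_backup_app(SAMPLE_APP_ROLE_ASSIGNMENTS, SAMPLE_OAUTH2_GRANTS)
    for perm_type, result in report.items():
        print(f"{perm_type}: missing={result['missing']}")
        print(f"{perm_type}: extra={result['extra']}")
```

On the constructed sample the report lists Mail.ReadWrite and Files.ReadWrite.All as extra grants to remove, and nine application plus four delegated permissions from the table that are not yet granted. Run against real tenant data, the "extra" list is the one to act on first, and any `unknown:` entry means an app role that is not a Microsoft Graph role at all and deserves a closer look.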