This article explains which capabilities to select when creating a custom Microsoft 365 application in Keepit, and how those capabilities map to Microsoft permissions. Use it as a reference when configuring an app registration for specific workloads.

Before you start

Keepit supports two ways of connecting Microsoft 365 to your backup account:

Default application
A Keepit-managed application that backs up all supported workloads except Teams Chats.

Custom applications
App registrations that you create in your own Microsoft Entra tenant. You can:

• Use a single custom application for multiple workloads, or
• Create dedicated applications per workload

Backing up Teams Chats always requires a custom application.

How capabilities work

Each custom application in Keepit is configured with a set of capabilities. A capability represents a specific data protection function (for example, "Exchange backup and restore").

Each capability maps to one or more Microsoft APIs and permissions, such as Microsoft Graph, SharePoint, Exchange Web Services (EWS).

When you select a capability in Keepit, the required Microsoft permissions are shown so you can grant them in your Entra ID app registration.

Important requirement

"Directory access" is required for every custom application.

This capability allows Keepit to read basic directory data (users, groups, and tenant metadata) so it can identify what needs to be backed up or restored.

Always select "Directory access" together with any workload-specific capabilities.

Microsoft Exchange Online (mailboxes)

Use these capabilities to back up user mailboxes, including email, calendars, contacts, and tasks.

Where to find Exchange Online permissions in Entra ID

Keepit currently uses Exchange Web Services (EWS) to protect Exchange Online data. This requires the full_access_as_app application permission from the Office 365 Exchange Online API.

Although Microsoft removed this API from the Microsoft APIs tab in November 2020, it is still available (currently expected until late 2026). It has simply been moved within the interface.

To grant the required permission:

1. In your Entra ID app registration, go to API permissions > Add a permission.

2. Select the APIs my organization uses tab (not Microsoft APIs).

3. Search for the full name Office 365 Exchange Online.

• Searching for just “Exchange” will not return results.

4. Open Office 365 Exchange Online > Application permissions, and select full_access_as_app.

5. Add the permission and grant admin consent.

Note: This additional step is only required while Keepit uses EWS for Exchange Online data protection. Once Keepit moves Exchange Online backup to Microsoft Graph (Q2 2026), the full_access_as_app permission and the APIs my organization uses workaround will no longer be needed. 

Required 

Optional 

Add the capability below only if your tenant is a Multi-Geo tenant. Multi-Geo allows mailbox data to be stored in specific geographical locations.

Exchange Public Folders 

Use these capabilities to back up Public Folders. Public Folders use the same Microsoft permission set as Exchange mailboxes, but additionally require a service account in the Keepit connection.

Note: Public Folders rely on the same Office 365 Exchange Online API as Exchange mailboxes. If you are adding the full_access_as_app permission on the Microsoft side, follow the steps in the Exchange Online info box above to locate the API under APIs my organization uses.

Required 

Microsoft 365 Groups and Teams 

Use these capabilities to back up Microsoft 365 Groups and Teams (including group calendars, conversations, members, metadata, owners, and plans).

Required

Notes

• Both "Groups & Teams backup and restore" and "Groups & Teams backup and restore extended" must be selected for a complete backup. The extended capability uses a delegated permission and is required for operations that cannot be performed with application-only permissions.
• Teams private chats are not included in this capability set. To back up Teams chats, use a separate custom application with the Teams private chats capabilities (see below).

SharePoint and OneDrive 

Use these capabilities to back up SharePoint sites and OneDrive for Business. The same capability set covers both workloads.

Required

Optional 

Add the capabilities below only if you need the corresponding feature. All optional capabilities are independent.

Notes

• Add "Term store backup" if you want to back up managed metadata (term store) data.
• Add "Term store restore" if you want the ability to restore term store data. This is separate from Term store backup because it requires write permissions.
• Add "Geolocations discovery" if you want to back up SharePoint content from specific geographical locations in a Multi-Geo tenant.
• A service account must be added to the Keepit connection if you want to restore a SharePoint site to a new URL, or restore a deleted site. A service account is not required for standard in-place restores.

Microsoft Teams Chats 

Teams private chats always require a dedicated custom application. They cannot be backed up by the default Keepit application, or combined in the same custom application as other workloads.

Required 

Notes

• All three capabilities must be selected to back up Teams private chats, including message attachments. The extended capability is required for attachment backup.
• If you have an existing (legacy) Teams Chats custom application, it will continue to work without changes. However, any new Teams Chats custom application or any update to the capabilities of an existing one must use the capability set described above.

Related topics

• Generate a self-signed certificate for an app registration.
• Create an app registration in Microsoft Entra ID
• Add and manage connection applications in Keepit.
• Troubleshooting: application with a lack of capabilities or permissions.