✖

Minimum scope

The roles and permissions or minimum scope required by a service account configured for RecoveryManager Plus are listed below.

The minimum scope required by a service account configured for RecoveryManager Plus should be a member of Exchange administrator role.

The minimum scope required by an application registration configured for RecoveryManager Plus should be a member of Exchange administrator role.

Module	Role Name	Permission	Scope
Exchange Online	Office 365 Exchange Online	EWS.AccesAsUser.All	Backup and restore mailboxes
		full_access_as_app	Use Exchange Web Services to back up and restore mailboxes
		Exchange.ManageAsApp	Manage Exchange as Application
SharePoint & OneDrive	SharePoint	Sites.FullControl.All	Backup and restore sites
SharePoint & OneDrive	SharePoint	User.ReadWrite.All	Read and write the full set of profile properties, reports, and managers of users
Azure AD	Azure Active Directory Graph	Domain.ReadWrite.All	Read and write all domain properties
	Microsoft Graph → Application Permissions	AppRoleAssignment.ReadWrite.All	Manage app permission grants and app role assignments
		AdministrativeUnit.ReadWrite.All	Read and write all administrative units
		Application.ReadWrite.All	Read and write all applications
		AppRoleAssignment.ReadWrite.All	Manage app permission grants and app role assignments
		Directory.ReadWrite.All	Read and write directory data
		Domain.ReadWrite.All	Read and write domains
		Group.Create	Create groups
		Group.ReadWrite.All	Read and write all groups
		Policy.Read.All	Read your organization's policies
		Policy.ReadWrite.ApplicationConfiguration	Read and write your organization's application configuration policies
		Policy.ReadWrite.Authorization	Read and write your organization's authorization policy
		Policy.ReadWrite.ConditionalAccess	Read and write your organization's conditional access policies
		RoleManagement.ReadWrite.Directory	Read and write all directory RBAC settings