API Permissions Required by Custom Apps

To use IBM® Storage Protect for Cloud, an app is required for authentication. If you do not want to use IBM's default apps, you can configure your tenant’s custom app and create a custom app profile. Refer to the sections below for the permissions required by custom apps.

Microsoft Tenant Custom Apps

To make the custom app created in your Microsoft Entra ID available for the common features of IBM Storage Protect for Cloud, assign it the permissions listed in the table below.

Note: If the Sites.FullControl.All SharePoint API permission is not allowed by your organization’s security policy, you can add the Sites.Selected application permission as a replacement. For more information, see What Should I Do If the Sites.FullControl.All Permission Cannot be Added to My Custom App?

| API | Permission | Type | Purpose |
|---|---|---|---|
| Microsoft Graph | Organization.Read.All (Read organization information) | Application | Check the status of app profiles. |
| Microsoft Graph | Group.Read.All (Read all groups) | Application | Scan mailboxes, Microsoft 365 Groups, Teams, and Viva Engage communities. Invite users and groups in User management. |
| Microsoft Graph | User.Read.All (Read all users) | Application | Scan mailboxes, Microsoft 365 Groups, Teams, and Viva Engage communities. Invite users and groups in User management. |
| SharePoint/Office 365 SharePoint Online | Sites.FullControl.All (Have full control of all site collections) | Application | Scan SharePoint Online site collections, Project Online site collections, OneDrive, and Microsoft 365 Group team sites. |
| SharePoint/Office 365 SharePoint Online | User.Read.All (Read user profiles) | Application | Scan OneDrive to retrieve the OneDrive URL of each user from SharePoint user profiles. |
| Office 365 Exchange Online | full_access_as_app (Use Exchange Web Services with full access to all mailboxes) | Application | Scan Exchange Online Public Folders and in-place archived mailboxes (if necessary). |
| Office 365 Exchange Online | Exchange.ManageAsApp (Manage Exchange As Application) | Application | Only required by custom apps of the following services: IBM Storage Protect for Cloud Microsoft™ 365. |

Note: To add the full_access_as_app or Exchange.ManageAsApp permission, refer to Add Permissions of Office 365 Exchange Online API.
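
A least-privilege check for the table above, as an added example that is not IBM's or Microsoft's code: it compares the permissions granted to a custom app with the listed baseline, accepts Sites.Selected in place of Sites.FullControl.All as the note allows, and reports missing, excess and unusable grants. The tuple format, the `audit` function and the sample grants are assumptions made for illustration.

```python
# Baseline transcribed from the table above (API -> application permissions).
# Assumes every listed service, including Microsoft 365, is in use.
BASELINE = {
    "Microsoft Graph": {"Organization.Read.All", "Group.Read.All", "User.Read.All"},
    "SharePoint": {"Sites.FullControl.All", "User.Read.All"},
    "Office 365 Exchange Online": {"full_access_as_app", "Exchange.ManageAsApp"},
}
# Per the note above, Sites.Selected may replace Sites.FullControl.All.
SUBSTITUTES = {("SharePoint", "Sites.FullControl.All"): "Sites.Selected"}

# Constructed sample, not real tenant data: (api, permission, type, admin_consented).
SAMPLE = [
    ("Microsoft Graph", "Organization.Read.All", "Application", True),
    ("Microsoft Graph", "Group.Read.All", "Application", True),
    ("Microsoft Graph", "User.Read.All", "Delegated", True),
    ("Microsoft Graph", "Directory.ReadWrite.All", "Application", True),
    ("SharePoint", "Sites.Selected", "Application", True),
    ("SharePoint", "User.Read.All", "Application", True),
    ("Office 365 Exchange Online", "full_access_as_app", "Application", False),
    ("Office 365 Exchange Online", "Exchange.ManageAsApp", "Application", True),
]


def audit(grants):
    """Return (missing, excess, problems) for a list of grant tuples."""
    usable, problems = set(), []
    for api, perm, kind, consented in grants:
        if kind != "Application":
            problems.append(f"{api}/{perm}: granted as {kind}, table requires Application")
        elif not consented:
            # Application permissions take effect only after admin consent.
            problems.append(f"{api}/{perm}: admin consent not granted")
        else:
            usable.add((api, perm))
    satisfied, missing = set(), []
    for api, perms in BASELINE.items():
        for perm in perms:
            sub = SUBSTITUTES.get((api, perm))
            if (api, perm) in usable:
                satisfied.add((api, perm))
            elif sub and (api, sub) in usable:
                satisfied.add((api, sub))  # accepted replacement
            else:
                missing.append(f"{api}/{perm}")
    # Anything usable that the baseline does not call for is excess privilege.
    excess = [f"{api}/{perm}" for api, perm in usable - satisfied]
    return sorted(missing), sorted(excess), problems
```

If your tenant does not use every service in the table, remove the corresponding entries from `BASELINE` before running the comparison.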

The following services support using a custom Azure app for authentication. The permissions of the custom app vary with the different cloud services your tenant is using.

Click the links listed below to view the required permissions for your services.

Google Tenant Custom Apps

For Google tenants, a default service app may encounter throttling caused by Google quota limits. If performance is a concern, consider configuring a custom Google app for your organization.

Click the links listed below to view the required permissions for your services.