Required Permissions of Microsoft Delegated App
If you want to perform any of the following tasks, you must configure a default Microsoft Delegated app. Note that a custom Azure app with delegated permissions is not yet supported by IBM® Storage Protect for Cloud Microsoft 365.
- Restore Teams Channel conversations as new posts to the channel. Note: In this case, the authentication user of the delegated app must have a Teams license. The Restore conversations as posts feature is not available in the data center that is operated by 21Vianet in China. Only backup data generated in a new backup cycle after June 1, 2021 can be used to restore the conversations as posts.
- Protect Power® BI workspaces.
- Protect Power Automate cloud flows.
- Protect Power Apps data (standard Canvas apps and component libraries).
- Restore Planner task comments.
Consent from a Microsoft 365 Global Administrator is required when creating a delegated app profile and must be retained. The consent user of the delegated app for Power Automate must also have the Environment Admin/System Administrator role. However, the consent can be revoked in the following cases:
- If you only use this delegated app to restore Teams channel conversations as posts or restore Planner task comments, the consent can be revoked and the Global admin role can be removed.
- If you only use this delegated app to protect the Power BI content, the consent can be revoked, but the authentication user must have a Power BI Pro license or a Premium Per User (PPU) license, and have at least the Fabric Administrator role (the former Power BI admin role) for the Auto Discovery scan and the backup.
- If you only use this delegated app to protect Power Automate, the consent can be revoked as well, but the authentication user must have at least the Environment Admin/System Administrator role and the Power Platform admin role for Auto Discovery scan and the backup.
- If you use this delegated app to protect the Power Apps data, the consent can be revoked, but the authentication user must have at least the Power Platform admin role and the Environment Admin/System Administrator role for the Auto Discovery scan and the backup, and the Power Apps for Microsoft 365 license to proceed.
Refer to the following table for the permissions that are granted to the Microsoft Delegated app:
| API | Permissions | Why do we need it? | Feature Category |
|---|---|---|---|
| | openid (Sign users in) | Authenticates users by obtaining their consent. | All |
| | profile (View users' basic profile) | Retrieves users' profile information. | All |
| | offline_access (Maintain access to data you have given it access to) | Maintains access over an extended period without requiring the user to re-authorize frequently. | All |
| Microsoft Graph | ChannelMessage.Send (Send channel messages) | Sends messages to channels in Microsoft Teams. | Restore channel conversations as posts |
| Microsoft Graph | TeamMember.ReadWrite.All (Add and remove members from teams) | Adds members to Microsoft Teams. | Restore channel conversations as posts |
| Microsoft Graph | ChannelMember.ReadWrite.All (Add and remove members from channels) | Adds members to channels in Microsoft Teams. | Restore channel conversations as posts |
| Microsoft Graph | Directory.Read.All (Read directory data) | Retrieves all users' full profiles and user domain information. | Power BI & Power Automate & Power Apps |
| Microsoft Graph | Group.ReadWrite.All (Read and write all groups) | Retrieves the conversation thread. | Restore Planner task comments |
| Power BI Services | Tenant.ReadWrite.All (Read and write all content in tenant) | Retrieves the workspaces and backs them up, or adds users to the workspace. | Power BI |
| Power BI Services | Workspace.ReadWrite.All (Read and write all workspaces) | Gets and restores workspaces. | Power BI |
| Power BI Services | Capacity.Read.All (View all capacities) | Retrieves capacities (including multi-geo). | Power BI |
| Power BI Services | Report.ReadWrite.All (Read and write all reports) | Performs backup for reports. | Power BI |
| Power BI Services | Dataset.ReadWrite.All (Read and write all datasets) | Performs backup and restore for reports. | Power BI |
| PowerApps Service | User (Access PowerApps Service API) | Retrieves Power Automate cloud flows for the Auto Discovery scan and for IBM Storage Protect for Cloud. | Power Automate |
| PowerApps Service | User (Access PowerApps Service API) | Retrieves standard Canvas apps and component libraries in Power Apps for the Auto Discovery scan and for IBM Storage Protect for Cloud. | Power Apps |
| Dynamics CRM | User_impersonation (Access Common Data Service as organization users) | Retrieves Power Automate desktop flows and business process flows for the Auto Discovery scan. | Power Automate |
| Dynamics CRM | User_impersonation (Access Common Data Service as organization users) | Retrieves standard Canvas apps and component libraries in Power Apps for the Auto Discovery scan. | Power Apps |
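The table above maps each feature to the delegated scopes it needs, and the consent notes earlier on the page make the point that a tenant using only some features does not need all of them. The following added example (not IBM Storage Protect for Cloud code) turns that table into a least-privilege audit: given the features in use and the scopes actually granted to the delegated app, it reports what is missing and what could be revoked. It assumes the grants are supplied per resource API as a space-separated scope string (the shape of an Entra oauth2PermissionGrant `scope` attribute) and that the three sign-in scopes, for which the table leaves the API column blank, are granted on Microsoft Graph; the sample grants are constructed.

```python
# Added example, not IBM Storage Protect for Cloud code: least-privilege audit of
# a delegated app's granted scopes against the feature-to-permission table on
# this page. Grants are given per resource API as a space-separated scope string,
# the shape of an Entra oauth2PermissionGrant "scope" attribute.

# Feature -> {(resource API, delegated scope)} from the table. The page leaves
# the API blank for the three sign-in scopes; Microsoft Graph is assumed here.
G, PBI, PA, CRM = "Microsoft Graph", "Power BI Services", "PowerApps Service", "Dynamics CRM"
REQUIRED = {
    "All": {(G, "openid"), (G, "profile"), (G, "offline_access")},
    "Restore channel conversations as posts": {
        (G, "ChannelMessage.Send"), (G, "TeamMember.ReadWrite.All"),
        (G, "ChannelMember.ReadWrite.All")},
    "Restore Planner task comments": {(G, "Group.ReadWrite.All")},
    "Power BI": {(G, "Directory.Read.All"), (PBI, "Tenant.ReadWrite.All"),
                 (PBI, "Workspace.ReadWrite.All"), (PBI, "Capacity.Read.All"),
                 (PBI, "Report.ReadWrite.All"), (PBI, "Dataset.ReadWrite.All")},
    "Power Automate": {(G, "Directory.Read.All"), (PA, "User"), (CRM, "User_impersonation")},
    "Power Apps": {(G, "Directory.Read.All"), (PA, "User"), (CRM, "User_impersonation")},
}

def required_scopes(features):
    """Scopes every profile needs ('All') plus those of each feature in use."""
    needed = set(REQUIRED["All"])
    for feature in features:
        needed |= REQUIRED[feature]
    return needed

def audit(grants, features):
    """grants: {resource API: 'scope1 scope2 ...'}. Returns two sorted lists of
    (api, scope): permissions still missing, and granted ones that no feature
    in use needs (candidates to revoke). Scopes are lowercased for comparison."""
    granted = {(api, s.lower()) for api, sc in grants.items() for s in sc.split()}
    needed = {(api, s.lower()) for api, s in required_scopes(features)}
    return sorted(needed - granted), sorted(granted - needed)

# Constructed sample: consent was given for Teams, Planner and Power BI scopes,
# but this tenant only restores Teams channel conversations as posts.
SAMPLE_GRANTS = {
    G: "openid profile offline_access ChannelMessage.Send TeamMember.ReadWrite.All "
       "ChannelMember.ReadWrite.All Directory.Read.All Group.ReadWrite.All",
    PBI: "Tenant.ReadWrite.All Workspace.ReadWrite.All",
}

if __name__ == "__main__":
    missing, revocable = audit(SAMPLE_GRANTS, ["Restore channel conversations as posts"])
    print("missing:", missing)
    print("revocable:", revocable)
```

Running it against the sample reports nothing missing for the Teams restore feature and flags Directory.Read.All, Group.ReadWrite.All and the two Power BI scopes as revocable.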