App Profile Authentication

App profile authentication (using the IBM® Storage Protect for Cloud Microsoft 365 app, the default Microsoft 365 apps, or a custom Azure app) ensures that all Auto Discovery and IBM Storage Protect for Cloud Microsoft 365 jobs are tagged as the activities of that app. It also means that no service accounts or passwords need to be stored; only the consent is recorded. The consent can be monitored in your Microsoft Entra ID and can be revoked at any time.

You can consent to apps separately for the services you want to protect. If you do not have service apps, IBM Storage Protect for Cloud will use the default Microsoft 365 app or custom Azure app to scan or protect the data.
  • If you want to use IBM Storage Protect for Cloud for the SharePoint Online, OneDrive, Exchange Online, Public Folders, Microsoft 365 Groups, and Teams services in the app context, you need an IBM Storage Protect for Cloud Microsoft 365 app or a Microsoft 365 app connected to your tenant. If you use the Teams Chat service, you need to configure a custom app for Teams Chat.

  • If you use the Viva Engage service, you need to configure the Microsoft 365 app (All permissions) or IBM Storage Protect for Cloud app (All permissions), and the Viva Engage app. Alternatively, you can have a custom Azure app with delegated permissions.
    • For the permissions required by the Microsoft 365 app, refer to Required Permissions of Microsoft 365 App Profile.
    • For the permissions required by the Viva Engage app, as well as the minimum API permissions that you must grant to the custom app, refer to Required Permissions of Viva Engage App.
    • The authentication user for the Viva Engage app must be a Microsoft 365 Global Administrator with the Viva Engage product license. To re-authorize the Viva Engage app, the authentication user must have the Verified Admin role and the Yammer administrator role with the Viva Engage product license.
  • If you want to use IBM Storage Protect for Cloud for Project Online, you can use an app profile to scan the Project Online site collections. In this way, the service account does not require the Site Collection Administrator role. However, Project Online data cannot be protected in the app context (using app profile authentication), so a service account with sufficient permissions is still required for backing up and restoring Project Online. For the required permissions of a service account, refer to Service Account Authentication.
  • If you want to use IBM Storage Protect for Cloud for Power BI, Power Automate, or Power Apps in the app context, restore Teams channel conversations as new posts to the channel, or restore Planner task comments, you must configure an app profile for the Microsoft Delegated app or a custom Azure app with delegated permissions. If you want to restore Teams channel conversations as new posts, the authentication user must have the Teams license.

    For the permissions required by the Microsoft Delegated app, refer to Required Permissions of Microsoft Delegated App.

Note: If you are using a multi-geo tenant, ensure the app profile has the Exchange Administrator role. This role is required to restore the region information for Microsoft 365 Groups and Teams. Otherwise, a group or team backed up from a specific region will be restored to the default region. This known issue also exists with service account authentication. For details on how to assign the role to an app, refer to How to Assign the Exchange Administrator Role to an App.
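Because the only thing recorded in the tenant is the consent, an administrator will typically want to see exactly which application and delegated permissions the consented app holds, and whether it carries the Exchange Administrator role mentioned in the note above. The following Microsoft Graph PowerShell script is an added example and is not part of the IBM documentation or the product; it assumes the Microsoft Graph PowerShell SDK is installed and that the display name passed in (the placeholder 'IBM Storage Protect for Cloud Microsoft 365') matches the service principal created by the consent in your tenant.

```powershell
# Added example (not IBM product code). Read-only scopes are enough to audit consent;
# DelegatedPermissionGrant.ReadWrite.All is only needed if you later revoke a grant.
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All" -NoWelcome

function Get-AppConsentReport {
    param(
        [Parameter(Mandatory)] [string] $AppDisplayName
    )

    # The consented app shows up in the tenant as a service principal.
    $candidates = @(Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'" -ErrorAction Stop)
    if ($candidates.Count -ne 1) {
        throw "Expected exactly one service principal named '$AppDisplayName', found $($candidates.Count)."
    }
    $sp = $candidates[0]

    # Application (app-only) permissions: appRoleAssignments where this app is the principal.
    $appRoles = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All | ForEach-Object {
        $assignment = $_
        $resource = Get-MgServicePrincipal -ServicePrincipalId $assignment.ResourceId
        $role = $resource.AppRoles | Where-Object Id -eq $assignment.AppRoleId
        [pscustomobject]@{
            Kind       = 'Application'
            Resource   = $resource.DisplayName
            Permission = $role.Value
            GrantedTo  = $sp.DisplayName
            GrantId    = $assignment.Id
        }
    }

    # Delegated permissions: oauth2PermissionGrants for this client. ConsentType 'AllPrincipals'
    # is tenant-wide admin consent; 'Principal' is consent by a single user.
    $delegated = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All | ForEach-Object {
        $grant = $_
        $resource = Get-MgServicePrincipal -ServicePrincipalId $grant.ResourceId
        foreach ($scope in ($grant.Scope -split ' ' | Where-Object { $_ })) {
            [pscustomobject]@{
                Kind       = 'Delegated'
                Resource   = $resource.DisplayName
                Permission = $scope
                GrantedTo  = if ($grant.ConsentType -eq 'AllPrincipals') { 'All users (admin consent)' } else { "User $($grant.PrincipalId)" }
                GrantId    = $grant.Id
            }
        }
    }

    # Directory role check for the multi-geo note. Get-MgDirectoryRole only lists roles that
    # have been activated in the tenant, so a missing role object also means "not assigned".
    $hasExchangeAdmin = $false
    $role = Get-MgDirectoryRole -Filter "displayName eq 'Exchange Administrator'"
    if ($role) {
        $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
        $hasExchangeAdmin = [bool]($members | Where-Object Id -eq $sp.Id)
    }

    [pscustomobject]@{
        App                      = $sp.DisplayName
        ServicePrincipalId       = $sp.Id
        Grants                   = @($appRoles) + @($delegated)
        HasExchangeAdministrator = $hasExchangeAdmin
    }
}

# Usage: placeholder display name, replace with the app you consented to.
$report = Get-AppConsentReport -AppDisplayName 'IBM Storage Protect for Cloud Microsoft 365'
$report.Grants | Format-Table Kind, Resource, Permission, GrantedTo -AutoSize
if (-not $report.HasExchangeAdministrator) {
    Write-Warning "App lacks the Exchange Administrator role; in a multi-geo tenant, Groups/Teams restores will land in the default region."
}
# Revoking a delegated consent (requires DelegatedPermissionGrant.ReadWrite.All at Connect-MgGraph):
#   Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <GrantId from $report.Grants>
```

Run the audit after each consent or re-authorization and keep the output with your change records: the Grants list is the complete statement of what the app can do in the tenant, and the Exchange Administrator check tells you in advance whether region information for Groups and Teams can be restored.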

For the permission requirements of an app profile for a specific service type, refer to the section below.