Happy Friday, everyone. I want to share something that I recently ran into. We had Veeam Backup for Entra ID set up for an organization when it was first released and recently turned on the new(ish) feature to back up Intune and Conditional Access Policies. The jobs started failing. It looks like there are a few application and delegated permissions that need to be added to the application that was created when the tenant was first set up. My guess is that when the application was initially created, it didn’t need these permissions so they were never set. Going forward, having Veeam create new applications would add all of these permissions automatically.
In the Veeam documentation found here:
Permissions - Veeam Backup & Replication User Guide
It states:
To perform backup, the application must have the following permissions:
Microsoft Graph application permissions: AuditLog.Read.All, Directory.Read.All, Group.Read.All, MailboxSettings.Read, RoleManagement.Read.Directory, User.Read.All, Policy.Read.All, Policy.ReadWrite.ConditionalAccess, Agreement.Read.All, DeviceManagementConfiguration.Read.All.
To be able to further perform restore, the application must have the following permissions:
Microsoft Graph delegated permissions: Directory.ReadWrite.All, RoleManagement.ReadWrite.Directory, AdministrativeUnit.ReadWrite.All, Directory.AccessAsUser.All, Application.ReadWrite.All, Group.ReadWrite.All, Policy.ReadWrite.ConditionalAccess, Agreement.Read.All, DeviceManagementConfiguration.ReadWrite.All
The permissions in bold are the ones needed for Conditional Access Policy backup and restore and the ones in italics are the ones needed for Intune Policy backup and restore.
I hope that this helps anyone who was in my situation with the older application permissions not working to back up these policies.
Hin
P.S.
Don’t forget:
✔️ Grant admin consent after adding the permissions.
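A small check, added here and not part of the post or of Veeam's own tooling, that compares what an app registration actually requests against the two permission lists quoted above. It assumes you have already pulled the application object and the Microsoft Graph service principal from the Graph API (the `requiredResourceAccess`, `appRoles` and `oauth2PermissionScopes` shapes are Graph's own); the sample objects and their IDs are constructed.

```python
# Added example, not Veeam's code; the sample data and its IDs are constructed.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # well-known Graph resource app ID

# Permission names as quoted from the Veeam documentation in the post.
REQUIRED_APP = set("""AuditLog.Read.All Directory.Read.All Group.Read.All
    MailboxSettings.Read RoleManagement.Read.Directory User.Read.All Policy.Read.All
    Policy.ReadWrite.ConditionalAccess Agreement.Read.All
    DeviceManagementConfiguration.Read.All""".split())
REQUIRED_DELEGATED = set("""Directory.ReadWrite.All RoleManagement.ReadWrite.Directory
    AdministrativeUnit.ReadWrite.All Directory.AccessAsUser.All Application.ReadWrite.All
    Group.ReadWrite.All Policy.ReadWrite.ConditionalAccess Agreement.Read.All
    DeviceManagementConfiguration.ReadWrite.All""".split())

def missing_permissions(app, graph_sp):
    """Return (missing application permissions, missing delegated permissions).

    app: application object carrying 'requiredResourceAccess'.
    graph_sp: the Microsoft Graph service principal; its 'appRoles' and
    'oauth2PermissionScopes' map permission IDs back to their names.
    """
    role_names = {r["id"]: r["value"] for r in graph_sp["appRoles"]}
    scope_names = {s["id"]: s["value"] for s in graph_sp["oauth2PermissionScopes"]}
    have_app, have_delegated = set(), set()
    for resource in app.get("requiredResourceAccess", []):
        if resource["resourceAppId"] != GRAPH_APP_ID:
            continue  # permissions on other resource APIs do not count here
        for access in resource["resourceAccess"]:
            if access["type"] == "Role":       # application permission
                have_app.add(role_names.get(access["id"], access["id"]))
            elif access["type"] == "Scope":    # delegated permission
                have_delegated.add(scope_names.get(access["id"], access["id"]))
    return sorted(REQUIRED_APP - have_app), sorted(REQUIRED_DELEGATED - have_delegated)

# Constructed sample: a trimmed Graph service principal and an older app
# registration that only ever received the original Entra ID permissions.
SAMPLE_GRAPH_SP = {
    "appRoles": [{"id": "r-1", "value": "Directory.Read.All"},
                 {"id": "r-2", "value": "Policy.Read.All"},
                 {"id": "r-3", "value": "DeviceManagementConfiguration.Read.All"}],
    "oauth2PermissionScopes": [{"id": "s-1", "value": "Directory.ReadWrite.All"},
                               {"id": "s-2", "value": "Policy.ReadWrite.ConditionalAccess"}],
}
SAMPLE_APP = {"requiredResourceAccess": [{
    "resourceAppId": GRAPH_APP_ID,
    "resourceAccess": [{"id": "r-1", "type": "Role"}, {"id": "s-1", "type": "Scope"}],
}]}

if __name__ == "__main__":
    app_missing, delegated_missing = missing_permissions(SAMPLE_APP, SAMPLE_GRAPH_SP)
    print("Missing application permissions:", app_missing)
    print("Missing delegated permissions:", delegated_missing)
```

This only reports what the registration requests; admin consent is a separate grant on the service principal, which is why the P.S. still applies after the permissions are added.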
