Privileges and Permissions

Privileges required to back up using RecoveryManager Plus

ManageEngine RecoveryManager Plus provides administrators the ability to back up and restore their Active Directory, Azure Active Directory, Microsoft 365, Exchange, and Google Workspace environments.

The following table lists the privileges required to back up and restore using RecoveryManager Plus.

| Component | Privileges Required | Additional Remarks |
|---|---|---|
| Active Directory | A member of the Domain Administrators group. If you wish to store the password of user accounts when the user account gets deleted, make sure that the account used is a member of the Schema Administrators group. | If you choose to save passwords of user accounts, RecoveryManager Plus will modify the AD schema to instruct AD to retain the Unicode-pwd attribute when a user is deleted. The Schema Administrator privilege is required to modify the schema accordingly. |
| Azure Active Directory and Microsoft 365 | A service account with Exchange administrator role. | The user whose account is used to configure the product will be provided Site Admin Permission to all SharePoint Online and OneDrive for Business sites by the product during the initial full backup. To remove the user account’s access to particular SharePoint Online and OneDrive for Business sites, follow the steps listed here. |
| Exchange on-premises | A member of the Organization Management role group | |
| Google Workspace | Google Workspace domain administrator | |
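
A read-only PowerShell check for the schema change described in the Active Directory row above, added here as an example and not taken from RecoveryManager Plus or its documentation. It assumes the retention is implemented through the preserve-on-delete bit (0x8) of the attribute's searchFlags, which is Active Directory's schema mechanism for keeping an attribute on deleted objects, and that the RSAT ActiveDirectory module is installed.

```powershell
# Added example (not vendor code). Read-only: nothing in the directory is modified.
Import-Module ActiveDirectory

# Bit values of the searchFlags attribute on attributeSchema objects.
[Flags()] enum SearchFlags {
    Index            = 1
    ContainerIndex   = 2
    Anr              = 4
    PreserveOnDelete = 8      # attribute is kept on the deleted (tombstoned) object
    Copy             = 16
    TupleIndex       = 32
    SubtreeIndex     = 64
    Confidential     = 128
    NeverAudit       = 256
    RodcFiltered     = 512
}

# 1. Is unicodePwd currently retained when a user object is deleted?
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC `
                     -LDAPFilter '(lDAPDisplayName=unicodePwd)' `
                     -Properties searchFlags, whenChanged

# An unset searchFlags value is treated as 0 (no flags).
$flags = [SearchFlags][int]$attr.searchFlags

[pscustomobject]@{
    Attribute           = 'unicodePwd'
    SchemaObject        = $attr.DistinguishedName
    SearchFlags         = $flags
    RetainedOnTombstone = $flags.HasFlag([SearchFlags]::PreserveOnDelete)
    SchemaObjectChanged = $attr.whenChanged
}

# 2. Which accounts currently hold the Schema Administrators privilege?
#    The group exists only in the forest root domain.
$rootDomain = (Get-ADForest).RootDomain
Get-ADGroupMember -Identity 'Schema Admins' -Server $rootDomain -Recursive |
    Select-Object name, objectClass, distinguishedName
```

Running it before and after enabling password retention shows whether the schema object changed and which accounts were able to change it.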

In addition to the above privileges, the Azure AD application requires the following roles and permissions to back up and restore Azure Active Directory and Microsoft 365 services.

| Module | Role Name | Permission | Scope |
|---|---|---|---|
| Exchange Online | Office 365 Exchange Online | EWS.AccessAsUser.All | EWS.AccessAsUser.All |
| | | full_access_as_app | Use Exchange Web Services to backup and restore mailboxes |
| SharePoint & OneDrive | SharePoint | Sites.FullControl.All | Backup and restore sites |
| | | User.ReadWrite.All | Read and write the full set of profile properties, reports, and managers of users |
| Azure AD | Azure Active Directory Graph | Domain.ReadWrite.All | Read and write all domain properties |
| | Microsoft Graph | AppRoleAssignment.ReadWrite.All | Manage app permission grants and app role assignments |
