Required permissions
When creating your Alcion account, you will need to authorize access to your Microsoft 365 tenant. This requires that a Microsoft 365 Global Admin provides admin consent and grants the Alcion application the permissions required to access data in your tenant. Below is a brief summary of the permissions:
| Permissions Name | Short Description | Notes |
|---|---|---|
| User.Read | Sign in and read user profile | Required for Microsoft account login |
| Directory.Read.All | Read directory data | Required for users, teams, and groups* discovery |
| Mail.ReadWrite | Read and write mail in all mailboxes | Required for Exchange mail backup and restore |
| MailboxSettings.Read | Read all user mailbox settings | Required to identify shared mailboxes |
| Calendars.ReadWrite | Read and write calendars in all mailboxes | Required for Exchange calendar backup and restore |
| Contacts.ReadWrite | Read and write contacts in all mailboxes | Required for Exchange contacts backup and restore |
| Sites.FullControl.All | Have full control of all site collections | Required for sharepoint backup and restore |
| SecurityIncident.Read.All | Read all security incidents | Required for ransomware detection |
| SecurityAlert.Read.All | Read all security alerts | Required for ransomware detection |
| Reports.Read.All | Read all usage reports | Required for ransomware detection |
| TeamMember.Read.All | Read the members of teams | Required for team and groups backup |
| TeamSettings.Read.All | Read teams' settings | Required for team and groups backup |
| ChannelSettings.Read.All | Read the names, descriptions, and settings of all channels | Required for teams backup |
| Member.Read.Hidden | Read hidden memberships | Required for teams backup |
| ChannelMessage.Read.All | Read user channel messages | Required for team messages backup |
| Chat.Read.All | Read all chat messages | Required for team messages backup |
For a complete description of each requested permission, you can refer to the Microsoft Graph Permissions Reference.
Permissions re-consent requests
Alcion constantly improves and expands the set of backup, restore, and security features available to its customers. In some cases, the new functionality may require extra permissions compared the set that was granted previously. If this happens or if some permissions are revoked, Alcion will automatically prompt you to re-consent to the updated permissions the next time you log into the Alcion UI.
Granting permissions
To grant Alcion the above permissions, you will need to use an account with a Global Admin role. The privileged account is only for the initial permissions grant, and the account you used to login into Alcion doesn't need this role.