Skip to main content

Required permissions

When creating your Alcion account, you will need to authorize access to your Microsoft 365 tenant. This requires that a Microsoft 365 Global Admin provides admin consent and grants the Alcion application the permissions required to access data in your tenant. Below is a brief summary of the permissions:

Permissions NameShort DescriptionNotes
User.ReadSign in and read user profileRequired for Microsoft account login
Directory.Read.AllRead directory dataRequired for users, teams, and groups* discovery
Mail.ReadWriteRead and write mail in all mailboxesRequired for Exchange mail backup and restore
MailboxSettings.ReadRead all user mailbox settingsRequired to identify shared mailboxes
Calendars.ReadWriteRead and write calendars in all mailboxesRequired for Exchange calendar backup and restore
Contacts.ReadWriteRead and write contacts in all mailboxesRequired for Exchange contacts backup and restore
Sites.FullControl.AllHave full control of all site collectionsRequired for sharepoint backup and restore
SecurityIncident.Read.AllRead all security incidentsRequired for ransomware detection
SecurityAlert.Read.AllRead all security alertsRequired for ransomware detection
Reports.Read.AllRead all usage reportsRequired for ransomware detection
TeamMember.Read.AllRead the members of teamsRequired for team and groups backup
TeamSettings.Read.AllRead teams' settingsRequired for team and groups backup
ChannelSettings.Read.AllRead the names, descriptions, and settings of all channelsRequired for teams backup
Member.Read.HiddenRead hidden membershipsRequired for teams backup
ChannelMessage.Read.AllRead user channel messagesRequired for team messages backup
Chat.Read.AllRead all chat messagesRequired for team messages backup

For a complete description of each requested permission, you can refer to the Microsoft Graph Permissions Reference.

Alcion constantly improves and expands the set of backup, restore, and security features available to its customers. In some cases, the new functionality may require extra permissions compared the set that was granted previously. If this happens or if some permissions are revoked, Alcion will automatically prompt you to re-consent to the updated permissions the next time you log into the Alcion UI.

Granting permissions

To grant Alcion the above permissions, you will need to use an account with a Global Admin role. The privileged account is only for the initial permissions grant, and the account you used to login into Alcion doesn't need this role.