ManageEngine RecoveryManager Plus provides administrators the ability to back up and restore their Active Directory, Azure Active Directory, Microsoft 365, Exchange, and Google Workspace environments.
This following table will explain the level of privileges required to backup and restore using RecoveryManager Plus.
| Component | Privileges Required | Additional Remarks |
| Active Directory |
| If you wish to store the password of user accounts when the user account gets deleted, make sure that the account used is a member of the Schema Administrators group. If you choose to save passwords of user accounts, RecoveryManager Plus will modify the AD schema to instruct AD to retain the Unicode-pwd attribute when a user is deleted. The Schema Administrator privilege is required to modify the schema accordingly. |
| Azure Active Directory and Microsoft 365 | A service account with Exchange administrator role. | The user whose account is used to configure the product will be provided Site Admin Permission to all SharePoint Online and OneDrive for Business sites by the product during the initial full backup. To remove the user account’s access to particular SharePoint Online and OneDrive for Business sites, follow the steps listed here. |
| Exchange on-premises | A member of the Organization Management role group | |
| Google Workspace | Google Workspace domain administrator |
In addition to the above privileges, the following roles and permissions are required by the Azure AD application to backup and restore Azure Active Directory and Microsoft 365 services.
| Module | Role Name | Permission | Scope |
| Exchange Online | Office 365 Exchange Online | EWS.AccesAsUser.All | EWS.AccesAsUser.All |
| full_access_as_app | Use Exchange Web Services to backup and restore mailboxes | ||
| SharePoint & OneDrive | SharePoint | Sites.FullControl.All | Backup and restore sites |
| User.ReadWrite.All | Read and write the full set of profile properties, reports, and managers of users | ||
| Azure AD | Azure Active Directory Graph | Domain.ReadWrite.All | Read and write all domain properties |
| Microsoft Graph | AppRoleAssignment.ReadWrite.All | Manage app permission grants and app role assignments |
You're one step away from insuring your AD environment against disasters.
Couldn't find the feature you wanted? Raise a feature request