Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. Cohesity Alta SaaS Protection Administrator's Guide
  3. API permissions
  4. API permissions for Entra ID
Cohesity Alta SaaS Protection Administrator's Guide

API permissions for Entra ID

The following API permissions are required for Entra ID backup operation.

Table:

API name

Claim name

permissions

Description my Microsoft

Used by Cohesity Alta SaaS Protection

Microsoft Graph

Group.Read.All

Read all groups

Allows the app to read group properties and memberships, and read conversations for all groups, without a signed-in user.

Used to read group information

User.Read.All

Read all users' full profiles

Allows the app to read user profiles without a signed-in user.

Used to read user profile details during backup.

Application.ReadWrite.All

Read and write all applications

Allows the app to create, read, update and delete applications and service principals without a signed-in user. Does not allow management of consent grants.

Used to read application settings and to get Token issuance policies and token lifetime policies during backup.

Directory.ReadAll

Read directory data

Allows the app to read all directory data.

Used to read directory data, including user, group, and app information.

Policy.Read.All

Read your organization's policies

Allows the app to read your organization's policies.

Used to read organizational policies during backup.

The following API permissions are required for Entra ID restore operation.

Table:

API name

Claim name

Permissions

Description my Microsoft

Used by Cohesity Alta SaaS Protection

Microsoft Graph

Directory.ReadWrite.All

Read and write directory data.

Allows the app to read and write data in your organization's directory, such as users, and groups, without a signed-in user. Does not allow user or group deletion.

To restore directory data, including user and group.

User.ReadWrite.All

Read and write all users' full profiles.

Allows the app to read and write user profiles without a signed-in user.

To restore user profile details during recovery workflows.

Group.ReadWrite.All

Read and write all groups.

Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write conversations. All of these operations can be performed by the app without a signed-in user.

To restore groups, group properties and memberships for groups.

Application.ReadWrite.All

Read and write all applications.

Allows the app to create, read, update and delete applications and service principals without a signed-in user. Does not allow management of consent grants.

To create & restore the application registration during recovery processes.

GroupMember.ReadWrite.All

Read and write all group memberships.

Allows the app to list groups, read basic properties, read and update the membership of the groups this app has access to without a signed-in user. Group properties and owners cannot be updated and groups cannot be deleted.

To update & restore the group membership.

Device.ReadWrite.All

Read and write devices

Allows the app to read and write all device properties without a signed in user. Does not allow device creation, device deletion or update of device alternative security identifiers.

To add group members of Device type during recovery processes.

OrgContact.Read.All

Read organizational contacts.

Allows the app to read all organizational contacts without a signed-in user. These contacts are managed by the organization and are different from a user's personal contacts.

To read the organizational contacts during recovery workflows.

AppRoleAssignment.ReadWrite.All

Manage app permission grants and app role assignments.

Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, without a signed-in user.

To manage app roles and permission grants during recovery operations.

RoleManagement.ReadWrite.Directory

Read and write all directory RBAC settings.

Allows the app to read and manage the role-based access control (RBAC) settings for your company's directory, without a signed-in user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships.

To restore RBAC settings during recovery workflows.

Policy.ReadWrite.ApplicationConfiguration

Read and write your organization's application configuration policies.

Allows the app to read and write your organization's application configuration policies, without a signed-in user.

To restore application configuration policies during recovery processes.

Feedback

Was this page helpful?
Previous

System and API permissions for Salesforce

Next

App permissions of Web App

Feedback

Was this page helpful?