# Required permissions

**The required Microsoft 365 permissions define the access levels Xopero ONE needs to securely back up and restore your data.**

***

## General requirements

To integrate a **Microsoft 365** organization with **Xopero ONE**, ensure it uses a **Microsoft 365** business license.

To back up a single **Microsoft 365** account, the account must have a **Microsoft 365** license assigned. This also applies to shared mailboxes. License assignments can be managed in the **Microsoft 365** admin center.

Each **Microsoft 365** account and shared mailbox requires one **Xopero ONE** license to back up its data.

The backup process requires a backup agent (worker), which communicates with the **Microsoft 365** API, downloads the requested data, and performs the backup. You can use either a cloud or local worker. Any device with the **Xopero ONE Backup\&Recovery Agent** installed can act as a worker.

{% hint style="success" %}
You do not need to assign any licenses to cloud workers — the appropriate license is assigned automatically by the **Xopero ONE** system.
{% endhint %}

***

## Account permissions

To add your **Microsoft 365** organization to **Xopero ONE**, you must use a global administrator account. Only a global administrator has the necessary permissions to back up data from all user accounts in the organization.

{% hint style="info" %}
Learn more about **Microsoft 365** administrator roles in [the official Microsoft documentation](https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide).
{% endhint %}

***

## Application permissions <a href="#xopero-one-registrator" id="xopero-one-registrator"></a>

The following tables list the **Xopero** apps that are automatically installed in the end user's **Entra ID** when integrating **Microsoft 365** with **Xopero ONE**, together with the permissions each app holds.

### <mark style="background-color:blue;">Xopero ONE Registrator</mark> <a href="#xopero-one-registrator" id="xopero-one-registrator"></a>

This application is used at the beginning of the integration to install and grant the necessary permissions for the **Xopero ONE MS365 PRO** app.

#### Microsoft Graph <a href="#microsoft-graph" id="microsoft-graph"></a>

| API name        | Claim value                | Permission                                          | Type      |
| --------------- | -------------------------- | --------------------------------------------------- | --------- |
| Microsoft Graph | Directory.AccessAsUser.All | Access directory as the signed-in user.             | delegated |
| Microsoft Graph | offline\_access            | Maintain access to data you have granted access to. | delegated |
| Microsoft Graph | profile                    | View user's basic profile.                          | delegated |
| Microsoft Graph | openid                     | Sign users in.                                      | delegated |

### <mark style="background-color:blue;">Xopero ONE MS365 PRO</mark> <a href="#xopero-one-ms365-pro" id="xopero-one-ms365-pro"></a>

This application is required to back up and recover data from **Microsoft 365** tenants and is installed automatically in **Entra ID** by **Xopero ONE Registrator**.

#### Microsoft Graph <a href="#microsoft-graph.1" id="microsoft-graph.1"></a>

| API name        | Claim value               | Permission                                                    | Type        |
| --------------- | ------------------------- | ------------------------------------------------------------- | ----------- |
| Microsoft Graph | Mail.ReadWrite            | Read and write mail in all mailboxes.                         | application |
| Microsoft Graph | User.ReadWrite.All        | Read and write all users' full profile information.           | application |
| Microsoft Graph | Application.ReadWrite.All | Read and write all applications.                              | application |
| Microsoft Graph | Group.Read.All            | Read all groups.                                              | application |
| Microsoft Graph | Contacts.ReadWrite        | Read and write contacts in all mailboxes.                     | application |
| Microsoft Graph | Group.Create              | Create groups.                                                | application |
| Microsoft Graph | Files.ReadWrite.All       | Read and write files in all site collections.                 | application |
| Microsoft Graph | Calendars.ReadWrite       | Read and write calendars in all mailboxes.                    | application |
| Microsoft Graph | Tasks.ReadWrite           | Create, read, update, and delete user's tasks and task lists. | delegated   |
| Microsoft Graph | Directory.ReadWrite.All   | Read and write directory data.                                | delegated   |
| Microsoft Graph | Group.ReadWrite.All       | Read and write all groups.                                    | delegated   |
| Microsoft Graph | offline\_access           | Maintain access to data you have granted access to.           | delegated   |

#### Exchange Online <a href="#exchange-online" id="exchange-online"></a>

| API name                   | Claim value             | Permission                                                                 | Type        |
| -------------------------- | ----------------------- | -------------------------------------------------------------------------- | ----------- |
| Office 365 Exchange Online | full\_access\_as\_app   | Use **Exchange Web Services** (**EWS**) with full access to all mailboxes. | application |
| Office 365 Exchange Online | Mail.ReadWrite          | Read and write mail in all mailboxes.                                      | application |
| Office 365 Exchange Online | Calendars.ReadWrite.All | Read and write calendars in all mailboxes.                                 | application |
| Office 365 Exchange Online |                         |                                                                            | delegated   |
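
The following added example is not part of Xopero ONE or its documentation. It compares the permissions actually granted to an app's service principal with the Microsoft Graph and Exchange Online tables above, taking as input the `appRoleAssignments`, `oauth2PermissionGrants`, and resource `servicePrincipal` objects in the shape Microsoft Graph returns them; the function names and the sample data are hypothetical.

```python
# Added example: audit an app's granted permissions against the documented list.
# Baseline copied from the Microsoft Graph and Exchange Online tables on this page.
DOCUMENTED = {
    ("Microsoft Graph", "application"): {
        "Mail.ReadWrite", "User.ReadWrite.All", "Application.ReadWrite.All",
        "Group.Read.All", "Contacts.ReadWrite", "Group.Create",
        "Files.ReadWrite.All", "Calendars.ReadWrite"},
    ("Microsoft Graph", "delegated"): {
        "Tasks.ReadWrite", "Directory.ReadWrite.All", "Group.ReadWrite.All",
        "offline_access"},
    ("Office 365 Exchange Online", "application"): {
        "full_access_as_app", "Mail.ReadWrite", "Calendars.ReadWrite.All"},
}

def granted_permissions(resources, app_role_assignments, oauth2_grants):
    """Resolve Graph objects to {(API name, type): {claim values}}."""
    unknown = {"displayName": "unknown API", "appRoles": []}
    by_id = {r["id"]: r for r in resources}
    granted = {}
    for a in app_role_assignments:          # application permissions
        res = by_id.get(a["resourceId"], unknown)
        roles = {r["id"]: r["value"] for r in res["appRoles"]}
        # Keep an unresolvable role visible instead of silently dropping it.
        value = roles.get(a["appRoleId"], "unresolved:" + a["appRoleId"])
        granted.setdefault((res["displayName"], "application"), set()).add(value)
    for g in oauth2_grants:                 # delegated permissions
        api = by_id.get(g["resourceId"], unknown)["displayName"]
        granted.setdefault((api, "delegated"), set()).update(g["scope"].split())
    return granted

def drift(granted, documented=DOCUMENTED):
    """Return (extra, missing) as {(API name, type): {claim values}}."""
    keys = set(granted) | set(documented)
    extra = {k: granted.get(k, set()) - documented.get(k, set()) for k in keys}
    missing = {k: documented.get(k, set()) - granted.get(k, set()) for k in keys}
    return ({k: v for k, v in extra.items() if v},
            {k: v for k, v in missing.items() if v})

# Constructed sample data (placeholder ids, not real Entra ID object ids).
SAMPLE_RESOURCES = [
    {"id": "res-graph", "displayName": "Microsoft Graph", "appRoles": [
        {"id": "role-1", "value": "Mail.ReadWrite"},
        {"id": "role-2", "value": "Sites.FullControl.All"}]},
]
SAMPLE_ASSIGNMENTS = [{"resourceId": "res-graph", "appRoleId": "role-1"},
                      {"resourceId": "res-graph", "appRoleId": "role-2"}]
SAMPLE_GRANTS = [{"resourceId": "res-graph", "scope": "offline_access Tasks.ReadWrite"}]
```

An entry in `extra` is a grant the tables above do not list and is the result to review first; `missing` entries indicate consent that was not completed or was later revoked.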

#### Office 365 SharePoint Online <a href="#office-365-sharepoint-online" id="office-365-sharepoint-online"></a>

| API name                   | Claim value             | Permission                                                                 | Type        |
| -------------------------- | ----------------------- | -------------------------------------------------------------------------- | ----------- |
| Office 365 Exchange Online | full\_access\_as\_app   | Use **Exchange Web Services** (**EWS**) with full access to all mailboxes. | application |
| Office 365 Exchange Online | Mail.ReadWrite          | Read and write mail in all mailboxes.                                      | application |
| Office 365 Exchange Online | Calendars.ReadWrite.All | Read and write calendars in all mailboxes.                                 | application |
| Office 365 Exchange Online |                         |                                                                            | delegated   |

***

## Useful links and items

{% embed url="<https://learn.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide>" %}


