Partner-managed, organization-managed accounts
IMPORTANT This article does not apply to Backupify customers.
Before becoming a Datto SaaS Protection partner, you need to be aware of the requirements for adding and managing Datto SaaS Protection accounts. The requirements depend on whether you or your organization will manage the SaaS Protection organization.
MSP-managed account
When setting up a new Datto SaaS Protection account for a organization, you indicate whether the account will be managed by you (the partner) or by your organization. If you will be managing the account, you should have global administrator account credentials for the organization's M365 suite. The global administrator account should provide you with privileges for all the organization's users, services, and sites that the organization would like backed up.
The global administrator account credentials allow you to authorize the API scopes SaaS Protection requires to access the organization's M365 services. These API scopes provide SaaS Protection with the permissions to backup and restore M365 data for the organization's Exchange, OneDrive, SharePoint, and Teams applications.
If you don't have the global administrator account credentials when adding a new organization, you can provide the email address of the appropriate organization staff member who will authorize and create the account.
Organization-managed account
When setting up a new Datto SaaS Protection account for a organization that will be managed by the organization, the organization will authorize and create the account. Because the organization will be managing the account, you won't have access to the organization's M365 data.
M365 permissions
While performing the procedure to add a new organization, the specific permissions you are approving are listed for your review. The following summarizes the permissions provided to Datto SaaS Protection.
| Permission | Description |
|---|---|
| Read and write items in all site collections (preview) | Allows backup and restore of SharePoint site content. |
| Read items in all site collections (preview) | Allows backup and restore of SharePoint site content. |
| Read All Users' relevant people lists | Allows Datto SaaS Protection to read the entire organization of the user. |
| Read all OneNote notebooks | Allows backup and restore of OneNote files as part of SharePoint site content. |
| Read and write all OneNote notebooks | Allows backup and restore of OneNote files as part of SharePoint site content. |
| Read and write all user mailbox settings | Allows backup and restore of email in mailboxes. This does not allow Datto SaaS Protection to send mail from these mailboxes. |
| Read the organization’s roster | Allows Datto SaaS Protection to view the organization's roster. |
| Read a limited subset of the organization's roster | Allows Datto SaaS Protection to view the organization's roster. |
| Read and write the organization’s roster | Allows Datto SaaS Protection to read and write the organization's roster. |
| Read all usage reports | Allows Datto SaaS Protection to read customer service usage so we can better estimate the resources required to back up customer data. |
| Read all user mailbox settings | Allows backup and restore of email in mailboxes. This does not allow Datto SaaS Protection to send mail from these mailboxes. |
| Read all hidden memberships | Allows backup and restore of the groups the user is part of. |
| Read mail in all mailboxes | Allows backup and restore of email in mailboxes. This does not allow Datto SaaS Protection to send mail from these mailboxes. |
| Read and write mail in all mailboxes | Allows backup and restore of email in mailboxes. This does not allow Datto SaaS Protection to send mail from these mailboxes. |
| Read contacts in all mailboxes | Allows backup and restore of user contacts in mailboxes. |
| Read and write contacts in all mailboxes | Allows backup and restore of contacts in mailboxes. |
| Read all groups | Allows Datto SaaS Protection to enable group management features for protection. |
| Read and write all groups | Allows Datto SaaS Protection to enable group management features for protection. |
| Read directory data | Allows Datto SaaS Protection to read data in your organization’s directory, including users, groups, and applications for Datto SaaS Protection’s seat management system. |
| Read and write directory data | Allows backup and restore of the directory structure of protected accounts. |
| Read all users’ full profiles | Allows Datto SaaS Protection to read information about the users within your Office 365 organization. |
| Create, edit, and delete items and lists in all site collections | Allows backup and restore of SharePoint site content. |
| Have full control of all site collections | Allows backup and restore of SharePoint site content. |
| Read all user contacts | Allows backup and restore of user contacts. |
| Have full access to user contacts | Allows backup and restore of user contacts. |
| Read user files | This allows Datto SaaS Protection to identify the users that are available for backup and to be able to backup those files. |
| Have full access to user files | Allows backup and restore of user files. |
| Read all files that user can access | Allows backup and restore of user files. |
| Have full access to all files user can access | Allows backup and restore of user files. |
| Read items in all site collections | Allows backup and restore of SharePoint site content. |
| Read user tasks | Allows backup and restore of user tasks. |
| Have full access to user calendars | Allows backup and restore of calendars. |
| Read user calendars | Allows backup and restore of calendars. |
| Read and write access to user mail | Allows backup and restore of email in mailboxes. This does not allow Datto SaaS Protection to send mail from these mailboxes. |
| Read user mail | Allows backup and restore of email in mailboxes. This does not allow Datto SaaS Protection to send mail from these mailboxes. |
| Access directory as the signed in user | This allows Datto SaaS Protection to read data in your organization’s directory, including users, groups, and applications for Datto SaaS Protection’s seat management system. |
| Read and write directory data (duplicate) | Allows backup and restore of the directory structure of protected accounts. |
| Read directory data | This allows Datto SaaS Protection to read data in your organization’s directory, including users, groups, and applications for Datto SaaS Protection’s seat management system. |
| Read all groups | Allows backup and restore of the groups the user is part of. |
| Read all users’ full profiles | This allows Datto SaaS Protection to read information about the users within your Office 365 organization. |
| Read all users’ basic profiles | This allows Datto SaaS Protection to read information about the users within your Office 365 organization. |
| Read user and shared tasks | Allows backup and restore of user tasks. |
| Read and write user and shared contacts | Allows backup and restore of user contacts. |
| Read and write user and shared tasks | Allows backup and restore of user tasks. |
| Read user and shared contacts | Allows backup and restore of user contacts. |
| Read and write user and shared calendars | Allows backup and restore of calendars. |
| Read and write user and shared mail | Allows backup and restore of email in mailboxes. This does not allow Datto SaaS Protection to send mail from these mailboxes. |
| Read user and shared mail | Allows backup and restore of email in mailboxes. This does not allow Datto SaaS Protection to send mail from these mailboxes. |
| Edit or delete items in all site collections | Allows backup and restore of SharePoint site content. |
| Read all usage reports | This allows Datto SaaS Protection to read customer service usage so we can better estimate the resources required to back up customer data. |
| Read user mailbox settings | Allows backup and restore of email in mailboxes. This does not allow Datto SaaS Protection to send mail from these mailboxes. |
| Create OneNote notebooks | Allows backup and restore of OneNote files as part of SharePoint site content. |
| Read user OneNote notebooks | Allows backup and restore of OneNote files as part of SharePoint site content. |
| Read all OneNote notebooks that user can access | Allows backup and restore of OneNote files as part of SharePoint site content. |
| Read and write all OneNote notebooks that user can access | Allows backup and restore of OneNote files as part of SharePoint site content. |
| Read directory data | This allows Datto SaaS Protection to read data in your organization’s directory, including users, groups, and applications for Datto SaaS Protection’s seat management system. |
| Read and write devices | Datto SaaS Protection does not currently make use of this permission but may require it for future features. |
| Access the directory as the signed-in user | This allows Datto SaaS Protection to read data in your organization’s directory, including users, groups, and applications for Datto SaaS Protection’s seat management system. |
| Read and write all groups | This allows Datto SaaS Protection to enable group management features for protection. |
| Sign in and read user profile | This allows Datto SaaS Protection to read information about the users within your Office 365 organization. |
| Read and write items in all site collections | Allows backup and restore of SharePoint site content. |
| Read and write items and lists in all site collections | Allows backup and restore of SharePoint site content. |
| Read and write managed metadata | Datto SaaS Protection does not currently make use of this permission but may require it for future features. |
| Read and write user profiles | Datto SaaS Protection does not currently make use of this permission but may require it for future features. |
| User Exchange Web Services with full access to all mailboxes | Allows backup and restore of Microsoft Exchange services. |
| Read and write calendars in all mailboxes | Allows backup and restore of exchange calendars and email invites. |
| Access mailboxes as the signed-in user via Exchange Web Services | This allows Datto SaaS Protection to have the appropriate levels of access to mailboxes for backups and restores. |
| Read and write user mail | Allows backups and restores of email in mailboxes. This does not allow Datto SaaS Protection to send mail from these mailboxes. |
| Read and write user calendars | Allows backup and restore of calendars. |
| Read and write user contacts | Allows backup and restore of user contacts. |
