Microsoft 365 SharePoint Permissions

From version 19.12, SharePoint Online permissions are now protected during the backup process. This allows you to restore SharePoint items from the backup session with their original permissions.

This is not retroactive, so any backups made before 19.12 was released will not contain permissions.

These permissions are only relevant for backups done via Microsoft 365 protection, not when backing up the MS SharePoint data source via Backup Manager

Restore Permissions Processes

Below are examples of how the restore permissions process works and how you should work around the permissions for a successful restore.

• See the Microsoft page for information on What is permissions inheritance?
• See the Microsoft Customize SharePoint site Permissions page for information on how to configure permissions.

Permissions restore is turned off

When permissions restore is disabled, all items created during a restore will inherit permissions from their parent.

Permissions restore is turned on

When permissions restore is enabled, the permissions inheritance is determined as below:

Restore to the original location

Permissions Inheritance settings on SharePoint Item	Permissions Inheritance of data to restore	Expected response by system
Enabled	Disabled	Inheritance disabled All permissions cleared Only backed up permissions restored
Enabled	Enabled	Permissions restore for such items skipped
Disabled	Disabled	Permissions merged
Disabled	Enabled	Inheritance Enabled

Restore to new location

Permissions Inheritance settings on SharePoint Item	Permissions Inheritance of data to restore	Expected response by system
Enabled	Disabled	Inheritance Enabled
Enabled	Enabled	Inheritance Enabled
Disabled	Disabled	Inheritance Enabled
Disabled	Enabled	Inheritance Enabled

Permissions restore is turned on (overwrite)

There are a number of different situations you may find yourself in with regards to restoring items which inherit role assignments from their parents. In these situations, you should only break inheritance when the parent role assignments are changed. After the parent role assignments are changed, you then need to restore the new role assignments from the backup. When permissions are not changed, permissions inheritance should be turned on.

How it works:

If the original permissions differ from the backed up set:

Role Assignments	Action taken by the system
If it isn't identical:	Inheritance disabled All permissions cleared Only backed up permissions restored
If the item has another set of role assignments:	Role assignments are merged Merging means adding new permissions to the existing, without duplicating and overwriting.
If the item has role assignments which depend on one or several users:	If all users exist	All role assignments restored
	If none of those users exist	Role assignments not restored. In this case the item won't have explicit role assignments and it won't have inheritance, e.g. item won't have any access permissions set to it
	If some users still exist	Role assignments restored only to those users
	If some users don't exist anymore	Recreation of this user is not tried
If the item has role assignments which depend on one or several groups:	The role assignments are restored only for existing groups