The ability to back up and recover OneDrive permissions helps maintain data security and meet compliance requirements. This article describes how and when Redstor protects OneDrive permissions.




How does it work?

From the release of this feature, OneDrive permissions will automatically be protected as part of any new backups of OneDrive data from the RedApp. You will not be able to restore permissions from backups that completed before this date.


Whenever you recover OneDrive data using the RedApp (not InstantData), you will be asked to select certain restore settings. At this point, you can select to restore permissions (on by default) and/or restore shareable links (off by default). This applies to account recovery as well as single item recovery. 


After a permissions recovery completes, the restored permissions may not reflect in the OneDrive admin center immediately. Permissions information is not displayed in the RedApp.


Note: 

  • To recover, you need to be both a RedApp company administrator, and a Microsoft 365 global administrator for your tenant organisation. 
  • Read more about Microsoft's admin roles in this article on their knowledge base.
  • Read more about Redstor's OneDrive backup and recovery in Article 1159.


Restoring permissions

The Restore permissions setting includes both inherited permissions and explicit permissions, as well as shareable links. The following definitions apply:

  • Shareable link: A link to a specific OneDrive item (file or folder) that grants permissions based on a link scope such as anonymous, organisation (i.e. users within the Microsoft 365 tenant), or specific users.
  • Inherited permissions: Permissions inherited by child OneDrive items from a parent item.
  • Explicit permissions: Unique permissions that have been set for specific users of a OneDrive item by breaking (stopping) inheritance for it.


Recovery option: Overwrite

When recovering inherited permissions with the Overwrite option, the following logic applies:

| Target item inheritance | Source item inheritance | Expected result |
|---|---|---|
| Inheritance enabled | Inheritance enabled | Item continues to inherit permissions from its parent. |
| Inheritance disabled | Inheritance disabled | Restore explicit permissions that have been backed up. |
| Inheritance disabled | Inheritance enabled | Enable inheritance on the target to match the source. Log this change. |
| Inheritance enabled | Inheritance disabled | Break inheritance on the target and apply the explicit permissions from the source. |
| Parent has explicit permissions | Inheritance disabled | Maintain broken inheritance. Restore the explicit permissions from the source. |


When recovering explicit permissions with the Overwrite option, any missing or deleted permissions will be restored and existing permissions will be updated. No permissions will be removed from the selected backup in order to preserve access. If this results in unwanted permissions, you can remove them in the OneDrive admin center.


During single item recovery with the Overwrite option, we restore the item's location and its permissions, as well as all parent folders and their respective permissions if they have been deleted. Folder contents are not restored, aside from the item you selected.


Recovery options: New folder or Different account

When recovering items with inherited permissions using the New folder option (recovering to a new OneDrive account within the same Microsoft 365 tenant) or the Different account option (recovering to an existing, different OneDrive account within the same Microsoft 365 tenant), we restore each item's permissions, as well as all parent folders of the item's location and their respective permissions.  


When recovering items with explicit permissions using the New folder or Different account option, permissions will be applied as in the selected backup.


During single item recovery using the New folder or Different account option, we restore the item's location and its permissions, as well as all parent folders and their respective permissions. Folder contents are not restored, aside from the item you selected.


When a shareable link is restored with the New folder, Different account or Overwrite option, an email notification from Microsoft containing a new link will automatically be sent to all users who had access to the original link. Restoring multiple links will therefore result in multiple notifications, and you may want to inform users to expect this.

The following rules will apply:

  • For password-protected links, no password will be set on the new link.
  • For expired links, no expiry will be set on the new link.


Limitations

The following is excluded from OneDrive permissions protection:

  • Restoring of explicit permissions if the users or groups they are granted to do not exist in the target Microsoft 365 tenant (e.g. because they have been deleted or have been recreated with new IDs).
    • Note: Restoring permissions does not restore the users or groups they were granted to. Users and groups must be restored from an Entra ID backup or must be newly created via the admin center.
  • Browsing of permissions associated with a backed-up OneDrive item.
  • Browsing of permissions associated with a restored OneDrive item.
  • Restoring of permissions when accessing an item via InstantData.
  • Backup and restoring of "create-only" links for uploading files.


Removing or updating a user's explicit permissions does not affect or remove their access via shareable links. For more detail about updating permissions on a shared file, see this article on Microsoft's knowledge base.
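
The following Python audit is an added example, not Redstor's or Microsoft's code. It checks a restored item's permission objects for the outcomes described in this article: restored links with no expiry or password, anonymous links, and explicit grants that remain because Overwrite never removes permissions. The sample data is constructed in the shape of Microsoft Graph permission objects; `audit_restored_permissions` and `intended_user_ids` are hypothetical names, and `hasPassword` is checked only when the field is reported.

```python
# Constructed sample: permission objects shaped like the "value" array that
# Microsoft Graph returns for GET /drives/{drive-id}/items/{item-id}/permissions.
SAMPLE_PERMISSIONS = [
    {"id": "p1", "roles": ["write"],
     "grantedToV2": {"user": {"id": "user-alice"}}},
    {"id": "p2", "roles": ["read"], "inheritedFrom": {"id": "parent-folder"},
     "grantedToV2": {"user": {"id": "user-bob"}}},
    {"id": "p3", "roles": ["read"],
     "link": {"scope": "anonymous", "type": "view"}, "hasPassword": False},
    {"id": "p4", "roles": ["write"],
     "link": {"scope": "organization", "type": "edit"},
     "expirationDateTime": "2030-01-01T00:00:00Z"},
    {"id": "p5", "roles": ["read"],
     "grantedToV2": {"user": {"id": "user-former-contractor"}}},
]


def audit_restored_permissions(permissions, intended_user_ids):
    """Return sorted (permission id, finding) pairs for one restored item."""
    findings = []
    for perm in permissions:
        link = perm.get("link")
        if link:
            # A restored link is a new link: per the article it carries
            # neither the password nor the expiry of the original.
            if not perm.get("expirationDateTime"):
                findings.append((perm["id"], "link has no expiry"))
            if perm.get("hasPassword") is False:  # checked only when reported
                findings.append((perm["id"], "link has no password"))
            if link.get("scope") == "anonymous":
                findings.append((perm["id"], "anonymous link"))
            continue
        if "inheritedFrom" in perm:
            continue  # inherited grant: review it on the parent folder instead
        # Overwrite never removes permissions, so explicit grants that are
        # not on the intended list survive the restore and need a decision.
        user_id = perm.get("grantedToV2", {}).get("user", {}).get("id")
        if user_id not in intended_user_ids:
            findings.append((perm["id"], f"unexpected explicit grant: {user_id}"))
    return sorted(findings)


if __name__ == "__main__":
    for perm_id, finding in audit_restored_permissions(
            SAMPLE_PERMISSIONS, {"user-alice", "user-bob"}):
        print(perm_id, finding)
```

Findings on links matter even after the explicit grants are cleaned up, because link access is independent of a user's explicit permissions.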