#Required Permissions

AvePoint Online Services is transitioning from Exchange Web Services (EWS) to Microsoft Graph. As part of this change, administrators must re-authorize the AvePoint applications to grant new Microsoft Graph permissions, or add the following Microsoft Graph API permissions to their custom Azure app:

• Application

  • User.Read.All

  • MailboxItem.ImportExport.All

  • MailboxFolder.Read.All

  • MailboxItem.Read.All

  • MailboxSettings.Read

  • Mail.ReadWrite

• Delegated

  • RecordsManagement.Read.All

For complete list of permissions required for a custom Azure app, refer to the Permissions for App Profile Authentication for Microsoft 365 section.

Refer to the sections below for the required permissions for using AvePoint Opus properly.

#Permissions for Service Account Profile Authentication for Microsoft 365 (Obsolete)

If you select service account profile as the authentication method to manage Microsoft 365 objects, the account within the profile must have the following permissions:

• The SharePoint Administrator role

• The Exchange Administrator role

• The ApplicationImpersonation role

• Managed Metadata Service: Term Store Administrator

• Member of the Site Collection Administrators group

For instructions on how to create service account profiles in AvePoint Online Services > Management > Service account, refer to Manage Microsoft Service Account Profiles.

#Permissions for App Profile Authentication for Microsoft 365

If you select app profile as the authentication method to manage Microsoft 365 objects, refer to the table below to identify the right app and find its required permissions. For instructions on how to create app profiles in AvePoint Online Services > Management > App Management, refer to App Management.

#Setup Methods and App Types

The table below lists the supported setup methods and app types.

Setup Method	App Type	Note
Classic Mode	Microsoft 365 (All permissions)	Once you create this app profile, the AvePoint Online Services Administration for Microsoft365 app will be automatically created in your Microsoft Entra ID. To see the API permissions you need to accept when you authorize the app, refer to Microsoft 365 (All Permissions).
Modern Mode (Recommended)	AvePoint Opus	Once you create this app profile, the AvePoint Opus app will be automatically created in your Microsoft Entra ID. To see the API permissions you need to accept when you authorize the app, refer to AvePoint Opus.
Modern Mode (Recommended)	Reporting for Microsoft 365	Once you create this app profile, the AvePoint Reporting for Microsoft365 app will be automatically created in your Microsoft Entra ID. To see the API permissions you need to accept when you authorize the app, refer to Reporting for Microsoft 365.
Custom Mode	Azure app	If you want to create an Azure app in your Microsoft Entra ID, you need to add the API permissions required by AvePoint Opus to the custom app. Refer to Permissions for Custom Azure App.
Custom Mode	Azure app with delegated permissions	If you want to create an Azure app with delegated permissions in your Microsoft Entra ID, you need to add the API permissions required by AvePoint Opus to the custom app with delegated permissions. Refer to Permissions for Custom Azure App with Delegated Permissions.

#Permissions for Custom Azure App

This table lists the API permissions required by AvePoint Opus for a custom Azure app:

API	Type	Permission	Purpose
SharePoint	Delegate	User.Read.All (Read all users’ full profiles)	Retrieve information of Microsoft 365 user profiles related to OneDrive, update SharePoint objects, and synchronize term objects to the term store.
SharePoint	Application	Sites.FullControl.All (Have full control of all site collections)	Retrieve information of Microsoft 365 user profiles related to OneDrive, update SharePoint objects, and synchronize term objects to the term store.
SharePoint	Application	User.Read.All (Read all users’ full profiles)	Retrieve information of Microsoft 365 user profiles related to OneDrive, update SharePoint objects, and synchronize term objects to the term store.
SharePoint	Application	TermStore.ReadWrite.All (Read and write managed metadata)	Retrieve information of Microsoft 365 user profiles related to OneDrive, update SharePoint objects, and synchronize term objects to the term store.
Microsoft Graph	Application	Directory.Read.All (Read directory data)	Search users and groups from Microsoft Entra.
Microsoft Graph	Application	Group.Read.All (Read all groups)	Search users and groups from Microsoft Entra.
Microsoft Graph	Application	User.Read.All (Read all users’ full profiles)	Search users and groups from Microsoft Entra.
Microsoft Graph	Application	Mail.Send (Send mail as any user)	Send email notifications from a user’s email address.
Microsoft Graph	Application	Reports.Read.All (Read all usage reports)	Retrieve file size of your Microsoft 365 tenant. This permission will be required if you want to use the Discovery and Analysis functionality.
Office 365 Exchange Online	Application	full_access_as_app (Use Exchange Web Services with full access to all mailboxes)	Retrieve information of mailboxes and update mailbox extended properties.
Office 365 Management APIs	Application	ActivityFeed.Read (Read activity data for your organisation)	Retrieve activity data in your organization.

#Permissions for Custom Azure App Required by Storage Optimization Only

This table lists the API permissions required by the Storage Optimization module within AvePoint Opus for a custom Azure app:

API	Type	Permission	Purpose
SharePoint	Application	Sites.FullControl.All (Have full control of all site collections)	Retrieve information of SharePoint Online site collections.
SharePoint	Application	User.Read.All (Read all users’ full profiles)	Retrieve information of Microsoft 365 user profiles related to OneDrive.
SharePoint	Application	TermStore.ReadWrite.All (Read and write managed metadata)	Archive and restore term store.
Microsoft Graph	Application	Group.Read.All (Read all groups)	Scan Microsoft Group team sites by scanning Microsoft 365 Groups and Microsoft Teams in AvePoint Online Services Auto Discovery.
Microsoft Graph	Application	User.Read.All (Read all users’ full profiles)	Retrieve user information when using ReCenter to restore or export archived files.
Microsoft Graph	Application	Reports.Read.All (Read all usage reports)	Retrieve file size of your Microsoft 365 tenant. Note that this permission will be required if you want to use the Discovery and Analysis functionality.

#Permissions for Custom Azure App with Delegated Permissions

This table lists the API permissions required by AvePoint Opus for a custom Azure app with delegated permissions:

API	Type	Permission	Purpose
Microsoft Graph	Application	Directory.Read.All (Read directory data)	Search users or groups from Microsoft Entra ID.
Microsoft Graph	Application	Group.Read.All (Read all groups)	Search users or groups from Microsoft Entra ID.
Microsoft Graph	Application	TeamSettings.ReadWrite.All (Read and change all teams' settings)	Archive and restore teams’ settings.
Microsoft Graph	Application	TeamsTab.ReadWrite.All (Read and write tabs in Microsoft Teams)	Archive and restore teams’ settings.
Microsoft Graph	Application	Sites.ReadWrite.All (Read and write items in all site collections)	Archive and restore Microsoft Teams and Microsoft 365 Groups team sites data.
Microsoft Graph	Application	Team.Create (Create teams)	Restore teams.
Microsoft Graph	Application	Group.ReadWrite.All (Read and write all groups)	Scan Microsoft 365 Groups via Auto Discovery. Archive and restore Microsoft Teams and Microsoft 365 Groups data.
Microsoft Graph	Application	User.Read.All (Read all users' full profiles)	Retrieve the Microsoft 365 users’ user profiles.
Microsoft Graph	Application	TeamMember.ReadWrite.All (Add and remove members from all teams)	Archive and restore teams’ members.
Microsoft Graph	Application	Chat.Read.All (Read all chat messages)	Archive the Teams chat messages.
Microsoft Graph	Application	ChannelMessage.Read.All (Read all channel messages)	Archive and restore the members and messages of the Team’s private channels.
Microsoft Graph	Application	TeamsAppInstallation.ReadWriteForTeam.All (Manage Teams apps for all teams)	Archive and restore teams’ apps.
Microsoft Graph	Application	ChannelMember.ReadWrite.All (Add and remove members from all channels)	Archive and restore the members and messages of the Team’s private channels.
Microsoft Graph	Application	Tasks.ReadWrite.All (Read and write all users’ tasks and task lists)	Backup up and restore Planner data.
Microsoft Graph	Application	ChannelSettings.ReadWrite.All (Read and write the names, descriptions, and settings of all channels)	Retrieve channel information for the data protection of Teams service.
Microsoft Graph	Application	Channel.Create (Create channels)	Restore teams’ channels.
Microsoft Graph	Application	Sites.FullControl.All (Have full control of all site collections)	Archive and restore site collections.
Microsoft Graph	Application	User.Read.All (Read all users' full profiles)	Retrieve information of user profiles.
Microsoft Graph	Application	MailboxItem.ImportExport.All (Allows the app to perform backup and restore for all mailbox items)	Import and export mailbox items.
Microsoft Graph	Application	MailboxFolder.Read.All (Read all the users’ mailbox folders.)	Retrieve users’ mailbox folders.
Microsoft Graph	Application	MailboxItem.Read.All (Read all the users’ mailbox items)	Retrieve users’ mailbox items.
Microsoft Graph	Application	MailboxSettings.Read (Read all user mailbox settings)	Retrieve users’ mailbox settings.
Microsoft Graph	Application	Mail.ReadWrite (Read and write access to user mail)	Access and modify items within users’ mailboxes.
Microsoft Graph	Delegated	Directory.Read.All (Read directory data)	Search users or groups from Microsoft Entra ID.
Microsoft Graph	Delegated	User.Read (Sign in and read user profile)	Search users or groups from Microsoft Entra ID.
Microsoft Graph	Delegated	Group.ReadWrite.All (Read and write all groups)	Retrieve tabs information from Microsoft Teams and protect planner data in Microsoft 365 Groups and Teams.
Microsoft Graph	Delegated	ChannelMessage.Send (Send channel messages)	Send messages to channels in Microsoft Teams.
Microsoft Graph	Delegated	TeamMember.ReadWrite.All (Add and remove members from teams)	Add members to Microsoft Teams.
Microsoft Graph	Delegated	ChannelMember.ReadWrite.All (Add and remove members from channels)	Add members to channels in Microsoft Teams.
Microsoft Graph	Delegated	User.Read.All (Read all users' full profiles)	Retrieve information of user profiles in Planner data restore.
Microsoft Graph	Delegated	RecordsManagement.Read.All (Read Records Management configuration, labels, and policies)	Retrieve the Records Management configuration in the Microsoft 365 Compliance Center.
SharePoint	Application	Sites.FullControl.All (Have full control of all site collections)	Update SharePoint objects
SharePoint	Application	TermStore.ReadWrite.All (Read and write managed metadata)	Sync term objects to term store.
SharePoint	Application	User.Read.All (Read all users’ full profiles)	Retrieve information of Microsoft 365 user profiles related to OneDrive.
Exchange	Application	full_access_as_app (Use Exchange Web Services with full access to all mailboxes)	Retrieve information of mailboxes and update mailbox extend properties.

#Permissions for App Profile Authentication for Google Workspace (Preview)

Opus allows you to use a custom Google app to manage Google Workspaces. Follow the instructions below to configure a custom Google app and create an app profile to consent to the custom app:

1. Configure a custom Google app by referring to the Create a Custom Google App section in the AvePoint Online Services user guide.

2. Refer to the information below to enable the required APIs:

   • Admin SDK API must be enabled to retrieve domains and activity reports.

   • Google Drive API must be enabled to scan containers and manage files.

   • Drive Labels API must be enabled to manage labels.

3. Enter the following scopes in the OAuth scopes field.

   https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.domain.readonly,https://www.googleapis.com/auth/admin.reports.audit.readonly,https://www.googleapis.com/auth/drive.admin.labels,https://www.googleapis.com/auth/drive.labels,https://www.googleapis.com/auth/drive

Refer to the table below for details about why we need the scopes:

Service	API	Scope	Purpose
Common	Admin SDK API	https://www.googleapis.com/auth/admin.directory.group.readonly	Retrieve groups in your domain.
Common	Admin SDK API	https://www.googleapis.com/auth/admin.directory.user.readonly	Retrieve users in your domain.
Common	Admin SDK API	https://www.googleapis.com/auth/admin.directory.domain.readonly	Retrieve domain of your organization.
Common	Admin SDK API	https://www.googleapis.com/auth/admin.reports.audit.readonly	Retrieve activity reports.
Common	Admin SDK API	https://www.googleapis.com/auth/admin.reports.usage.readonly	Retrieve the size usage of all My Drive and Shared Drive.
Drive Labels	Drive Labels API	https://www.googleapis.com/auth/drive.admin.labels	Retrieve all Google Drive labels in your organization.
Drive Labels	Drive Labels API	https://www.googleapis.com/auth/drive.labels	Retrieve all information of labels on files.
Drive	Google Drive API	https://www.googleapis.com/auth/drive	Retrieve all folders and files under My Drive and shared drives.
Drive	Google Drive API	https://www.googleapis.com/auth/drive.readonly	Retrieve all information of files under My Drive and shared drives.

#Permissions for Installing the Related Records App

To install the Related Records app, ensure the following permissions:

• The user who uploads the Related Records app package to the App Catalog site in the Microsoft 365 tenant must have at least Design permission to the App Catalog site.

• The user who approves the pending request must have the Global administrator role.

#Permissions for Restoring Archived Apps

If you want to restore archived apps, a service account profile will be required. The service account within the profile must have the following permissions:

• The SharePoint Administrator role

• Member of the Site Collection Administrators group

#Permissions for the Agent Account

You can register agents to connect AvePoint Opus to on-premises content sources to access and manage the content.

To connect AvePoint Opus to the File System, make sure the agent account has the following permissions:

• The Logon as a service permission

• A member of the local Administrators group

To connect AvePoint Opus to SharePoint On-Premises, make sure the agent account has the following permissions.

• For Windows, the permissions are listed below:

• The Logon as a service permission

• A member of the IIS_WPG (for IIS 6) or IIS_IUSRS (for IIS 7, IIS 8, and IIS 10) group

• A member of the Performance Monitor Users group

• Read to the Registry of \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

• Full Control to the agent installation path: …\AvePoint\Cloud

For SQL Server, the permissions are listed below:

• The database role of db_owner for all databases related to SharePoint, including content databases, configuration databases, and central administration databases

• The server role of dbcreator and securityadmin in SQL Server

For SharePoint On-Premises, the permissions are listed below:

• A member of the Farm Administrators group

• Full Control and Account operates as System permission to all zones of the web applications via User Policy for Web Applications

• User Profile Service Application:

  • Create Personal Site

  • Follow People and Edit Profile

  • Use Tags and Notes

• Connection Permissions to User Profile Service Application: Full Control

• Managed Metadata Service: Term Store Administrator.

For detailed instructions on how to add a user account to the Term Store Administrators group, refer to How to Add a Term Store Administrator in SharePoint On-Premises.

#Enable Custom Script

AvePoint Opus will enable custom script on a particular site when it runs jobs to manage the site content as below:

• Declare content as records.

• Apply term to SharePoint Online container level objects to classify the container level objects with the term ID.

• Add the Related Records app to SharePoint Online lists/libraries to manage related records.

• Add a unique identifier to SharePoint Online items and documents.

#Allow People Outside the Organization to Email Groups

During the review process (for example, record review process, classification review process, etc.), you can select groups as reviewers who are responsible for reviewing. To make sure the groups that are configured as reviewers can receive email notifications sent from AvePoint Opus, you need to enable the Let people outside the organization email the group setting for those groups in the Microsoft 365 admin center. Note that it may take up to 30 minutes before this setting takes effect.