
Required Permissions

Refer to the sections below for the required permissions for using AvePoint Opus properly.

Permissions for Service Account Profile Authentication for Microsoft 365 (Obsolete)

If you select service account profile as the authentication method to manage Microsoft 365 objects, the account within the profile must have the following permissions:

- The **SharePoint Administrator** role
- The **Exchange Administrator** role
- The **ApplicationImpersonation** role
- Managed Metadata Service: Term Store Administrator
- Member of the **Site Collection Administrators** group

For instructions on how to create service account profiles in AvePoint Online Services > Management > Service account, refer to Manage Service Account Profiles.

Permissions for App Profile Authentication for Microsoft 365

If you select app profile as the authentication method to manage Microsoft 365 objects, refer to the table below to identify the right app and find its required permissions. For instructions on how to create app profiles in AvePoint Online Services > Management > App Management, refer to Manage App Profiles.

*Note: To manage Exchange mailboxes via app profile, you need to assign the Exchange Administrator role to the app in the Microsoft Entra admin center. For the detailed instructions on how to grant the Exchange Administrator role to the app, refer to How to Assign the Exchange Administrator Role to an App.
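The role assignment described in the note above, as an added example (not AvePoint's own instructions), done with the Microsoft Graph PowerShell SDK instead of the Entra admin center. It assumes the SDK is installed, that the signed-in admin can assign directory roles (the RoleManagement.ReadWrite.Directory scope, typically a Privileged Role Administrator), and that the app display name is a placeholder for the app created by your app profile.

```powershell
# Added example, not AvePoint's code: assign the Exchange Administrator directory role
# to an app's service principal. Assumes the Microsoft.Graph PowerShell SDK is installed
# and the caller may assign directory roles. The app display name is a placeholder.
#Requires -Modules Microsoft.Graph.Applications, Microsoft.Graph.Identity.Governance

function Grant-ExchangeAdminToApp {
    param([Parameter(Mandatory)][string]$AppDisplayName)

    # Resolve the app's service principal; refuse to guess if the name is ambiguous.
    $sp = @(Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'")
    if ($sp.Count -ne 1) {
        throw "Expected exactly one service principal named '$AppDisplayName', found $($sp.Count)."
    }
    $sp = $sp[0]

    # Look the role up by its display name rather than hard-coding a template GUID.
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Exchange Administrator'"

    # Idempotency check: a second identical assignment is pointless and noisy in audit logs.
    $existing = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($sp.Id)'" |
        Where-Object RoleDefinitionId -eq $role.Id
    if ($existing) {
        return "Already assigned (assignment id $($existing.Id))"
    }

    # Tenant-wide scope ('/'): the app can then act on every mailbox, which is what the
    # documented mailbox management requires.
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $sp.Id `
        -RoleDefinitionId $role.Id -DirectoryScopeId '/'
}

Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'Application.Read.All'
Grant-ExchangeAdminToApp -AppDisplayName 'AvePoint Opus'   # placeholder: use the name of your app
```

Because this is a tenant-wide role on a non-interactive identity, record the assignment in your change log and review it together with the app's API permissions when you audit privileged identities.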

Setup Methods and App Types

The table below lists the supported setup methods and app types.

| Setup Method | App Type | Note |
|---|---|---|
| Classic Mode | Microsoft 365 (All permissions) | Once you create this app profile, the AvePoint Online Services Administration for Microsoft365 app will be automatically created in your Microsoft Entra ID. To see the API permissions you need to accept when you authorize the app, refer to API Permissions Required by AvePoint Apps. |
| Modern Mode (Recommended) | AvePoint Opus | Once you create this app profile, the AvePoint Opus app will be automatically created in your Microsoft Entra ID. To see the API permissions you need to accept when you authorize the app, refer to API Permissions Required by AvePoint Apps. |
| Modern Mode (Recommended) | Reporting for Microsoft 365 | Once you create this app profile, the AvePoint Reporting for Microsoft365 app will be automatically created in your Microsoft Entra ID. To see the API permissions you need to accept when you authorize the app, refer to API Permissions Required by AvePoint Apps. |
| Custom Mode | Azure app | If you want to create an Azure app in your Microsoft Entra ID, you need to add the API permissions required by AvePoint Opus to the custom app. *Note: For a custom Azure app, the Teams & Groups content source within the Storage Optimization module will be unavailable. If you want to use its functionalities, create a custom Azure app with delegated permissions instead. Refer to the tables below for the required API permissions. |
| Custom Mode | Azure app with delegated permissions | If you want to create an Azure app with delegated permissions in your Microsoft Entra ID, you need to add the API permissions required by AvePoint Opus to the custom app with delegated permissions. *Note: Currently, the Discovery and Analysis module is not fully supported by this app. If you do not need the Teams & Groups content source within the Storage Optimization module, use an Azure app instead. Refer to the tables below for the required API permissions. |

Permissions for Custom Azure App

This table lists the API permissions required by AvePoint Opus for a custom Azure app:

*Note: If you choose to use a custom Azure app, the Teams & Groups content source within the Storage Optimization module will be unavailable. If you want to use its functionalities, please create a custom Azure app with delegated permissions, instead of this Azure app.

| API | Type | Permission | Purpose |
|---|---|---|---|
| SharePoint | Delegated | User.Read.All (Read all users' full profiles) | Retrieve information of Microsoft 365 user profiles related to OneDrive, update SharePoint objects, and synchronize term objects to the term store. |
| SharePoint | Application | Sites.FullControl.All (Have full control of all site collections) | Retrieve information of Microsoft 365 user profiles related to OneDrive, update SharePoint objects, and synchronize term objects to the term store. |
| SharePoint | Application | User.Read.All (Read all users' full profiles) | Retrieve information of Microsoft 365 user profiles related to OneDrive, update SharePoint objects, and synchronize term objects to the term store. |
| SharePoint | Application | TermStore.ReadWrite.All (Read and write managed metadata) | Retrieve information of Microsoft 365 user profiles related to OneDrive, update SharePoint objects, and synchronize term objects to the term store. |
| Microsoft Graph | Application | Directory.Read.All (Read directory data) | Search users and groups from Microsoft Entra. |
| Microsoft Graph | Application | Group.Read.All (Read all groups) | Search users and groups from Microsoft Entra. |
| Microsoft Graph | Application | User.Read.All (Read all users' full profiles) | Search users and groups from Microsoft Entra. |
| Microsoft Graph | Application | Mail.Send (Send mail as any user) | Send email notifications from a user's email address. |
| Microsoft Graph | Application | Reports.Read.All (Read all usage reports) | Retrieve file size of your Microsoft 365 tenant. This permission is required only if you want to use the Discovery and Analysis functionality. |
| Office 365 Exchange Online | Application | full_access_as_app (Use Exchange Web Services with full access to all mailboxes) | Retrieve information of mailboxes and update mailbox extended properties. |
| Office 365 Management APIs | Application | ActivityFeed.Read (Read activity data for your organization) | Retrieve activity data in your organization. |
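Once the custom app has been consented, a practitioner will want to confirm that the application permissions actually granted match the table above and that nothing extra was added. The following added example (not AvePoint's code) does that with the Microsoft Graph PowerShell SDK. It assumes the SDK is installed, that the caller can read service principals (Application.Read.All), that the resource APIs appear in Entra under the display names "Office 365 SharePoint Online", "Microsoft Graph", "Office 365 Exchange Online" and "Office 365 Management APIs", and that the app display name is a placeholder. The Delegated row in the table is a delegated grant, not an app role assignment, so it is outside what this check covers.

```powershell
# Added example, not AvePoint's code: diff the application permissions (app role
# assignments) granted to a custom app against the list documented on this page.
# Assumptions: Microsoft.Graph PowerShell SDK installed; caller has Application.Read.All;
# resource API display names as shown in Entra; the app name below is a placeholder.
#Requires -Modules Microsoft.Graph.Applications

# Application permissions from the "Permissions for Custom Azure App" table.
$Required = @{
    'Office 365 SharePoint Online' = @('Sites.FullControl.All', 'User.Read.All', 'TermStore.ReadWrite.All')
    'Microsoft Graph'              = @('Directory.Read.All', 'Group.Read.All', 'User.Read.All', 'Mail.Send', 'Reports.Read.All')
    'Office 365 Exchange Online'   = @('full_access_as_app')
    'Office 365 Management APIs'   = @('ActivityFeed.Read')
}

function Get-GrantedAppRoles {
    param([Parameter(Mandatory)][string]$AppDisplayName)
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"
    if (-not $sp) { throw "No service principal named '$AppDisplayName' in this tenant." }

    # Each assignment carries only the role's GUID; resolve it to the human-readable
    # value (e.g. Sites.FullControl.All) via the resource API's own AppRoles list.
    $resourceCache = @{}
    foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
        if (-not $resourceCache.ContainsKey($a.ResourceId)) {
            $resourceCache[$a.ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
        }
        $resource = $resourceCache[$a.ResourceId]
        $role = $resource.AppRoles | Where-Object Id -eq $a.AppRoleId
        [pscustomobject]@{ Resource = $resource.DisplayName; Permission = $role.Value }
    }
}

function Compare-AppPermissions {
    param(
        [Parameter(Mandatory)][string]$AppDisplayName,
        [hashtable]$Expected = $Required
    )
    $granted = @(Get-GrantedAppRoles -AppDisplayName $AppDisplayName)

    foreach ($resource in $Expected.Keys) {
        $have = @($granted | Where-Object Resource -eq $resource | ForEach-Object Permission)
        foreach ($p in $Expected[$resource]) {
            if ($have -notcontains $p) { "MISSING  $resource : $p" }
        }
        foreach ($p in $have) {
            if ($Expected[$resource] -notcontains $p) { "EXTRA    $resource : $p" }
        }
    }
    # Permissions on APIs the page never mentions are always worth a second look.
    $granted | Where-Object { $Expected.Keys -notcontains $_.Resource } |
        ForEach-Object { "EXTRA    $($_.Resource) : $($_.Permission)" }
}

Connect-MgGraph -Scopes 'Application.Read.All'
Compare-AppPermissions -AppDisplayName 'Contoso Opus Custom App'   # placeholder name
```

Run it after initial consent and again whenever the app profile is re-authorized; an EXTRA line on an API not listed here means someone widened the app beyond what Opus needs.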

Permissions for Custom Azure App Required by Storage Optimization Only

This table lists the API permissions required by the Storage Optimization module within AvePoint Opus for a custom Azure app:

*Note: This permission list is relevant only when you use the SharePoint Online and OneDrive content sources within the Storage Optimization module. If you want to use the Teams & Groups content source as well, please create a custom Azure app with delegated permissions, instead of this Azure app.

| API | Type | Permission | Purpose |
|---|---|---|---|
| SharePoint | Application | Sites.FullControl.All (Have full control of all site collections) | Retrieve information of SharePoint Online site collections. |
| SharePoint | Application | User.Read.All (Read all users' full profiles) | Retrieve information of Microsoft 365 user profiles related to OneDrive. |
| SharePoint | Application | TermStore.ReadWrite.All (Read and write managed metadata) | Archive and restore the term store. |
| Microsoft Graph | Application | Group.Read.All (Read all groups) | Scan Microsoft 365 Group team sites by scanning Microsoft 365 Groups and Microsoft Teams in AvePoint Online Services Auto Discovery. |
| Microsoft Graph | Application | User.Read.All (Read all users' full profiles) | Retrieve user information when using ReCenter to restore or export archived files. |
| Microsoft Graph | Application | Reports.Read.All (Read all usage reports) | Retrieve file size of your Microsoft 365 tenant. *Note: This permission is required only if you want to use the Discovery and Analysis functionality. |

Permissions for Custom Azure App with Delegated Permissions

This table lists the API permissions required by AvePoint Opus for a custom Azure app with delegated permissions:

*Note: Currently, the Discovery and Analysis module is not fully supported by this app. If you do not want to use the Teams & Groups content source within the Storage Optimization module, please use an Azure app instead.

| API | Type | Permission | Purpose |
|---|---|---|---|
| Microsoft Graph | Application | Directory.Read.All (Read directory data) | Search users or groups from Microsoft Entra ID. |
| Microsoft Graph | Application | Group.Read.All (Read all groups) | Search users or groups from Microsoft Entra ID. |
| Microsoft Graph | Application | TeamSettings.ReadWrite.All (Read and change all teams' settings) | Back up and restore teams' settings. |
| Microsoft Graph | Application | TeamsTab.ReadWrite.All (Read and write tabs in Microsoft Teams) | Back up and restore teams' settings. |
| Microsoft Graph | Application | Sites.ReadWrite.All (Read and write items in all site collections) | Back up and restore Microsoft Teams and Microsoft 365 Groups team site data. |
| Microsoft Graph | Application | Team.Create (Create teams) | Restore teams. |
| Microsoft Graph | Application | Group.ReadWrite.All (Read and write all groups) | Scan Microsoft 365 Groups via Auto Discovery. Back up and restore Microsoft Teams and Microsoft 365 Groups data. |
| Microsoft Graph | Application | User.Read.All (Read all users' full profiles) | Retrieve the Microsoft 365 users' user profiles. |
| Microsoft Graph | Application | TeamMember.ReadWrite.All (Add and remove members from all teams) | Back up and restore teams' members. |
| Microsoft Graph | Application | Chat.Read.All (Read all chat messages) | Back up the Teams chat messages. |
| Microsoft Graph | Application | ChannelMessage.Read.All (Read all channel messages) | Back up and restore the members and messages of teams' private channels. |
| Microsoft Graph | Application | TeamsAppInstallation.ReadWriteForTeam.All (Manage Teams apps for all teams) | Back up and restore teams' apps. |
| Microsoft Graph | Application | ChannelMember.ReadWrite.All (Add and remove members from all channels) | Back up and restore the members and messages of teams' private channels. |
| Microsoft Graph | Application | Tasks.ReadWrite.All (Read and write all users' tasks and task lists) | Back up and restore Planner data. |
| Microsoft Graph | Application | ChannelSettings.ReadWrite.All (Read and write the names, descriptions, and settings of all channels) | Retrieve channel information for the data protection of the Teams service. |
| Microsoft Graph | Application | Channel.Create (Create channels) | Restore teams' channels. |
| Microsoft Graph | Application | Sites.FullControl.All (Have full control of all site collections) | Back up and restore site collections. |
| Microsoft Graph | Application | User.Read.All (Read all users' full profiles) | Retrieve information of user profiles. |
| Microsoft Graph | Application | MailboxItem.ImportExport.All (Allows the app to perform backup and restore for all mailbox items) | Import and export mailbox items. |
| Microsoft Graph | Application | MailboxFolder.Read.All (Read all the users' mailbox folders) | Retrieve users' mailbox folders. |
| Microsoft Graph | Application | MailboxItem.Read.All (Read all the users' mailbox items) | Retrieve users' mailbox items. |
| Microsoft Graph | Application | MailboxSettings.Read (Read all user mailbox settings) | Retrieve users' mailbox settings. |
| Microsoft Graph | Application | Mail.ReadWrite (Read and write access to user mail) | Access and modify items within users' mailboxes. |
| Microsoft Graph | Delegated | Directory.Read.All (Read directory data) | Search users or groups from Microsoft Entra ID. |
| Microsoft Graph | Delegated | User.Read (Sign in and read user profile) | Search users or groups from Microsoft Entra ID. |
| Microsoft Graph | Delegated | Group.ReadWrite.All (Read and write all groups) | Retrieve tab information from Microsoft Teams. Protect Planner data in Microsoft 365 Groups and Teams. |
| Microsoft Graph | Delegated | ChannelMessage.Send (Send channel messages) | Send messages to channels in Microsoft Teams. |
| Microsoft Graph | Delegated | TeamMember.ReadWrite.All (Add and remove members from teams) | Add members to Microsoft Teams. |
| Microsoft Graph | Delegated | ChannelMember.ReadWrite.All (Add and remove members from channels) | Add members to channels in Microsoft Teams. |
| Microsoft Graph | Delegated | User.Read.All (Read all users' full profiles) | Retrieve information of user profiles in Planner data restore. |
| Microsoft Graph | Delegated | RecordsManagement.Read.All (Read Records Management configuration, labels, and policies) | Retrieve the Records Management configuration in the Microsoft 365 Compliance Center. |
| SharePoint | Application | Sites.FullControl.All (Have full control of all site collections) | Update SharePoint objects. |
| SharePoint | Application | TermStore.ReadWrite.All (Read and write managed metadata) | Sync term objects to the term store. |
| SharePoint | Application | User.Read.All (Read all users' full profiles) | Retrieve information of Microsoft 365 user profiles related to OneDrive. |
| Exchange | Application | full_access_as_app (Use Exchange Web Services with full access to all mailboxes) | Retrieve information of mailboxes and update mailbox extended properties. |

*Note: If your organization does not want to grant the SharePoint application permission Sites.FullControl.All to your Azure app, you can use Sites.Selected instead. Sites.FullControl.All gives the Azure app complete administrative access over every site collection in the tenant, whereas Sites.Selected lets you grant the app access only to designated site collections. By default, an Azure app with the Sites.Selected permission has no access to any SharePoint site collection until access is explicitly configured. To make sure the Azure app can manage site collections and their content, you need to explicitly assign the FullControl role to the Azure app for each site collection that Opus is to manage; a site collection with no assignment is not accessible to Opus.
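The per-site assignment described in the note above, as an added example (not AvePoint's own instructions), done with PnP PowerShell. It assumes PnP.PowerShell is installed, that the account running it can manage the site (a site collection administrator or SharePoint Administrator; newer PnP.PowerShell versions also require a -ClientId of your own registered app for interactive login), and that the app ID, app display name and site URLs are placeholders. The initial grant call only accepts Read or Write, so full control is applied in a second step.

```powershell
# Added example, not AvePoint's code: give an app that holds Sites.Selected full control
# over named site collections only. Assumes PnP.PowerShell and an account that can manage
# each site. AppId, AppDisplayName and the site URLs are placeholders.
#Requires -Modules PnP.PowerShell

function Grant-SiteFullControlToApp {
    param(
        [Parameter(Mandatory)][string]$SiteUrl,
        [Parameter(Mandatory)][string]$AppId,          # application (client) ID of the Opus app
        [Parameter(Mandatory)][string]$AppDisplayName
    )
    Connect-PnPOnline -Url $SiteUrl -Interactive

    # Reuse an existing grant for this app on this site rather than stacking duplicates.
    # (-AppIdentity filters by app id or name; assumed PnP parameter name.)
    $perm = Get-PnPAzureADAppSitePermission -Site $SiteUrl -AppIdentity $AppId
    if (-not $perm) {
        # Step 1: the initial grant only accepts Read or Write ...
        $perm = Grant-PnPAzureADAppSitePermission -AppId $AppId -DisplayName $AppDisplayName `
            -Permissions Write -Site $SiteUrl
    }
    # Step 2: ... so raise it to FullControl, which is what Opus needs to manage the site.
    Set-PnPAzureADAppSitePermission -Site $SiteUrl -PermissionId $perm.Id -Permissions FullControl

    # Return the effective roles so the caller can verify the result.
    Get-PnPAzureADAppSitePermission -Site $SiteUrl -AppIdentity $AppId | Select-Object Id, Roles
}

# Only the sites listed here become visible to Opus; every other site stays out of reach.
$sites = @(
    'https://contoso.sharepoint.com/sites/Records',
    'https://contoso.sharepoint.com/sites/Finance'
)
foreach ($url in $sites) {
    Grant-SiteFullControlToApp -SiteUrl $url -AppId '00000000-0000-0000-0000-000000000000' `
        -AppDisplayName 'Contoso Opus Custom App'
}
```

Keep the site list under version control: with Sites.Selected, that list is the effective scope of what Opus can touch, and adding a site to Opus later means running the grant again for it.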

Permissions for App Profile Authentication for Google Workspace (Preview)

Opus allows you to use a custom Google app to manage Google Workspace. Follow the instructions below to configure a custom Google app and create an app profile to consent to the custom app:

  1. Configure a custom Google app by referring to the Create a Custom Google App section in the AvePoint Online Services user guide.

  2. Refer to the information below to enable the required APIs:

    • Admin SDK API must be enabled to retrieve domains and activity reports.

    • Google Drive API must be enabled to scan containers and manage files.

    • Drive Labels API must be enabled to manage labels.

  3. Enter the following scopes in the OAuth scopes field.

    https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.domain.readonly,https://www.googleapis.com/auth/admin.reports.audit.readonly,https://www.googleapis.com/auth/drive.admin.labels,https://www.googleapis.com/auth/drive.labels,https://www.googleapis.com/auth/drive

Refer to the table below for details about why each scope is needed. Note that the table also lists two scopes, https://www.googleapis.com/auth/admin.reports.usage.readonly and https://www.googleapis.com/auth/drive.readonly, that are not part of the scope string in step 3; if you need the functionality described for them, add them to the same OAuth scopes field.

| Service | API | Scope | Purpose |
|---|---|---|---|
| Common | Admin SDK API | https://www.googleapis.com/auth/admin.directory.group.readonly | Retrieve groups in your domain. |
| Common | Admin SDK API | https://www.googleapis.com/auth/admin.directory.user.readonly | Retrieve users in your domain. |
| Common | Admin SDK API | https://www.googleapis.com/auth/admin.directory.domain.readonly | Retrieve the domain of your organization. |
| Common | Admin SDK API | https://www.googleapis.com/auth/admin.reports.audit.readonly | Retrieve activity reports. |
| Common | Admin SDK API | https://www.googleapis.com/auth/admin.reports.usage.readonly | Retrieve the storage usage of all My Drive and shared drives. |
| Drive Labels | Drive Labels API | https://www.googleapis.com/auth/drive.admin.labels | Retrieve all Google Drive labels in your organization. |
| Drive Labels | Drive Labels API | https://www.googleapis.com/auth/drive.labels | Retrieve all information about labels on files. |
| Drive | Google Drive API | https://www.googleapis.com/auth/drive | Retrieve all folders and files under My Drive and shared drives. |
| Drive | Google Drive API | https://www.googleapis.com/auth/drive.readonly | Retrieve all information about files under My Drive and shared drives. |

Permissions for Installing the Related Records App

To install the Related Records app, ensure the following permissions:

- The user who uploads the Related Records app package to the App Catalog site in the Microsoft 365 tenant must have at least Design permission to the App Catalog site.
- The user who approves the pending request must have the Global administrator role.

Permissions for Restoring Archived Apps

If you want to restore archived apps, a service account profile will be required. The service account within the profile must have the following permissions:

- The **SharePoint Administrator** role
- Member of the **Site Collection Administrators** group

Permissions for the Agent Account

You can register agents to connect AvePoint Opus to on-premises content sources to access and manage the content.

To connect AvePoint Opus to the File System, make sure the agent account has the following permissions:

- The **Logon as a service** permission
- A member of the local **Administrators** group

To connect AvePoint Opus to SharePoint On-Premises, make sure the agent account has the following permissions:

- Windows
  - The **Logon as a service** permission
  - A member of the **IIS_WPG** (for IIS 6) or **IIS_IUSRS** (for IIS 7, IIS 8, and IIS 10) group
  - A member of the **Performance Monitor Users** group
  - Read to the Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  - Full Control to the agent installation path: …\AvePoint\Cloud
- SQL Server
  - The database role of **db_owner** for all databases related to SharePoint, including content databases, configuration databases, and central administration databases
  - The server roles of **dbcreator** and **securityadmin** in SQL Server
- SharePoint On-Premises
  - A member of the **Farm Administrators** group
  - Full Control and Account operates as System permission to all zones of the web applications via User Policy for Web Applications
  - User Profile Service Application:
    - Create Personal Site
    - Follow People and Edit Profile
    - Use Tags and Notes
  - Connection Permissions to User Profile Service Application: Full Control
  - Managed Metadata Service: Term Store Administrator

For detailed instructions on how to add a user account to the **Term Store Administrators** group, refer to How to Add a Term Store Administrator in SharePoint On-Premises.

Enable Custom Script

AvePoint Opus will enable custom script on a particular site when it runs jobs that manage the site content as follows:

- Declare content as records.
- Apply a term to SharePoint Online container-level objects to classify them with the term ID.
- Add the Related Records app to SharePoint Online lists/libraries to manage related records.
- Add a unique identifier to SharePoint Online items and documents.

Enabling custom script relaxes a tenant-level security control (users with Add and Customize Pages permission on that site can then add custom script to it), so keep track of which sites Opus changes in this way.
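Because Opus changes this setting per site as a side effect of its jobs, a practitioner will want a way to see which site collections currently allow custom script. The following added example (not AvePoint's code) lists them with PnP PowerShell; it assumes PnP.PowerShell is installed, that the connection is made as a SharePoint Administrator to the tenant admin URL (a placeholder below), and that the site property DenyAddAndCustomizePages reads Disabled when custom script is allowed.

```powershell
# Added example, not AvePoint's code: report site collections where custom script is
# allowed (DenyAddAndCustomizePages = Disabled). Assumes PnP.PowerShell and a SharePoint
# Administrator connection to the tenant admin site; the admin URL is a placeholder.
#Requires -Modules PnP.PowerShell

function Get-CustomScriptEnabledSites {
    param([Parameter(Mandatory)][string]$AdminUrl)
    Connect-PnPOnline -Url $AdminUrl -Interactive

    # -Detailed is needed to populate DenyAddAndCustomizePages on each tenant site object.
    Get-PnPTenantSite -Detailed |
        Where-Object { $_.DenyAddAndCustomizePages -eq 'Disabled' } |
        Select-Object Url, Template, DenyAddAndCustomizePages
}

$enabled = Get-CustomScriptEnabledSites -AdminUrl 'https://contoso-admin.sharepoint.com'
$enabled | Format-Table -AutoSize

# To re-block custom script on a site that Opus no longer manages (assumed PnP switch):
#   Set-PnPTenantSite -Identity $url -DenyAddAndCustomizePages:$true
```

Compare the output against the sites Opus is configured to manage; any site in the list that Opus does not touch was enabled by someone else and deserves a look.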

Allow People Outside the Organization to Email Groups

During the review process (for example, the record review process or the classification review process), you can select groups as reviewers who are responsible for reviewing. To make sure the groups that are configured as reviewers can receive email notifications sent from AvePoint Opus, you need to enable the Let people outside the organization email the group setting for those groups in the Microsoft 365 admin center. Be aware that this setting allows any external sender, not only AvePoint Opus, to email the group, so enable it only for the groups that act as reviewers.

*Note: It may take up to 30 minutes before this setting takes effect.