Appendix J - Custom Azure App Permissions for Using AvePoint Cloud Governance
To use AvePoint Cloud Governance properly, your tenant must first create app profiles or Microsoft 365 service account profiles in AvePoint Online Services. With the apps or Microsoft 365 service account, AvePoint Cloud Governance can connect to your Microsoft 365 tenant, Microsoft Entra ID, or Viva Engage. For more details on app profiles and service account profiles, refer to Create App Profiles or Microsoft 365 Service Account Profiles.
If you want to manually create an app in your Microsoft Entra ID, you need to add API permissions to the custom app. The tables below detail the AvePoint Cloud Governance features and the required permissions.
The table below details the required permissions for the provisioning and management of SharePoint objects.
| AvePoint Cloud Governance Feature | Required App Permission | Advanced Settings | Required Additional Permissions | Functionality Requires Service Account |
|---|---|---|---|---|
| Automatic Import for Site Collection | Sites.FullControl.All User.Read.All | No | No | No |
| Create Site Collection | Sites.FullControl.All User.Read.All Group.Read.All | Retrieve the latest site collection URL. | Sites.Read.All | - Create site collections or sites in the Business Intelligence Center template or Visio Process Repository template. - Use the AvePoint Cloud Management Deployment Manager plan to deploy design elements or solutions to the site collections or sites. |
| Create Site Collection | Sites.FullControl.All User.Read.All Group.Read.All | Manage sensitivity labels. | InformationProtectionPolicy.Read.All | - Create site collections or sites in the Business Intelligence Center template or Visio Process Repository template. - Use the AvePoint Cloud Management Deployment Manager plan to deploy design elements or solutions to the site collections or sites. |
| Create Site Collection | Sites.FullControl.All User.Read.All Group.Read.All | Manage classifications. | Directory.Read.All | - Create site collections or sites in the Business Intelligence Center template or Visio Process Repository template. - Use the AvePoint Cloud Management Deployment Manager plan to deploy design elements or solutions to the site collections or sites. |
| Change Site Collection Settings | Sites.FullControl.All User.Read.All | No | No | No |
| Change Site Collection Contact or Administrator | Sites.FullControl.All User.Read.All | No | No | No |
| Create Site | Sites.FullControl.All User.Read.All Group.Read.All | Retrieve the latest site URL. | Sites.Read.All | - Create site collections or sites in the Business Intelligence Center template or Visio Process Repository template. - Use the AvePoint Cloud Management Deployment Manager plan to deploy design elements or solutions to the site collections or sites. |
| Change Site Settings | Sites.FullControl.All User.Read.All | No | No | No |
| Change Site Contact | Sites.FullControl.All User.Read.All | No | No | No |
| Create Library/List | Sites.FullControl.All User.Read.All Group.Read.All | No | No | No |
| Change Library/List Settings | Sites.FullControl.All User.Read.All | No | No | No |
| Export & Import Site Collection | Sites.FullControl.All User.Read.All | No | No | No |
| Export & Import Site | Sites.FullControl.All User.Read.All | No | No | No |
| Content Move | Sites.FullControl.All User.Read.All | No | No | No |
| Change Permissions | Sites.FullControl.All User.Read.All | No | No | No |
| Clone or Transfer Permissions | Sites.FullControl.All User.Read.All | No | No | No |
| Grant Permissions | Sites.FullControl.All User.Read.All | No | No | Invite new guest user. |
| Manage Permissions | Sites.FullControl.All User.Read.All | Invite guest users. | User.Invite.All | No |
| Site Collection Lifecycle Management | Sites.FullControl.All User.Read.All | Retrieve last activity time for inactivity calculation. | Reports.Read.All | No |
| Site Lifecycle Management | Sites.FullControl.All User.Read.All | No | No | No |
| Site Collection Policy | User.Read.All | External sharing | Sites.FullControl.All | No |
| Update Site Collection Information | Sites.FullControl.All User.Read.All | No | No | No |
| Dynamic Services - Create Site Collection | Directory.Read.All Sites.FullControl.All (SharePoint Online) | Sensitivity label | InformationProtectionPolicy.Read.All | Create site collections with the special template (Business Intelligence Center). |
| Dynamic Services - Create Site Collection | Directory.Read.All Sites.FullControl.All (SharePoint Online) | Content type | Sites.FullControl.All (Microsoft Graph API) | Create site collections with the special template (Business Intelligence Center). |
| Dynamic Services - Create Library | Sites.FullControl.All (SharePoint Online) Group.Read.All User.Read.All | Content type | Sites.FullControl.All (Microsoft Graph API) | No |
The table below details the required permissions for the provisioning and management of Microsoft 365 Groups.
| AvePoint Cloud Governance Feature | Required App Permission | Advanced Settings | Required Additional Permissions | Functionality Requires Service Account |
|---|---|---|---|---|
| Automatic Import for Microsoft 365 Group | Group.ReadWrite.All Sites.FullControl.All User.Read.All | External sharing | Directory.ReadWrite.All or Groups administrator role assigned to the custom app | No |
| Create Group | Directory.Read.All Group.ReadWrite.All Sites.FullControl.All Files.Read.All | External sharing | Directory.ReadWrite.All or Groups administrator role assigned to the custom app | - Disable the welcome email to new group members. - Configure the Outlook Experience (only when your organization is using the Microsoft 365 GCC High environment). - Enable integration with sensitivity labels. |
| Create Group | Directory.Read.All Group.ReadWrite.All Sites.FullControl.All Files.Read.All | Group team sites provisioning in multi-geo locations | Directory.ReadWrite.All or Groups administrator role assigned to the custom app | - Disable the welcome email to new group members. - Configure the Outlook Experience (only when your organization is using the Microsoft 365 GCC High environment). - Enable integration with sensitivity labels. |
| Create Group | Directory.Read.All Group.ReadWrite.All Sites.FullControl.All Files.Read.All | Invite guest users to groups. | User.Invite.All | - Disable the welcome email to new group members. - Configure the Outlook Experience (only when your organization is using the Microsoft 365 GCC High environment). - Enable integration with sensitivity labels. |
| Create Group | Directory.Read.All Group.ReadWrite.All Sites.FullControl.All Files.Read.All | Copy members from groups with hidden membership. | Member.Read.Hidden | - Disable the welcome email to new group members. - Configure the Outlook Experience (only when your organization is using the Microsoft 365 GCC High environment). - Enable integration with sensitivity labels. |
| Create Group | Directory.Read.All Group.ReadWrite.All Sites.FullControl.All Files.Read.All | Sensitivity label | InformationProtectionPolicy.Read.All | - Disable the welcome email to new group members. - Configure the Outlook Experience (only when your organization is using the Microsoft 365 GCC High environment). - Enable integration with sensitivity labels. |
| Create Group | Directory.Read.All Group.ReadWrite.All Sites.FullControl.All Files.Read.All | Outside sender | full_access_as_app | - Disable the welcome email to new group members. - Configure the Outlook Experience (only when your organization is using the Microsoft 365 GCC High environment). - Enable integration with sensitivity labels. |
| Create Group | Directory.Read.All Group.ReadWrite.All Sites.FullControl.All Files.Read.All | Subscribe members | full_access_as_app | - Disable the welcome email to new group members. - Configure the Outlook Experience (only when your organization is using the Microsoft 365 GCC High environment). - Enable integration with sensitivity labels. |
| Create Group | Directory.Read.All Group.ReadWrite.All Sites.FullControl.All Files.Read.All | Create groups via invoking the Exchange Web Services API. | full_access_as_app | - Disable the welcome email to new group members. - Configure the Outlook Experience (only when your organization is using the Microsoft 365 GCC High environment). - Enable integration with sensitivity labels. |
| Change Group Settings | Group.ReadWrite.All Sites.FullControl.All User.Read.All Files.Read.All | Classification | Directory.Read.All | No |
| Change Group Settings | Group.ReadWrite.All Sites.FullControl.All User.Read.All Files.Read.All | Outside sender | full_access_as_app | No |
| Change Group Settings | Group.ReadWrite.All Sites.FullControl.All User.Read.All Files.Read.All | Subscribe members | full_access_as_app | No |
| Change Group Settings | Group.ReadWrite.All Sites.FullControl.All User.Read.All Files.Read.All | Invite guest users to groups. | User.Invite.All | No |
| Change Group Settings | Group.ReadWrite.All Sites.FullControl.All User.Read.All Files.Read.All | Copy members from groups with hidden membership. | Member.Read.Hidden | No |
| Export & Import Microsoft 365 Group | Group.ReadWrite.All Sites.FullControl.All User.Read.All | External sharing | Directory.ReadWrite.All or Groups administrator role assigned to the custom app | No |
| Group Lifecycle Management | Group.ReadWrite.All Sites.FullControl.All User.Read.All Files.Read.All | External sharing | Directory.ReadWrite.All or Groups administrator role assigned to the custom app | No |
| Group Lifecycle Management | Group.ReadWrite.All Sites.FullControl.All User.Read.All Files.Read.All | Retrieve last activity time for inactivity calculation. | Reports.Read.All | No |
| Group Policy | User.Read.All | External sharing | Directory.Read.All | No |
| Update Microsoft 365 Group Information | Group.ReadWrite.All Sites.FullControl.All User.Read.All | No | No | No |
| Dynamic Services - Create Microsoft 365 Group | Directory.Read.All Sites.FullControl.All (SharePoint Online API) Files.Read.All Group.ReadWrite.All | Sensitivity label | InformationProtectionPolicy.Read.All | No |
| Dynamic Services - Create Microsoft 365 Group | Directory.Read.All Sites.FullControl.All (SharePoint Online API) Files.Read.All Group.ReadWrite.All | Invite guests to groups. | User.Invite.All | No |
| Dynamic Services - Create Microsoft 365 Group | Directory.Read.All Sites.FullControl.All (SharePoint Online API) Files.Read.All Group.ReadWrite.All | Specify domains. | Exchange.ManageAsApp Exchange administrator role assigned to the app | No |
| Dynamic Services - Create Microsoft 365 Group | Directory.Read.All Sites.FullControl.All (SharePoint Online API) Files.Read.All Group.ReadWrite.All | External sharing | Directory.ReadWrite.All or Groups administrator role assigned to the custom app | No |
| Dynamic Services - Create Microsoft 365 Group | Directory.Read.All Sites.FullControl.All (SharePoint Online API) Files.Read.All Group.ReadWrite.All | Content type | Sites.FullControl.All (Microsoft Graph API) | No |
| Dynamic Services - Create Microsoft 365 Group | Directory.Read.All Sites.FullControl.All (SharePoint Online API) Files.Read.All Group.ReadWrite.All | Outside sender | Group.ReadWrite.All (Delegated) | No |
The table below details the required permissions for the provisioning and management of Microsoft Teams.
| AvePoint Cloud Governance Feature | Required App Permission | Advanced Settings | Required Additional Permissions | Functionality Requires Service Account |
|---|---|---|---|---|
| Automatic Import for Microsoft Teams | Group.ReadWrite.All Sites.FullControl.All User.Read.All | External sharing | Directory.ReadWrite.All or Groups administrator role assigned to the custom app | No |
| Create Team | Directory.Read.All Group.ReadWrite.All Sites.FullControl.All Files.Read.All Team.Create | External sharing | Directory.ReadWrite.All or Groups administrator role assigned to the custom app | - Disable the welcome email to new team members. - Configure the Outlook Experience (only when your organization is using the Microsoft 365 GCC High environment). - Enable integration with sensitivity labels. |
| Create Team | Directory.Read.All Group.ReadWrite.All Sites.FullControl.All Files.Read.All Team.Create | Group team sites provisioning in multi-geo locations | Directory.ReadWrite.All or Groups administrator role assigned to the custom app | - Disable the welcome email to new team members. - Configure the Outlook Experience (only when your organization is using the Microsoft 365 GCC High environment). - Enable integration with sensitivity labels. |
| Create Team | Directory.Read.All Group.ReadWrite.All Sites.FullControl.All Files.Read.All Team.Create | Invite guest users. | User.Invite.All | - Disable the welcome email to new team members. - Configure the Outlook Experience (only when your organization is using the Microsoft 365 GCC High environment). - Enable integration with sensitivity labels. |
| Create Team | Directory.Read.All Group.ReadWrite.All Sites.FullControl.All Files.Read.All Team.Create | Create teams via invoking the Exchange Web Services API. | full_access_as_app | - Disable the welcome email to new team members. - Configure the Outlook Experience (only when your organization is using the Microsoft 365 GCC High environment). - Enable integration with sensitivity labels. |
| Create Team | Directory.Read.All Group.ReadWrite.All Sites.FullControl.All Files.Read.All Team.Create | Outside sender | full_access_as_app | - Disable the welcome email to new team members. - Configure the Outlook Experience (only when your organization is using the Microsoft 365 GCC High environment). - Enable integration with sensitivity labels. |
| Create Team | Directory.Read.All Group.ReadWrite.All Sites.FullControl.All Files.Read.All Team.Create | Subscribe members | full_access_as_app | - Disable the welcome email to new team members. - Configure the Outlook Experience (only when your organization is using the Microsoft 365 GCC High environment). - Enable integration with sensitivity labels. |
| Create Team | Directory.Read.All Group.ReadWrite.All Sites.FullControl.All Files.Read.All Team.Create | Copy members from groups with hidden membership. | Member.Read.Hidden | - Disable the welcome email to new team members. - Configure the Outlook Experience (only when your organization is using the Microsoft 365 GCC High environment). - Enable integration with sensitivity labels. |
| Create Team | Directory.Read.All Group.ReadWrite.All Sites.FullControl.All Files.Read.All Team.Create | Sensitivity label | InformationProtectionPolicy.Read.All | - Disable the welcome email to new team members. - Configure the Outlook Experience (only when your organization is using the Microsoft 365 GCC High environment). - Enable integration with sensitivity labels. |
| Change Team Settings | Group.ReadWrite.All Sites.FullControl.All User.Read.All Files.Read.All | Classification | Directory.Read.All | No |
| Change Team Settings | Group.ReadWrite.All Sites.FullControl.All User.Read.All Files.Read.All | Outside sender | full_access_as_app | No |
| Change Team Settings | Group.ReadWrite.All Sites.FullControl.All User.Read.All Files.Read.All | Subscribe members | full_access_as_app | No |
| Change Team Settings | Group.ReadWrite.All Sites.FullControl.All User.Read.All Files.Read.All | Invite guest users to teams. | User.Invite.All | No |
| Change Team Settings | Group.ReadWrite.All Sites.FullControl.All User.Read.All Files.Read.All | Copy members from groups with hidden membership. | Member.Read.Hidden | No |
| Export & Import Microsoft Team | Group.ReadWrite.All Sites.FullControl.All User.Read.All | External sharing | Directory.ReadWrite.All or Groups administrator role assigned to the custom app | No |
| Team Lifecycle Management | Group.ReadWrite.All Sites.FullControl.All User.Read.All Files.Read.All TeamSettings.ReadWrite.All | External sharing | Directory.ReadWrite.All or Groups administrator role assigned to the custom app | No |
| Team Lifecycle Management | Group.ReadWrite.All Sites.FullControl.All User.Read.All Files.Read.All TeamSettings.ReadWrite.All | Retrieve last activity time for inactivity calculation. | ChannelMessage.Read.All Reports.Read.All | No |
| Team Renewal Profile | User.Read.All Group.ReadWrite.All Sites.FullControl.All TeamMember.ReadWrite.All | No | No | No |
| Team Policy | User.Read.All | External sharing | Directory.Read.All | No |
| Update Microsoft Teams Information | Group.ReadWrite.All Sites.FullControl.All User.Read.All | No | No | No |
| Create Private Channels | User.Read.All ChannelMember.ReadWrite.All Group.Read.All Channel.Create ChannelSettings.ReadWrite.All Files.Read.All | No | No | No |
| Change Private Channel Settings | ChannelSettings.ReadWrite.All Group.Read.All User.Read.All ChannelMember.ReadWrite.All | No | No | No |
| Private Channel Renewal | ChannelSettings.ReadWrite.All Group.Read.All User.Read.All ChannelMember.ReadWrite.All | Delete private channel. | Channel.Delete.All | No |
| Shared Channel Renewal | ChannelSettings.ReadWrite.All Group.Read.All User.Read.All ChannelMember.ReadWrite.All Policy.Read.All | Delete shared channel. | Channel.Delete.All | No |
| Dynamic Services - Create Team | Directory.Read.All Sites.FullControl.All (SharePoint Online API) Files.Read.All Team.Create TeamMember.ReadWrite.All TeamSettings.Read.All | Sensitivity label | InformationProtectionPolicy.Read.All | No |
| Dynamic Services - Create Team | Directory.Read.All Sites.FullControl.All (SharePoint Online API) Files.Read.All Team.Create TeamMember.ReadWrite.All TeamSettings.Read.All | Invite guest users to teams. | User.Invite.All | No |
| Dynamic Services - Create Team | Directory.Read.All Sites.FullControl.All (SharePoint Online API) Files.Read.All Team.Create TeamMember.ReadWrite.All TeamSettings.Read.All | Add guest users to teams. | Group.ReadWrite.All | No |
| Dynamic Services - Create Team | Directory.Read.All Sites.FullControl.All (SharePoint Online API) Files.Read.All Team.Create TeamMember.ReadWrite.All TeamSettings.Read.All | Outlook experience | Group.ReadWrite.All | No |
| Dynamic Services - Create Team | Directory.Read.All Sites.FullControl.All (SharePoint Online API) Files.Read.All Team.Create TeamMember.ReadWrite.All TeamSettings.Read.All | Hide global address list. | Group.ReadWrite.All | No |
| Dynamic Services - Create Team | Directory.Read.All Sites.FullControl.All (SharePoint Online API) Files.Read.All Team.Create TeamMember.ReadWrite.All TeamSettings.Read.All | Add open extensions. | Group.ReadWrite.All | No |
| Dynamic Services - Create Team | Directory.Read.All Sites.FullControl.All (SharePoint Online API) Files.Read.All Team.Create TeamMember.ReadWrite.All TeamSettings.Read.All | Welcome email | Exchange.ManageAsApp Exchange administrator role assigned to the app | No |
| Dynamic Services - Create Team | Directory.Read.All Sites.FullControl.All (SharePoint Online API) Files.Read.All Team.Create TeamMember.ReadWrite.All TeamSettings.Read.All | Team ID | Exchange.ManageAsApp Exchange administrator role assigned to the app. | No |
| Dynamic Services - Create Team | Directory.Read.All Sites.FullControl.All (SharePoint Online API) Files.Read.All Team.Create TeamMember.ReadWrite.All TeamSettings.Read.All | External sharing | Directory.ReadWrite.All or Groups administrator role assigned to the custom app | No |
| Dynamic Services - Create Team | Directory.Read.All Sites.FullControl.All (SharePoint Online API) Files.Read.All Team.Create TeamMember.ReadWrite.All TeamSettings.Read.All | Content type | Sites.FullControl.All (Microsoft Graph API) | No |
| Dynamic Services – Team Lifecycle Management | User.Read.All Group.ReadWrite.All TeamSettings.ReadWrite.All Sites.FullControl.All (SharePoint Online API) | No | No | No |
The table below details the required permissions for the provisioning and management of distribution groups, security groups and mail-enabled security groups.
| AvePoint Cloud Governance Feature | Required App Permission | Advanced Settings | Required Additional Permissions | Functionality Requires Service Account |
|---|---|---|---|---|
| Dynamic Services - Create Distribution Group | Exchange.ManageAsApp Group.Read.All User.Read.All Exchange administrator role assigned to the app. | Invite guest users to groups. | User.Invite.All | No |
| Dynamic Services - Create Security Group | Group.ReadWrite.All User.Read.All | Invite guest users to groups. | User.Invite.All | No |
| Dynamic Services - Create Mail-enabled Security Group | Exchange.ManageAsApp Group.Read.All User.Read.All Exchange administrator role assigned to the app. | Invite guest users to groups. | User.Invite.All | No |
| Dynamic Services - Change Microsoft Entra Group Ownership or Membership | Exchange.ManageAsApp Group.ReadWrite.All User.Read.All Exchange administrator role assigned to the app. | Invite guest users to groups. | User.Invite.All | No |
| Dynamic Services - Microsoft Entra Group Lifecycle Management | Exchange.ManageAsApp Group.ReadWrite.All User.Read.All Exchange administrator role assigned to the app. | No | No | No |
The table below details the required permissions for the provisioning and management of shared mailboxes.
| AvePoint Cloud Governance Feature | Required App Permission | Advanced Settings | Required Additional Permissions | Functionality Requires Service Account |
|---|---|---|---|---|
| Dynamic Services - Create Shared Mailbox | Exchange.ManageAsApp User.ReadWrite.All Group.Read.All Exchange administrator role assigned to the app. | No | No | No |
The table below details the required permissions for the provisioning and management of resource mailboxes.
| AvePoint Cloud Governance Feature | Required App Permission | Advanced Settings | Required Additional Permissions | Functionality Requires Service Account |
|---|---|---|---|---|
| Dynamic Services - Create Equipment/Room Mailbox | Exchange.ManageAsApp User.ReadWrite.All Group.Read.All Exchange administrator role assigned to the app. | No | No | No |
The table below details the required permissions for the provisioning and management of Viva Engage communities.
| AvePoint Cloud Governance Feature | Required App Permission | Advanced Settings | Required Additional Permissions | Functionality Requires Service Account |
|---|---|---|---|---|
| Automatic Import for Viva Engage Community | Group.ReadWrite.All Sites.FullControl.All User.Read.All user_impersonation (Yammer API) | No | No | No |
| Create Viva Engage Communities | Directory.Read.All Group.ReadWrite.All Sites.FullControl.All Files.Read.All user_impersonation (Yammer API) | No | No | Configure the Outlook Experience (only when your organization is using the Microsoft 365 GCC High environment). |
| Change Viva Engage Community Settings | Group.ReadWrite.All Sites.FullControl.All User.Read.All Files.Read.All user_impersonation (Yammer API) | Classification | Directory.Read.All | No |
| Export & Import Viva Engage Community | Group.ReadWrite.All Sites.FullControl.All User.Read.All user_impersonation (Yammer API) | No | No | No |
| Viva Engage Community Lifecycle Management | Group.ReadWrite.All Sites.FullControl.All User.Read.All Files.Read.All user_impersonation (Yammer API) | Retrieve last activity time for inactivity calculation. | Reports.Read.All | No |
| Viva Engage Community Policy | User.Read.All user_impersonation (Yammer API) | No | No | No |
The table below details the required permissions for management of Power Apps.
| AvePoint Cloud Governance Feature | Required App Permission | Advanced Settings | Required Additional Permissions | Functionality Requires Service Account |
|---|---|---|---|---|
| Manage Power Apps | User User.Read.All Group.Read.All user_impersonation (Dynamics CRM API) | No | No | No |
The table below details the required permissions for management of Power Platform environments.
| AvePoint Cloud Governance Feature | Required App Permission | Advanced Settings | Required Additional Permissions | Functionality Requires Service Account |
|---|---|---|---|---|
| Manage Environments | User.Read.All Group.ReadWrite.All user_impersonation (Dynamics CRM API) | No | No | No |
The table below details the required permissions for management of Power Automate flows.
| AvePoint Cloud Governance Feature | Required App Permission | Advanced Settings | Required Additional Permissions | Functionality Requires Service Account |
|---|---|---|---|---|
| Manage Power Automate Flows | User User.Read.All Group.Read.All | No | No | No |
The table below details the required permissions for management of Power BI workspaces.
| AvePoint Cloud Governance Feature | Required App Permission | Advanced Settings | Required Additional Permissions | Functionality Requires Service Account |
|---|---|---|---|---|
| Manage Power BI Workspaces | Directory.Read.All Tenant.ReadWrite.All Workspace.ReadWrite.All | No | No | No |
The table below details the required permissions for the management of Microsoft 365 users.
| AvePoint Cloud Governance Feature | Required App Permission | Advanced Settings | Required Additional Permissions | Functionality Requires Service Account |
|---|---|---|---|---|
| Manual Import Microsoft 365 User | User.ReadWrite.All | No | No | No |
| Dynamic Services – Change Microsoft 365 user settings | User.ReadWrite.All | No | No | No |
| Dynamic Services – Manage Microsoft 365 licenses | User.ReadWrite.All Directory.Read.All | No | No | No |
The table below details the required permissions for the invitation and management of guest users.
| AvePoint Cloud Governance Feature | Required App Permission | Advanced Settings | Required Additional Permissions | Functionality Requires Service Account |
|---|---|---|---|---|
| Automatic Import for Guest User | User.Read.All Group.Read.All | Retrieve the user who invited the guest user to the tenant. | AuditLog.Read.All | No |
| Export & Import Guest User | User.Read.All Group.Read.All | No | No | No |
| Invite New Guest User | User.ReadWrite.All Group.ReadWrite.All User.Invite.All | No | No | No |
The table below details the required permissions for the approval process, metadata, and settings.
| AvePoint Cloud Governance Feature | Required App Permission | Advanced Settings | Required Additional Permissions | Functionality Requires Service Account |
|---|---|---|---|---|
| Approval Process | User.Read.All Group.Read.All | No | No | No |
| Metadata | No | Manage Person or Group metadata. | User.Read.All Group.Read.All | Retrieve user profile properties. |
| Metadata | No | Manage Microsoft Entra metadata. | User.Read.All Group.Read.All | Retrieve user profile properties. |
| Metadata | No | Manage Managed metadata. | TermStore.ReadWrite.All | Retrieve user profile properties. |
| Metadata | No | Manage Lookup metadata. | Sites.FullControl.All | Retrieve user profile properties. |
| Email Settings | No | Use a Microsoft 365 account as the email sender. | Mail.Send | No |
| Integration with AvePoint Insights for renewal permission index | ActivityFeed.Read. Also make sure the Azure app in your tenant contains the API permissions required by AvePoint Insights; for details, refer to Use a Custom Azure App in AvePoint Insights. | No | No | No |
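
The tables above can double as a least-privilege baseline for a manually created app. The following is an added example, not AvePoint's code: it derives the permissions needed by the features and advanced settings actually in use and compares them with what the app holds. Only three rows are transcribed from the tables; the `role:` prefix, the function names and the sample grant are assumptions, and permission names are compared as plain strings without distinguishing the resource API.

```python
# Added example: ROWS is transcribed from three rows of the tables on this page.
# The "role:" prefix, function names and sample inputs are assumptions.
GROUPS_ADMIN = "role:Groups administrator"  # a directory role, not an API permission

# feature -> (required app permissions, {advanced setting: alternatives that satisfy it})
ROWS = {
    "Create Site Collection": (
        {"Sites.FullControl.All", "User.Read.All", "Group.Read.All"},
        {
            "Retrieve the latest site collection URL.": {"Sites.Read.All"},
            "Manage sensitivity labels.": {"InformationProtectionPolicy.Read.All"},
            "Manage classifications.": {"Directory.Read.All"},
        },
    ),
    "Create Group": (
        {"Directory.Read.All", "Group.ReadWrite.All",
         "Sites.FullControl.All", "Files.Read.All"},
        {
            "External sharing": {"Directory.ReadWrite.All", GROUPS_ADMIN},
            "Invite guest users to groups.": {"User.Invite.All"},
            "Outside sender": {"full_access_as_app"},
        },
    ),
    "Group Lifecycle Management": (
        {"Group.ReadWrite.All", "Sites.FullControl.All",
         "User.Read.All", "Files.Read.All"},
        {
            "External sharing": {"Directory.ReadWrite.All", GROUPS_ADMIN},
            "Retrieve last activity time for inactivity calculation.": {"Reports.Read.All"},
        },
    ),
}


def requirements(in_use):
    """Return the requirements for the features and advanced settings in use.

    in_use maps a feature name to the advanced settings enabled for it.
    Each requirement is a frozenset of alternatives; holding any one satisfies it.
    """
    reqs = set()
    for feature, settings in in_use.items():
        base, advanced = ROWS[feature]  # KeyError for a feature not transcribed
        reqs.update(frozenset({perm}) for perm in base)
        for setting in settings:
            reqs.add(frozenset(advanced[setting]))
    return reqs


def audit(in_use, granted_permissions, assigned_roles=()):
    """Compare what the app holds with what the selected features need."""
    held = set(granted_permissions) | {f"role:{r}" for r in assigned_roles}
    reqs = requirements(in_use)
    # A requirement is unmet when none of its alternatives is held.
    missing = sorted(" or ".join(sorted(r)) for r in reqs if not (r & held))
    # Anything held that no selected row mentions is a candidate for removal.
    excess = sorted(held - set().union(*reqs))
    # "A or B" rows need only one alternative; holding both is redundant.
    redundant = sorted(" and ".join(sorted(r & held))
                       for r in reqs if len(r & held) > 1)
    return {"missing": missing, "excess": excess, "redundant": redundant}


if __name__ == "__main__":
    # Constructed sample: a tenant using two features with one setting each.
    in_use = {
        "Create Group": ["External sharing"],
        "Group Lifecycle Management": [
            "Retrieve last activity time for inactivity calculation."],
    }
    granted = {"Directory.Read.All", "Group.ReadWrite.All", "Sites.FullControl.All",
               "Files.Read.All", "User.Read.All", "Directory.ReadWrite.All",
               "full_access_as_app", "User.Invite.All"}
    for key, value in audit(in_use, granted, ["Groups administrator"]).items():
        print(f"{key}: {value}")
```

The granted set would normally come from the app registration's API permissions and the roles from its directory role assignments.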