English

Home > Appendices > Appendix J - Custom Azure App Permissions for Using AvePoint Cloud Governance

Appendix J - Custom Azure App Permissions for Using AvePoint Cloud Governance

To use AvePoint Cloud Governance properly, your tenant must first create app profiles or Microsoft 365 service account profiles in AvePoint Online Services. With the apps or Microsoft 365 service account, AvePoint Cloud Governance can connect to your Microsoft 365 tenant, Microsoft Entra ID, or Viva Engage. For more details on app profiles and service account profiles, refer to Create App Profiles or Microsoft 365 Service Account Profiles.

If you want to manually create an app in your Microsoft Entra ID, you need to add API permissions to the custom app. The tables below detail the AvePoint Cloud Governance features and the required permissions.

SharePoint Object Provisioning and Management

The table below details the required permissions for the provisioning and management of SharePoint objects.

AvePoint Cloud Governance Feature	Required App Permission	Advanced Settings	Required Additional Permissions	Functionality Requires Service Account
Automatic Import for Site Collection	Sites.FullControl.AllUser.Read.All	No	No	No
Create Site Collection	Sites.FullControl.AllUser.Read.AllGroup.Read.All	Retrieve the latest site collection URL.	Sites.Read.All	Create site collections or sites in the Business Intelligence Center template or Visio Process Repository template.Use the AvePoint Cloud Management Deployment Manager plan to deploy design elements or solutions to the site collections or sites.
Create Site Collection	Sites.FullControl.AllUser.Read.AllGroup.Read.All	Manage sensitivity labels.	InformationProtectionPolicy.Read.All	Create site collections or sites in the Business Intelligence Center template or Visio Process Repository template.Use the AvePoint Cloud Management Deployment Manager plan to deploy design elements or solutions to the site collections or sites.
Create Site Collection	Sites.FullControl.AllUser.Read.AllGroup.Read.All	Manage classifications.	Directory.Read.All	Create site collections or sites in the Business Intelligence Center template or Visio Process Repository template.Use the AvePoint Cloud Management Deployment Manager plan to deploy design elements or solutions to the site collections or sites.
Change Site Collection Settings	Sites.FullControl.AllUser.Read.All	No	No	No
Change Site Collection Contact or Administrator	Sites.FullControl.AllUser.Read.All	No	No	No
Create Site	Sites.FullControl.AllUser.Read.AllGroup.Read.All	Retrieve the latest site URL.	Sites.Read.All	Create site collections or sites in the Business Intelligence Center template or Visio Process Repository template.Use the AvePoint Cloud Management Deployment Manager plan to deploy design elements or solutions to the site collections or sites.
Change Site Settings	Sites.FullControl.AllUser.Read.All	No	No	No
Change Site Contact	Sites.FullControl.AllUser.Read.All	No	No	No
Create Library/List	Sites.FullControl.AllUser.Read.AllGroup.Read.All	No	No	No
Change Library/List Settings	Sites.FullControl.AllUser.Read.All	No	No	No
Export & Import Site Collection	Sites.FullControl.AllUser.Read.All	No	No	No
Export & Import Site	Sites.FullControl.AllUser.Read.All	No	No	No
Content Move	Sites.FullControl.AllUser.Read.All	No	No	No
Change Permissions	Sites.FullControl.AllUser.Read.All	No	No	No
Clone or Transfer Permissions	Sites.FullControl.AllUser.Read.All	No	No	No
Grant Permissions	Sites.FullControl.AllUser.Read.All	No	No	Invite new guest user.
Manage Permissions	Sites.FullControl.AllUser.Read.All	Invite guest users.	User.Invite.All	No
Site Collection Lifecycle Management	Sites.FullControl.AllUser.Read.All	Retrieve last activity time for inactivity calculation.	Reports.Read.All	No
Site Lifecycle Management	Sites.FullControl.AllUser.Read.All	No	No	No
Site Collection Policy	User.Read.All	External sharing	Sites.FullControl.All	No
Update Site collection Information	Sites.FullControl.AllUser.Read.All	No	No	No
Dynamic Services - Create Site Collection	Directory.Read.AllSites.FullControl.All (SharePoint Online)	Sensitivity label	InformationProtectionPolicy.Read.All	Create site collections with the special template (Business Intelligence Center).
Dynamic Services - Create Site Collection	Directory.Read.AllSites.FullControl.All (SharePoint Online)	Content type	Sites.FullControl.All (Microsoft Graph API)	Create site collections with the special template (Business Intelligence Center).
Dynamic Services - Create Library	Sites.FullControl.All (SharePoint Online)Group.Read.AllUser.Read.All	Content type	Sites.FullControl.All (Microsoft Graph API)	No

Microsoft 365 Group Provisioning and Management

The table below details the required permissions for the provisioning and management of Microsoft 365 Groups.

AvePoint Cloud Governance Feature	Required App Permission	Advanced Settings	Required Additional Permissions	Functionality Requires Service Account
Automatic Import for Microsoft 365 Group	Group.ReadWrite.AllSites.FullControl.AllUser.Read.All	External sharing	Directory.ReadWrite.All or Groups administrator role assigned to the custom app	No
Create Group	Directory.Read.AllGroup.ReadWrite.AllSites.FullControl.AllFiles.Read.All	External sharing	Directory.ReadWrite.All or Groups administrator role assigned to the custom app	Disable the welcome email to new group members.Configure the Outlook Experience (only when your organization is using the Microsoft 365 GCC High environment).Enable integration with sensitivity labels.
Create Group	Directory.Read.AllGroup.ReadWrite.AllSites.FullControl.AllFiles.Read.All	Group team sites provisioning in multi-geo locations	Directory.ReadWrite.All or Groups administrator role assigned to the custom app	Disable the welcome email to new group members.Configure the Outlook Experience (only when your organization is using the Microsoft 365 GCC High environment).Enable integration with sensitivity labels.
Create Group	Directory.Read.AllGroup.ReadWrite.AllSites.FullControl.AllFiles.Read.All	Invite guest users to groups.	User.Invite.All	Disable the welcome email to new group members.Configure the Outlook Experience (only when your organization is using the Microsoft 365 GCC High environment).Enable integration with sensitivity labels.
Create Group	Directory.Read.AllGroup.ReadWrite.AllSites.FullControl.AllFiles.Read.All	Copy members from groups with hidden membership.	Member.Read.Hidden	Disable the welcome email to new group members.Configure the Outlook Experience (only when your organization is using the Microsoft 365 GCC High environment).Enable integration with sensitivity labels.
Create Group	Directory.Read.AllGroup.ReadWrite.AllSites.FullControl.AllFiles.Read.All	Sensitivity label	InformationProtectionPolicy.Read.All	Disable the welcome email to new group members.Configure the Outlook Experience (only when your organization is using the Microsoft 365 GCC High environment).Enable integration with sensitivity labels.
Create Group	Directory.Read.AllGroup.ReadWrite.AllSites.FullControl.AllFiles.Read.All	Outside sender	full_access_as_app	Disable the welcome email to new group members.Configure the Outlook Experience (only when your organization is using the Microsoft 365 GCC High environment).Enable integration with sensitivity labels.
Create Group	Directory.Read.AllGroup.ReadWrite.AllSites.FullControl.AllFiles.Read.All	Subscribe members	full_access_as_app	Disable the welcome email to new group members.Configure the Outlook Experience (only when your organization is using the Microsoft 365 GCC High environment).Enable integration with sensitivity labels.
Create Group	Directory.Read.AllGroup.ReadWrite.AllSites.FullControl.AllFiles.Read.All	Create groups via invoking the Exchange Web Services API.	full_access_as_app	Disable the welcome email to new group members.Configure the Outlook Experience (only when your organization is using the Microsoft 365 GCC High environment).Enable integration with sensitivity labels.
Change Group Settings	Group.ReadWrite.AllSites.FullControl.AllUser.Read.AllFiles.Read.All	Classification	Directory.Read.All	No
Change Group Settings	Group.ReadWrite.AllSites.FullControl.AllUser.Read.AllFiles.Read.All	Outside sender	full_access_as_app	No
Change Group Settings	Group.ReadWrite.AllSites.FullControl.AllUser.Read.AllFiles.Read.All	Subscribe members	full_access_as_app	No
Change Group Settings	Group.ReadWrite.AllSites.FullControl.AllUser.Read.AllFiles.Read.All	Invite guest users to groups.	User.Invite.All	No
Change Group Settings	Group.ReadWrite.AllSites.FullControl.AllUser.Read.AllFiles.Read.All	Copy members from groups with hidden membership.	Member.Read.Hidden	No
Export & Import Microsoft 365 Group	Group.ReadWrite.AllSites.FullControl.AllUser.Read.All	External sharing	Directory.ReadWrite.All or Groups administrator role assigned to the custom app	No
Group Lifecycle Management	Group.ReadWrite.AllSites.FullControl.AllUser.Read.AllFiles.Read.All	External sharing	Directory.ReadWrite.All or Groups administrator role assigned to the custom app	No
Group Lifecycle Management	Group.ReadWrite.AllSites.FullControl.AllUser.Read.AllFiles.Read.All	Retrieve last activity time for inactivity calculation.	Reports.Read.All	No
Group Policy	User.Read.All	External sharing	Directory.Read.All	No
Update Microsoft 365 Group Information	Group.ReadWrite.AllSites.FullControl.AllUser.Read.All	No	No	No
Dynamic Services - Create Microsoft 365 Group	Directory.Read.AllSites.FullControl.All (SharePoint Online API)Files.Read.AllGroup.ReadWrite.All	Sensitivity label	InformationProtectionPolicy.Read.All	No
Dynamic Services - Create Microsoft 365 Group	Directory.Read.AllSites.FullControl.All (SharePoint Online API)Files.Read.AllGroup.ReadWrite.All	Invite guests to groups.	User.Invite.All	No
Dynamic Services - Create Microsoft 365 Group	Directory.Read.AllSites.FullControl.All (SharePoint Online API)Files.Read.AllGroup.ReadWrite.All	Specify domains.	Exchange.ManageAsAppExchange administrator role assigned to the app	No
Dynamic Services - Create Microsoft 365 Group	Directory.Read.AllSites.FullControl.All (SharePoint Online API)Files.Read.AllGroup.ReadWrite.All	External sharing	Directory.ReadWrite.All or Groups administrator role assigned to the custom app	No
Dynamic Services - Create Microsoft 365 Group	Directory.Read.AllSites.FullControl.All (SharePoint Online API)Files.Read.AllGroup.ReadWrite.All	Content type	Sites.FullControl.All (Microsoft Graph API)	No
Dynamic Services - Create Microsoft 365 Group	Directory.Read.AllSites.FullControl.All (SharePoint Online API)Files.Read.AllGroup.ReadWrite.All	Outside sender	Group.ReadWrite.All (Delegated)	No

Microsoft Team Provisioning and Management

The table below details the required permissions for the provisioning and management of Microsoft Teams.

AvePoint Cloud Governance Feature	Required App Permission	Advanced Settings	Required Additional Permissions	Functionality Requires Service Account
Automatic Import for Microsoft Teams	Group.ReadWrite.AllSites.FullControl.AllUser.Read.All	External sharing	Directory.ReadWrite.All or Groups administrator role assigned to the custom app	No
Create Team	Directory.Read.AllGroup.ReadWrite.AllSites.FullControl.AllFiles.Read.AllTeam.Create	External sharing	Directory.ReadWrite.All or Groups administrator role assigned to the custom app	Disable the welcome email to new team members.Configure the Outlook Experience (only when your organization is using the Microsoft 365 GCC High environment).Enable integration with sensitivity labels.
Create Team	Directory.Read.AllGroup.ReadWrite.AllSites.FullControl.AllFiles.Read.AllTeam.Create	Group team sites provisioning in multi-geo locations	Directory.ReadWrite.All or Groups administrator role assigned to the custom app	Disable the welcome email to new team members.Configure the Outlook Experience (only when your organization is using the Microsoft 365 GCC High environment).Enable integration with sensitivity labels.
Create Team	Directory.Read.AllGroup.ReadWrite.AllSites.FullControl.AllFiles.Read.AllTeam.Create	Invite guest users.	User.Invite.All	Disable the welcome email to new team members.Configure the Outlook Experience (only when your organization is using the Microsoft 365 GCC High environment).Enable integration with sensitivity labels.
Create Team	Directory.Read.AllGroup.ReadWrite.AllSites.FullControl.AllFiles.Read.AllTeam.Create	Create teams via invoking the Exchange Web Services API.	full_access_as_app	Disable the welcome email to new team members.Configure the Outlook Experience (only when your organization is using the Microsoft 365 GCC High environment).Enable integration with sensitivity labels.
Create Team	Directory.Read.AllGroup.ReadWrite.AllSites.FullControl.AllFiles.Read.AllTeam.Create	Outside sender	full_access_as_app	Disable the welcome email to new team members.Configure the Outlook Experience (only when your organization is using the Microsoft 365 GCC High environment).Enable integration with sensitivity labels.
Create Team	Directory.Read.AllGroup.ReadWrite.AllSites.FullControl.AllFiles.Read.AllTeam.Create	Subscribe members	full_access_as_app	Disable the welcome email to new team members.Configure the Outlook Experience (only when your organization is using the Microsoft 365 GCC High environment).Enable integration with sensitivity labels.
Create Team	Directory.Read.AllGroup.ReadWrite.AllSites.FullControl.AllFiles.Read.AllTeam.Create	Copy members from groups with hidden membership.	Member.Read.Hidden	Disable the welcome email to new team members.Configure the Outlook Experience (only when your organization is using the Microsoft 365 GCC High environment).Enable integration with sensitivity labels.
Create Team	Directory.Read.AllGroup.ReadWrite.AllSites.FullControl.AllFiles.Read.AllTeam.Create	Sensitivity label	InformationProtectionPolicy.Read.All	Disable the welcome email to new team members.Configure the Outlook Experience (only when your organization is using the Microsoft 365 GCC High environment).Enable integration with sensitivity labels.
Change Team Settings	Group.ReadWrite.AllSites.FullControl.AllUser.Read.AllFiles.Read.All	Classification	Directory.Read.All	No
Change Team Settings	Group.ReadWrite.AllSites.FullControl.AllUser.Read.AllFiles.Read.All	Outside sender	full_access_as_app	No
Change Team Settings	Group.ReadWrite.AllSites.FullControl.AllUser.Read.AllFiles.Read.All	Subscribe members	full_access_as_app	No
Change Team Settings	Group.ReadWrite.AllSites.FullControl.AllUser.Read.AllFiles.Read.All	Invite guest users to teams.	User.Invite.All	No
Change Team Settings	Group.ReadWrite.AllSites.FullControl.AllUser.Read.AllFiles.Read.All	Copy members from groups with hidden membership.	Member.Read.Hidden	No
Export & Import Microsoft Team	Group.ReadWrite.AllSites.FullControl.AllUser.Read.All	External sharing	Directory.ReadWrite.All or Groups administrator role assigned to the custom app	No
Team Lifecycle Management	Group.ReadWrite.AllSites.FullControl.AllUser.Read.AllFiles.Read.AllTeamSettings.ReadWrite.All	External sharing	Directory.ReadWrite.All or Groups administrator role assigned to the custom app	No
Team Lifecycle Management	Group.ReadWrite.AllSites.FullControl.AllUser.Read.AllFiles.Read.AllTeamSettings.ReadWrite.All	Retrieve last activity time for inactivity calculation.	ChannelMessage.Read.AllReports.Read.All	No
Team Renewal Profile	User.Read.AllGroup.ReadWrite.AllSites.FullControl.AllTeamMember.ReadWrite.All	No	No	No
Team Policy	User.Read.All	External sharing	Directory.Read.All	No
Update Microsoft Teams Information	Group.ReadWrite.AllSites.FullControl.AllUser.Read.All	No	No	No
Create Private Channels	User.Read.AllChannelMember.ReadWrite.AllGroup.Read.AllChannel.CreateChannelSettings.ReadWrite.AllFiles.Read.All	No	No	No
Change Private Channel Settings	ChannelSettings.ReadWrite.AllGroup.Read.AllUser.Read.AllChannelMember.ReadWrite.All	No	No	No
Private Channel Renewal	ChannelSettings.ReadWrite.AllGroup.Read.AllUser.Read.AllChannelMember.ReadWrite.All	Delete private channel.	Channel.Delete.All	No
Shared Channel Renewal	ChannelSettings.ReadWrite.AllGroup.Read.AllUser.Read.AllChannelMember.ReadWrite.All Policy.Read.All	Delete shared channel.	Channel.Delete.All	No
Dynamic Services - Create Team	Directory.Read.AllSites.FullControl.All (SharePoint Online API)Files.Read.AllTeam.CreateTeamMember.ReadWrite.AllTeamSettings.Read.All	Sensitivity label	InformationProtectionPolicy.Read.All	No
Dynamic Services - Create Team	Directory.Read.AllSites.FullControl.All (SharePoint Online API)Files.Read.AllTeam.CreateTeamMember.ReadWrite.AllTeamSettings.Read.All	Invite guest users to teams.	User.Invite.All	No
Dynamic Services - Create Team	Directory.Read.AllSites.FullControl.All (SharePoint Online API)Files.Read.AllTeam.CreateTeamMember.ReadWrite.AllTeamSettings.Read.All	Add guest users to teams.	Group.ReadWrite.All	No
Dynamic Services - Create Team	Directory.Read.AllSites.FullControl.All (SharePoint Online API)Files.Read.AllTeam.CreateTeamMember.ReadWrite.AllTeamSettings.Read.All	Outlook experience	Group.ReadWrite.All	No
Dynamic Services - Create Team	Directory.Read.AllSites.FullControl.All (SharePoint Online API)Files.Read.AllTeam.CreateTeamMember.ReadWrite.AllTeamSettings.Read.All	Hide global address list.	Group.ReadWrite.All	No
Dynamic Services - Create Team	Directory.Read.AllSites.FullControl.All (SharePoint Online API)Files.Read.AllTeam.CreateTeamMember.ReadWrite.AllTeamSettings.Read.All	Add open extensions.	Group.ReadWrite.All	No
Dynamic Services - Create Team	Directory.Read.AllSites.FullControl.All (SharePoint Online API)Files.Read.AllTeam.CreateTeamMember.ReadWrite.AllTeamSettings.Read.All	Welcome email	Exchange.ManageAsAppExchange administrator role assigned to the app	No
Dynamic Services - Create Team	Directory.Read.AllSites.FullControl.All (SharePoint Online API)Files.Read.AllTeam.CreateTeamMember.ReadWrite.AllTeamSettings.Read.All	Team ID	Exchange.ManageAsAppExchange administrator role assigned to the app.	No
Dynamic Services - Create Team	Directory.Read.AllSites.FullControl.All (SharePoint Online API)Files.Read.AllTeam.CreateTeamMember.ReadWrite.AllTeamSettings.Read.All	External sharing	Directory.ReadWrite.All or Groups administrator role assigned to the custom app	No
Dynamic Services - Create Team	Directory.Read.AllSites.FullControl.All (SharePoint Online API)Files.Read.AllTeam.CreateTeamMember.ReadWrite.AllTeamSettings.Read.All	Content type	Sites.FullControl.All (Microsoft Graph API)	No
Dynamic Services – Team Lifecycle Management	User.Read.AllGroup.ReadWrite.AllTeamSettings.ReadWrite.AllSites.FullControl.All (SharePoint Online API)	No	No	No

Microsoft Entra Group Provisioning and Management

The table below details the required permissions for the provisioning and management of distribution groups, security groups and mail-enabled security groups.

AvePoint Cloud Governance Feature	Required App Permission	Advanced Settings	Required Additional Permissions	Functionality Requires Service Account
Dynamic Services - Create Distribution Group	Exchange.ManageAsAppGroup.Read.AllUser.Read.AllExchange administrator role assigned to the app.	Invite guest users to groups.	User.Invite.All	No
Dynamic Services - Create Security Group	Group.ReadWrite.AllUser.Read.All	Invite guest users to groups.	User.Invite.All	No
Dynamic Services - Create Mail-enabled Security Group	Exchange.ManageAsAppGroup.Read.AllUser.Read.AllExchange administrator role assigned to the app.	Invite guest users to groups.	User.Invite.All	No
Dynamic Services - Change Microsoft Entra Group Ownership or Membership	Exchange.ManageAsAppGroup.ReadWrite.All,User.Read.All Exchange administrator role assigned to the app.	Invite guest users to groups.	User.Invite.All	No
Dynamic Services - Microsoft Entra Group Lifecycle Management	Exchange.ManageAsAppGroup.ReadWrite.AllUser.Read.AllExchange administrator role assigned to the app.	No	No	No

Shared Mailbox Provisioning and Management

The table below details the required permissions for the provisioning and management of shared mailboxes.

AvePoint Cloud Governance Feature	Required App Permission	Advanced Settings	Required Additional Permissions	Functionality Requires Service Account
Dynamic Services - Create Shared Mailbox	Exchange.ManageAsAppUser.ReadWrite.AllGroup.Read.AllExchange administrator role assigned to the app.	No	No	No

Resource Mailbox Provisioning and Management

The table below details the required permissions for the provisioning and management of resource mailboxes.

AvePoint Cloud Governance Feature	Required App Permission	Advanced Settings	Required Additional Permissions	Functionality Requires Service Account
Dynamic Services - Create Equipment/Room Mailbox	Exchange.ManageAsAppUser.ReadWrite.AllGroup.Read.AllExchange administrator role assigned to the app.	No	No	No

Viva Engage Community Provisioning and Management

The table below details the required permissions for the provisioning and management of Viva Engage communities.

AvePoint Cloud Governance Feature	Required App Permission	Advanced Settings	Required Additional Permissions	Functionality Requires Service Account
Automatic Import for Viva Engage Community	Group.ReadWrite.AllSites.FullControl.AllUser.Read.Alluser_impersonation (Yammer API)	No	No	No
Create Viva Engage Communities	Directory.Read.AllGroup.ReadWrite.AllSites.FullControl.AllFiles.Read.Alluser_impersonation (Yammer API)	No	No	Configure the Outlook Experience (only when your organization is using the Microsoft 365 GCC High environment).
Change Viva Engage Community Settings	Group.ReadWrite.AllSites.FullControl.AllUser.Read.AllFiles.Read.Alluser_impersonation (Yammer API)	Classification	Directory.Read.All	No
Export & Import Viva Engage Community	Group.ReadWrite.AllSites.FullControl.AllUser.Read.Alluser_impersonation (Yammer API)	No	No	No
Viva Engage Community Lifecycle Management	Group.ReadWrite.AllSites.FullControl.AllUser.Read.AllFiles.Read.Alluser_impersonation (Yammer API)	Retrieve last activity time for inactivity calculation.	Reports.Read.All	No
Viva Engage Community Policy	User.Read.Alluser_impersonation (Yammer API)	No	No	No

Power App Management

The table below details the required permissions for management of Power Apps.

AvePoint Cloud Governance Feature	Required App Permission	Advanced Settings	Required Additional Permissions	Functionality Requires Service Account
Manage Power Apps	UserUser.Read.AllGroup.Read.Alluser_impersonation (Dynamics CRM API)	No	No	No

Environment Management

The table below details the required permissions for management of Power Platform environments.

AvePoint Cloud Governance Feature	Required App Permission	Advanced Settings	Required Additional Permissions	Functionality Requires Service Account
Manage Environments	User.Read.AllGroup.ReadWrite.Alluser_impersonation(Dynamics CRM API)	No	No	No

Power Automate Flow Management

The table below details the required permissions for management of Power Automate flows.

AvePoint Cloud Governance Feature	Required App Permission	Advanced Settings	Required Additional Permissions	Functionality Requires Service Account
Manage Power Automate Flows	UserUser.Read.AllGroup.Read.All	No	No	No

Power BI Workspace Management

The table below details the required permissions for management of Power BI workspaces.

AvePoint Cloud Governance Feature	Required App Permission	Advanced Settings	Required Additional Permissions	Functionality Requires Service Account
Manage Power BI Workspaces	Directory.Read.AllTenant.ReadWrite.AllWorkspace.ReadWrite.All	No	No	No

Microsoft 365 User Management

The table below details the required permissions for the management of Microsoft 365 users.

AvePoint Cloud Governance Feature	Required App Permission	Advanced Settings	Required Additional Permissions	Functionality Requires Service Account
Manual Import Microsoft 365 User	User.ReadWrite.All	No	No	No
Dynamic Services – Change Microsoft 365 user settings	User.ReadWrite.All	No	No	No
Dynamic Services – Manage Microsoft 365 licenses	User.ReadWrite.AllDirectory.Read.All	No	No	No

Guest User Invitation and Management

The table below details the required permissions for the invitation and management of guest users.

AvePoint Cloud Governance Feature	Required App Permission	Advanced Settings	Required Additional Permissions	Functionality Requires Service Account
Automatic Import for Guest User	User.Read.AllGroup.Read.All	Retrieve the user who invited the guest user to the tenant.	AuditLog.Read.All	No
Export & Import Guest User	User.Read.AllGroup.Read.All	No	No	No
Invite New Guest User	User.ReadWrite.AllGroup.ReadWrite.AllUser.Invite.All	No	No	No

Approval Process, Metadata, and Settings

The table below details the required permissions for the approval process, metadata, and settings.

AvePoint Cloud Governance Feature	Required App Permission	Advanced Settings	Required Additional Permissions	Functionality Requires Service Account
Approval Process	User.Read.AllGroup.Read.All	No	No	No
Metadata	No	Manage Person or Group metadata.	User.Read.AllGroup.Read.All	Retrieve user profile properties.
Metadata	No	Manage Microsoft Entra metadata.	User.Read.AllGroup.Read.All	Retrieve user profile properties.
Metadata	No	Manage Managed metadata.	TeamStore.ReadWrite.All	Retrieve user profile properties.
Metadata	No	Manage Lookup metadata.	Sites.FullControl.All	Retrieve user profile properties.
Email Settings	No	Use a Microsoft 365 account as the email sender.	Mail.Send	No
Integration with AvePoint Insights for renewal permission index	ActivityFeed.ReadMake sure the API permissions required by AvePoint Insights are contained in the Azure app in a tenant. For details, refer to Use a Custom Azure App in AvePoint Insights.	No	No	No

On this page

Settings

Configure Library Templates

Appendix E - Integration with ServiceNow

Appendix G - Supported References in Email Templates