Refer to the sections below for the required permissions for using AvePoint Cloud Governance properly.
To use AvePoint Cloud Governance to manage SharePoint content, ensure one of the following app profile setups is in place:
| Setup Mode | Required App Type |
|---|---|
| Classic Mode | Microsoft 365 (All permissions) |
| Classic Mode | Microsoft Entra ID |
| Modern Mode | Cloud Governance for Microsoft 365 |
| Custom Mode | Azure app |
For instructions about how to create app profiles and a detailed list of the API permissions, refer to Create App Profiles or Microsoft 365 Service Account Profiles.
The Microsoft 365 account used to consent to the app when creating the app profile must have the Global Administrator role, which is a requirement from Microsoft. For details, see the article Why is Admin Consent Required to Use the AvePoint Apps.
Several scenarios require a Microsoft 365 service account profile with a SharePoint Administrator account. For details, see When a Microsoft 365 Service Account Profile is Required.
To use AvePoint Cloud Governance to manage Microsoft 365 Groups, ensure one of the following app profile setups is in place:
A Cloud Governance for Exchange app profile in modern mode is also required in the following situations:
- You want to configure the group ID and welcome email settings for the Microsoft 365 Groups.
- Your tenant is using the Microsoft 365 GCC High environment and you want to hide Microsoft 365 Groups’ associated groups from the Outlook global address list.

If you've set up app profiles in custom mode, to configure the outside sender setting for the Create Microsoft 365 Group service in dynamic services, an app profile with a custom Azure app with delegated permissions is required instead.
| Setup Mode | Required App Type |
|---|---|
| Classic Mode | Microsoft 365 (All permissions) |
| Classic Mode | Microsoft Entra ID |
| Modern Mode | Cloud Governance for Microsoft 365 |
| Custom Mode | Azure app |
For instructions about how to create app profiles and a detailed list of the API permissions, refer to Create App Profiles or Microsoft 365 Service Account Profiles.
The Microsoft 365 account used to consent to the app when creating the app profile must have the Global Administrator role, which is a requirement from Microsoft. For details, see the article Why is Admin Consent Required to Use the AvePoint Apps.
AvePoint Cloud Governance uses Microsoft Graph API as the default method for group provisioning and management since Graph API is recommended by Microsoft. If your Microsoft 365 tenant only has one domain, AvePoint recommends that you use the Microsoft Graph API to create and manage groups. For details, refer to Appendix H - About Microsoft Graph API (Recommended Method for Microsoft 365 Groups and Microsoft Teams Management).
For other scenarios that require Exchange Web Services API, refer to Appendix I - About Exchange Web Services API.
Several scenarios require a Microsoft 365 service account. For details, see When a Microsoft 365 Service Account Profile is Required.
To use AvePoint Cloud Governance to manage Microsoft Teams, ensure one of the following app profile setups is in place:
You want to configure the team ID and welcome email settings for Microsoft Teams.
Your tenant is using the Microsoft 365 GCC High environment, and you want to hide Microsoft Teams’ associated groups from the Outlook global address list.
| Setup Mode | Required App Type |
|---|---|
| Classic Mode | Microsoft 365 (All permissions) |
| Classic Mode | Microsoft Entra ID |
| Modern Mode | Cloud Governance for Microsoft 365 |
| Custom Mode | Azure app |
For instructions about how to create app profiles and a detailed list of the API permissions, refer to Create App Profiles or Microsoft 365 Service Account Profiles.
The Microsoft 365 account used to consent to the app when creating the app profile must have the Global Administrator role, which is a requirement from Microsoft. For details, see the article Why is Admin Consent Required to Use the AvePoint Apps.
Apart from an app profile, make sure all team owners have the license for Microsoft Teams assigned in Microsoft 365.
AvePoint Cloud Governance uses Microsoft Graph API as the default method for team provisioning and management since Graph API is recommended by Microsoft. If your Microsoft 365 tenant only has one domain, AvePoint recommends that you use the Microsoft Graph API to create and manage teams. For details, refer to Appendix H - About Microsoft Graph API (Recommended Method for Microsoft 365 Groups and Microsoft Teams Management).
For other scenarios that require Exchange Web Services API, refer to Appendix I - About Exchange Web Services API.
Several scenarios require a Microsoft 365 service account. For details, see When a Microsoft 365 Service Account Profile is Required.
To use AvePoint Cloud Governance to manage distribution groups, security groups, or mail-enabled security groups, ensure one of the following app profile setups is in place:
| Setup Mode | Required App Type | Note |
|---|---|---|
| Classic Mode | Microsoft 365 (All permissions) | A Cloud Governance for Exchange app profile in modern mode is also required. |
| Classic Mode | Microsoft Entra ID | A Cloud Governance for Exchange app profile in modern mode is also required. |
| Modern Mode | Cloud Governance for Microsoft 365 | |
| Modern Mode | Cloud Governance for Exchange | |
| Custom Mode | Azure app | |
For instructions about how to create app profiles and a detailed list of the API permissions, refer to Create App Profiles or Microsoft 365 Service Account Profiles.
The Microsoft 365 account used to consent to the app when creating the app profile must have the Global Administrator role, which is a requirement from Microsoft. For details, see the article Why is Admin Consent Required to Use the AvePoint Apps.
To use AvePoint Cloud Governance to manage shared mailboxes and resource mailboxes, ensure one of the following app profile setups is in place:
| Setup Mode | Required App Type | Note |
|---|---|---|
| Classic Mode | Microsoft 365 (All permissions) | A Cloud Governance for Exchange app profile in modern mode is also required. |
| Classic Mode | Microsoft Entra ID | A Cloud Governance for Exchange app profile in modern mode is also required. |
| Modern Mode | Cloud Governance for Microsoft 365 | |
| Modern Mode | Cloud Governance for Exchange | |
| Custom Mode | Azure app | |
For instructions about how to create app profiles and a detailed list of the API permissions, refer to Create App Profiles or Microsoft 365 Service Account Profiles.
The Microsoft 365 account used to consent to the app when creating the app profile must have the Global Administrator role, which is a requirement from Microsoft. For details, see the article Why is Admin Consent Required to Use the AvePoint Apps.
To use AvePoint Cloud Governance to manage Viva Engage communities, ensure one of the following app profile setups is in place:
This is only required if you are using the classic admin center for community management.
| Setup Mode | Required App Type |
|---|---|
| Classic Mode | Microsoft 365 (All permissions) |
| Classic Mode | Microsoft Entra ID |
| Classic Mode | Viva Engage |
| Modern Mode | Cloud Governance for Microsoft 365 |
| Modern Mode | Viva Engage |
| Custom Mode | Azure app or Azure app with delegated permissions |
| Custom Mode | Viva Engage |
For instructions about how to create app profiles and a detailed list of the API permissions, refer to Create App Profiles or Microsoft 365 Service Account Profiles.
The Microsoft 365 account used to consent to the Microsoft 365, Microsoft Entra ID, or Cloud Governance for Microsoft 365 app when creating the app profile must have the Global Administrator role, which is a requirement from Microsoft. For details, see the article Why is Admin Consent Required to Use the AvePoint Apps.
The account used to consent to the Viva Engage app when creating the app profile must have the Engage admin role (Yammer Administrator role in Microsoft Entra ID).
To use AvePoint Cloud Governance to manage Power Apps, Power Platform environments, Power Automate flows, Power BI workspaces, or Power Pages sites, ensure one of the following app profile setups is in place:
| Setup Mode | Required App Type |
|---|---|
| Classic Mode | Microsoft Entra ID |
| Classic Mode | Cloud Governance for Power Platform in modern mode |
| Modern Mode | Cloud Governance for Microsoft 365 |
| Modern Mode | Cloud Governance for Power Platform |
| Custom Mode | Azure app with delegated permissions |
For instructions about how to create app profiles and a detailed list of the API permissions, refer to Create App Profiles or Microsoft 365 Service Account Profiles.
The Microsoft 365 account used to consent to the app when creating the app profile must have the Global Administrator role, which is a requirement from Microsoft. For details, see the article Why is Admin Consent Required to Use the AvePoint Apps.
To manage Power BI workspaces, the account used to consent to the AvePoint Cloud Governance for Power Platform app or custom Azure app when creating the app profile must have the Power BI license.
To use AvePoint Cloud Governance to manage Microsoft 365 users, ensure one of the following app profile setups is in place:
| Setup Mode | Required App Type |
|---|---|
| Classic Mode | Microsoft Entra ID |
| Modern Mode | Cloud Governance for Microsoft 365 |
| Custom Mode | Azure app |
For instructions about how to create app profiles and a detailed list of the API permissions, refer to Create App Profiles or Microsoft 365 Service Account Profiles.
The Microsoft 365 account used to consent to the app when creating the app profile must have the Global Administrator role, which is a requirement from Microsoft. For details, see the article Why is Admin Consent Required to Use the AvePoint Apps.
To use AvePoint Cloud Governance to manage guest users, ensure one of the following app profile setups is in place:
| Setup Mode | Required App Type |
|---|---|
| Classic Mode | Microsoft Entra ID |
| Modern Mode | Cloud Governance for Microsoft 365 |
| Custom Mode | Azure app |
For instructions about how to create app profiles and a detailed list of the API permissions, refer to Create App Profiles or Microsoft 365 Service Account Profiles.
The Microsoft 365 account used to consent to the app when creating the app profile must have the Global Administrator role, which is a requirement from Microsoft. For details, see the article Why is Admin Consent Required to Use the AvePoint Apps.