Required Permissions
The objects that are managed or reported on in AvePoint Cloud Management must first be scanned by Auto Discovery in AvePoint Online Services. After the objects are scanned, users who have permission to use an AvePoint Cloud Management module can use its full functionality to manage or report on those objects.
Auto Discovery provides two authentication methods for scanning objects: a service account profile and an app profile. The easiest way to work with your environment is to register an app profile. This ensures that all jobs that run in your environment are tagged as AvePoint activities and that AvePoint does not need to store any service accounts or passwords. When you use the app profile authentication method to scan objects, the app token within the app profile is used to manage data, and the credentials of the Microsoft 365 Global Administrator account are not stored by AvePoint Online Services. Only your administrator's consent is recorded; this consent can be monitored in your Microsoft Entra ID (under Enterprise applications) and can be revoked at any time from your environment. While we suggest you use the app profile method, there are specific instances in which this method is not recommended. Refer to Unsupported SharePoint Online Data Types and Supported and Unsupported Functionalities to help you determine whether the app profile method will satisfy your data management requirements.
If you want to use the Identity Manager module to manage users and groups in Microsoft Entra, both a service account profile and an app profile are required.
Refer to the scenarios below for the permissions required by AvePoint Cloud Management.
If you want AvePoint Online Services to automatically create apps in your Microsoft Entra ID, refer to the table below to select the app when you create the app profile in AvePoint Online Services.
| Mode | App Type | Note |
|---|---|---|
| Classic Mode | Microsoft 365 (All permissions) | Once you create this app profile, the AvePoint Online Services Administration for Microsoft 365 app will be automatically created in your Microsoft Entra ID. To see the API permissions you need to accept when you authorize the app, refer to the Microsoft 365 (All permissions) section in the AvePoint Online Services user guide. |
| Classic Mode | Microsoft Entra ID | Once you create this app profile, the AvePoint Online Services Administration for Microsoft Entra ID app will be automatically created in your Microsoft Entra ID. To see the API permissions you need to accept when you authorize the app, refer to the Microsoft Entra ID section in the AvePoint Online Services user guide. *Note: This app is only required by the Identity Manager module. |
| Modern Mode | Cloud Management Service for Microsoft 365 | Once you create this app profile, the AvePoint Cloud Management Service for Microsoft 365 app will be automatically created in your Microsoft Entra ID. To see the API permissions you need to accept when you authorize the app, refer to the Cloud Management Services for Microsoft 365 section in the AvePoint Online Services user guide. |
| Modern Mode | Reporting for Microsoft 365 | Once you create this app profile, the AvePoint Reporting for Microsoft 365 app will be automatically created in your Microsoft Entra ID. To see the API permissions you need to accept when you authorize the app, refer to the Reporting for Microsoft 365 section in the AvePoint Online Services user guide. |
Refer to Manage App Profiles for instructions on how to create app profiles.
A custom app can replace the automatically created apps. It can be used to manage SharePoint, Microsoft 365 Group team sites, Microsoft 365 users, and Microsoft 365 Groups.
If you want to manually create an app in your Microsoft Entra ID, add the API permissions required by AvePoint Cloud Management, listed in the table below, to the custom app. All of them are application permissions (Type: Application): they apply to every object in the tenant rather than to a signed-in user, and they take effect only after an administrator grants admin consent for the app.
| Module | API Name | Permission | Type | Purpose |
|---|---|---|---|---|
| Administrator | SharePoint | Sites.FullControl.All (Have full control of all site collections) | Application | Retrieve information of site collections. |
| Administrator | SharePoint | User.ReadWrite.All (Read and write user profiles) | Application | Retrieve information of Microsoft 365 user profiles related to OneDrive. |
| Administrator | Microsoft Graph | Group.Read.All (Read all groups) | Application | Scan Microsoft 365 Group team sites by scanning Microsoft 365 Groups and Microsoft Teams in AvePoint Online Services Auto Discovery. |
| Content Manager | SharePoint | Sites.FullControl.All (Have full control of all site collections) | Application | Retrieve information of site collections. |
| Content Manager | SharePoint | User.ReadWrite.All (Read and write user profiles) | Application | Retrieve information of Microsoft 365 user profiles related to OneDrive. |
| Content Manager | SharePoint | TermStore.ReadWrite.All (Read and write managed metadata) | Application | Copy or move Managed Metadata Service. |
| Content Manager | Microsoft Graph | Group.Read.All (Read all groups) | Application | Scan Microsoft 365 Group team sites by scanning Microsoft 365 Groups and Microsoft Teams in AvePoint Online Services Auto Discovery. |
| Deployment Manager | SharePoint | Sites.FullControl.All (Have full control of all site collections) | Application | Retrieve information of site collections. |
| Deployment Manager | SharePoint | User.ReadWrite.All (Read and write user profiles) | Application | Retrieve information of Microsoft 365 user profiles related to OneDrive. |
| Deployment Manager | SharePoint | TermStore.ReadWrite.All (Read and write managed metadata) | Application | Deploy Managed Metadata Service. |
| Deployment Manager | Microsoft Graph | Group.Read.All (Read all groups) | Application | Scan Microsoft 365 Group team sites by scanning Microsoft 365 Groups and Microsoft Teams in AvePoint Online Services Auto Discovery. |
| Replicator | SharePoint | Sites.FullControl.All (Have full control of all site collections) | Application | Retrieve information of site collections. |
| Replicator | SharePoint | User.ReadWrite.All (Read and write user profiles) | Application | Retrieve information of Microsoft 365 user profiles related to OneDrive. |
| Replicator | SharePoint | TermStore.ReadWrite.All (Read and write managed metadata) | Application | Replicate Managed Metadata Service. |
| Replicator | Microsoft Graph | Group.Read.All (Read all groups) | Application | Scan Microsoft 365 Group team sites by scanning Microsoft 365 Groups and Microsoft Teams in AvePoint Online Services Auto Discovery. |
| Report Center | SharePoint | Sites.FullControl.All (Have full control of all site collections) | Application | Retrieve site collection information to generate reports. |
| Report Center | Office 365 Management APIs | ActivityFeed.Read (Read activity data for your organization) | Application | Retrieve activity data in your organization to generate reports. |
| Report Center | Microsoft Graph | User.Read.All (Read all users' full profiles) | Application | Retrieve user information to generate reports. |
| Report Center | Microsoft Graph | Group.Read.All (Read all groups) | Application | Retrieve group information to generate reports. |
| Identity Manager | Microsoft Graph | User.ReadWrite.All (Read and write all users' full profiles) | Application | Search for users and display them on the interface, as well as invite guest users to organizations. |
| Identity Manager | Microsoft Graph | Group.ReadWrite.All (Read and write all groups) | Application | Search for groups and display them on the interface. |
| Identity Manager | Microsoft Graph | Directory.Read.All (Read directory data) | Application | Manage licenses, users, roles, and applications that can be accessed by users. |
| Identity Manager | Microsoft Graph | Member.Read.Hidden (Read all hidden memberships) | Application | Delete ghost guest users that exist as hidden memberships. |
| Identity Manager | SharePoint | Sites.FullControl.All (Have full control of all site collections) | Application | Retrieve site collection information to manage ghost guest users. |
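Because every permission above is tenant-wide, it is worth confirming that a custom app has been consented exactly the set the table lists for the modules you actually use, and nothing more. The following Microsoft Graph PowerShell script is an added example, not AvePoint's code or a documented AvePoint procedure: it resolves the app-only permissions consented to the custom app's service principal, compares them with the documented set for the selected modules, and optionally revokes grants outside that set. It assumes the Microsoft.Graph PowerShell SDK is installed, that the caller may read application objects and manage app role assignments, and that $AppId is the client ID of your custom app. The module names and permission lists are copied from the table; the three resource appIds are Microsoft's well-known values for Microsoft Graph, SharePoint Online and the Office 365 Management APIs.

```powershell
# Added example (not AvePoint code): compare the app-only permissions granted to a
# custom app with the set this page documents for the selected modules.
# Assumes: Microsoft.Graph PowerShell SDK; $AppId is your custom app's client ID.
param(
    [Parameter(Mandatory)] [string] $AppId,
    [ValidateSet('Administrator', 'Content Manager', 'Deployment Manager',
                 'Replicator', 'Report Center', 'Identity Manager')]
    [string[]] $Modules = @('Administrator'),
    [switch] $Revoke   # also remove grants that are outside the documented set
)

Connect-MgGraph -Scopes 'Application.Read.All', 'AppRoleAssignment.ReadWrite.All' -NoWelcome

# Application permissions per module, copied from the table above, keyed "<API>:<Permission>".
$Documented = @{
    'Administrator'      = 'SharePoint:Sites.FullControl.All', 'SharePoint:User.ReadWrite.All',
                           'Graph:Group.Read.All'
    'Content Manager'    = 'SharePoint:Sites.FullControl.All', 'SharePoint:User.ReadWrite.All',
                           'SharePoint:TermStore.ReadWrite.All', 'Graph:Group.Read.All'
    'Deployment Manager' = 'SharePoint:Sites.FullControl.All', 'SharePoint:User.ReadWrite.All',
                           'SharePoint:TermStore.ReadWrite.All', 'Graph:Group.Read.All'
    'Replicator'         = 'SharePoint:Sites.FullControl.All', 'SharePoint:User.ReadWrite.All',
                           'SharePoint:TermStore.ReadWrite.All', 'Graph:Group.Read.All'
    'Report Center'      = 'SharePoint:Sites.FullControl.All', 'O365Mgmt:ActivityFeed.Read',
                           'Graph:User.Read.All', 'Graph:Group.Read.All'
    'Identity Manager'   = 'Graph:User.ReadWrite.All', 'Graph:Group.ReadWrite.All',
                           'Graph:Directory.Read.All', 'Graph:Member.Read.Hidden',
                           'SharePoint:Sites.FullControl.All'
}

# Well-known appIds of the resource APIs named in the table (Microsoft's values).
$ApiByAppId = @{
    '00000003-0000-0000-c000-000000000000' = 'Graph'        # Microsoft Graph
    '00000003-0000-0ff1-ce00-000000000000' = 'SharePoint'   # Office 365 SharePoint Online
    'c5393580-f805-4401-95e8-94b7a6ef2fc2' = 'O365Mgmt'     # Office 365 Management APIs
}

$expected = $Modules | ForEach-Object { $Documented[$_] } | Sort-Object -Unique

$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal for appId $AppId; the app has not been consented in this tenant." }

# Each appRoleAssignment on the app's service principal is one consented application
# permission; resolve its AppRoleId to a name via the resource API's own AppRoles list.
$resourceCache = @{}
$granted = foreach ($grant in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
    if (-not $resourceCache.ContainsKey($grant.ResourceId)) {
        $resourceCache[$grant.ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $grant.ResourceId
    }
    $resource = $resourceCache[$grant.ResourceId]
    $role     = $resource.AppRoles | Where-Object { $_.Id -eq $grant.AppRoleId }
    $api      = if ($ApiByAppId.ContainsKey($resource.AppId)) { $ApiByAppId[$resource.AppId] } else { $resource.DisplayName }
    [pscustomobject]@{ Key = "${api}:$($role.Value)"; AssignmentId = $grant.Id }
}

$extra   = @($granted | Where-Object { $expected -notcontains $_.Key })
$missing = @($expected | Where-Object { @($granted.Key) -notcontains $_ })

"Expected for $($Modules -join ', '): $($expected -join ', ')"
"Granted : $(@($granted.Key | Sort-Object) -join ', ')"
"Missing : $($missing -join ', ')"
"Extra   : $(@($extra.Key) -join ', ')"

foreach ($g in $extra) {
    if ($Revoke) {
        # Deleting the appRoleAssignment withdraws the admin consent for that one permission.
        Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -AppRoleAssignmentId $g.AssignmentId
        "Revoked $($g.Key)"
    } else {
        "Would revoke $($g.Key); re-run with -Revoke to remove it"
    }
}
```

Run it first without -Revoke and review the Extra line: a permission that is not in the table for your modules is either left over from an earlier configuration or was added for a reason you should be able to name. Missing entries mean the module will fail at the step that needs that permission, so grant consent for them rather than widening the app further.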
If you are using a Microsoft 365 U.S. Government environment and you want to use a custom Azure app for SharePoint management, you must add the SharePoint API permissions to the custom app through its manifest, because the Azure Government portal does not let you select SharePoint API permissions in the API permissions interface.

The table below lists the values to add under requiredResourceAccess in the manifest for each SharePoint API permission. The type value Role denotes an application permission (Scope would denote a delegated permission):
| API | Permission | resourceAppId | id | type |
|---|---|---|---|---|
| SharePoint | Sites.FullControl.All (Have full control of all site collections) | 00000003-0000-0ff1-ce00-000000000000 | 678536fe-1083-478a-9c59-b99265e6b0d3 | Role |
| SharePoint | TermStore.ReadWrite.All (Read and write managed metadata) | 00000003-0000-0ff1-ce00-000000000000 | c8e3537c-ec53-43b9-bed3-b2bd3617ae97 | Role |
| SharePoint | User.ReadWrite.All (Read and write user profiles) | 00000003-0000-0ff1-ce00-000000000000 | 741f803b-c850-494e-b5df-cde7c675a1ca | Role |
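The manifest editor writes the application object's requiredResourceAccess property, so the same change can be made through Microsoft Graph without hand-editing JSON in the portal. The script below is an added example, not AvePoint's code or a documented AvePoint step: it adds the three SharePoint application permissions from the table to a custom app registration, preserving whatever other APIs (for example Microsoft Graph) the app already requests. It assumes the Microsoft.Graph PowerShell SDK, a caller permitted to update app registrations, $AppId as your custom app's client ID, and the USGov environment name that Connect-MgGraph uses for the U.S. Government cloud; the resourceAppId and role ids are taken verbatim from the table.

```powershell
# Added example (not AvePoint code): request the SharePoint application permissions
# from the table above on a custom app by updating requiredResourceAccess via
# Microsoft Graph, which writes the same property the portal's Manifest editor does.
# Assumes: Microsoft.Graph PowerShell SDK; $AppId is your custom app's client ID.
param(
    [Parameter(Mandatory)] [string] $AppId,
    [ValidateSet('Global', 'USGov', 'USGovDoD')] [string] $Environment = 'USGov'
)

Connect-MgGraph -Environment $Environment -Scopes 'Application.ReadWrite.All' -NoWelcome

# resourceAppId of SharePoint Online and the role ids, exactly as listed in the table.
$SharePointResourceAppId = '00000003-0000-0ff1-ce00-000000000000'
$SharePointRoles = @{
    'Sites.FullControl.All'   = '678536fe-1083-478a-9c59-b99265e6b0d3'
    'TermStore.ReadWrite.All' = 'c8e3537c-ec53-43b9-bed3-b2bd3617ae97'
    'User.ReadWrite.All'      = '741f803b-c850-494e-b5df-cde7c675a1ca'
}

$app = Get-MgApplication -Filter "appId eq '$AppId'"
if (-not $app) { throw "No app registration with appId $AppId in this tenant." }

# Convert the existing requiredResourceAccess to plain hashtables so the entries for
# other APIs (for example Microsoft Graph) are preserved rather than overwritten.
$payload = @($app.RequiredResourceAccess | ForEach-Object {
    @{
        ResourceAppId  = $_.ResourceAppId
        ResourceAccess = @($_.ResourceAccess | ForEach-Object { @{ Id = $_.Id; Type = $_.Type } })
    }
})

$spEntry = $payload | Where-Object { $_.ResourceAppId -eq $SharePointResourceAppId }
if (-not $spEntry) {
    $spEntry  = @{ ResourceAppId = $SharePointResourceAppId; ResourceAccess = @() }
    $payload += $spEntry
}

$added = 0
foreach ($name in $SharePointRoles.Keys) {
    $id = $SharePointRoles[$name]
    if ($spEntry.ResourceAccess.Id -notcontains $id) {
        # type 'Role' is an application permission; 'Scope' would be a delegated one.
        $spEntry.ResourceAccess += @{ Id = $id; Type = 'Role' }
        "Requesting SharePoint $name ($id)"
        $added++
    }
}

if ($added -eq 0) { 'All three SharePoint permissions are already requested; nothing to do.'; return }

Update-MgApplication -ApplicationId $app.Id -RequiredResourceAccess $payload

# Requesting a permission only edits the manifest. The app cannot use these roles
# until an administrator grants admin consent for it in Microsoft Entra ID.
"Updated $($app.DisplayName). Grant admin consent under Entra ID > App registrations > API permissions."
```

The script is idempotent: re-running it after the permissions are present makes no change. Note that requesting the roles and consenting to them are separate steps; until admin consent is granted, tokens issued to the app will not carry the SharePoint roles and Auto Discovery scans will fail at the site collection step.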
If you want to use the Identity Manager module to manage users and groups in Microsoft Entra, a service account profile is required.
If you have reviewed Unsupported SharePoint Online Data Types and Supported and Unsupported Functionalities and decided to use the service account profile authentication method, refer to the table below to prepare a Microsoft 365 account.
For details on the Global Administrator, SharePoint Administrator, and Exchange Administrator roles, refer to the Microsoft article About Microsoft 365 admin roles.
| Module | Service Account Role | Additional Permissions |
|---|---|---|
| Administrator | SharePoint Administrator | Exchange Administrator* |
| Content Manager | SharePoint Administrator | Term Store Administrator*, Exchange Administrator* |
| Deployment Manager | SharePoint Administrator | Term Store Administrator*, Exchange Administrator* |
| Replicator | SharePoint Administrator | Term Store Administrator*, Exchange Administrator* |
| Report Center > Audit Controller | SharePoint Administrator | None |
| Identity Manager | Global Administrator* | None |
*Note: To use Administrator, Content Manager, Deployment Manager, or Replicator to manage Microsoft 365 Group team site data, apart from the SharePoint Administrator role, the service account must have the Exchange Administrator role. This is required by AvePoint Online Services Auto Discovery. Microsoft 365 Group team sites can be scanned by scanning Microsoft 365 Groups or Microsoft Teams in AvePoint Online Services.
*Note: To copy, move, deploy, or replicate Managed Metadata Service, the Term Store Administrator role is required. AvePoint Online Services Auto Discovery scan jobs will add the service account as the Term Store Administrator automatically.
*Note: To use the Identity Manager module, the service account must have the Global Administrator role to retrieve the properties of users and groups in the Microsoft 365 tenant and manage licenses, applications, and mailboxes for the users and groups.