Refer to the table below for the apps that you can use for Cloud Governance and the requirements to consent to app permissions.

| Category | App type in AOS | App setup method | Feature/Module | App name in Entra ID | New or updated? | Consent |
|---|---|---|---|---|---|---|
| Service app | Cloud Governance for Microsoft 365 | Modern mode | All objects management | AvePoint Cloud Governance for Microsoft365 | No changes | Create or re-authorize an app profile in AOS > Management > App management. |
| Service app | Cloud Governance for Exchange | Modern mode | Microsoft Entra group, shared mailbox, Microsoft 365 Group, and Microsoft Team management | AvePoint Cloud Governance Exchange App | No changes | Create or re-authorize an app profile in AOS > Management > App management. |
| Service app | Cloud Governance for Power Platform | Modern mode | Power Platform object management | AvePoint Cloud Governance for Power Platform | No changes | Create or re-authorize an app profile in AOS > Management > App management. |
| Service app | Cloud Governance Delegated App | Modern mode | Configure outside sender settings for Microsoft 365 Groups | AvePoint Cloud Governance Delegated App | No changes | Create or re-authorize an app profile in AOS > Management > App management. |
| Classic app | Microsoft 365 (All Permissions) | Classic mode | SharePoint object management; Microsoft 365 Group management; Microsoft Team management; Viva Engage community management | AvePoint Online Services Administration for Microsoft365 | No changes | App management > Classic mode > Consented for all services. |
| Classic app | Microsoft 365 (SharePoint Permissions) | / | SharePoint object management | AvePoint Online Services Administration for SharePoint | No changes | Unsupported to create new. |
| Classic app | Microsoft 365 (Exchange Permissions) | / | Microsoft 365 Group management; Microsoft Team management | AvePoint Online Services Administration for Exchange | No changes | Unsupported to create new. |
| Classic app | Microsoft Entra ID | Classic mode | Microsoft 365 group management; Microsoft Team management; Viva Engage community management; Microsoft Entra group management | AvePoint Online Services Administration for Entra ID | No changes | App management > Classic mode > Consented for all services. |
| Classic app | Viva Engage | Classic mode / Modern mode | Viva Engage community management | AvePoint Online Services Administration for Viva Engage | No changes | App management > Classic mode or Modern mode > Consented for all services. |

When you create a Cloud Governance for Microsoft 365 app profile in AvePoint Online Services, the AvePoint Cloud Governance for Microsoft365 app is automatically set up in your Microsoft Entra ID.

The table below lists the permissions that should be accepted when you authorize the AvePoint Cloud Governance for Microsoft365 app.

| API | Permission | Type | Purpose | Is newly required? |
|---|---|---|---|---|
| Microsoft Graph | AuditLog.Read.All (Read all audit log data) | Application | Retrieve the user who invited the guest user to the tenant. | No |
| Microsoft Graph | Channel.Create (Create channels) | Application | Create private channels. | No |
| Microsoft Graph | Channel.Delete.All (Delete channels) | Application | Delete private channels. | No |
| Microsoft Graph | ChannelMember.ReadWrite.All (Add and remove members from all channels) | Application | Add members to private channels. | No |
| Microsoft Graph | ChannelMessage.Read.All (Read all channel messages) | Application | Retrieve Microsoft Teams channel conversations for team inactivity threshold calculation. | No |
| Microsoft Graph | ChannelSettings.ReadWrite.All (Read and write the names, descriptions, and settings of all channels) | Application | Update private channel properties. | No |
| Microsoft Graph | Community.ReadWrite.All (Read and write all Viva Engage communities) | Application | Create a new community in Viva Engage. | No |
| Microsoft Graph | Directory.Read.All (Read directory data) | Application | Retrieve information from your organization’s Active Directory. | No |
| Microsoft Graph | Files.Read.All (Read files in all site collections) | Application | Retrieve the URLs of the group team sites. | No |
| Microsoft Graph | Group.ReadWrite.All (Read and write all groups) | Application | Create and manage groups/teams. | No |
| Microsoft Graph | InformationProtectionPolicy.Read.All (Read all published labels and label policies for an organization) | Application | Manage sensitivity labels. | No |
| Microsoft Graph | Mail.Send (Send mail as any user) | Application | Use a Microsoft 365 account as the email sender to send notification emails. | No |
| Microsoft Graph | Member.Read.Hidden (Read all hidden memberships) | Application | Read the members of a group/team with hidden membership to copy members. | No |
| Microsoft Graph | Policy.Read.All (Read your organization's policies) | Application | Retrieve your organization’s policies. | No |
| Microsoft Graph | Reports.Read.All (Read all usage reports) | Application | Get user activities to filter active workspaces. | No |
| Microsoft Graph | Sites.FullControl.All (Have full control of all site collections) | Application | Manage content types. | No |
| Microsoft Graph | Sites.Read.All (Read items in all site collections) | Application | Retrieve the latest site collection URLs. | No |
| Microsoft Graph | Team.Create (Create teams) | Application | Create teams. | No |
| Microsoft Graph | TeamMember.ReadWrite.All (Add and remove members from all teams) | Application | Add or remove members from teams. | No |
| Microsoft Graph | TeamSettings.ReadWrite.All (Read and change all teams' settings) | Application | Retrieve and update team settings. | No |
| Microsoft Graph | User.Invite.All (Invite guest users to the organization) | Application | Invite guest users to groups/teams. | No |
| Microsoft Graph | User.ReadWrite.All (Read and write all users' full profiles) | Application | Retrieve and update user properties. | No |
| Microsoft Graph | User.Read (Sign in and read user profile) | Delegated | Search for users and retrieve user information. | No |
| Office 365 Management APIs | ActivityFeed.Read (Read activity data for your organization) | Application | Retrieve activity data in your organization. | No |
| SharePoint/Office 365 SharePoint Online | Sites.FullControl.All | Application | Retrieve and manage SharePoint objects. | No |
| SharePoint/Office 365 SharePoint Online | TermStore.ReadWrite.All (Read and write managed metadata) | Application | Retrieve term store information. | No |
| SharePoint/Office 365 SharePoint Online | User.Read.All (Read user profiles) | Application | Retrieve user properties from user profiles. | No |
| Microsoft Information Protection Sync Services | UnifiedPolicy.Tenant.Read (Read all unified policies of the tenant) | Application | Retrieve sensitivity labels in your organization. *Note: This API is used when sensitivity labels cannot be retrieved by the Microsoft Graph API. | No |

When you create a Cloud Governance for Exchange app profile in AvePoint Online Services, the AvePoint Cloud Governance Exchange App is automatically set up in your Microsoft Entra ID.

The table below lists the permissions that should be accepted when you authorize the AvePoint Cloud Governance Exchange App.

| API | Permission | Type | Purpose | Is newly required? |
|---|---|---|---|---|
| Microsoft Graph | User.Read (Sign in and read user profile) | Delegated | Search for users and retrieve user information. | No |
| Office 365 Exchange Online | full_access_as_app (Use Exchange Web Services with full access to all mailboxes) | Application | Create Microsoft 365 Groups/teams and update their properties. | No |
| Office 365 Exchange Online | Exchange.ManageAsApp (Manage Exchange as application) | Application | Provision and manage shared mailboxes, distribution lists, and mail-enabled security groups. Update Microsoft 365 Group properties. | No |

When you create a Cloud Governance for Power Platform app profile in AvePoint Online Services, the AvePoint Cloud Governance for Power Platform app is automatically set up in your Microsoft Entra ID.

The table below lists the permissions that should be accepted when you authorize the AvePoint Cloud Governance for Power Platform app.

| API | Permission | Type | Purpose | Is newly required? |
|---|---|---|---|---|
| Dynamics CRM | user_impersonation (Access Common Data Service as organization users) | Delegated | Manage Power Apps and Power Platform environments. | No |
| Microsoft Graph | Directory.Read.All (Read directory data) | Application | Retrieve information from your organization’s Active Directory. | No |
| Power BI Service | Tenant.Read.All (View all content in tenant) | Delegated | Retrieve Power BI workspace information. | No |
| Power BI Service | Tenant.ReadWrite.All (Read and write all content in tenant) | Delegated | Update Power BI workspace roles. | No |
| Power BI Service | Workspace.ReadWrite.All (Read and write all workspaces) | Delegated | Delete Power BI workspaces. | No |
| PowerApps Service | User (Access the PowerApps Service API) | Delegated | Retrieve Power Apps information. | No |
| Power Platform API | PowerPages.Websites.Read (Read Power Pages websites) | Delegated | Manage Power Pages sites. | No |
| Power Platform API | PowerPages.Website.Write (Write Power Pages websites) | Delegated | Manage Power Pages sites. | No |

When you create an app profile for the Cloud Governance Delegated App in AvePoint Online Services, the AvePoint Cloud Governance Delegated App is automatically set up in your Microsoft Entra ID.

The table below lists the permissions that should be accepted when you authorize the AvePoint Cloud Governance Delegated App.

| API | Permission | Type | Purpose | Is newly required? |
|---|---|---|---|---|
| Microsoft Graph | Group.ReadWrite.All (Read and write all groups) | Delegated | Retrieve and update Microsoft 365 Group’s information. | No |