Refer to the table below for the apps that you can use for Policies for Microsoft 365 and the requirements to consent to app permissions.
| Category | App type in AOS | App setup method | Feature/Module | App name in Entra ID | New or updated? | Consent |
|---|---|---|---|---|---|---|
| Service app | Policies for Microsoft 365 | Modern mode | View details in Policies for Microsoft 365 permission table | AvePoint Policies for Microsoft365 | No changes | Create or re-authorize an app profile in AOS > Management > App management. |
| Classic app | Microsoft 365 (All Permissions) | Classic mode | SharePoint Online, OneDrive, Microsoft Teams, Microsoft 365 Group | AvePoint Online Services Administration for Microsoft365 | No changes | App management > Classic mode > Consented for all services. |
| Classic app | Microsoft Entra ID | Classic mode | Microsoft 365 Group Management, Microsoft 365 Team Management, Microsoft 365 User Management | AvePoint Online Services Administration for Entra ID | No changes | App management > Classic mode > Consented for all services. |
| Classic app | Reporting for Microsoft 365 | Modern mode | Collect Microsoft 365 data | AvePoint Reporting for Microsoft365 | No changes | App management > Modern mode > Consented for all services. |
When you create the Policies for Microsoft 365 app profile in AvePoint Online Services, the AvePoint Policies for Microsoft365 app will be automatically set up in your Microsoft Entra ID.
The table below lists the permissions that should be accepted when you authorize AvePoint Policies for Microsoft365.
| API | Permission | Type | Purpose | Is newly required? |
|---|---|---|---|---|
| Office 365 Exchange Online | Exchange.ManageAsApp (Manage Exchange As Application) | Application | Retrieve and manage Exchange Online mailboxes. | No |
| Microsoft Graph | ChannelMember.ReadWrite.All (Add and remove members from all channels) | Application | Add and remove members from Teams channels. | No |
| Microsoft Graph | AuditLog.Read.All (Read all audit log data) | Application | Read all audit logs. | No |
| Microsoft Graph | Files.Read.All (Read files in all site collections) | Application | Retrieve the URLs of the group team sites. | No |
| Microsoft Graph | User.ReadWrite.All (Read and write all users’ full profiles) | Application | Read and write users’ settings. | No |
| Microsoft Graph | InformationProtectionPolicy.Read.All (Read all published labels and label policies for an organization) | Application | Manage sensitivity labels. | No |
| Microsoft Graph | Group.ReadWrite.All (Read and write all groups) | Application | Update groups’ members and settings. | No |
| Microsoft Graph | Directory.ReadWrite.All (Read and write data in the organization’s directory) | Application | Read and write user and group data in the organization’s directory. | No |
| Microsoft Graph | TeamSettings.ReadWrite.All (Read and change all teams' settings) | Application | Update Teams' settings. | No |
| Microsoft Graph | Channel.ReadBasic.All (Read the names and descriptions of all channels) | Application | Retrieve owner numbers of private channels. | No |
| Microsoft Graph | Channel.Delete.All (Delete channels) | Application | Delete channels. | No |
| Microsoft Information Protection Sync Service | UnifiedPolicy.Tenant.Read (Read all unified policies of the tenant) | Application | Retrieve information of published sensitivity labels from Microsoft 365. | No |
| SharePoint/Office 365 SharePoint Online | Sites.FullControl.All (Have full control of all site collections) | Application | Retrieve and update the information of site collections and groups/teams’ sites. | No |
| SharePoint/Office 365 SharePoint Online | User.Read.All (Read user profiles) | Application | Retrieve user profiles for OneDrive that are scanned by AvePoint Online Services. | No |
| Skype and Teams Tenant Admin API | user_impersonation (Access Microsoft Teams and Skype for Business data as the signed in user) | Delegated | Retrieve and update Teams admin settings. | No |
| Azure Rights Management Services *Note: Make sure your organization has a subscription (or service principal) for the Azure Rights Management Services API. | Content.SuperUser (Read all protected content for this tenant) | Application | Retrieve sensitivity labels in your organization and apply sensitivity labels to files. | No |
| Azure Rights Management Services *Note: Make sure your organization has a subscription (or service principal) for the Azure Rights Management Services API. | Content.Writer (Create protected content) | Application | Retrieve sensitivity labels in your organization and apply sensitivity labels to files. | No |
If you want to use the Teams Tagging Settings rule, you must assign the Teams Administrator role to the app in the Microsoft Entra admin center (or Microsoft Azure portal). For detailed instructions on assigning the Teams Administrator role to the app, refer to the Policies for Microsoft 365 User Guide.
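After consent, the permission table above can serve as a baseline for auditing what the AvePoint Policies for Microsoft365 service principal actually holds. The following is an added example, not AvePoint or Microsoft code: it compares app role assignments (in the shape Microsoft Graph returns for `appRoleAssignments` and a resource's `appRoles`) against the Application permissions listed on this page. The function names, the alias mapping and the sample data are assumptions made for illustration.

```python
# Application permissions from the table above, keyed by API name as the page gives it.
# The delegated user_impersonation grant is not an app role and is out of scope here.
EXPECTED = {
    "Office 365 Exchange Online": {"Exchange.ManageAsApp"},
    "Microsoft Graph": {
        "ChannelMember.ReadWrite.All", "AuditLog.Read.All", "Files.Read.All",
        "User.ReadWrite.All", "InformationProtectionPolicy.Read.All",
        "Group.ReadWrite.All", "Directory.ReadWrite.All",
        "TeamSettings.ReadWrite.All", "Channel.ReadBasic.All", "Channel.Delete.All"},
    "Microsoft Information Protection Sync Service": {"UnifiedPolicy.Tenant.Read"},
    "Office 365 SharePoint Online": {"Sites.FullControl.All", "User.Read.All"},
    "Azure Rights Management Services": {"Content.SuperUser", "Content.Writer"},
}
# The page lists this API as "SharePoint/Office 365 SharePoint Online".
ALIASES = {"SharePoint": "Office 365 SharePoint Online"}

def resolve_grants(assignments, resources):
    """Turn each assignment's appRoleId into a permission name via the resource's appRoles."""
    granted = {}
    for a in assignments:
        app_roles = resources.get(a["resourceId"], {}).get("appRoles", [])
        names = {r["id"]: r["value"] for r in app_roles}
        api = ALIASES.get(a["resourceDisplayName"], a["resourceDisplayName"])
        # Keep unknown role IDs visible instead of silently dropping them.
        perm = names.get(a["appRoleId"], "unresolved:" + a["appRoleId"])
        granted.setdefault(api, set()).add(perm)
    return granted

def audit(assignments, resources, expected=EXPECTED):
    """Report grants beyond the documented list and documented grants that are absent."""
    granted = resolve_grants(assignments, resources)
    apis = set(expected) | set(granted)
    diff = lambda a, b: sorted((api, p) for api in apis
                               for p in a.get(api, set()) - b.get(api, set()))
    return {"extra": diff(granted, expected), "missing": diff(expected, granted)}

# Constructed sample input (IDs are made up, not real Graph role IDs).
SAMPLE_RESOURCES = {"res-graph": {"appRoles": [
    {"id": "role-1", "value": "AuditLog.Read.All"},
    {"id": "role-2", "value": "Group.ReadWrite.All"},
    {"id": "role-3", "value": "Mail.ReadWrite"}]}}
SAMPLE_ASSIGNMENTS = [
    {"resourceId": "res-graph", "resourceDisplayName": "Microsoft Graph", "appRoleId": rid}
    for rid in ("role-1", "role-2", "role-3")]

if __name__ == "__main__":
    for kind, rows in audit(SAMPLE_ASSIGNMENTS, SAMPLE_RESOURCES).items():
        for api, perm in rows:
            print(f"{kind.upper():8} {api}: {perm}")
```

An `extra` entry means the app holds an application permission this page does not list and should be reviewed; a `missing` entry means a documented permission was not consented.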