English

Home > Settings > Manage Customer App Profiles

Manage Customer App Profiles

On the Settings > Additional > Customer app profile page, the app profiles that you created for your customers’ services are displayed. You can perform the following actions to manage customer app profiles:

- **Create** **app profile** – To get started with Nitro, Azure security management, Baseline management, Workspace management, Risk management, Change communication management, and User and device management, an app profile for your customer’s organization is required. You can also create app profiles for customer’s AvePoint services, including Cloud Backup for Microsoft 365, Policies for Microsoft 365, Insights, and Fly. For detailed instructions, refer to [Create a Customer App Profile](#missing-link).

- **Re-authorize app** – The app profiles with the **Expired** status must be re-authorized. To re-authorize the app for an app profile, select the app profile and click **Re-authorize app**. Enter the credentials of the customer’s tenant account, review the required permissions, and click **Accept**.

	> ***Note**: Currently, only modern app profiles can be re-authorized on this page. Classic app profiles and custom app profiles need to be re-authorized in AvePoint Online Services. For detailed instructions, refer to .

- **Delete** – To delete the app profiles, select the app profiles and click **Delete**. 

	> ***Note**: If the app type of an app profile is not supported for creation in **Customer app profile**, the app profile cannot be deleted.

Create a Customer App Profile

On the Customer app profile page, click Create app profile and follow the steps below to create an app profile for a customer organization:

Select customer and tenant – Select the customer and tenant for which you want to create app profiles. Click Next.
Select services – Select either an Elements premium service or AOS services for which you want to create app profiles. Click Next.
- Elements premium services
  - Other premium services – Premium services include Workspace management, Risk management, Change management communication, and User and device management.
  - Baseline management
  - Azure security management
  - Nitro
- AOS Services
  
  *Note: Only services that have been added for the customer can be displayed here.
  - Cloud Backup for Microsoft 365
  - Policies for Microsoft 365
  - Insights
  - Fly
Choose setup method (For AOS services only) – Now, only modern mode is supported. In this mode, the related apps are listed in a service-based view, and you can consent to apps separately for the selected services.
Consent to apps – Refer to the instructions below to consent:
- For other premium services, Azure security management, and Nitro, click Save and authenticate. Enter the credentials of the customer’s Microsoft 365 Global Administrator account. Review the permissions requested by this app and click Accept.
  - For Other premium services, the app type should be APElements Security and Analysis.
  - For Nitro, the app type should be APElements Automation.
  - For Azure security management, the app type should be APElements Azure Security Management.
  For the required permissions by the apps, refer to the app permissions sections below.
- For Baseline management, you can select a setup method based on your scenario:
  
  Modern mode is the recommended mode, which uses AvePoint’s default app, APElements Baseline Management. Click Authenticate. The APElements Baseline Management app will be automatically created in the Microsoft Entra ID. For the required permissions by the app, refer to the app permissions sections below.
  
  Custom app profile is recommended for organizations who have identified use cases with extremely limited required permissions. Instead of using AvePoint’s default app, you can configure the tenant’s custom app and create a custom app profile.
  
  Before creating a custom app profile, you must create a custom app with delegated permissions in Microsoft Entra ID, add the API permissions required by Baseline management to the app, and grant admin consent to the app. For the detailed instructions on creating a custom app with delegated permission, refer to . For the required permissions by the app, refer to the app permissions sections below.
  
  *Note: Redirect URI and ID tokens are required by a custom Azure app with delegated permissions. When editing the Redirect URIs setting, enter the following URL based on your Elements environments:
  
  Refer to the following steps to create a custom app profile:
  1. Click Authenticate.
  2. Complete the following information on the Create app profile window:
    - App profile name – Enter a name for the app profile.
    - Application ID – Enter the application ID of the application that has been created in Microsoft Entra ID.
    - Certificate file (.pfx) – Click Browse and select your app’s private certificate (the .pfx file).
      
      *Note: Ensure this .pfx file is paired with the .cer/.crt file uploaded to Microsoft Entra ID when your organization creates this custom app. If your organization does not have any certificates, you can create self-signed certificates by referring to .
    - Certificate password – Enter the password of the certificate.
  3. Click Consent.
  4. Enter the credentials of the customer’s Microsoft 365 Global Administrator account.
  5. Review the permissions requested by this app and click Accept.
- For AOS services, click Authenticate next to the app. When creating an app profile for a delegated app used by the Cloud Backup for Microsoft 365 service, you also need to choose the functions that will use this app.
  
  Enter the credentials of the customer’s Microsoft 365 Global Administrator account. Review the permissions requested by this app and click Accept.
  
  For the app types of AOS services and required permissions, refer to .
When you finish creating app profiles, click Save.
After you create app profiles for the apps that will be used to manage Exchange mailboxes and settings / Security and distribution group objects / Microsoft 365 Defender settings, you may need to go to Microsoft Entra admin center (or Microsoft Azure portal) to assign the Exchange Administrator role to the app. For additional details on assigning the role, refer to .

*Note: For the APElements Baseline Management and APElements Security and Analysis apps required by premium services, the required roles will be automatically assigned to the apps in the Microsoft Entra ID within 24 hours after authorization. However, for AvePoint Online Services, the Exchange Administrator role must be assigned manually.

App Permissions Required by Nitro

The table below lists the permissions that need to be accepted when you authorize the APElements Automation app.

API	Permission	Type
Microsoft Graph	Group.Create(Create groups)	Application
Microsoft Graph	GroupMember.ReadWrite.All(Read and write all group memberships)	Application
Microsoft Graph	DeviceManagementRBAC.ReadWrite.All(Read and write Microsoft Intune RBAC settings)	Application
Microsoft Graph	Group.ReadWrite.All(Read and write all groups)	Application
Microsoft Graph	RoleManagement.ReadWrite.Directory(Read and write all directory RBAC settings)	Application
Microsoft Graph	User.ReadWrite.All(Read and write all users' full profiles)	Application
Microsoft Graph	Directory.ReadWrite.All(Read and write directory data)	Application
Microsoft Graph	Policy.Read.All(Read your organization's policies)	Application
Microsoft Graph	Policy.ReadWrite.ConditionalAccess(Read and write your organization's conditional access policies)	Application
Microsoft Graph	Domain.ReadWrite.All(Read and write domains)	Application
Microsoft Graph	Policy.ReadWrite.Authorization(Read and write your organization's authorization policy)	Application
Microsoft Graph	DeviceManagementServiceConfig.ReadWrite.All(Read and write Microsoft Intune configuration)	Application
Microsoft Graph	DeviceManagementConfiguration.ReadWrite.All(Read and write Microsoft Intune device configuration and policies)	Application
Microsoft Graph	DeviceManagementManagedDevices.ReadWrite.All(Read and write Microsoft Intune devices)	Application
Microsoft Graph	DeviceManagementApps.ReadWrite.All(Read and write Microsoft Intune apps)	Application
SharePoint	Sites.FullControl.All(Have full control of all site collections)	Application

App Permissions Required by Baseline Management

The table below lists the permissions that should be accepted when you authorize the APElements Baseline Management app under the modern mode app profile.

For the custom app profile, the permissions required by Baseline management remain identical to those of the modern mode app profile.

Additional role requirements: the app requires the Exchange Administrator, Attribute Definition Reader, and Security Administrator roles. For the modern mode app profile, these roles will be automatically assigned to the app in the Microsoft Entra ID within 24 hours after authorization (no manual action is needed). However, for the custom app profile, you must manually assign these roles to the app before the authorization.

API	Permission	Type
Microsoft Graph	Application.ReadWrite.All(Read and write all terms of use agreements)	Application
Microsoft Graph	CustomSecAttributeDefinition.ReadWrite.All(Read and write custom security attribute definitions)	Application
Microsoft Graph	DeviceManagementApps.ReadWrite.All(Read and write Microsoft Intune apps)	Application
Microsoft Graph	DeviceManagementConfiguration.ReadWrite.All(Read and write Microsoft Intune device configuration and policies)	Application
Microsoft Graph	DeviceManagementManagedDevices.ReadWrite.All(Read and write Microsoft Intune devices)	Application
Microsoft Graph	DeviceManagementRBAC.ReadWrite.All(Read and write Microsoft Intune RBAC settings)	Application
Microsoft Graph	DeviceManagementServiceConfig.ReadWrite.All(Read and write Microsoft Intune configuration)	Application
Microsoft Graph	Directory.ReadWrite.All(Read and write directory data)	Application
Microsoft Graph	Group.Create(Create groups)	Application
Microsoft Graph	Group.ReadWrite.All(Read and write all groups)	Application
Microsoft Graph	GroupMember.ReadWrite.All(Read and write all group memberships)	Application
Microsoft Graph	IdentityRiskEvent.ReadWrite.All(Read and write all risk detection information)	Application
Microsoft Graph	IdentityRiskyServicePrincipal.ReadWrite.All(Read and write all identity risky service principal information)	Application
Microsoft Graph	IdentityRiskyUser.ReadWrite.All(Read and write all risky user information)	Application
Microsoft Graph	Organization.ReadWrite.All(Read and write organization information)	Application
Microsoft Graph	OrganizationalBranding.ReadWrite.All(Read and write organizational branding information)	Application
Microsoft Graph	Policy.Read.All(Read your organization's policies)	Application
Microsoft Graph	Policy.ReadWrite.AccessReview(Read and write your organization's directory access review default policy)	Application
Microsoft Graph	Policy.ReadWrite.ApplicationConfiguration(Read and write your organization's application configuration policies)	Application
Microsoft Graph	Policy.ReadWrite.AuthenticationFlows(Read and write authentication flow policies)	Application
Microsoft Graph	Policy.ReadWrite.AuthenticationMethod(Read and write all authentication method policies)	Application
Microsoft Graph	Policy.ReadWrite.Authorization(Read and write your organization’s authorization policy)	Application
Microsoft Graph	Policy.ReadWrite.ConditionalAccess(Read and write your organization's conditional access policies.)	Application
Microsoft Graph	RoleManagement.ReadWrite.Directory(Read and write all directory RBAC settings)	Application
Microsoft Graph	User.ReadWrite.All(Read and write all users’ full profiles)	Application
Microsoft Graph	Application.ReadWrite.OwnedBy(Manage apps that this app creates or owns)	Application
Microsoft Graph	IdentityProvider.ReadWrite.All(Read and write identity providers)	Application
Microsoft Graph	Policy.ReadWrite.ExternalIdentities(Read and write your organization's external identities policy)	Application
Microsoft Graph	RoleManagementPolicy.ReadWrite.Directory(Read, update, and delete all policies for privileged role assignments of your company's directory)	Application
Microsoft Graph	Policy.ReadWrite.CrossTenantAccess(Read and write your organization’s cross tenant access policy)	Application
Microsoft Graph	SharePointTenantSettings.ReadWrite.All(Read and change SharePoint and OneDrive tenant settings)	Application
Microsoft Graph	OrgSettings-Forms.ReadWrite.All(Read and write organization-wide Microsoft Forms settings)	Application
Microsoft Graph	OrgSettings-AppsAndServices.ReadWrite.All(Read and write organization-wide apps and services settings)	Application
Microsoft Graph	OrgSettings-Todo.ReadWrite.All(Read and write organization-wide Microsoft To Do settings)	Application
Microsoft Graph	ReportSettings.ReadWrite.All(Read and write all admin report settings)	Application
Microsoft Graph	OrgSettings-Microsoft365Install.ReadWrite.All(Read and write organization-wide Microsoft 365 apps installation settings)	Application
Microsoft Graph	OrgSettings-DynamicsVoice.ReadWrite.All(Read and write organization-wide Dynamics customer voice settings)	Application
Microsoft Graph	SecurityEvents.Read.All(Read your organization's security events)	Application
Microsoft Graph	Policy.ReadWrite.DeviceConfiguration(Read and write your organization's device configuration policies)	Delegated
Microsoft Graph	DeviceManagementServiceConfig.ReadWrite.All(Read and write Microsoft Intune configuration)	Delegated
Microsoft Graph	DeviceManagementConfiguration.ReadWrite.All(Read and write Microsoft Intune device configuration and policies)	Delegated
Microsoft Graph	Policy.ReadWrite.MobilityManagement(Read and write your organization's mobility management policies)	Delegated
Microsoft Graph	Directory.AccessAsUser.All(Access directory as the signed-in user)	Delegated
Microsoft Graph	Group.ReadWrite.All(Read and write all groups)	Delegated
Office 365 Exchange Online	Exchange.ManageAsApp(Manage Exchange as application)	Application
Office 365 Exchange Online	Exchange.Manage(Manage Exchange configuration)	Delegated
Skype and Teams Tenant Admin API	application_access(application_access)	Application
Skype and Teams Tenant Admin API	user_impersonation(Access Microsoft Teams and Skype for Business data as the signed in user)	Delegated
ProjectWorkManagement	OrgSettings-Planner.ReadWrite.All(Read and write organization-wide Microsoft Planner settings)	Application
SharePoint	Sites.FullControl.All(Have full control of all site collections)	Application
PowerApps Service	User(Access the PowerApps Service API)	Delegated

App Permissions Required by Other Premium Services

The table below lists the permissions that should be accepted when you authorize the APElements Security and Analysis app for the following premium services: Workspace management, Risk management, Change management communication, and User and device management.

Additional role requirements: this app requires the Exchange Administrator and Groups Administrator roles. These roles will be automatically assigned to the app in the Microsoft Entra ID within 24 hours after authorization. No manual action is needed.

API	Permission	Type
Azure Rights Management Services	Content.DelegatedReader(Read protected content on behalf of a user)	Application
Azure Rights Management Services	Content.SuperUser(Read all protected content for this tenant)	Application
Azure Service Management	user_impersonation(Access Azure Resource Manager as organization users)	Delegated
Dynamics CRM	user_impersonation(Access Common Data Service as organization users)	Delegated
Microsoft Graph	AdministrativeUnit.ReadWrite.All(Read and write administrative units)	Application
Microsoft Graph	AuditLog.Read.All(Read all audit log data)	Application
Microsoft Graph	CallRecords.Read.All(Read all call records)	Application
Microsoft Graph	Channel.ReadBasic.All(Read the names and descriptions of all channels)	Application
Microsoft Graph	ChannelMember.Read.All(Read the members of all channels)	Application
Microsoft Graph	ChannelSettings.ReadWrite.All(Read and write the names, descriptions, and settings of all channels)	Application
Microsoft Graph	Directory.ReadWrite.All(Read and write directory data)	Application
Microsoft Graph	Files.Read.All(Read files in all site collections)	Application
Microsoft Graph	Group.ReadWrite.All(Read and write all groups)	Application
Microsoft Graph	GroupMember.ReadWrite.All(Read and write all group memberships)	Application
Microsoft Graph	InformationProtectionPolicy.Read.All(Read all published labels and label policies for an organization)	Application
Microsoft Graph	Reports.Read.All(Read all usage reports)	Application
Microsoft Graph	RoleManagement.ReadWrite.Directory(Read and write all directory RBAC settings)	Application
Microsoft Graph	Sites.ReadWrite.All(Read and write items in all site collections)	Application
Microsoft Graph	Team.ReadBasic.All(Get a list of all Teams)	Application
Microsoft Graph	TeamMember.ReadWrite.All(Add and remove members from all Teams)	Application
Microsoft Graph	TeamSettings.ReadWrite.All(Read and change all Teams' settings)	Application
Microsoft Graph	User.ReadWrite.All(Read and write all users’ full profiles)	Application
Microsoft Graph	ReportSettings.Read.All(Read all admin report settings)	Application
Microsoft Graph	Policy.ReadWrite.AuthenticationMethod(Read and write all authentication method policies)	Application
Microsoft Graph	BitlockerKey.Read.All(Read BitLocker keys)	Application
Microsoft Graph	Device.ReadWrite.All(Read and write devices)	Application
Microsoft Graph	DeviceManagementApps.ReadWrite.All(Read and write Microsoft Intune apps)	Application
Microsoft Graph	DeviceManagementConfiguration.ReadWrite.All(Read and write Microsoft Intune device configuration and policies)	Application
Microsoft Graph	DeviceManagementManagedDevices.PrivilegedOperations.All(Perform user-impacting remote actions on Microsoft Intune devices)	Application
Microsoft Graph	DeviceManagementManagedDevices.ReadWrite.All(Read and write Microsoft Intune devices)	Application
Microsoft Graph	DeviceManagementServiceConfig.ReadWrite.All(Read and write Microsoft Intune configuration)	Application
Microsoft Graph	Policy.ReadWrite.DeviceConfiguration(Read and write your organization's device configuration policies)	Application
Microsoft Graph	UserAuthenticationMethod.ReadWrite.All(Read and write all users' authentication methods)	Application
Microsoft Graph	Policy.Read.All(Read your organization's policies)	Application
Microsoft Graph	Directory.AccessAsUser.All(Access directory as the signed-in user)	Delegated
Microsoft Graph	User.Read.all(Read all users’ full profiles)	Delegated
Microsoft Graph	TeamSettings.ReadWrite.All(Read and change all teams' settings)	Delegated
Microsoft Graph	ChannelMessage.Send(Send channel messages)	Delegated
Microsoft Information Protection Sync Service	UnifiedPolicy.Tenant.Read(Read all unified policies of the tenant)	Application
Office 365 Exchange Online	Exchange.ManageAsApp(Manage Exchange as application)	Application
Office 365 Exchange Online	full_access_as_app(Use Exchange Web Services with full access to all mailboxes)	Application
Office 365 Management APIs	ActivityFeed.Read(Read activity data for your organization)	Application
Power BI Service	Tenant.Read.All(View all content in tenant)	Application
Power BI Service	Dashboard.ReadWrite.All(Read and write all dashboards)	Delegated
Power BI Service	Dataflow.ReadWrite.All(Read and write all dataflows)	Delegated
Power BI Service	Dataset.ReadWrite.All(Read and write all datasets)	Delegated
Power BI Service	Report.ReadWrite.All(Read and write all reports)	Delegated
Power BI Service	Tenant.ReadWrite.All(Read and write all content in tenant)	Delegated
Power BI Service	Workspace.ReadWrite.All(View and write all workspaces)	Delegated
PowerApps Service	User(Access the PowerApps Service API)	Delegated
SharePoint	Sites.FullControl.All(Have full control of all site collections)	Application
SharePoint	User.ReadWrite.All(Read and write user profiles)	Application
SharePoint	AllSites.FullControl(Have full control of all site collections)	Delegated

App Permissions Required by Azure Security Management

The table below lists the permissions that should be accepted when you authorize the APElements Azure Security Management app.

Add this app to the subscriptions that you want to manage and grant this app the Contributor role and below roles.

*Note: The roles must be added after you consent the app and before you save the app profile in Elements.

- Azure Kubernetes service:

	- If the authentication and authorization of the cluster is **Microsoft Entra ID authentication with Kubernetes RBAC**, the app must be added to the group with admin access within the cluster.

	- If the authentication and authorization of the cluster is **Microsoft Entra ID authentication with Azure RBAC**, the app must have the **Azure Kubernetes Service RBAC Cluster Admin** role assigned.

- Key Vault:

	- If the permission model is **Azure role-based access control**, the app must have the **Key Vault Administrator** role assigned.

	- If the permission model is **Vault access policy**, the app must have the **Get** and **List** permissions for keys and secrets.

API	Permission	Type
Azure Service Management	User_impersonation(Access Azure Resource Manager as organization users)	Delegated
Microsoft Graph	User.Read.All(Read all users' full profiles)	Delegated

On this page

Manage Baselines

Supported Baseline Configurations

Deploy Configurations to a Tenant

Restore Tenant Configurations

View and Modify Tenant Configurations

View Workspaces of a Tenant

User Template Management

License Unit Cost Profile Management

AD Naming Profile Management

View Overview Statistics of a Tenant

Manage Users

Create a User

Manage User Personal Information

Manage Groups

Create a Group

Edit a Group

Campaigns for SharePoint Banner

Campaigns for Teams

Campaigns for Emails

Microsoft CSP

Manage Resellers

Manage Subscriptions and Licenses for a Tenant

ArrowSphere

Manage Resellers

Manage Subscriptions and Licenses for a Tenant

Ingram Micro Xvantage

Manage Resellers

Manage Subscriptions and Licenses for a Tenant

Integration with ConnectWise

Manage Customer App Profiles

Create a Customer App Profile

App Permissions Required by Nitro

App Permissions Required by Baseline Management

App Permissions Required by Other Premium Services

App Permissions Required by Azure Security Management

Supported Baseline Configurations

Create a User

Manage User Personal Information

Create a Group

Edit a Group

Manage Resellers

Manage Subscriptions and Licenses for a Tenant

Manage Resellers

Manage Subscriptions and Licenses for a Tenant

Manage Resellers

Manage Subscriptions and Licenses for a Tenant

#Manage Customer App Profiles

#Create a Customer App Profile

#App Permissions Required by Nitro

#App Permissions Required by Baseline Management

#App Permissions Required by Other Premium Services

#App Permissions Required by Azure Security Management

Manage Customer App Profiles

Create a Customer App Profile

App Permissions Required by Nitro

App Permissions Required by Baseline Management

App Permissions Required by Other Premium Services

App Permissions Required by Azure Security Management