Permissions for App Authorization
The table below lists the permissions that should be accepted when you authorize the EnPower service apps or the custom Azure app created in AvePoint Online Services for Microsoft 365 management, Calling management, Power Platform management, and Microsoft Azure management.
Refer to the table below for detailed API permissions and EnPower features that require them.
For detailed steps, refer to the Assign Administrator Roles to the App section in Create App Profile.
| EnPower feature | Permission | API | Type |
|---|---|---|---|
| Restore deleted users | User.DeleteRestore.All (Delete and restore all users) | Microsoft Graph | Application |
| Manage users’ and Groups’ administrative units | AdministrativeUnit.ReadWrite.All (Read and write all administrative units.) | Microsoft Graph | Application |
| View the user sign-in report | AuditLog.Read.All (Read all audit log data) | Microsoft Graph | Application |
| View Teams PSTN and SMS report | CallRecords.Read.All (Read all call records) | Microsoft Graph | Application |
| Create Teams channels | Channel.Create (Create channels) | Microsoft Graph | Application |
| Delete Teams channels | Channel.Delete.All (Delete channels) | Microsoft Graph | Application |
| View Teams channels | Channel.ReadBasic.All (Read the names and descriptions of all channels) | Microsoft Graph | Application |
| Manage Teams channels’ settings | ChannelSettings.ReadWrite.All (Read and write the names, descriptions, and settings of all channels) | Microsoft Graph | Application |
| Create Groups | Group.Create (Create Groups) | Microsoft Graph | Application |
| View and manage Groups’ information and settings | Group.ReadWrite.All (Read and write all groups) | Microsoft Graph | Application |
| Delete, permanently delete, and restore Groups | Group.ReadWrite.All (Read and write all groups) | Microsoft Graph | Application |
| Create Group team sites | Group.ReadWrite.All (Read and write all groups) | Microsoft Graph | Application |
| Manage Group members | GroupMember.ReadWrite.All (Read and write all group memberships) | Microsoft Graph | Application |
| Send emails to the created users | Mail.Send (Send mail as any user) | Microsoft Graph | Application |
| View usage-related report charts on Dashboards | Reports.Read.All (Read all usage reports) | Microsoft Graph | Application |
| Manage users’ or Groups’ roles | RoleManagement.ReadWrite.Directory (Read and write all directory RBAC settings) | Microsoft Graph | Application |
| Scan OneDrive in your organization by the Auto Discovery scan profile to EnPower for management | Sites.ReadWrite.All (Read and write items in all site collections) | Microsoft Graph | Application |
| Create Teams | Team.Create (Create Teams) | Microsoft Graph | Application |
| View and manage Teams’ information | Team.ReadBasic.All (Get a list of all Teams) | Microsoft Graph | Application |
| View and manage Team members | TeamMember.ReadWrite.All (Add and remove members from all Teams) | Microsoft Graph | Application |
| View and manage Teams’ settings | TeamSettings.ReadWrite.All (Read and change all Teams' settings) | Microsoft Graph | Application |
| Archive Teams and update the associated SharePoint Online site to read-only status for Team members | TeamSettings.ReadWrite.All (Read and change all Teams' settings) | Microsoft Graph | Application |
| Create Teams | Teamwork.Migrate.All (Create chat and channel messages with anyone's identity and with any timestamp) | Microsoft Graph | Application |
| Invite guest users | User.Invite.All (Invite guest users to the organization) | Microsoft Graph | Application |
| View user details | User.ReadWrite.All (Read and write all users' full profiles) | Microsoft Graph | Application |
| Block user sign-in | User.ReadWrite.All (Read and write all users' full profiles) | Microsoft Graph | Application |
| Update user profile and phone numbers | User.ReadWrite.All (Read and write all users' full profiles) | Microsoft Graph | Application |
| Reset user password | User.ReadWrite.All (Read and write all users' full profiles) | Microsoft Graph | Application |
| Delete, permanently delete, and restore deleted users | User.ReadWrite.All (Read and write all users' full profiles) | Microsoft Graph | Application |
| View user licenses | Organization.Read.All (Read organization information) | Microsoft Graph | Application |
| Apply sensitivity labels to SharePoint Online sites | InformationProtectionPolicy.Read.All (Read all published labels and label policies for an organization) | Microsoft Graph | Application |
| Display names of users, Groups, and sites in reports | ReportSettings.Read.All (Read all admin report settings) | Microsoft Graph | Application |
| Retrieve users’ sign-in logs | Directory.ReadWrite.All (Read and write directory data) | Microsoft Graph | Application |
| Update users’ MFA settings | UserAuthenticationMethod.ReadWrite.All (Read and write all users' authentication methods) | Microsoft Graph | Application |
| Update users’ MFA settings | Policy.ReadWrite.AuthenticationMethod (Read and write all authentication method policies) | Microsoft Graph | Application |
| Assign sensitivity label to Groups and archive Teams | Group.ReadWrite.All (Read and write all groups) | Microsoft Graph | Delegated |
| Manage Teams policies | User.Read.All (Read all users’ full profiles) | Microsoft Graph | Delegated |
| Manage Teams policies | user_impersonation (Access Microsoft Teams data as the signed in user) | Skype and Teams Tenant Admin API | Delegated |
| Scan your OneDrive by the Auto Discovery scan profile to EnPower for management | User.ReadWrite.All (Read and write user profiles) | SharePoint | Application |
| Scan your SharePoint Online sites by the Auto Discovery scan profile to EnPower for management | Sites.FullControl.All (Have full control of all site collections) | SharePoint | Application |
| Scan your Loop sites by the Auto Discovery scan profile to EnPower for management | Sites.FullControl.All (Have full control of all site collections) | SharePoint | Application |
| Scan your mailboxes by the Auto Discovery scan profile to EnPower for management | Exchange.ManageAsApp (Manage Exchange as application) *Note: The app must have the Exchange Administrator role, or you need to assign custom Exchange Online role groups to the app. For how to assign roles or Exchange Online role groups to the app, refer to the instructions in How to Assign the Exchange Administrator Role to an App?. | Office 365 Exchange Online | Application |
| Apply sensitivity labels | Content.DelegatedReader (Read protected content on behalf of a user) | Azure Rights Management Services | Application |
| Apply sensitivity labels | Content.DelegatedWriter (Create protected content on behalf of a user) | Azure Rights Management Services | Application |
| Apply sensitivity labels | Content.SuperUser (Read all protected content for this tenant) | Azure Rights Management Services | Application |
| Apply sensitivity labels | Content.Writer (Create protected content) | Azure Rights Management Services | Application |
| Apply sensitivity labels | UnifiedPolicy.Tenant.Read (Read all unified policies of the tenant) | Microsoft Information Protection Sync Service | Application |
| Customize email sender in AvePoint Online Services. | Mail.Send (Send mail as any user) *Note: This permission is not contained in the EnPower service app. To customize the email sender, you need to configure a custom app with this permission added. | Microsoft Graph | Application |
The table below lists the permissions that you need to consent to when adding the EnPower for Teams Calling service app in AvePoint Online Services. Currently, a custom Azure app cannot be used for calling management in EnPower.
For Exchange-related tasks, including recipient management and protection features, you need to go to the Microsoft Entra admin center (or Azure portal) to assign the Exchange Administrator role to the EnPower for Teams Calling app. For detailed steps, refer to the Assign Administrator Roles to the App section in Create App Profile.
| EnPower feature | Permission | API | Type |
|---|---|---|---|
| View user details | User.Read.All (Read all users’ full profiles) | Microsoft Graph | Delegated |
| View user details | AppCatalog.ReadWrite.All (Read and write to all app catalogs) | Microsoft Graph | Delegated |
| Add Groups to call queues and auto attendants | Group.ReadWrite.All (Read and write all groups) | Microsoft Graph | Delegated |
| Update user licenses | User.ReadWrite.All (Read and write all users’ full profiles) | Microsoft Graph | Application |
| View user license | Directory.Read.All (Read directory data) | Microsoft Graph | Application |
| View users’ calling information in user details | CallRecords.Read.All (Read all call records) | Microsoft Graph | Application |
| View users’ Team settings in user details | TeamMember.Read.All (Read the members of all teams) | Microsoft Graph | Application |
| View and manage channels in call queues | Channel.ReadBasic.All (Read the names and descriptions of all channels) | Microsoft Graph | Application |
| View and manage Teams in call queues | Team.ReadBasic.All (Get a list of all teams) | Microsoft Graph | Application |
| View and manage user assignment in call queues and auto attendants | user_impersonation (Access Microsoft Teams data as the signed in user) | Skype and Teams Tenant Admin API | Delegated |
| Assign phone number to users | user_impersonation (Access Microsoft Teams data as the signed in user) | Skype and Teams Tenant Admin API | Delegated |
| Add security groups, mail-enabled security groups, and distribution groups to call queues | Exchange.ManageAsApp (Manage Exchange as application) *Note: The app must have the Exchange Administrator role, or you need to assign custom Exchange Online role groups to the app. For how to assign roles or Exchange Online role groups to the app, refer to the instructions in How to Assign the Exchange Administrator Role to an App?. | Office 365 Exchange Online | Application |
The table below lists the permissions that you need to consent to when adding the EnPower for Power Platform service app and the permissions you need to grant to your custom Azure app with delegated permissions in AvePoint Online Services.
| EnPower feature | Permission | API | Type |
|---|---|---|---|
| Load users in people pickers | User.Read.All (Read all users’ full profiles) | Microsoft Graph | Application |
| Load groups in people pickers | Group.Read.All (Read all groups) | Microsoft Graph | Application |
| Manage security groups in environments | GroupMember.ReadWrite.All (Read and write all group memberships) | Microsoft Graph | Application |
| Apply sensitivity labels to Power Platform resources | InformationProtectionPolicy.Read.All (Read all published labels and label policies for an organization) | Microsoft Graph | Application |
| Retrieve user properties | Directory.Read.All (Read directory data) | Microsoft Graph | Application |
| Manage mail-enabled security groups and distribution groups in environments | Exchange.ManageAsApp (Manage Exchange as application) *Note: The app must have the Exchange Administrator role, or you need to assign custom Exchange Online role groups to the app. For how to assign roles or Exchange Online role groups to the app, refer to the instructions in How to Assign the Exchange Administrator Role to an App?. | Office 365 Exchange Online | Application |
| Retrieve and list environments, connections, connectors, Power Apps, and flows | User (Access the Power Apps Service API) | Commercial environment: PowerApps Service; GCC environment: PowerApps Service – GCC; GCC High environment: PowerApps Service – GCC L4 | Delegated |
| Manage environment settings and membership of environment teams | User (Access the Power Apps Service API) | Commercial environment: PowerApps Service; GCC environment: PowerApps Service – GCC; GCC High environment: PowerApps Service – GCC L4 | Delegated |
| Update Managed Environments settings | User (Access the Power Apps Service API) | Commercial environment: PowerApps Service; GCC environment: PowerApps Service – GCC; GCC High environment: PowerApps Service – GCC L4 | Delegated |
| Retrieve and update DLP policies | User (Access the Power Apps Service API) | Commercial environment: PowerApps Service; GCC environment: PowerApps Service – GCC; GCC High environment: PowerApps Service – GCC L4 | Delegated |
| Create and delete connections | User (Access the Power Apps Service API) | Commercial environment: PowerApps Service; GCC environment: PowerApps Service – GCC; GCC High environment: PowerApps Service – GCC L4 | Delegated |
| Manage flow permissions | User (Access the Power Apps Service API) | Commercial environment: PowerApps Service; GCC environment: PowerApps Service – GCC; GCC High environment: PowerApps Service – GCC L4 | Delegated |
| Retrieve flows’ trigger history | User (Access the Power Apps Service API) | Commercial environment: PowerApps Service; GCC environment: PowerApps Service – GCC; GCC High environment: PowerApps Service – GCC L4 | Delegated |
| Manage Power Apps’ permissions | User (Access the Power Apps Service API) | Commercial environment: PowerApps Service; GCC environment: PowerApps Service – GCC; GCC High environment: PowerApps Service – GCC L4 | Delegated |
| Enable or disable flows | User (Access the Power Apps Service API) | Commercial environment: PowerApps Service; GCC environment: PowerApps Service – GCC; GCC High environment: PowerApps Service – GCC L4 | Delegated |
| Copy environments, apps, and flows | User (Access the Power Apps Service API) | Commercial environment: PowerApps Service; GCC environment: PowerApps Service – GCC; GCC High environment: PowerApps Service – GCC L4 | Delegated |
| Retrieve and list environments, connections, connectors, Power Apps, Power Automate flows, and Copilot Studio agents | user_impersonation (Access Common Data Service as organization users) | Commercial environment: Dynamics CRM; GCC or GCC High environment: Dataverse | Delegated |
| Manage environment settings and membership of environment teams | user_impersonation (Access Common Data Service as organization users) | Commercial environment: Dynamics CRM; GCC or GCC High environment: Dataverse | Delegated |
| Manage flow owners, | user_impersonation (Access Common Data Service as organization users) | Commercial environment: Dynamics CRM; GCC or GCC High environment: Dataverse | Delegated |
| Manage Power Apps’ permissions | user_impersonation (Access Common Data Service as organization users) | Commercial environment: Dynamics CRM; GCC or GCC High environment: Dataverse | Delegated |
| Enable or disable flows | user_impersonation (Access Common Data Service as organization users) | Commercial environment: Dynamics CRM; GCC or GCC High environment: Dataverse | Delegated |
| Copy environments, apps, and flows | user_impersonation (Access Common Data Service as organization users) | Commercial environment: Dynamics CRM; GCC or GCC High environment: Dataverse | Delegated |
| Manage workspace basic information | Tenant.ReadWrite.All (Read and write all content in tenant) | Commercial environment: Power BI Service; GCC or GCC High environment: Microsoft Power BI Government Community Cloud | Delegated |
| Add users to workspaces | Tenant.ReadWrite.All (Read and write all content in tenant) | Commercial environment: Power BI Service; GCC or GCC High environment: Microsoft Power BI Government Community Cloud | Delegated |
| Retrieve capacities | Tenant.ReadWrite.All (Read and write all content in tenant) | Commercial environment: Power BI Service; GCC or GCC High environment: Microsoft Power BI Government Community Cloud | Delegated |
| Retrieve artifact users | Tenant.ReadWrite.All (Read and write all content in tenant) | Commercial environment: Power BI Service; GCC or GCC High environment: Microsoft Power BI Government Community Cloud | Delegated |
| Manage artifacts’ sensitivity labels | Tenant.ReadWrite.All (Read and write all content in tenant) | Commercial environment: Power BI Service; GCC or GCC High environment: Microsoft Power BI Government Community Cloud | Delegated |
| View and manage workspace permissions | Workspace.ReadWrite.All (View and write all workspaces) | Commercial environment: Power BI Service; GCC or GCC High environment: Microsoft Power BI Government Community Cloud | Delegated |
| Delete workspaces | Workspace.ReadWrite.All (View and write all workspaces) | Commercial environment: Power BI Service; GCC or GCC High environment: Microsoft Power BI Government Community Cloud | Delegated |
| Manage dashboard permissions | Dashboard.ReadWrite.All (Read and write all dashboards) | Commercial environment: Power BI Service; GCC or GCC High environment: Microsoft Power BI Government Community Cloud | Delegated |
| Delete dashboards | Dashboard.ReadWrite.All (Read and write all dashboards) | Commercial environment: Power BI Service; GCC or GCC High environment: Microsoft Power BI Government Community Cloud | Delegated |
| Delete dataflows | Dataflow.ReadWrite.All (Read and write all dataflows) | Commercial environment: Power BI Service; GCC or GCC High environment: Microsoft Power BI Government Community Cloud | Delegated |
| Retrieve dataflow refresh history | Dataflow.ReadWrite.All (Read and write all dataflows) | Commercial environment: Power BI Service; GCC or GCC High environment: Microsoft Power BI Government Community Cloud | Delegated |
| Delete reports | Report.ReadWrite.All (Read and write all reports) | Commercial environment: Power BI Service; GCC or GCC High environment: Microsoft Power BI Government Community Cloud | Delegated |
| Manage semantic model permissions | Dataset.ReadWrite.All (Read and write all datasets) | Commercial environment: Power BI Service; GCC or GCC High environment: Microsoft Power BI Government Community Cloud | Delegated |
| Delete datasets | Dataset.ReadWrite.All (Read and write all datasets) | Commercial environment: Power BI Service; GCC or GCC High environment: Microsoft Power BI Government Community Cloud | Delegated |
| Retrieve semantic model refresh history | Dataset.ReadWrite.All (Read and write all datasets) | Commercial environment: Power BI Service; GCC or GCC High environment: Microsoft Power BI Government Community Cloud | Delegated |
| Customize email sender in AvePoint Online Services. | Mail.Send (Send mail as any user) Note: This permission is not contained in the EnPower service app. To customize the email sender, you need to configure a custom app with this permission added. | Microsoft Graph | Application |
| Load and manage Power Pages sites Note: Service principal is required if you create or re-authorize the EnPower for Power Platform service app or assign these permissions to your custom Azure app. For more details on the service principal configurations, refer to Authentication. | PowerPages.Websites.Read (Read Power Pages websites) | Power Platform API | Delegated |
| Load and manage Power Pages sites Note: Service principal is required if you create or re-authorize the EnPower for Power Platform service app or assign these permissions to your custom Azure app. For more details on the service principal configurations, refer to Authentication. | PowerPages.Website.Write (Write Power Pages websites) | Power Platform API | Delegated |
The table below lists the permissions that should be granted to the EnPower for Power Platform service app or the custom Azure app created in AvePoint Online Services for Power Platform management if you would like to configure the additional setting to display user-friendly object names in analysis reports when copying Power Platform environments, Power Apps, and Power Automate flows.
| API | Permission | Type | Why do we need it? |
|---|---|---|---|
| Microsoft Graph | Group.Read.All (Read all groups) | Application | Retrieve and display information of Groups in copy analysis reports. |
| Microsoft Graph | Sites.Read.All (Read items in all site collections) | Application | Retrieve and display information of content in SharePoint Online sites in copy analysis reports. |
| Microsoft Graph | Team.ReadBasic.All (Get a list of all teams) | Application | Retrieve and display information of Teams in copy analysis reports. |
| Microsoft Graph | Channel.ReadBasic.All (Read the names and descriptions of all channels) | Application | Retrieve and display information of channels in copy analysis reports. |
| Microsoft Graph | Contacts.Read (Read contacts in all mailboxes) | Application | Retrieve and display information of mailbox contacts in copy analysis reports. |
| Microsoft Graph | Mail.ReadBasic.All (Read basic mail in all mailboxes) | Application | Retrieve and display information of basic mails in copy analysis reports. |
| Microsoft Graph | Calendars.Read (Read calendars in all mailboxes) | Application | Retrieve and display information of mailbox calendars in copy analysis reports. |
For dynamic workflows triggered by events or activity-related conditions, the Reporting for Microsoft 365 app is required. To view the detailed list of permissions required by the app, refer to Reporting for Microsoft 365.
If you are using a custom Azure app because of your organization’s compliance requirements, make sure the custom app has the following permission so that the workflows can be triggered:
| Permission | API | Type |
|---|---|---|
| ActivityFeed.Read (Read activity data for your organization) | Office 365 Management APIs | Application |

| EnPower feature | Permission | API | Type |
|---|---|---|---|
| View role assignment changes on Azure resources | Group.Read.All (Read all groups) | Microsoft Graph | Application |
| View role assignment changes on Azure resources | Directory.Read.All (Read directory data) | Microsoft Graph | Application |

| EnPower feature | Permission | API | Type |
|---|---|---|---|
| Load group information | Group.Read.All (Read all groups) | Microsoft Graph | Application |
| Load user information | Directory.Read.All (Read directory data) | Microsoft Graph | Application |
| Retrieve and list app registrations and enterprise applications. | Application.Read.All (Read all applications) | Microsoft Graph | Application |
| Load the audit and sign-in information | AuditLog.Read.All (Read all audit log data) | Microsoft Graph | Application |
| View and monitor changes in tenant settings. | Policy.Read.All (Read your organization's policies) | Microsoft Graph | Application |