The following tables list the permissions required for the service account profile you configured in AvePoint Online Services for specific Microsoft 365 and Power Platform management operations.
| Management | Feature | Service Account Permission | Why it is needed |
|---|---|---|---|
| Users | Block users with the Global Administrator role from signing in | Global Administrator | The Global Administrator role is required for the service account when calling the API. |
| Users | Invite users individually or in bulk | Global Administrator | The Global Administrator role is required for the service account when calling the API. |
| Users | Delete users and permanently delete users | User Administrator | The User Administrator role is required for the service account when calling the API. |
| Users | Block user sign-in | User Administrator/Authentication Administrator | The User Administrator or Authentication Administrator role is required for the service account when calling the API. |
| Users | Restore deleted users | User Administrator/Global Administrator | The User Administrator role is required for the service account when calling the API. To restore deleted users that hold specific administrative roles, the Global Administrator role is required for the service account when calling the API. For more details, refer to Who can perform sensitive actions. |
| Users | Update user profile and phone numbers | User Administrator/Authentication Administrator/Global Administrator | The User Administrator or Authentication Administrator role is required for the service account when calling the API. To update the profile and phone numbers of users that hold specific administrative roles, the Global Administrator role is required for the service account when calling the API. For more details, refer to Who can perform sensitive actions. |
| Users | Reset user passwords | Password Administrator/Global Administrator | The Password Administrator role is required for the service account when calling the API. To reset passwords for users that hold specific administrative roles, the Global Administrator role is required for the service account when calling the API. For more details, refer to Who can perform sensitive actions. |
| Exchange | Update mail users’ phone numbers | Global Administrator | The Global Administrator role is required for the service account when calling the API. |
| Teams | View and update Teams sensitivity | Groups Administrator | The Groups Administrator role is required to call the API. |
| Teams | Access the Call quality report | Teams Administrator | The Teams Administrator role is required to call specific APIs. |
| Teams | Archive Teams and update the associated SharePoint Online site to read-only status for Team members | Teams Administrator | The Teams Administrator role is required to call specific APIs. |
| Groups | Manage sensitivity labels for Microsoft 365 Groups | Groups Administrator | The Groups Administrator role is required for the service account when calling the API. |
| Groups | Delete or permanently delete Microsoft 365 Groups and security groups | Groups Administrator | The Groups Administrator role is required for the service account when calling the API. |
| Groups | Restore deleted Microsoft 365 Groups | Groups Administrator | The Groups Administrator role is required for the service account when calling the API. |
| SharePoint | Manage SharePoint sites, including: create Group team sites; connect sites to new Microsoft 365 Groups; update hub settings for sites in multi-geo tenants | SharePoint Administrator | The SharePoint Administrator role is required to call the REST API and the CSOM API. |
| SharePoint | Create sites with the Visio Process Repository template | Global Administrator | Sites with these two templates cannot be created with app profiles or with service accounts that hold only the SharePoint Administrator role. |
| OneDrive | Pre-provision OneDrive with workflows | SharePoint Administrator | The SharePoint Administrator role is required to call the CSOM API. |
The following service account permissions can now be replaced by permissions assigned to app profiles, so the service account no longer needs to hold these directory roles for these features. To switch to app profile usage, refer to Quick Start Setups.
| EnPower Functionality | Service Account Permission | App Profile Permission (Microsoft Graph API) |
|---|---|---|
| Block user sign-in | Authentication Administrator/User Administrator/Global Administrator | User.ReadWrite.All (Read and write all users' full profiles) |
| Update user profile and phone numbers | Authentication Administrator/User Administrator/Global Administrator | User.ReadWrite.All (Read and write all users' full profiles) |
| Update users’ MFA settings | Authentication Administrator/Global Administrator | UserAuthenticationMethod.ReadWrite.All (Read and write all users' authentication methods) |
| Update users’ MFA settings | Authentication Administrator/Global Administrator | Policy.ReadWrite.AuthenticationMethod (Read and write all authentication method policies) |
| Invite users | Global Administrator | User.Invite.All (Invite guest users to the organization) |
| Reset user password | Global Administrator/Password Administrator | User.ReadWrite.All (Read and write all users' full profiles) |
| Delete users or permanently delete users | User Administrator | User.ReadWrite.All (Read and write all users' full profiles) |
| Restore deleted users | User Administrator | User.ReadWrite.All (Read and write all users' full profiles) |
| Restore deleted users | User Administrator | User.DeleteRestore.All (Delete and restore all users) |
| Manage sensitivity labels for Teams and Microsoft 365 Groups | Groups Administrator | Group.ReadWrite.All (Read and write all groups) |
| Delete or permanently delete Microsoft 365 and security Groups | Groups Administrator | Group.ReadWrite.All (Read and write all groups) |
| Restore deleted Microsoft 365 Group | Groups Administrator | Group.ReadWrite.All (Read and write all groups) |
| Create Group team sites | SharePoint Administrator | Group.Create (Create groups) or Group.ReadWrite.All (Read and write all groups) |
| Create Group team sites | SharePoint Administrator | Sites.ReadWrite.All (Read and write items in all site collections) |
| Archive Teams and update the associated SharePoint Online site to read-only status for Team members | Teams Administrator | TeamSettings.ReadWrite.All (Read and change all teams' settings) |
The table below lists the permissions required for the service account configured in AvePoint Online Services for specific Power Platform management operations.
| Management | Feature | Service Account Permission/License | Why it is needed |
|---|---|---|---|
| Power Platform Environments/Power Automate/Power Apps | Copy apps and flows in environments not using Dataverse | Admin in source and destination environments | The administrator role is required to retrieve and copy the information and settings of apps and flows in the environments. |
| Power Platform Environments/Power Automate/Power Apps | Copy apps and flows in environments using Dataverse | System Administrator role in source and destination environments | The System Administrator role is required to retrieve and copy the information and settings of apps and flows in the environments. |
| Power BI | Manage Power BI workspaces and artifacts | Account with a Power BI license. Note: To perform the relevant operations, the service account must be manually added as an administrator in the workspaces. You can also specify an account with a Power BI license in Quick Start so that the account is automatically added to workspaces as an administrator. | The service account is required for delegated permissions. |
| Power BI | Retrieve scorecards | Account with a Power BI license. Note: To perform the relevant operations, the service account must be manually added as an administrator in the workspaces. You can also specify an account with a Power BI license in Quick Start so that the account is automatically added to workspaces as an administrator. | The service account is required for delegated permissions. |
| Power BI | Retrieve a semantic model’s refresh history | Account with a Power BI license. Note: To perform the relevant operations, the service account must be manually added as an administrator in the workspaces. You can also specify an account with a Power BI license in Quick Start so that the account is automatically added to workspaces as an administrator. | The service account is required for delegated permissions. |
| Power BI | Retrieve whether a semantic model’s permission is direct or indirect | Account with a Power BI license. Note: To perform the relevant operations, the service account must be manually added as an administrator in the workspaces. You can also specify an account with a Power BI license in Quick Start so that the account is automatically added to workspaces as an administrator. | The service account is required for delegated permissions. |