
    Service Account Permissions for Microsoft 365 Management

| Management | Feature | Service Account Permission | Why we need it? |
|---|---|---|---|
| Users | Block users with the Global Administrator role from signing in | Global Administrator | The Global Administrator role is required for the service account when calling the API. |
| Users | Invite users individually or in bulk | Global Administrator | The Global Administrator role is required for the service account when calling the API. |
| Users | Delete users and permanently delete users | User Administrator | The User Administrator role is required for the service account when calling the API. |
| Users | Block user sign-in | User Administrator / Authentication Administrator | The User Administrator and Authentication Administrator roles are required for the service account when calling the API. |
| Users | Restore deleted users | User Administrator / Global Administrator | The User Administrator role is required for the service account when calling the API. To restore deleted users with specific administrative roles, the Global Administrator role is required for the service account when calling the API. For more details, refer to Who can perform sensitive actions. |
| Users | Update user profile and phone numbers | User Administrator / Authentication Administrator / Global Administrator | The User Administrator and Authentication Administrator roles are required for the service account when calling the API. To update the profile and phone numbers of users with specific administrative roles, the Global Administrator role is required for the service account when calling the API. For more details, refer to Who can perform sensitive actions. |
| Users | Reset user passwords | Password Administrator / Global Administrator | The Password Administrator role is required for the service account when calling the API. To reset passwords for users with specific administrative roles, the Global Administrator role is required for the service account when calling the API. For more details, refer to Who can perform sensitive actions. |
| Exchange | Update mail users' phone numbers | Global Administrator | The Global Administrator role is required for the service account when calling the API. |
| Teams | View and update Teams sensitivity | Groups Administrator | The Groups Administrator role is required to call the API. |
| Teams | Access the Call quality report | Teams Administrator | The Teams Administrator role is required to call specific APIs. |
| Teams | Archive Teams and update the associated SharePoint Online site to read-only status for Team members | Teams Administrator | The Teams Administrator role is required to call specific APIs. |
| Groups | Manage sensitivity labels for Microsoft 365 Groups | Groups Administrator | The Groups Administrator role is required for the service account when calling the API. |
| Groups | Delete or permanently delete Microsoft 365 Groups and security groups | Groups Administrator | The Groups Administrator role is required for the service account when calling the API. |
| Groups | Restore deleted Microsoft 365 Groups | Groups Administrator | The Groups Administrator role is required for the service account when calling the API. |
| SharePoint | Manage SharePoint sites, including: create Group team sites; connect sites to new Microsoft 365 Groups; update hub settings for sites in multi-geo tenants | SharePoint Administrator | The SharePoint Administrator role is required to call the REST API and the CSOM API. |
| SharePoint | Create sites with the Visio Process Repository template | Global Administrator | Sites with these two templates cannot be created with app profiles or with service accounts that hold only the SharePoint Administrator role. |
| OneDrive | Pre-provision OneDrive with workflows | SharePoint Administrator | The SharePoint Administrator role is required to call the CSOM API. |

The following service account permissions can now be replaced by Microsoft Graph API permissions assigned to app profiles, so the service account no longer needs the corresponding directory role. To switch to app profile usage, refer to Quick Start Setups.

| EnPower Functionality | Service Account Permission | App Profile Permission (Microsoft Graph API) |
|---|---|---|
| Block user sign-in | Authentication Administrator / User Administrator / Global Administrator | User.ReadWrite.All (Read and write all users' full profiles) |
| Update user profile and phone numbers | Authentication Administrator / User Administrator / Global Administrator | User.ReadWrite.All (Read and write all users' full profiles) |
| Update users' MFA settings | Authentication Administrator / Global Administrator | UserAuthenticationMethod.ReadWrite.All (Read and write all users' authentication methods) |
| Update users' MFA settings | Authentication Administrator / Global Administrator | Policy.ReadWrite.AuthenticationMethod (Read and write all authentication method policies) |
| Invite users | Global Administrator | User.Invite.All (Invite guest users to the organization) |
| Reset user password | Global Administrator / Password Administrator | User.ReadWrite.All (Read and write all users' full profiles) |
| Delete users or permanently delete users | User Administrator | User.ReadWrite.All (Read and write all users' full profiles) |
| Restore deleted users | User Administrator | User.ReadWrite.All (Read and write all users' full profiles) |
| Restore deleted users | User Administrator | User.DeleteRestore.All (Delete and restore all users) |
| Manage sensitivity labels for Teams and Microsoft 365 Groups | Groups Administrator | Group.ReadWrite.All (Read and write all groups) |
| Delete or permanently delete Microsoft 365 Groups and security groups | Groups Administrator | Group.ReadWrite.All (Read and write all groups) |
| Restore deleted Microsoft 365 Groups | Groups Administrator | Group.ReadWrite.All (Read and write all groups) |
| Create Group team sites | SharePoint Administrator | Group.Create (Create groups) or Group.ReadWrite.All (Read and write all groups) |
| Create Group team sites | SharePoint Administrator | Sites.ReadWrite.All (Read and write items in all site collections) |
| Archive Teams and update the associated SharePoint Online site to read-only status for Team members | Teams Administrator | TeamSettings.ReadWrite.All (Read and change all teams' settings) |