    Fly App Profile Permissions

    The Tenant Owner and Service Administrators can create a Fly app profile in AvePoint Online Services > Management > App management to connect to the Microsoft 365 tenant via the Fly app.

    Refer to the following steps to create a Fly app profile:

    *Note: If your app profile using the Fly app cannot be created or authorized, you can check if it is due to an Azure Rights Management Service issue in your tenant. Refer to the How to Check and Activate Azure Rights Management Service? section for details.

    1. Click Create on the App management page.

    2. On the Create app profile page, select a Microsoft 365 tenant where you want to create the app profile.

      *Note: Make sure your selected tenant has been connected to AvePoint Online Services.

    3. Click Fly, and click Next.

    4. Click Modern mode.

    5. Click Consent of Fly to consent to the Fly app.

    6. On the Microsoft 365 sign-in page, sign in with a Microsoft 365 Global Administrator account to consent to the app. The Microsoft 365 Global Administrator account is a requirement from Microsoft. Refer to the for more information.

      *Note: This account will be added as a Service Administrator of AvePoint Online Services if the account does not already exist in any existing AvePoint Online Services tenant.

      You can also use a Privileged Role Administrator account to consent to the app, but ensure it has the following additional permissions based on different workspaces.

    | Workspace | Permission |
    | --- | --- |
    | Microsoft Teams to Microsoft Teams | With the authentication method of the Fly app profile only, if the destination is a multi-geo tenant, and the destination Teams need to be created in a defined location, you need to assign the Microsoft 365 Global Administrator, SharePoint Administrator, or Exchange Administrator role to the Fly app. You can refer to How to Assign the Exchange Administrator Role to an App? for examples of role assignments. |
    | Microsoft 365 Group | With the authentication method of the Fly app profile only, if the destination is a multi-geo tenant, and the destination Teams need to be created in a defined location, you need to assign the Microsoft 365 Global Administrator, SharePoint Administrator, or Exchange Administrator role to the Fly app. You can refer to How to Assign the Exchange Administrator Role to an App? for examples of role assignments. |
    | Aviator Microsoft Teams | With the authentication method of the Fly app profile only, if the destination is a multi-geo tenant, and the destination Teams need to be created in a defined location, you need to assign the Microsoft 365 Global Administrator, SharePoint Administrator, or Exchange Administrator role to the Fly app. You can refer to How to Assign the Exchange Administrator Role to an App? for examples of role assignments. |
    | Aviator Microsoft 365 Groups | With the authentication method of the Fly app profile only, if the destination is a multi-geo tenant, and the destination Teams need to be created in a defined location, you need to assign the Microsoft 365 Global Administrator, SharePoint Administrator, or Exchange Administrator role to the Fly app. You can refer to How to Assign the Exchange Administrator Role to an App? for examples of role assignments. |

      *Note: If you use a Privileged Role Administrator account to consent to the app, the **User consent** method will be unavailable when you re-authorize the app. To use an end user to re-authorize the app, use a Global Administrator account to consent to the app when you create the app.

      On the **Permissions requested** page, review the permissions required for using Fly and click **Accept** to accept the permissions to ensure the AvePoint Online Services and Fly functionality works. (The required permissions are listed in the table below.)

    7. Click Finish to create the Fly app.

    Once you create a Fly app profile, the AvePoint Fly app for authentication can be created.

    *Note: You need to assign the Exchange Administrator role to the AvePoint Fly app in the following situations:

    - [Exchange Online Migration]
      - Required by the source
        - To create a mailbox for the account that authorizes the app using Exchange Online PowerShell.
        - To migrate distribution lists or mail-enabled security groups.
        - To migrate shared calendar permissions.
        - To enable email forwarding.
        - To migrate mailbox permissions.
      - Required by the destination
        - To add X500 email addresses to destination mailboxes.
        - To create shared mailboxes/distribution lists/mail-enabled security groups in the destination.
        - To create a mailbox for the account that authorizes the app using Exchange Online PowerShell.
        - To add mailbox permissions in the destination.
    - [Microsoft 365 Groups Migration/Microsoft Teams Migration] The destination is a multi-geo tenant, and the destination Groups/Teams need to be created in a defined location.

    *Note: After you re-authorize the Fly app profile, if any permissions were updated, wait about one hour for the token to refresh before using the app profile for your migration.

    Refer to the following permissions requested by the AvePoint Fly app:

    | API | Permission | Type | Purpose |
    | --- | --- | --- | --- |
    | SharePoint | Sites.FullControl.All (Have full control of all site collections) | Application | Retrieve and migrate settings and permissions of SharePoint Online site collections and team sites. |
    | SharePoint | TermStore.ReadWrite.All (Read and write managed metadata) | Application | Retrieve and migrate Managed Metadata Service. |
    | SharePoint | User.ReadWrite.All (Read and write user profiles) | Application | Retrieve and migrate Microsoft 365 user profiles. |
    | Microsoft Graph | Calendars.ReadWrite (Read and write calendars in all mailboxes) | Application | Retrieve the information of Microsoft 365 user profiles. |
    | Microsoft Graph | Channel.Create (Create channels) | Application | Create channels in Microsoft Teams migrations. |
    | Microsoft Graph | ChannelMember.ReadWrite.All (Add and remove members from all channels) | Application | Retrieve and migrate private channel members. |
    | Microsoft Graph | ChannelMessage.Read.All (Read all channel messages) | Application | Retrieve and migrate all channel messages. |
    | Microsoft Graph | ChannelSettings.ReadWrite.All (Read and write the names, descriptions, and settings of all channels) | Application | Retrieve and migrate channel settings in Microsoft Teams migrations. |
    | Microsoft Graph | Chat.Create (Create chats) | Application | Create chats in Microsoft Teams Chat migrations. |
    | Microsoft Graph | Chat.ReadWrite.All (Read and write all chat messages) | Application | Retrieve and migrate chat members/chat messages in Microsoft Teams Chat migrations. |
    | Microsoft Graph | Directory.Read.All (Read directory data) | Application | Retrieve and migrate Microsoft 365 users. |
    | Microsoft Graph | Group.ReadWrite.All (Read and write all groups) | Application | Retrieve and migrate Microsoft 365 Groups and Group members. |
    | Microsoft Graph | InformationProtectionPolicy.Read.All (Read all published labels and label policies for an organization) | Application | Only required if you want to manage sensitivity labels of files/emails/Teams/Groups/sites. |
    | Microsoft Graph | OnlineMeetings.ReadWrite.All (Read and create online meetings) | Application | Make sure the replaced meeting links in the destination are available to all attendees. |
    | Microsoft Graph | Reports.Read.All (Read all usage reports) | Application | Only required by tenant discovery. |
    | Microsoft Graph | ReportSettings.Read.All (Read all admin report settings) | Application | Retrieve the Reports setting of the Microsoft 365 admin center. |
    | Microsoft Graph | Schedule.ReadWrite.All (Read and write all schedule items) | Application | Retrieve and migrate Teams Shifts app data in Microsoft Teams migrations. |
    | Microsoft Graph | Sites.ReadWrite.All (Read and write items in all site collections) | Application | Migrate channel folders and files of team sites and private channels’ site collections. |
    | Microsoft Graph | Tasks.ReadWrite.All (Read and write all users’ tasks and tasklists) | Application | Retrieve and migrate planners and data in planners. |
    | Microsoft Graph | TeamsAppInstallation.ReadForUser.All (Read installed Teams apps for all users) | Application | Retrieve the list of apps installed in the personal scope of the specified user. |
    | Microsoft Graph | TeamsAppInstallation.ReadWriteAndConsentForTeam.All (Manage installation and permission grants of Teams apps for all teams) | Application | Read, install, upgrade, and uninstall Teams apps in Teams and manage Teams access permissions. |
    | Microsoft Graph | TeamsAppInstallation.ReadWriteForTeam.All (Manage Teams apps for all teams) | Application | Retrieve and migrate Team apps in Microsoft Teams migrations. |
    | Microsoft Graph | Team.Create (Create teams) | Application | Create Teams in Microsoft Teams migrations. |
    | Microsoft Graph | TeamMember.ReadWrite.All (Add and remove members from all teams) | Application | Retrieve and migrate Team members. |
    | Microsoft Graph | Teamwork.Migrate.All (Create chat and channel messages with anyone’s identity and with any timestamp) | Application | Create Teams and channels, and migrate channel messages with any message sender and timestamp. |
    | Microsoft Graph | TeamworkTag.ReadWrite.All (Read and write tags in Teams) | Application | Retrieve and migrate tags in Microsoft Teams migrations. |
    | Microsoft Graph | TeamSettings.ReadWrite.All (Read and change all teams' settings) | Application | Retrieve and migrate Team settings in Microsoft Teams migrations. |
    | Microsoft Graph | TeamsTab.Create (Create tabs in Microsoft Teams) | Application | Create tabs in destination chats in Microsoft Teams Chat migrations. |
    | Microsoft Graph | TeamsTab.Read.All (Read tabs in Microsoft Teams) | Application | Retrieve tabs in destination chats in Microsoft Teams Chat migrations. |
    | Microsoft Graph | TeamsTab.ReadWriteForTeam.All (Allow the Teams app to manage all tabs for all teams) | Application | Retrieve and migrate Team tabs in Microsoft Teams migrations. |
    | Microsoft Graph | TeamsTab.ReadWriteSelfForChat (Allow the Teams app to manage only its own tabs in chats) | Application | Update tabs in destination chats. |
    | Microsoft Graph | User.Read.All (Read all users' full profiles) | Application | Retrieve the information of Microsoft 365 user profiles. |
    | Microsoft Graph | User.Read (Sign in and read user profile) | Delegated | Retrieve information of Microsoft 365 user profiles. |
    | Office 365 Exchange Online | Exchange.ManageAsApp (Manage Exchange As Application) | Application | Use Exchange PowerShell to migrate mailbox permissions and distribution lists. |
    | Office 365 Exchange Online | full_access_as_app (Use Exchange Web Services with full access to all mailboxes) | Application | Retrieve and migrate items from all mailboxes. *Note: If you do not want to add this permission to the app, you can create an RBAC assignment for the app so that it can access only specified mailboxes. Refer to option 3 in the How to Migrate Mailboxes without the ApplicationImpersonation Role? section for details. |
    | Azure Rights Management Services | Content.DelegatedReader (Read protected content on behalf of a user) | Application | Only required if you want to manage sensitivity labels of files/emails/Teams/sites. |
    | Azure Rights Management Services | Content.DelegatedWriter (Create protected content on behalf of a user) | Application | Only required if you want to manage sensitivity labels of files/emails/Teams/sites. |
    | Azure Rights Management Services | Content.SuperUser (Read all protected content for this tenant) | Application | Only required if you want to manage sensitivity labels of files/emails/Teams/sites. |
    | Azure Rights Management Services | Content.Writer (Create protected content) | Application | Only required if you want to manage sensitivity labels of files/emails/Teams/sites. |
    | Microsoft Information Protection Sync Service | UnifiedPolicy.Tenant.Read (Read all unified policies of the tenant) | Application | Only required if you want to manage sensitivity labels of files/emails/Teams/sites. |

    How to Check and Activate Azure Rights Management Service?

    When your app profile using the Fly app cannot be created or authorized, you can check if it is caused by the lack of Azure Rights Management Service subscription:

    1. When the authentication error occurs after you authorize the app, navigate to the Developer Tools interface by pressing F12 on the keyboard.

    2. Check the information under the Console tab.

    3. If you can find the access denied error shown in the screenshot below, the error is caused by the lack of Azure Rights Management Service subscription.

    The access denied error

    For this error, we provide you with the following two solutions:

    - Purchase and apply any of the licenses that can provide the rights for a user. After applying the license, assign the license to the authentication user. Refer to for the available licenses.
    - Solve it via Graph Explorer.

    1. Log in to using your Global Administrator account with required permissions. Refer to to view the required permissions.

    2. Create a new servicePrincipal object using the following request:

    POST https://graph.microsoft.com/v1.0/servicePrincipals

    3. Request body:

    {
        "appId": "00000012-0000-0000-c000-000000000000"
    }

    ![Create the servicePrincipal object.](/en/fly-user-guide/appendices/images/image821.png "Create the servicePrincipal object.")

    4. Check if the **AccountEnabled** value is **true** using the following request:

    GET https://graph.microsoft.com/v1.0/servicePrincipals(appId='00000012-0000-0000-c000-000000000000')

    ![Check the AccountEnabled value.](/en/fly-user-guide/appendices/images/image822.png "Check the AccountEnabled value.")

    5. If the **AccountEnabled** value is **false** in the response, enable it using the following request:

    PATCH https://graph.microsoft.com/v1.0/servicePrincipals/{id}

    Replace **{id}** with the id value in step **iii**.

    Request body:

    {
        "accountEnabled": true
    }
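
The Graph Explorer requests above can also be run as one repeatable check. This is an added example, not AvePoint's code: it looks the object up first so a re-run changes nothing that is already correct, and it returns the list of changes it made for your change record. The `GRAPH_TOKEN` environment variable and the function names are assumptions; the appId and endpoints are the ones shown on this page.

```python
import json
import os
import urllib.error
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
RMS_APP_ID = "00000012-0000-0000-c000-000000000000"  # appId given on this page


def graph_call(token, method, path, body=None):
    """Send one Graph request and return (HTTP status, parsed JSON or {})."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        GRAPH + path, data=data, method=method,
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    except urllib.error.HTTPError as err:
        return err.code, {}


def ensure_rms_principal(call):
    """Apply the steps above through call(method, path, body); list changes made."""
    changes = []
    status, sp = call("GET", f"/servicePrincipals(appId='{RMS_APP_ID}')", None)
    if status == 404:  # object missing: create it (the POST step)
        status, sp = call("POST", "/servicePrincipals", {"appId": RMS_APP_ID})
        if status != 201:
            raise RuntimeError(f"create failed: HTTP {status}")
        changes.append("created")
    elif status != 200:
        raise RuntimeError(f"lookup failed: HTTP {status}")
    if not sp.get("accountEnabled"):  # the PATCH step, only when disabled
        status, _ = call("PATCH", f"/servicePrincipals/{sp['id']}",
                         {"accountEnabled": True})
        if status != 204:
            raise RuntimeError(f"enable failed: HTTP {status}")
        changes.append("enabled")
    return changes


if __name__ == "__main__":
    token = os.environ.get("GRAPH_TOKEN")  # assumption: token supplied by caller
    if token:
        print(ensure_rms_principal(lambda m, p, b: graph_call(token, m, p, b)))
```

An empty list means the service principal already existed and was enabled, so the access denied error has a different cause.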