Fly Delegated App Profile Permissions
The Tenant Owner and Service Administrators can create a Fly delegated app profile using the Modern mode in AvePoint Online Services > Management > App management to connect to the Microsoft 365 tenant via the AvePoint Fly Delegated App.
Note the following before you consent to the app:
You can also use a Privileged Role Administrator account to consent to the app, but ensure that the account has the following additional permissions, which vary by workspace.
If you use a Privileged Role Administrator account to consent to the app, the User consent method will be unavailable when you re-authorize the app. To use an end user to re-authorize the app, use a Global Administrator account to consent to the app when you create the app.
| Workspace | Source Permission | Destination Permission |
|---|---|---|
| SharePoint Online | Refer to Delegated App Profile Permissions for details. | Refer to Delegated App Profile Permissions for details. |
| OneDrive | Refer to Delegated App Profile Permissions for details. | Refer to Delegated App Profile Permissions for details. |
| Aviator SharePoint Online | Refer to Delegated App Profile Permissions for details. | Refer to Delegated App Profile Permissions for details. |
| Aviator OneDrive | Refer to Delegated App Profile Permissions for details. | Refer to Delegated App Profile Permissions for details. |
| Microsoft Teams to Google Chat Space | Refer to Delegated App Profile Permissions for details. | N/A |
| Microsoft Teams to Microsoft Teams | Refer to Delegated App Profile Permissions for details. | Refer to Delegated App Profile Permissions for details. |
| Microsoft Teams Chat | N/A | Refer to Delegated App Profile Permissions for details. |
| Aviator Microsoft Teams | Refer to Delegated App Profile Permissions for details. | Refer to Delegated App Profile Permissions for details. |
| Aviator Microsoft 365 Groups | Refer to Delegated App Profile Permissions for details. | Refer to Delegated App Profile Permissions for details. |
| Microsoft 365 Group | Refer to Delegated App Profile Permissions for details. | Refer to Delegated App Profile Permissions for details. |
| SharePoint Online to Google Drive | Refer to Delegated App Profile Permissions for details. | N/A |
| OneDrive to Google Drive | Refer to Delegated App Profile Permissions for details. | N/A |
| Google Drive | N/A | Refer to Delegated App Profile Permissions for details. |
| Gmail | N/A | Refer to Delegated App Profile Permissions for details. |
| Exchange Online | Refer to Delegated App Profile Permissions for details. | Refer to Delegated App Profile Permissions for details. |
| Exchange Online Public Folder | Refer to Delegated App Profile Permissions for details. | Refer to Delegated App Profile Permissions for details. |
When consenting to the delegated app profile for the first time, you must select the Consent on behalf of your organization option on the Permissions requested page and consent with a Microsoft 365 Global Administrator account.
After granting consent, if your organization needs to revoke the Global Administrator role, you have two options:
- Remove the Global Administrator role from the consent user.
- Re-authorize the app profile, switch to the User consent method, and use a normal user to re-authorize the app profile. Refer to Re-authorize an App Profile for Microsoft Tenants for more information. If any permissions were updated, wait about one hour after re-authorizing the delegated app profile before using it for your migration so that the token is refreshed.
The AvePoint Fly Delegated App requests the following permissions:
| API | Permission | Type | Purpose |
|---|---|---|---|
| Microsoft Graph | RoleManagement.Read.Directory (Read directory RBAC settings) | Delegated | Retrieve Microsoft global groups. Check the roles available to the service account. |
| Microsoft Graph | Group.ReadWrite.All (Read and write all groups) | Delegated | Create groups and read all group properties and memberships. Also allows group owners to manage their groups and group members to update group content. |
| Microsoft Graph | Domain.Read.All (Read domains) | Delegated | Retrieve the Microsoft 365 tenant domain. |
| Microsoft Graph | User.Read.All (Read all users' full profiles) | Delegated | Retrieve user profile information. |
| Microsoft Graph | Chat.ReadWrite (Read and write user chat messages) | Delegated | Retrieve and migrate chat members / chat messages in Microsoft Teams Chat migrations. |
| Microsoft Graph | TeamsTab.ReadWriteForTeam (Allow the Teams app to manage all tabs in teams) | Delegated | Retrieve and migrate team tabs in Microsoft Teams migrations. |
| Microsoft Graph | TeamsAppInstallation.ReadWriteAndConsentForTeam (Manage installed Teams apps in teams) | Delegated | Read, install, upgrade, and uninstall Teams apps in Teams and manage Teams access permissions. |
| Microsoft Graph | TeamSettings.ReadWrite.All (Read and change teams’ settings) | Delegated | Retrieve and migrate team settings in Microsoft Teams migrations. |
| Microsoft Graph | TeamsAppInstallation.ReadWriteForTeam (Manage installed Teams apps in teams) | Delegated | Retrieve and migrate team apps in Microsoft Teams migrations. |
| Microsoft Graph | TeamMember.ReadWrite.All (Add and remove members from teams) | Delegated | Migrate team members to the destination. |
| Microsoft Graph | Team.Create (Create teams) | Delegated | Create Teams in Microsoft Teams migrations. |
| Microsoft Graph | ChannelSettings.ReadWrite.All (Read and write the names, descriptions, and settings of channels) | Delegated | Retrieve and migrate channel settings in Microsoft Teams migrations. |
| Microsoft Graph | ChannelMessage.Send (Send channel messages) | Delegated | Migrate channel messages in Microsoft Teams migrations. |
| Microsoft Graph | ChannelMessage.Read.All (Read user channel messages) | Delegated | Retrieve channel messages in Microsoft Teams migrations. |
| Microsoft Graph | ChannelMember.ReadWrite.All (Add and remove members from channels) | Delegated | Retrieve and migrate channel members in Microsoft Teams migrations. |
| Microsoft Graph | Channel.Create (Create channels) | Delegated | Create channels in Microsoft Teams migrations. |
| Microsoft Graph | Schedule.ReadWrite.All (Read and write all schedule items) | Delegated | Retrieve and migrate Teams Shifts app data in Microsoft Teams migrations. |
| Microsoft Graph | TeamsTab.Create (Create tabs in Microsoft Teams) | Delegated | Create tabs in destination chats in Microsoft Teams Chat migrations. |
| Microsoft Graph | TeamsTab.Read.All (Read tabs in Microsoft Teams) | Delegated | Retrieve tabs of destination chats in Microsoft Teams Chat migrations. |
| Microsoft Graph | TeamworkTag.ReadWrite (Read and write tag and tag member) | Delegated | Retrieve and migrate Teams work tags in Microsoft Teams migrations. |
| Microsoft Graph | TeamsTab.ReadWriteSelfForChat (Allow the Teams app to manage only its own tabs in chats) | Delegated | Update tabs in destination chats. |
| Microsoft Graph | Files.ReadWrite.All (Have full access to all files user can access) | Delegated | Migrate files of team sites to the destination. |
| Microsoft Graph | Sites.Read.All (Read content in all site collections) | Delegated | Retrieve all site collections. |
| SharePoint | AllSites.FullControl (Have full control of all site collections) | Delegated | Retrieve and migrate content in SharePoint migrations. |
| SharePoint | TermStore.ReadWrite.All (Read and write managed metadata) | Delegated | Retrieve and migrate Managed Metadata Service data. |
| Office 365 Exchange Online | EWS.AccessAsUser.All (Access mailboxes as the signed-in user via Exchange Web Services) | Delegated | Use Exchange Web Services with full access to user data via impersonation. |
| Office 365 Exchange Online | Exchange.Manage (Manage Exchange configuration) | Delegated | Retrieve and migrate mailbox permissions, distribution groups, and other data related to Exchange PowerShell. |
| Microsoft Information Protection Sync Service | UnifiedPolicy.User.Read (Read all unified policies a user has access to) | Delegated | Retrieve sensitivity labels of files/mails/Groups. |
| Azure Rights Management Services | user_impersonation (Create and access protected content for users) | Delegated | Migrate sensitivity labels of files/mails/Groups. |
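
To verify what was actually consented against the table above, the following added example (not AvePoint's code) compares exported Microsoft Graph oauth2PermissionGrant objects for the app's service principal with the documented delegated scopes and reports whether each grant is tenant-wide or bound to one user. The service principal IDs, the resourceId-to-API mapping and the sample grants are constructed placeholders; in a real tenant the mapping comes from the resource service principals, whose display names may differ from the API names used in the table.

```python
# Added example: audit exported oauth2PermissionGrant objects against this page's table.
# Delegated scopes from the permissions table above, keyed by the table's API names.
DOCUMENTED = {
    "Microsoft Graph": set("""
        RoleManagement.Read.Directory Group.ReadWrite.All Domain.Read.All User.Read.All
        Chat.ReadWrite TeamsTab.ReadWriteForTeam TeamsAppInstallation.ReadWriteAndConsentForTeam
        TeamSettings.ReadWrite.All TeamsAppInstallation.ReadWriteForTeam TeamMember.ReadWrite.All
        Team.Create ChannelSettings.ReadWrite.All ChannelMessage.Send ChannelMessage.Read.All
        ChannelMember.ReadWrite.All Channel.Create Schedule.ReadWrite.All TeamsTab.Create
        TeamsTab.Read.All TeamworkTag.ReadWrite TeamsTab.ReadWriteSelfForChat
        Files.ReadWrite.All Sites.Read.All""".split()),
    "SharePoint": {"AllSites.FullControl", "TermStore.ReadWrite.All"},
    "Office 365 Exchange Online": {"EWS.AccessAsUser.All", "Exchange.Manage"},
    "Microsoft Information Protection Sync Service": {"UnifiedPolicy.User.Read"},
    "Azure Rights Management Services": {"user_impersonation"},
}

def audit_grants(grants, client_id, resource_names):
    """Return one finding per delegated grant held by client_id.
    resource_names maps a grant's resourceId to an API name used in the table."""
    findings = []
    for g in grants:
        if g.get("clientId") != client_id:
            continue  # grant belongs to a different application
        api = resource_names.get(g.get("resourceId"), "UNKNOWN RESOURCE")
        granted = set((g.get("scope") or "").split())  # tolerates leading/extra spaces
        documented = DOCUMENTED.get(api, set())        # unknown API: every scope is extra
        findings.append({
            "api": api,
            "tenant_wide": g.get("consentType") == "AllPrincipals",  # admin consent for all users
            "principal": g.get("principalId"),           # set only for per-user grants
            "extra": sorted(granted - documented),       # granted but not in the table
            "missing": sorted(documented - granted),     # in the table but not granted
        })
    return findings

# Constructed sample data; every ID below is a placeholder.
FLY_SP, GRAPH_SP, SPO_SP = "sp-fly-0001", "sp-graph-0001", "sp-spo-0001"
RESOURCES = {GRAPH_SP: "Microsoft Graph", SPO_SP: "SharePoint"}
SAMPLE = [
    {"clientId": FLY_SP, "consentType": "AllPrincipals", "principalId": None,
     "resourceId": SPO_SP, "scope": " AllSites.FullControl TermStore.ReadWrite.All"},
    {"clientId": FLY_SP, "consentType": "Principal", "principalId": "user-0001",
     "resourceId": GRAPH_SP, "scope": "User.Read.All Mail.ReadWrite"},
    {"clientId": "sp-other-0001", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": GRAPH_SP, "scope": "User.Read"},
]

if __name__ == "__main__":
    for finding in audit_grants(SAMPLE, FLY_SP, RESOURCES):
        print(finding)
```

A non-empty `extra` list means the app holds a delegated scope that this page does not document, which is worth reviewing before the next migration run.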