English

Home > Aviator > Aviator for Microsoft 365 Groups > Permissions Required by Destination Microsoft 365 Groups

Permissions Required by Destination Microsoft 365 Groups

To connect to the destination, you can choose to only use a service account, Fly app profile, or custom app profile as the authentication method. You can also use the combination of a service account and a Fly app profile, or the combination of a service account and a custom app profile.

Refer to the following sections to view the permissions required by the authentication methods.

Fly App Profile Permissions

With the Tenant Owner or Service Administrator role, you can create a Fly app profile in AvePoint Online Services > Management > App management to connect to the Microsoft 365 tenant using the Fly app.

Refer to Fly App Profile Permissions about how to create a Fly app profile and the required permissions of the Fly app profile.

NOTE

With the authentication method of the Fly app profile only, if the destination is a multi-geo tenant, and the destination Groups need to be created in a defined location, you need to assign the Microsoft 365 Global Administrator, SharePoint Administrator, or Exchange Administrator role to the Fly app. You can refer to How to Assign the Exchange Administrator Role to an App? for examples of role assignment.

Custom App Profile Permissions

With the Tenant Owner and Service Administrator role, you can create a custom app profile in AvePoint Online Services > Management > App management to connect to the Microsoft 365 tenant using a custom Azure app.

Refer to the following procedures to create a custom app profile:

Prepare a certificate in Microsoft Entra ID. Refer to Prepare a Certificate for the Custom Azure App for more information.

You can ignore this step if you have a certificate.
Create a custom Azure app in Microsoft Entra ID. Refer to Create Custom Azure Applications for more information.
Connect your tenant to AvePoint Online Services.
Create an App Profile for a Custom Azure App in AvePoint Online Services.

NOTE

After you re-authorize the app profile, you need to wait about one hour before using the app profile for your migration to refresh the token if there are permissions updated.

Permissions Required by Copy Group

Refer to the following tables to add API permissions required to the custom Azure app for Aviator copy Group jobs.

API	Permission	Type	Purpose
Microsoft Graph	Directory.ReadWrite.All (Read directory data)	Application	Only required if the destination is multi-geo tenant with the following situations: The authentication uses the custom app profile only. The destination Groups need to be created in a defined location.
Microsoft Graph	Domain.Read.All	Application	Retrieve domains.
Microsoft Graph	RoleManagement.Read.Directory	Application	Retrieve directory roles.
Microsoft Graph	Group.ReadWrite.All (Read and write all groups)	Application	Retrieve and migrate Microsoft 365 Groups and Group members.
Microsoft Graph	Sites.Read.All (Read items in all site collections)	Application	Retrieve team sites.
Microsoft Graph	User.Read.All (Read all users’ full profiles)	Application	Retrieve information of Microsoft 365 user profiles.
Microsoft Graph	InformationProtectionPolicy.Read.All (Read all published labels and label policies for an organization)	Application	Only required if you want to manage sensitivity labels of files/emails/Teams/Groups/sites.
Microsoft Graph	Reports.Read.All (Read all usage reports)	Application	Only required by tenant discovery. *Note: This permission is not required by 21Vianet tenants.
Microsoft Graph	Tasks.ReadWrite.All (Read and write all users’ tasks and tasklists)	Application	Migrate planners and data in planners to the destination. *Note: This permission is not required by 21Vianet tenants.
Microsoft Graph	ReportSettings.Read.All (Read all admin report settings)	Application	Retrieve the Reports setting of the Microsoft 365 admin center. *Note: This permission is not required by 21Vianet tenants.
Office 365 Exchange Online	Exchange.ManageAsApp (Manage Exchange As Application)	Application	Use Exchange PowerShell to retrieve mailbox permissions.
Office 365 Exchange Online	Full_access_as_app (Use Exchange Web Services with full access to all mailboxes)	Application	Retrieve items from all mailboxes. *Note: If you do not want to add this permission to the app, you can create an RBAC assignment for the app to only access to specified mailboxes. Refer to option 3 in the How to Migrate Mailboxes without the ApplicationImpersonation Role? section for details.
SharePoint/Office 365 SharePoint Online	Sites.FullControl.All (Have full control of all site collections)	Application	Retrieve settings and permissions of team sites.
SharePoint/Office 365 SharePoint Online	TermStore.ReadWrite.All (Read and write managed metadata)	Application	Retrieve and migrate Managed Metadata Service. *Note: If the term groups/term sets/terms with the same name and level (global or local level) as the source ones exist in the destination, you can change this permission to TermStore.Read.All.
Azure Rights Management Services *Note: For 21Vianet tenants, the API name is Microsoft Rights Management Services.	Content.DelegatedWriter (Create protected content on behalf of a user)	Application	Only required if you want to manage the sensitivity labels of files/emails/Groups.
Azure Rights Management Services *Note: For 21Vianet tenants, the API name is Microsoft Rights Management Services.	Content.Writer (Create protected content)	Application	Only required if you want to manage the sensitivity labels of files/emails/Groups.
Microsoft Information Protection Sync Service	UnifiedPolicy.Tenant.Read	Application	Only required if you want to manage the sensitivity labels of files/emails/Groups.

For easy use, you can directly use the following commands to add required API permissions through Manifest for Microsoft 365 Commercial tenants.

"requiredResourceAccess": [
  {
    "resourceAppId": "00000003-0000-0000-c000-000000000000",
    "resourceAccess": [
      {
        "id": "dbb9058a-0e50-45d7-ae91-66909b5d4664",
        "type": "Role"
      },
      {
        "id": "62a82d76-70ea-41e2-9197-370581804d09",
        "type": "Role"
      },
      {
        "id": "19da66cb-0fb0-4390-b071-ebc76a349482",
        "type": "Role"
      },
      {
        "id": "230c1aed-a721-4c5d-9cb4-a90514e508ef",
        "type": "Role"
      },
      {
        "id": "ee353f83-55ef-4b78-82da-555bfa2b4b95",
        "type": "Role"
      },
      {
        "id": "483bed4a-2ad3-4361-a73b-c83ccdbdc53c",
        "type": "Role"
      },
      {
        "id": "332a536c-c7ef-4017-ab91-336970924f0d",
        "type": "Role"
      },
      {
        "id": "44e666d1-d276-445b-a5fc-8815eeb81d55",
        "type": "Role"
      },
      {
        "id": "df021288-bdef-4463-88db-98f22de89214",
        "type": "Role"
      }
    ]
  },
  {
    "resourceAppId": "00000003-0000-0ff1-ce00-000000000000",
    "resourceAccess": [
      {
        "id": "c8e3537c-ec53-43b9-bed3-b2bd3617ae97",
        "type": "Role"
      },
      {
        "id": "678536fe-1083-478a-9c59-b99265e6b0d3",
        "type": "Role"
      }
    ]
  },
  {
    "resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
    "resourceAccess": [
      {
        "id": "dc890d15-9560-4a4c-9b7f-a736ec74ec40",
        "type": "Role"
      },
      {
        "id": "dc50a0fb-09a3-484d-be87-e023b12c6440",
        "type": "Role"
      }
    ]
  },
  {
    "resourceAppId": "870c4f2e-85b6-4d43-bdda-6ed9a579b725",
    "resourceAccess": [
      {
        "id": "8b2071cd-015a-4025-8052-1c0dba2d3f64",
        "type": "Role"
      }
    ]
  },
  {
    "resourceAppId": "00000012-0000-0000-c000-000000000000",
    "resourceAccess": [
      {
        "id": "d13f921c-7f21-4c08-bade-db9d048bd0da",
        "type": "Role"
      },
      {
        "id": "006e763d-a822-41fc-8df5-8d3d7fe20022",
        "type": "Role"
      }
    ]
  }
]

Permissions Required by Merge Group

Refer to the following tables to add API permissions required to the custom Azure app for Aviator merge Group jobs.

API	Permission	Type	Purpose
Microsoft Graph	Domain.Read.All	Application	Retrieve domains.
Microsoft Graph	RoleManagement.Read.Directory	Application	Retrieve directory roles.
Microsoft Graph	Group.ReadWrite.All	Application	Retrieve and migrate Microsoft 365 Groups and Group members.
Microsoft Graph	Sites.Read.All (Read items in all site collections)	Application	Retrieve team sites.
Microsoft Graph	User.Read.All (Read all users’ full profiles)	Application	Retrieve information of Microsoft 365 user profiles.
Microsoft Graph	InformationProtectionPolicy.Read.All (Read all published labels and label policies for an organization)	Application	Only required if you want to manage sensitivity labels of files/emails/Teams/Groups/sites.
Microsoft Graph	Reports.Read.All (Read all usage reports)	Application	Only required by tenant discovery. *Note: This permission is not required by 21Vianet tenants.
Microsoft Graph	Tasks.ReadWrite.All (Read and write all users’ tasks and tasklists)	Application	Migrate planners and data in planners to the destination. *Note: This permission is not required by 21Vianet tenants.
Microsoft Graph	ReportSettings.Read.All (Read all admin report settings)	Application	Retrieve the Reports setting of the Microsoft 365 admin center. *Note: This permission is not required by 21Vianet tenants.
Office 365 Exchange Online	Exchange.ManageAsApp (Manage Exchange As Application)	Application	Use Exchange PowerShell to retrieve mailbox permissions.
Office 365 Exchange Online	Full_access_as_app (Use Exchange Web Services with full access to all mailboxes)	Application	Retrieve items from all mailboxes. *Note: If you do not want to add this permission to the app, you can create an RBAC assignment for the app to only access to specified mailboxes. Refer to option 3 in the How to Migrate Mailboxes without the ApplicationImpersonation Role? section for details.
SharePoint/Office 365 SharePoint Online	Sites.FullControl.All (Have full control of all site collections)	Application	Retrieve settings and permissions of team sites.
SharePoint/Office 365 SharePoint Online	TermStore.ReadWrite.All	Application	Retrieve and migrate Managed Metadata Service. *Note: If the term groups/term sets/terms with the same name and level (global or local level) as the source ones exist in the destination, you can change this permission to TermStore.Read.All.
Azure Rights Management Services *Note: For 21Vianet tenants, the API name is Microsoft Rights Management Services.	Content.DelegatedWriter (Create protected content on behalf of a user)	Application	Only required if you want to manage the sensitivity labels of files/emails/Groups.
Azure Rights Management Services *Note: For 21Vianet tenants, the API name is Microsoft Rights Management Services.	Content.Writer (Create protected content)	Application	Only required if you want to manage the sensitivity labels of files/emails/Groups.
Microsoft Information Protection Sync Service	UnifiedPolicy.Tenant.Read	Application	Only required if you want to manage the sensitivity labels of files/emails/Groups.

For easy use, you can directly use the following commands to add required API permissions through Manifest for Microsoft 365 Commercial tenants.

"requiredResourceAccess": [ 
        { 
            "resourceAppId": "00000003-0000-0000-c000-000000000000", 
            "resourceAccess": [ 
                { 
                    "id": "dbb9058a-0e50-45d7-ae91-66909b5d4664", 
                    "type": "Role" 
                }, 
                { 
                    "id": "62a82d76-70ea-41e2-9197-370581804d09", 
                    "type": "Role" 
                }, 
                { 
                    "id": "19da66cb-0fb0-4390-b071-ebc76a349482", 
                    "type": "Role" 
                }, 
                { 
                    "id": "230c1aed-a721-4c5d-9cb4-a90514e508ef", 
                    "type": "Role" 
                }, 
                { 
                    "id": "ee353f83-55ef-4b78-82da-555bfa2b4b95", 
                    "type": "Role" 
                }, 
                { 
                    "id": "483bed4a-2ad3-4361-a73b-c83ccdbdc53c", 
                    "type": "Role" 
                }, 
                { 
                    "id": "332a536c-c7ef-4017-ab91-336970924f0d", 
                    "type": "Role" 
                }, 
                { 
                    "id": "44e666d1-d276-445b-a5fc-8815eeb81d55", 
                    "type": "Role" 
                }, 
                { 
                    "id": "df021288-bdef-4463-88db-98f22de89214", 
                    "type": "Role" 
                } 
            ] 
        }, 
        { 
            "resourceAppId": "00000003-0000-0ff1-ce00-000000000000", 
            "resourceAccess": [ 
                { 
                    "id": "c8e3537c-ec53-43b9-bed3-b2bd3617ae97", 
                    "type": "Role" 
                }, 
                { 
                    "id": "678536fe-1083-478a-9c59-b99265e6b0d3", 
                    "type": "Role" 
                } 
            ] 
        }, 
        { 
            "resourceAppId": "00000002-0000-0ff1-ce00-000000000000", 
            "resourceAccess": [ 
                { 
                    "id": "dc890d15-9560-4a4c-9b7f-a736ec74ec40", 
                    "type": "Role" 
                }, 
                { 
                    "id": "dc50a0fb-09a3-484d-be87-e023b12c6440", 
                    "type": "Role" 
                } 
            ] 
        }, 
        { 
            "resourceAppId": "870c4f2e-85b6-4d43-bdda-6ed9a579b725", 
            "resourceAccess": [ 
                { 
                    "id": "8b2071cd-015a-4025-8052-1c0dba2d3f64", 
                    "type": "Role" 
                } 
            ] 
        }, 
        { 
            "resourceAppId": "00000012-0000-0000-c000-000000000000", 
            "resourceAccess": [ 
                { 
                    "id": "d13f921c-7f21-4c08-bade-db9d048bd0da", 
                    "type": "Role" 
                }, 
                { 
                    "id": "006e763d-a822-41fc-8df5-8d3d7fe20022", 
                    "type": "Role" 
                } 
            ] 
        } 
    ],

Service Account Permissions

The service account permissions required by the destination are the same as Microsoft 365 Groups Migration. Refer to Service Account Permissions for details.

Delegated App Profile Permissions

Fly allows you to use the Fly delegated app profile or custom delegated app profile to connect to your workspace.

NOTE

The license and permission requirements for the consent user are the same as those for the service account. For details, refer to Service Account Permissions.

NOTE

If the consent user of the delegated app profile has Multi-Factor Authentication (MFA) enabled, you must authorize or re-authorize the delegated app profile after MFA is enabled. Otherwise, the migration jobs using the delegated app profile will fail.

NOTE

If you re-authorize the app profile, you need to wait about one hour before using the app profile for your migration to refresh the token when there are permissions updated.

The steps of creating a default or custom delegated app profile for the destination are the same as the steps in Delegated App Profile Permissions for the source.

For Fly delegated app profile permissions, refer to the table in Fly Delegated App Profile Permissions.

For custom delegated app profile permissions, refer to the sections below.

Custom Delegated App Profile for Copy Group

Make sure the custom delegated app has the following permissions.

API	Permission	Type	Purpose
Microsoft Information Protection Sync Service	UnifiedPolicy.User.Read	Delegated	Only required if you want to manage the sensitivity labels of files/emails/Groups.
Microsoft Graph	Directory.Read.All (Read directory data)	Delegated	Only required if the destination is multi-geo tenant.
Microsoft Graph	Domain.Read.All	Delegated	Retrieve domains.
Microsoft Graph	RoleManagement.Read.Directory	Delegated	Retrieve directory roles.
Microsoft Graph	Group.Read.All	Delegated	Retrieve Microsoft 365 Groups and group members.
Microsoft Graph	Group.ReadWrite.All	Delegated	Required if the consent user is not the group owner of source Groups. Meanwhile, the consent user must have the Groups Administrator role. This can automatically add the consent user as the group owner. If the consent user is already the group owner, you can change this permission to Group.Read.All.
Microsoft Graph	Sites.Read.All	Delegated	Retrieve files of team sites.
Microsoft Graph	User.Read.All	Delegated	Retrieve information of Microsoft 365 user profiles.
Azure Rights Management Services *Note: For 21Vianet tenants, the API name is Microsoft Rights Management Services.	user_impersonation	Delegated	Only required if you want to manage the sensitivity labels of files/emails/Groups.
Office 365 Exchange Online	EWS.AccessAsUser.All	Delegated	Use Exchange Web Services with full access to user data via impersonation.
Office 365 Exchange Online	Exchange.Manage	Delegated	Retrieve mailbox permissions.
SharePoint/Office 365 SharePoint Online	AllSites.FullControl	Delegated	Retrieve settings and permissions of team sites.
SharePoint/Office 365 SharePoint Online	TermStore.Read.All	Delegated	Retrieve Managed Metadata Service data.

For easy use, you can directly use the following commands to add required API permissions through Manifest.

"requiredResourceAccess": [ 
    { 
      "resourceAppId": "00000003-0000-0ff1-ce00-000000000000", 
      "resourceAccess": [ 
        { 
          "id": "a468ea40-458c-4cc2-80c4-51781af71e41", 
          "type": "Scope" 
        }, 
        { 
          "id": "56680e0d-d2a3-4ae1-80d8-3c4f2100e3d0", 
          "type": "Scope" 
        } 
      ] 
    }, 
    { 
      "resourceAppId": "00000002-0000-0ff1-ce00-000000000000", 
      "resourceAccess": [ 
        { 
          "id": "ab4f2b77-0b06-4fc1-a9de-02113fc2ab7c", 
          "type": "Scope" 
        }, 
        { 
          "id": "3b5f3d61-589b-4a3c-a359-5dd4b5ee5bd5", 
          "type": "Scope" 
        } 
      ] 
    }, 
    { 
      "resourceAppId": "00000012-0000-0000-c000-000000000000", 
      "resourceAccess": [ 
        { 
          "id": "c9c9a04d-3b66-4ca8-a00c-fca953e2afd3", 
          "type": "Scope" 
        } 
      ] 
    }, 
    { 
      "resourceAppId": "00000003-0000-0000-c000-000000000000", 
      "resourceAccess": [ 
        { 
          "id": "06da0dbc-49e2-44d2-8312-53f166ab848a", 
          "type": "Scope" 
        }, 
        { 
          "id": "2f9ee017-59c1-4f1d-9472-bd5529a7b311", 
          "type": "Scope" 
        }, 
        { 
          "id": "5f8c59db-677d-491f-a6b8-5f174b11ec1d", 
          "type": "Scope" 
        }, 
        { 
          "id": "4e46008b-f24c-477d-8fff-7bb4ec7aafe0", 
          "type": "Scope" 
        }, 
        { 
          "id": "741c54c3-0c1e-44a1-818b-3f97ab4e8c83", 
          "type": "Scope" 
        }, 
        { 
          "id": "205e70e5-aba6-4c52-a976-6d2d46c48043", 
          "type": "Scope" 
        }, 
        { 
          "id": "a154be20-db9c-4678-8ab7-66f6cc099a59", 
          "type": "Scope" 
        } 
      ] 
    }, 
    { 
      "resourceAppId": "870c4f2e-85b6-4d43-bdda-6ed9a579b725", 
      "resourceAccess": [ 
        { 
          "id": "34f7024b-1bed-402f-9664-f5316a1e1b4a", 
          "type": "Scope" 
        } 
      ] 
    } 
  ],

Custom Delegated App Profile for Merge Group

Make sure the custom delegated app has the following permissions.

API	Permission	Type	Purpose
Microsoft Information Protection Sync Service	UnifiedPolicy.User.Read	Delegated	Only required if you want to manage the sensitivity labels of files/emails/Groups.
Microsoft Graph	Domain.Read.All	Delegated	Retrieve domains.
Microsoft Graph	RoleManagement.Read.Directory	Delegated	Retrieve directory roles.
Microsoft Graph	Group.Read.All	Delegated	Retrieve Microsoft 365 Groups and group members.
Microsoft Graph	Group.ReadWrite.All	Delegated	Required if the consent user is not the group owner of source Groups. Meanwhile, the consent user must have the Groups Administrator role. This can automatically add the consent user as the group owner. If the consent user is already the group owner, you can change this permission to Group.Read.All.
Microsoft Graph	Sites.Read.All	Delegated	Retrieve files of team sites.
Microsoft Graph	User.Read.All	Delegated	Retrieve information of Microsoft 365 user profiles.
Azure Rights Management Services *Note: For 21Vianet tenants, the API name is Microsoft Rights Management Services.	user_impersonation	Delegated	Only required if you want to manage the sensitivity labels of files/emails/Groups.
Office 365 Exchange Online	EWS.AccessAsUser.All	Delegated	Use Exchange Web Services with full access to user data via impersonation.
Office 365 Exchange Online	Exchange.Manage	Delegated	Retrieve mailbox permissions.
SharePoint/Office 365 SharePoint Online	AllSites.FullControl	Delegated	Retrieve settings and permissions of team sites.
SharePoint/Office 365 SharePoint Online	TermStore.Read.All	Delegated	Retrieve Managed Metadata Service data.

For easy use, you can directly use the following commands to add required API permissions through Manifest.

"requiredResourceAccess": [ 
    { 
      "resourceAppId": "00000003-0000-0ff1-ce00-000000000000", 
      "resourceAccess": [ 
        { 
          "id": "a468ea40-458c-4cc2-80c4-51781af71e41", 
          "type": "Scope" 
        }, 
        { 
          "id": "56680e0d-d2a3-4ae1-80d8-3c4f2100e3d0", 
          "type": "Scope" 
        } 
      ] 
    }, 
    { 
      "resourceAppId": "00000002-0000-0ff1-ce00-000000000000", 
      "resourceAccess": [ 
        { 
          "id": "ab4f2b77-0b06-4fc1-a9de-02113fc2ab7c", 
          "type": "Scope" 
        }, 
        { 
          "id": "3b5f3d61-589b-4a3c-a359-5dd4b5ee5bd5", 
          "type": "Scope" 
        } 
      ] 
    }, 
    { 
      "resourceAppId": "00000012-0000-0000-c000-000000000000", 
      "resourceAccess": [ 
        { 
          "id": "c9c9a04d-3b66-4ca8-a00c-fca953e2afd3", 
          "type": "Scope" 
        } 
      ] 
    }, 
    { 
      "resourceAppId": "00000003-0000-0000-c000-000000000000", 
      "resourceAccess": [ 
        { 
          "id": "2f9ee017-59c1-4f1d-9472-bd5529a7b311", 
          "type": "Scope" 
        }, 
        { 
          "id": "5f8c59db-677d-491f-a6b8-5f174b11ec1d", 
          "type": "Scope" 
        }, 
        { 
          "id": "4e46008b-f24c-477d-8fff-7bb4ec7aafe0", 
          "type": "Scope" 
        }, 
        { 
          "id": "741c54c3-0c1e-44a1-818b-3f97ab4e8c83", 
          "type": "Scope" 
        }, 
        { 
          "id": "205e70e5-aba6-4c52-a976-6d2d46c48043", 
          "type": "Scope" 
        }, 
        { 
          "id": "a154be20-db9c-4678-8ab7-66f6cc099a59", 
          "type": "Scope" 
        } 
      ] 
    }, 
    { 
      "resourceAppId": "870c4f2e-85b6-4d43-bdda-6ed9a579b725", 
      "resourceAccess": [ 
        { 
          "id": "34f7024b-1bed-402f-9664-f5316a1e1b4a", 
          "type": "Scope" 
        } 
      ] 
    } 
  ],

On this page

Required Permissions for Exchange Online Migration

Required Permissions for Microsoft 365 Groups Migration

Required Permissions for Microsoft Teams Migration

Required Permissions for Microsoft Teams Chat Migration

Required Permissions for OneDrive Migration

Required Permissions for Power Platform Migration

Required Permissions for SharePoint Online Migration

Required Permissions for Google Drive Migration

Create a Connection

Aviator for Microsoft Teams

Aviator for Microsoft 365 Groups

Aviator for SharePoint Online

Aviator for OneDrive

Configurations for Customized Features

Fly App Profile Permissions

Permissions Required by Destination Microsoft 365 Groups

Fly App Profile Permissions

Custom App Profile Permissions

Permissions Required by Copy Group

Permissions Required by Merge Group

Service Account Permissions

Delegated App Profile Permissions

Custom Delegated App Profile for Copy Group

Custom Delegated App Profile for Merge Group

#Permissions Required by Destination Microsoft 365 Groups

#Fly App Profile Permissions

#Custom App Profile Permissions

#Permissions Required by Copy Group

#Permissions Required by Merge Group

#Service Account Permissions

#Delegated App Profile Permissions

#Custom Delegated App Profile for Copy Group

#Custom Delegated App Profile for Merge Group

Permissions Required by Destination Microsoft 365 Groups

Fly App Profile Permissions

Custom App Profile Permissions

Permissions Required by Copy Group

Permissions Required by Merge Group

Service Account Permissions

Delegated App Profile Permissions

Custom Delegated App Profile for Copy Group

Custom Delegated App Profile for Merge Group