Home > Aviator > Aviator for Microsoft 365 Groups > Permissions Required by Destination Microsoft 365 Groups > Custom App Profile Permissions
Export to PDFCustom App Profile Permissions
With the Tenant Owner and Service Administrator role, you can create a custom app profile in AvePoint Online Services > Management > App management to connect to the Microsoft 365 tenant using a custom Azure app.
Refer to the following procedures to create a custom app profile:
-
Prepare a certificate in Microsoft Entra ID. Refer to for more information.
You can ignore this step if you have a certificate.
-
Create a custom Azure app in Microsoft Entra ID. Refer to for more information.
-
.
-
in AvePoint Online Services.
*Note: After you re-authorize the app profile, you need to wait about one hour before using the app profile for your migration to refresh the token if there are permissions updated.
Permissions Required by Copy Group
Refer to the following tables to add API permissions required to the custom Azure app for Aviator copy Group jobs.
| API | Permission | Type | Purpose |
|---|---|---|---|
| Microsoft Graph | Directory.ReadWrite.All(Read directory data) | Application | Only required if the destination is multi-geo tenant with the following situations:The authentication uses the custom app profile only.The destination Groups need to be created in a defined location. |
| Microsoft Graph | Domain.Read.All | Application | Retrieve domains. |
| Microsoft Graph | RoleManagement.Read.Directory | Application | Retrieve directory roles. |
| Microsoft Graph | Group.ReadWrite.All(Read and write all groups) | Application | Retrieve and migrate Microsoft 365 Groups and Group members. |
| Microsoft Graph | Sites.Read.All(Read items in all site collections) | Application | Retrieve team sites. |
| Microsoft Graph | User.Read.All (Read all users’ full profiles) | Application | Retrieve information of Microsoft 365 user profiles. |
| Microsoft Graph | InformationProtectionPolicy.Read.All(Read all published labels and label policies for an organization) | Application | Only required if you want to manage sensitivity labels of files/emails/Teams/Groups/sites. |
| Microsoft Graph | Reports.Read.All(Read all usage reports) | Application | Only required by tenant discovery.*Note: This permission is not required by 21Vianet tenants. |
| Microsoft Graph | Tasks.ReadWrite.All(Read and write all users’ tasks and tasklists) | Application | Migrate planners and data in planners to the destination.*Note: This permission is not required by 21Vianet tenants. |
| Microsoft Graph | ReportSettings.Read.All(Read all admin report settings) | Application | Retrieve the Reports setting of the Microsoft 365 admin center.*Note: This permission is not required by 21Vianet tenants. |
| Office 365 Exchange Online | Exchange.ManageAsApp(Manage Exchange As Application) | Application | Use Exchange PowerShell to retrieve mailbox permissions. |
| Office 365 Exchange Online | Full_access_as_app(Use Exchange Web Services with full access to all mailboxes) | Application | Retrieve items from all mailboxes. *Note: If you do not want to add this permission to the app, you can create an RBAC assignment for the app to only access to specified mailboxes. Refer to the option 3 in the How to Migrate Mailboxes without the ApplicationImpersonation Role? section for details. |
| SharePoint/Office 365 SharePoint Online | Sites.FullControl.All(Have full control of all site collections) | Application | Retrieve settings and permissions of team sites. |
| SharePoint/Office 365 SharePoint Online | TermStore.ReadWrite.All (Read and write managed metadata) | Application | Retrieve and migrate Managed Metadata Service.*Note: If the term groups/term sets/terms with the same name and level (global or local level) as the source ones exist in the destination, you can change this permission to TermStore.Read.All. |
| Azure Rights Management Services*Note: For 21Vianet tenants, the API name is Microsoft Rights Management Services. | Content.DelegatedWriter (Create protected content on behalf of a user) | Application | Only required if you want to manage the sensitivity labels of files/emails/Groups. |
| Azure Rights Management Services*Note: For 21Vianet tenants, the API name is Microsoft Rights Management Services. | Content.Writer (Create protected content) | Application | Only required if you want to manage the sensitivity labels of files/emails/Groups. |
| Microsoft Information Protection Sync Service | UnifiedPolicy.Tenant.Read | Application | Only required if you want to manage the sensitivity labels of files/emails/Groups. |
For easy use, you can directly use the following commands to add required API permissions through Manifest for Microsoft 365 Commercial tenants.
"requiredResourceAccess": [
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "dbb9058a-0e50-45d7-ae91-66909b5d4664",
"type": "Role"
},
{
"id": "62a82d76-70ea-41e2-9197-370581804d09",
"type": "Role"
},
{
"id": "19da66cb-0fb0-4390-b071-ebc76a349482",
"type": "Role"
},
{
"id": "230c1aed-a721-4c5d-9cb4-a90514e508ef",
"type": "Role"
},
{
"id": "ee353f83-55ef-4b78-82da-555bfa2b4b95",
"type": "Role"
},
{
"id": "483bed4a-2ad3-4361-a73b-c83ccdbdc53c",
"type": "Role"
},
{
"id": "332a536c-c7ef-4017-ab91-336970924f0d",
"type": "Role"
},
{
"id": "44e666d1-d276-445b-a5fc-8815eeb81d55",
"type": "Role"
},
{
"id": "df021288-bdef-4463-88db-98f22de89214",
"type": "Role"
}
]
},
{
"resourceAppId": "00000003-0000-0ff1-ce00-000000000000",
"resourceAccess": [
{
"id": "c8e3537c-ec53-43b9-bed3-b2bd3617ae97",
"type": "Role"
},
{
"id": "678536fe-1083-478a-9c59-b99265e6b0d3",
"type": "Role"
}
]
},
{
"resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
"resourceAccess": [
{
"id": "dc890d15-9560-4a4c-9b7f-a736ec74ec40",
"type": "Role"
},
{
"id": "dc50a0fb-09a3-484d-be87-e023b12c6440",
"type": "Role"
}
]
},
{
"resourceAppId": "870c4f2e-85b6-4d43-bdda-6ed9a579b725",
"resourceAccess": [
{
"id": "8b2071cd-015a-4025-8052-1c0dba2d3f64",
"type": "Role"
}
]
},
{
"resourceAppId": "00000012-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "d13f921c-7f21-4c08-bade-db9d048bd0da",
"type": "Role"
},
{
"id": "006e763d-a822-41fc-8df5-8d3d7fe20022",
"type": "Role"
}
]
}
],
Permissions Required by Merge Group
Refer to the following tables to add API permissions required to the custom Azure app for Aviator merge Group jobs.
| API | Permission | Type | Purpose |
|---|---|---|---|
| Microsoft Graph | Domain.Read.All | Application | Retrieve domains. |
| Microsoft Graph | RoleManagement.Read.Directory | Application | Retrieve directory roles. |
| Microsoft Graph | Group.ReadWrite.All | Application | Retrieve and migrate Microsoft 365 Groups and Group members. |
| Microsoft Graph | Sites.Read.All(Read items in all site collections) | Application | Retrieve team sites. |
| Microsoft Graph | User.Read.All (Read all users’ full profiles) | Application | Retrieve information of Microsoft 365 user profiles. |
| Microsoft Graph | InformationProtectionPolicy.Read.All(Read all published labels and label policies for an organization) | Application | Only required if you want to manage sensitivity labels of files/emails/Teams/Groups/sites. |
| Microsoft Graph | Reports.Read.All(Read all usage reports) | Application | Only required by tenant discovery.*Note: This permission is not required by 21Vianet tenants. |
| Microsoft Graph | Tasks.ReadWrite.All(Read and write all users’ tasks and tasklists) | Application | Migrate planners and data in planners to the destination.*Note: This permission is not required by 21Vianet tenants. |
| Microsoft Graph | ReportSettings.Read.All(Read all admin report settings) | Application | Retrieve the Reports setting of the Microsoft 365 admin center.*Note: This permission is not required by 21Vianet tenants. |
| Office 365 Exchange Online | Exchange.ManageAsApp (Manage Exchange As Application) | Application | Use Exchange PowerShell to retrieve mailbox permissions. |
| Office 365 Exchange Online | Full_access_as_app (Use Exchange Web Services with full access to all mailboxes) | Application | Retrieve items from all mailboxes. *Note: If you do not want to add this permission to the app, you can create an RBAC assignment for the app to only access to specified mailboxes. Refer to the option 3 in the How to Migrate Mailboxes without the ApplicationImpersonation Role? section for details. |
| SharePoint/Office 365 SharePoint Online | Sites.FullControl.All (Have full control of all site collections) | Application | Retrieve settings and permissions of team sites. |
| SharePoint/Office 365 SharePoint Online | TermStore.ReadWrite.All | Application | Retrieve and migrate Managed Metadata Service.*Note: If the term groups/term sets/terms with the same name and level (global or local level) as the source ones exist in the destination, you can change this permission to TermStore.Read.All. |
| Azure Rights Management Services*Note: For 21Vianet tenants, the API name is Microsoft Rights Management Services. | Content.DelegatedWriter (Create protected content on behalf of a user) | Application | Only required if you want to manage the sensitivity labels of files/emails/Groups. |
| Azure Rights Management Services*Note: For 21Vianet tenants, the API name is Microsoft Rights Management Services. | Content.Writer (Create protected content) | Application | Only required if you want to manage the sensitivity labels of files/emails/Groups. |
| Microsoft Information Protection Sync Service | UnifiedPolicy.Tenant.Read | Application | Only required if you want to manage the sensitivity labels of files/emails/Groups. |
For easy use, you can directly use the following commands to add required API permissions through Manifest for Microsoft 365 Commercial tenants.
"requiredResourceAccess": [
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "dbb9058a-0e50-45d7-ae91-66909b5d4664",
"type": "Role"
},
{
"id": "62a82d76-70ea-41e2-9197-370581804d09",
"type": "Role"
},
{
"id": "19da66cb-0fb0-4390-b071-ebc76a349482",
"type": "Role"
},
{
"id": "230c1aed-a721-4c5d-9cb4-a90514e508ef",
"type": "Role"
},
{
"id": "ee353f83-55ef-4b78-82da-555bfa2b4b95",
"type": "Role"
},
{
"id": "483bed4a-2ad3-4361-a73b-c83ccdbdc53c",
"type": "Role"
},
{
"id": "332a536c-c7ef-4017-ab91-336970924f0d",
"type": "Role"
},
{
"id": "44e666d1-d276-445b-a5fc-8815eeb81d55",
"type": "Role"
},
{
"id": "df021288-bdef-4463-88db-98f22de89214",
"type": "Role"
}
]
},
{
"resourceAppId": "00000003-0000-0ff1-ce00-000000000000",
"resourceAccess": [
{
"id": "c8e3537c-ec53-43b9-bed3-b2bd3617ae97",
"type": "Role"
},
{
"id": "678536fe-1083-478a-9c59-b99265e6b0d3",
"type": "Role"
}
]
},
{
"resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
"resourceAccess": [
{
"id": "dc890d15-9560-4a4c-9b7f-a736ec74ec40",
"type": "Role"
},
{
"id": "dc50a0fb-09a3-484d-be87-e023b12c6440",
"type": "Role"
}
]
},
{
"resourceAppId": "870c4f2e-85b6-4d43-bdda-6ed9a579b725",
"resourceAccess": [
{
"id": "8b2071cd-015a-4025-8052-1c0dba2d3f64",
"type": "Role"
}
]
},
{
"resourceAppId": "00000012-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "d13f921c-7f21-4c08-bade-db9d048bd0da",
"type": "Role"
},
{
"id": "006e763d-a822-41fc-8df5-8d3d7fe20022",
"type": "Role"
}
]
}
],