Home > Aviator > Aviator for Microsoft 365 Groups > Permissions Required by Source Microsoft 365 Groups > Custom App Profile Permissions
Export to PDFCustom App Profile Permissions
With the Tenant Owner and Service Administrator role, you can create a custom app profile in AvePoint Online Services > Management > App management to connect to the Microsoft 365 tenant using a custom Azure app.
Refer to the following procedures to create a custom app profile:
-
Prepare a certificate in Microsoft Entra ID. Refer to for more information.
You can ignore this step if you have a certificate.
-
Create a custom Azure app in Microsoft Entra ID. Refer to for more information.
-
.
-
in AvePoint Online Services.
*Note: After you re-authorize the app profile, you need to wait about one hour before using the app profile for your migration to refresh the token if there are permissions updated.
Permissions Required by Copy Group
Refer to the following tables to add API permissions required to the custom Azure app for Aviator copy Group jobs.
| API | Permission | Type | Purpose |
|---|---|---|---|
| Microsoft Graph | Directory.Read.All(Read directory data) | Application | Only required if the source is a multi-geo tenant. |
| Microsoft Graph | Domain.Read.All | Application | Retrieve domains. |
| Microsoft Graph | RoleManagement.Read.Directory | Application | Retrieve directory roles. |
| Microsoft Graph | Group.Read.All (Read all groups) | Application | Retrieve Microsoft 365 Groups and Group members. |
| Microsoft Graph | Group.ReadWrite.All(Read and write all groups) | Application | Only required if you use both the app profile and the service account in the source connection and the source service account is not the Group owner, to automatically ensure the service account as the Group owner. |
| Microsoft Graph | InformationProtectionPolicy.Read.All(Read all published labels and label policies for an organization) | Application | Only required if you want to manage sensitivity labels of files/emails/Teams/Groups/sites. |
| Microsoft Graph | Sites.Read.All (Read items in all site collections) | Application | Retrieve files of team sites. |
| Microsoft Graph | User.Read.All (Read all users’ full profiles) | Application | Retrieve information of Microsoft 365 user profiles. |
| Microsoft Graph | Reports.Read.All(Read all usage reports) | Application | Only required by tenant discovery.*Note: This permission is not required by 21Vianet tenants. |
| Microsoft Graph | ReportSettings.Read.All(Read all admin report settings) | Application | Retrieve the Reports setting of the Microsoft 365 admin center.*Note: This permission is not required by 21Vianet tenants. |
| Microsoft Graph | Tasks.Read.All(Read all users’ tasks and tasklist) | Application | Retrieve planners and data in planners.*Note: This permission is not required by 21Vianet tenants. |
| Office 365 Exchange Online | Exchange.ManageAsApp(Manage Exchange As Application) | Application | Use Exchange PowerShell to retrieve mailbox permissions. |
| Office 365 Exchange Online | Full_access_as_app(Use Exchange Web Services with full access to all mailboxes) | Application | Retrieve items from all mailboxes. *Note: If you do not want to add this permission to the app, you can create an RBAC assignment for the app to only access to specified mailboxes. Refer to the option 3 in the How to Migrate Mailboxes without the ApplicationImpersonation Role? section for details. |
| SharePoint/Office 365 SharePoint Online | Sites.FullControl.All(Have full control of all site collections) | Application | Retrieve settings and permissions of team sites. |
| SharePoint/Office 365 SharePoint Online | TermStore.ReadWrite.All (Read and write managed metadata) | Application | Retrieve and migrate Managed Metadata Service.*Note: The TermStore.ReadWrite.All permission is required to migrate the term set used in the Managed Navigation. If you do not need to migrate the term set used in the Managed Navigation, you can replace the permission with TermStore.Read.All. |
| Azure Rights Management Services*Note: For 21Vianet tenants, the API name is Microsoft Rights Management Services. | Content.SuperUser(Read all unified policies of the tenant) | Application | Only required if you want to manage the sensitivity labels of files/emails/Groups. |
| Microsoft Information Protection Sync Service | UnifiedPolicy.Tenant.Read(Read all protected content for this tenant) | Application | Only required if you want to manage the sensitivity labels of files/emails/Groups. |
For easy use, you can directly use the following commands to add required API permissions through Manifest for Microsoft 365 Commercial tenants.
"requiredResourceAccess": [
{
"resourceAppId": "00000012-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "7347eb49-7a1a-43c5-8eac-a5cd1d1c7cf0",
"type": "Role"
}
]
},
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "dbb9058a-0e50-45d7-ae91-66909b5d4664",
"type": "Role"
},
{
"id": "5b567255-7703-4780-807c-7be8301ae99b",
"type": "Role"
},
{
"id": "62a82d76-70ea-41e2-9197-370581804d09",
"type": "Role"
},
{
"id": "19da66cb-0fb0-4390-b071-ebc76a349482",
"type": "Role"
},
{
"id": "230c1aed-a721-4c5d-9cb4-a90514e508ef",
"type": "Role"
},
{
"id": "ee353f83-55ef-4b78-82da-555bfa2b4b95",
"type": "Role"
},
{
"id": "483bed4a-2ad3-4361-a73b-c83ccdbdc53c",
"type": "Role"
},
{
"id": "332a536c-c7ef-4017-ab91-336970924f0d",
"type": "Role"
},
{
"id": "f10e1f91-74ed-437f-a6fd-d6ae88e26c1f",
"type": "Role"
},
{
"id": "df021288-bdef-4463-88db-98f22de89214",
"type": "Role"
}
]
},
{
"resourceAppId": "870c4f2e-85b6-4d43-bdda-6ed9a579b725",
"resourceAccess": [
{
"id": "8b2071cd-015a-4025-8052-1c0dba2d3f64",
"type": "Role"
}
]
},
{
"resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
"resourceAccess": [
{
"id": "dc890d15-9560-4a4c-9b7f-a736ec74ec40",
"type": "Role"
},
{
"id": "dc50a0fb-09a3-484d-be87-e023b12c6440",
"type": "Role"
}
]
},
{
"resourceAppId": "00000003-0000-0ff1-ce00-000000000000",
"resourceAccess": [
{
"id": "c8e3537c-ec53-43b9-bed3-b2bd3617ae97",
"type": "Role"
},
{
"id": "678536fe-1083-478a-9c59-b99265e6b0d3",
"type": "Role"
}
]
}
],
Permissions Required by Merge Group
Refer to the following tables to add API permissions required to the custom Azure app for Aviator merge Group jobs.
| API | Permission | Type | Purpose |
|---|---|---|---|
| Microsoft Graph | Domain.Read.All | Application | Retrieve domains. |
| Microsoft Graph | RoleManagement.Read.Directory | Application | Retrieve directory roles. |
| Microsoft Graph | Group.Read.All (Read all groups) | Application | Retrieve Microsoft 365 Groups and Group members. |
| Microsoft Graph | Group.ReadWrite.All(Read and write all groups) | Application | Only required if you use both the app profile and the service account in the source connection and the source service account is not the Group owner, to automatically ensure the service account as the Group owner. |
| Microsoft Graph | InformationProtectionPolicy.Read.All(Read all published labels and label policies for an organization) | Application | Only required if you want to manage sensitivity labels of files/emails/Teams/Groups/sites. |
| Microsoft Graph | Sites.Read.All (Read items in all site collections) | Application | Retrieve files of team sites. |
| Microsoft Graph | User.Read.All (Read all users’ full profiles) | Application | Retrieve information of Microsoft 365 user profiles. |
| Microsoft Graph | Reports.Read.All(Read all usage reports) | Application | Only required by tenant discovery.*Note: This permission is not required by 21Vianet tenants. |
| Microsoft Graph | ReportSettings.Read.All(Read all admin report settings) | Application | Retrieve the Reports setting of the Microsoft 365 admin center.*Note: This permission is not required by 21Vianet tenants. |
| Microsoft Graph | Tasks.Read.All(Read all users’ tasks and tasklist) | Application | Retrieve planners and data in planners.*Note: This permission is not required by 21Vianet tenants. |
| Office 365 Exchange Online | Exchange.ManageAsApp(Manage Exchange As Application) | Application | Use Exchange PowerShell to retrieve mailbox permissions. |
| Office 365 Exchange Online | Full_access_as_app(Use Exchange Web Services with full access to all mailboxes) | Application | Retrieve items from all mailboxes. *Note: If you do not want to add this permission to the app, you can create an RBAC assignment for the app to only access to specified mailboxes. Refer to the option 3 in the How to Migrate Mailboxes without the ApplicationImpersonation Role? section for details. |
| SharePoint/Office 365 SharePoint Online | Sites.FullControl.All(Have full control of all site collections) | Application | Retrieve settings and permissions of team sites. |
| SharePoint/Office 365 SharePoint Online | TermStore.ReadWrite.All (Read and write managed metadata) | Application | Retrieve and migrate Managed Metadata Service.*Note: The TermStore.ReadWrite.All permission is required to migrate the term set used in the Managed Navigation. If you do not need to migrate the term set used in the Managed Navigation, you can replace the permission with TermStore.Read.All. |
| Azure Rights Management Services*Note: For 21Vianet tenants, the API name is Microsoft Rights Management Services. | Content.SuperUser(Read all unified policies of the tenant.) | Application | Only required if you want to manage the sensitivity labels of files/emails. |
| Microsoft Information Protection Sync Service | UnifiedPolicy.Tenant.Read(Read all protected content for this tenant) | Application | Only required if you want to manage the sensitivity labels of files/emails. |
For easy use, you can directly use the following commands to add required API permissions through Manifest for Microsoft 365 Commercial tenants.
"requiredResourceAccess": [
{
"resourceAppId": "00000012-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "7347eb49-7a1a-43c5-8eac-a5cd1d1c7cf0",
"type": "Role"
}
]
},
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "dbb9058a-0e50-45d7-ae91-66909b5d4664",
"type": "Role"
},
{
"id": "5b567255-7703-4780-807c-7be8301ae99b",
"type": "Role"
},
{
"id": "62a82d76-70ea-41e2-9197-370581804d09",
"type": "Role"
},
{
"id": "19da66cb-0fb0-4390-b071-ebc76a349482",
"type": "Role"
},
{
"id": "230c1aed-a721-4c5d-9cb4-a90514e508ef",
"type": "Role"
},
{
"id": "ee353f83-55ef-4b78-82da-555bfa2b4b95",
"type": "Role"
},
{
"id": "483bed4a-2ad3-4361-a73b-c83ccdbdc53c",
"type": "Role"
},
{
"id": "332a536c-c7ef-4017-ab91-336970924f0d",
"type": "Role"
},
{
"id": "f10e1f91-74ed-437f-a6fd-d6ae88e26c1f",
"type": "Role"
},
{
"id": "df021288-bdef-4463-88db-98f22de89214",
"type": "Role"
}
]
},
{
"resourceAppId": "870c4f2e-85b6-4d43-bdda-6ed9a579b725",
"resourceAccess": [
{
"id": "8b2071cd-015a-4025-8052-1c0dba2d3f64",
"type": "Role"
}
]
},
{
"resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
"resourceAccess": [
{
"id": "dc890d15-9560-4a4c-9b7f-a736ec74ec40",
"type": "Role"
},
{
"id": "dc50a0fb-09a3-484d-be87-e023b12c6440",
"type": "Role"
}
]
},
{
"resourceAppId": "00000003-0000-0ff1-ce00-000000000000",
"resourceAccess": [
{
"id": "c8e3537c-ec53-43b9-bed3-b2bd3617ae97",
"type": "Role"
},
{
"id": "678536fe-1083-478a-9c59-b99265e6b0d3",
"type": "Role"
}
]
}
],