Home > Aviator > Aviator for Microsoft 365 Groups > Permissions Required by Source Microsoft 365 Groups > Delegated App Profile Permissions
Export to PDFDelegated App Profile Permissions
Fly allows you to use the Fly delegated app profile or custom delegated app profile to connect to your workspace.
*Note: The license and permission requirements for the consent user are the same as those for the service account. For details, refer to Service Account Permissions.
*Note: If the consent user of the delegated app profile has Multi-Factor Authentication (MFA) enabled, you must authorize or re-authorize the delegated app profile after MFA is enabled. Otherwise, the migration jobs using the delegated app profile will fail.
*Note: If you re-authorize the app profile, you need to wait about one hour before using the app profile for your migration to refresh the token when there are permissions updated.
To use the Fly delegated app profile with required permissions, refer to Fly Delegated App Profile Permissions.
To use a custom delegated app profile with required permissions, refer to the following steps:
-
After registering an app in Microsoft Entra ID, add the required permissions to the app. The sections below show the required permissions of a custom app.
-
Click Authentication in the left navigation of the app.
-
Click Add a platform.
-
Select Web in the Configure platforms panel.
-
In the Configure Web panel, enter the AvePoint Online Services URL: https://www.avepointonlineservices.com for your commercial environment or https://usgov.avepointonlineservices.com for your U.S. Government environment in the Redirect URIs field.
-
Select the Access tokens and ID tokens checkboxes in the Implicit grant and hybrid flows field.
-
Click Configure.
-
Click Save.
-
Create an app profile for the app using the Custom mode in AvePoint Online Services by referring to .
*Note: When consenting to the app, if you have granted the admin consent and allowed public client flows for the permissions, you can choose to use the Global Administrator consent or the User consent method. If not, you can only use the Global Administrator consent method.
Custom Delegated App Profile for Copy Group
Make sure the custom delegated app has the following permissions.
| API | Permission | Type | Purpose |
|---|---|---|---|
| Microsoft Information Protection Sync Service | UnifiedPolicy.User.Read | Delegated | Only required if you want to manage the sensitivity labels of files/emails/Groups. |
| Microsoft Graph | Directory.Read.All(Read directory data) | Delegated | Only required if the source is multi-geo tenant. |
| Microsoft Graph | Domain.Read.All | Delegated | Retrieve domains. |
| Microsoft Graph | RoleManagement.Read.Directory | Delegated | Retrieve directory roles. |
| Microsoft Graph | Group.Read.All | Delegated | Retrieve Microsoft 365 Groups and group members. |
| Microsoft Graph | Group.ReadWrite.All | Delegated | Required if the consent user is not the group owner of source Groups. Meanwhile, the consent user must have the Groups Administrator role. This can automatically add the consent user as the group owner.If the consent user is already the group owner, you can change this permission to Group.Read.All. |
| Microsoft Graph | Sites.Read.All | Delegated | Retrieve files of team sites. |
| Microsoft Graph | User.Read.All | Delegated | Retrieve information of Microsoft 365 user profiles. |
| Azure Rights Management Services*Note: For 21Vianet tenants, the API name is Microsoft Rights Management Services. | user_impersonation | Delegated | Only required if you want to manage the sensitivity labels of files/emails/Groups. |
| Office 365 Exchange Online | EWS.AccessAsUser.All | Delegated | Use Exchange Web Services with full access to user data via impersonation. |
| Office 365 Exchange Online | Exchange.Manage | Delegated | Retrieve mailbox permissions. |
| SharePoint/Office 365 SharePoint Online | AllSites.FullControl | Delegated | Retrieve settings and permissions of team sites. |
| SharePoint/Office 365 SharePoint Online | TermStore.Read.All | Delegated | Retrieve Managed Metadata Service data. |
For easy use, you can directly use the following commands to add required API permissions through Manifest.
"requiredResourceAccess": [
{
"resourceAppId": "00000003-0000-0ff1-ce00-000000000000",
"resourceAccess": [
{
"id": "a468ea40-458c-4cc2-80c4-51781af71e41",
"type": "Scope"
},
{
"id": "56680e0d-d2a3-4ae1-80d8-3c4f2100e3d0",
"type": "Scope"
}
]
},
{
"resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
"resourceAccess": [
{
"id": "ab4f2b77-0b06-4fc1-a9de-02113fc2ab7c",
"type": "Scope"
},
{
"id": "3b5f3d61-589b-4a3c-a359-5dd4b5ee5bd5",
"type": "Scope"
}
]
},
{
"resourceAppId": "00000012-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "c9c9a04d-3b66-4ca8-a00c-fca953e2afd3",
"type": "Scope"
}
]
},
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "06da0dbc-49e2-44d2-8312-53f166ab848a",
"type": "Scope"
},
{
"id": "2f9ee017-59c1-4f1d-9472-bd5529a7b311",
"type": "Scope"
},
{
"id": "5f8c59db-677d-491f-a6b8-5f174b11ec1d",
"type": "Scope"
},
{
"id": "4e46008b-f24c-477d-8fff-7bb4ec7aafe0",
"type": "Scope"
},
{
"id": "741c54c3-0c1e-44a1-818b-3f97ab4e8c83",
"type": "Scope"
},
{
"id": "205e70e5-aba6-4c52-a976-6d2d46c48043",
"type": "Scope"
},
{
"id": "a154be20-db9c-4678-8ab7-66f6cc099a59",
"type": "Scope"
}
]
},
{
"resourceAppId": "870c4f2e-85b6-4d43-bdda-6ed9a579b725",
"resourceAccess": [
{
"id": "34f7024b-1bed-402f-9664-f5316a1e1b4a",
"type": "Scope"
}
]
}
],
Custom Delegated App Profile for Merge Group
Make sure the custom delegated app has the following permissions.
| API | Permission | Type | Purpose |
|---|---|---|---|
| Microsoft Information Protection Sync Service | UnifiedPolicy.User.Read | Delegated | Only required if you want to manage the sensitivity labels of files/emails/Groups. |
| Microsoft Graph | Domain.Read.All | Delegated | Retrieve domains. |
| Microsoft Graph | RoleManagement.Read.Directory | Delegated | Retrieve directory roles. |
| Microsoft Graph | Group.Read.All | Delegated | Retrieve Microsoft 365 Groups and group members. |
| Microsoft Graph | Group.ReadWrite.All | Delegated | Required if the consent user is not the group owner of source Groups. Meanwhile, the consent user must have the Groups Administrator role. This can automatically add the consent user as the group owner.If the consent user is already the group owner, you can change this permission to Group.Read.All. |
| Microsoft Graph | Sites.Read.All | Delegated | Retrieve files of team sites. |
| Microsoft Graph | User.Read.All | Delegated | Retrieve information of Microsoft 365 user profiles. |
| Azure Rights Management Services*Note: For 21Vianet tenants, the API name is Microsoft Rights Management Services. | user_impersonation | Delegated | Only required if you want to manage the sensitivity labels of files/emails/Groups. |
| Office 365 Exchange Online | EWS.AccessAsUser.All | Delegated | Use Exchange Web Services with full access to user data via impersonation. |
| Office 365 Exchange Online | Exchange.Manage | Delegated | Retrieve mailbox permissions. |
| SharePoint/Office 365 SharePoint Online | AllSites.FullControl | Delegated | Retrieve settings and permissions of team sites. |
| SharePoint/Office 365 SharePoint Online | TermStore.Read.All | Delegated | Retrieve Managed Metadata Service data. |
For easy use, you can directly use the following commands to add required API permissions through Manifest.
"requiredResourceAccess": [
{
"resourceAppId": "00000003-0000-0ff1-ce00-000000000000",
"resourceAccess": [
{
"id": "a468ea40-458c-4cc2-80c4-51781af71e41",
"type": "Scope"
},
{
"id": "56680e0d-d2a3-4ae1-80d8-3c4f2100e3d0",
"type": "Scope"
}
]
},
{
"resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
"resourceAccess": [
{
"id": "ab4f2b77-0b06-4fc1-a9de-02113fc2ab7c",
"type": "Scope"
},
{
"id": "3b5f3d61-589b-4a3c-a359-5dd4b5ee5bd5",
"type": "Scope"
}
]
},
{
"resourceAppId": "00000012-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "c9c9a04d-3b66-4ca8-a00c-fca953e2afd3",
"type": "Scope"
}
]
},
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "2f9ee017-59c1-4f1d-9472-bd5529a7b311",
"type": "Scope"
},
{
"id": "5f8c59db-677d-491f-a6b8-5f174b11ec1d",
"type": "Scope"
},
{
"id": "4e46008b-f24c-477d-8fff-7bb4ec7aafe0",
"type": "Scope"
},
{
"id": "741c54c3-0c1e-44a1-818b-3f97ab4e8c83",
"type": "Scope"
},
{
"id": "205e70e5-aba6-4c52-a976-6d2d46c48043",
"type": "Scope"
},
{
"id": "a154be20-db9c-4678-8ab7-66f6cc099a59",
"type": "Scope"
}
]
},
{
"resourceAppId": "870c4f2e-85b6-4d43-bdda-6ed9a579b725",
"resourceAccess": [
{
"id": "34f7024b-1bed-402f-9664-f5316a1e1b4a",
"type": "Scope"
}
]
}
],