With the Tenant Owner and Service Administrator role, you can create a custom app profile in AvePoint Online Services > Management > App management to connect to the Microsoft 365 tenant using a custom Azure app.
Refer to the following procedures to create a custom app profile:
Prepare a certificate in Microsoft Entra ID. Refer to for more information.
You can ignore this step if you have a certificate.
Create a custom Azure app in Microsoft Entra ID. Refer to for more information.
.
in AvePoint Online Services.
*Note: If any permissions have been updated, wait about one hour after you re-authorize the app profile so that the token can refresh before you use the app profile for your migration.
Refer to the following tables to add the required API permissions to the custom Azure app.
*Note: √ indicates that the permission is required to copy or merge the data type.
| API | Permission | Type | Purpose | Team | Channel | Planner |
|---|---|---|---|---|---|---|
| Microsoft Graph | Directory.Read.All (Read directory data) | Application | Retrieve the Microsoft 365 tenant information, including the tenant domain and the service account licenses for migration. *Note: If the destination is a multi-geo tenant, and the destination Teams need to be created in a defined location, you need to change this permission to Directory.ReadWrite.All. Alternatively, you can assign the Microsoft 365 Global Administrator, SharePoint Administrator, or Exchange Administrator role to the custom app. You can refer to How to Assign the Exchange Administrator Role to an App? for examples of role assignment. | √ | √ | √ |
| Microsoft Graph | Group.ReadWrite.All (Read and write all groups) | Application | Migrate Microsoft 365 Groups and group data. | √ | √ | √ |
| Microsoft Graph | Sites.ReadWrite.All (Read and write items in all site collections) | Application | Migrate channel folders and files of team sites and private/shared channels’ site collections. | √ | √ | √ |
| Microsoft Graph | User.Read.All (Read all users’ full profiles) | Application | Retrieve information of Microsoft 365 user profiles. | √ | √ | √ |
| Microsoft Graph | ChannelMember.ReadWrite.All (Add and remove members from all channels) | Application | Migrate private/shared channel members. | √ | √ | |
| Microsoft Graph | Teamwork.Migrate.All (Create chat and channel messages with anyone’s identity and with any timestamp) | Application | Create Teams and channels, and migrate channel messages with any message sender and timestamp. | √ | | |
| Microsoft Graph | TeamworkTag.ReadWrite.All (Read and write tags in Teams) | Application | Migrate tags. | √ | | |
| Microsoft Graph | TeamMember.ReadWrite.All (Add and remove members from all teams) | Application | Migrate team members. | √ | √ | |
| Microsoft Graph | Channel.Create (Create channels) | Application | Create channels. | √ | √ | |
| Microsoft Graph | ChannelSettings.ReadWrite.All (Read and write the names, descriptions, and settings of all channels) | Application | Migrate channel settings. | √ | √ | |
| Microsoft Graph | Team.Create (Create teams) | Application | Create Teams. | √ | | |
| Microsoft Graph | TeamSettings.ReadWrite.All (Read and change all teams’ settings) | Application | Migrate team settings. | √ | | |
| Microsoft Graph | TeamsAppInstallation.ReadWriteForTeam.All (Manage Teams apps for all teams) | Application | Migrate team apps. | √ | | |
| Microsoft Graph | TeamsTab.ReadWriteForTeam.All (Allow the Teams app to manage all tabs for all teams) | Application | Migrate team tabs. | √ | √ | |
| Microsoft Graph | Schedule.ReadWrite.All (Read and write all schedule items) | Application | Migrate Teams Shifts app data. *Note: If the destination is a GCC High or 21Vianet tenant, this permission is not required. | √ | | |
| Microsoft Graph | Reports.Read.All (Read all usage reports) | Application | Only required by tenant discovery. *Note: If the destination is a 21Vianet tenant, this permission is not required. | √ | √ | |
| Microsoft Graph | Tasks.ReadWrite.All (Read and write all users’ tasks and tasklists) | Application | Migrate planners and data in planners to the destination. *Note: If the destination is a 21Vianet tenant, this permission is not required. | √ | √ | |
| Microsoft Graph | ReportSettings.Read.All (Read all admin report settings) | Application | Retrieve the Reports setting of the Microsoft 365 admin center. *Note: If the destination is a 21Vianet tenant, this permission is not required. | √ | √ | |
| Office 365 Exchange Online | Exchange.ManageAsApp (Manage Exchange As Application) | Application | Use Exchange PowerShell to retrieve mailbox permissions. | √ | | |
| Office 365 Exchange Online | Full_access_as_app (Use Exchange Web Services with full access to all mailboxes) | Application | Retrieve items from all mailboxes. *Note: If you do not want to add this permission to the app, you can create an RBAC assignment that allows the app to access only specified mailboxes. Refer to option 3 in the How to Migrate Mailboxes without the ApplicationImpersonation Role? section for details. | √ | | |
| SharePoint / Office 365 SharePoint Online | Sites.FullControl.All (Have full control of all site collections) | Application | Retrieve settings and permissions of team sites. | √ | √ | √ |
| SharePoint / Office 365 SharePoint Online | TermStore.ReadWrite.All (Read and write managed metadata) | Application | Retrieve and migrate Managed Metadata Service. *Note: If the term groups/term sets/terms with the same name and level (global or local level) as the source ones exist in the destination, you can change this permission to TermStore.Read.All. | √ | √ | |
| Azure Rights Management Services *Note: For 21Vianet tenants, the API name is Microsoft Rights Management Services. | Content.DelegatedWriter (Create protected content on behalf of a user) | Application | Only required if you want to manage the sensitivity labels of files/emails/Teams. | √ | √ | |
| Azure Rights Management Services *Note: For 21Vianet tenants, the API name is Microsoft Rights Management Services. | Content.Writer (Create protected content) | Application | Only required if you want to manage the sensitivity labels of files/emails/Teams. | √ | √ | |
| Microsoft Information Protection Sync Service | UnifiedPolicy.Tenant.Read (Read all unified policies of the tenant) | Application | Only required if you want to manage the sensitivity labels of files/emails/Teams. | √ | √ | |
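
As an added example (not AvePoint's code), the following Python check compares the application permissions actually granted to the custom app with the set the table above calls for, so grants broader than the page requires are visible before the app profile is used. The parameter names (`cloud`, `multi_geo`, `labels`, `discovery`, `mailbox_rbac`) are this example's own, the input is assumed to be (API, permission) pairs already exported from the app registration, and the `TermStore.Read.All` alternative is not modelled.

```python
def _pairs(table):
    """Flatten {api: "perm perm ..."} into a set of (api, permission) pairs."""
    return {(api, p) for api, perms in table.items() for p in perms.split()}

GRAPH, EXO, SPO = "Microsoft Graph", "Office 365 Exchange Online", "SharePoint"
MIP = "Microsoft Information Protection Sync Service"

# Table rows whose notes attach no tenant or feature condition.
BASE = _pairs({
    GRAPH: "Group.ReadWrite.All Sites.ReadWrite.All User.Read.All "
           "ChannelMember.ReadWrite.All Teamwork.Migrate.All TeamworkTag.ReadWrite.All "
           "TeamMember.ReadWrite.All Channel.Create ChannelSettings.ReadWrite.All "
           "Team.Create TeamSettings.ReadWrite.All "
           "TeamsAppInstallation.ReadWriteForTeam.All TeamsTab.ReadWriteForTeam.All",
    EXO: "Exchange.ManageAsApp",
    SPO: "Sites.FullControl.All TermStore.ReadWrite.All",
})

def expected(cloud="commercial", multi_geo=False, labels=False,
             discovery=False, mailbox_rbac=False):
    """Permissions the page calls for; cloud is 'commercial', 'gcc_high' or
    '21vianet' (parameter names and values are this example's own)."""
    want = set(BASE)
    want.add((GRAPH, "Directory.ReadWrite.All" if multi_geo else "Directory.Read.All"))
    if not mailbox_rbac:  # an RBAC assignment replaces tenant-wide mailbox access
        want.add((EXO, "Full_access_as_app"))
    if cloud != "21vianet":
        want |= _pairs({GRAPH: "Tasks.ReadWrite.All ReportSettings.Read.All"})
        if discovery:
            want.add((GRAPH, "Reports.Read.All"))
        if cloud != "gcc_high":
            want.add((GRAPH, "Schedule.ReadWrite.All"))
    if labels:  # the RMS API is named differently on 21Vianet tenants
        rms = ("Microsoft" if cloud == "21vianet" else "Azure") + " Rights Management Services"
        want |= _pairs({rms: "Content.DelegatedWriter Content.Writer",
                        MIP: "UnifiedPolicy.Tenant.Read"})
    return want

def audit(granted, **tenant):
    """Return permissions still missing and permissions granted beyond the page's list."""
    want, granted = expected(**tenant), set(granted)
    return {"missing": sorted(want - granted), "excess": sorted(granted - want)}

# Constructed sample: an app consented for a commercial tenant, plus one broader
# directory permission, then reused against a GCC High destination.
SAMPLE_GRANTED = expected() | {(GRAPH, "Directory.ReadWrite.All")}

if __name__ == "__main__":
    for kind, items in audit(SAMPLE_GRANTED, cloud="gcc_high").items():
        print(kind, items)
```

Entries under `excess` are candidates for removal from the app registration; entries under `missing` need to be added and consented before re-authorizing the app profile.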