Home > Aviator > Aviator for Microsoft Teams > Permissions Required by Source Teams > Delegated App Profile Permissions
Export to PDFDelegated App Profile Permissions
Fly allows you to use the Fly delegated app profile or custom delegated app profile to connect to your workspace.
*Note: The license and permission requirements for the consent user are the same as those for the service account. For details, refer to Service Account Permissions.
*Note: If the consent user of the delegated app profile has Multi-Factor Authentication (MFA) enabled, you must authorize or re-authorize the delegated app profile after MFA is enabled. Otherwise, jobs using the delegated app profile will fail.
*Note: If you re-authorize the app profile, you need to wait about one hour before using the app profile for your migration to refresh the token when there are permissions updated.
To use the Fly delegated app profile with required permissions, refer to Fly Delegated App Profile Permissions.
To use a custom delegated app profile with required permissions, refer to the following steps:
-
After registering an app in Microsoft Entra ID, add the required permissions in the table below to the app.
*Note: √ refers to the permission is required to copy or merge the data type.
| API | Permission | Type | Purpose | Team | Channel | Planner |
|---|---|---|---|---|---|---|
| Microsoft Graph | Directory.Read.All(Read directory data) | Delegated | Only required if the source is multi-geo tenant. | √ | ||
| Microsoft Graph | Domain.Read.All(Read domains) | Delegated | Retrieve domains. | √ | √ | √ |
| Microsoft Graph | RoleManagement.Read.Directory(Read directory RBAC settings) | Delegated | Retrieve directory roles. | √ | √ | |
| Microsoft Graph | Group.Read.All(Read directory data) | Delegated | Retrieve Microsoft 365 Groups and group members. | √ | √ | √ |
| Microsoft Graph | Group.ReadWrite.All(Read and write all groups) | Delegated | Only required if the source consent user is not the team owner to automatically add the consent user as the team owner. | |||
| √ | ||||||
| Microsoft Graph | Sites.Read.All(Read items in all site collections) | Delegated | Retrieve channel folders and files of team sites and private channels’ site collections. | √ | √ | √ |
| Microsoft Graph | User.Read.All(Read all users’ full profiles) | Delegated | Retrieve information of Microsoft 365 user profiles. | √ | √ | √ |
| Microsoft Graph | ChannelMember.Read.All(Read the members of all channels) | Delegated | Retrieve private/shared channel members. | √ | √ | |
| Microsoft Graph | ChannelMember.ReadWrite.All(Add and remove members from all channels) | Delegated | Only required if the source consent user is not the private/shared channel owner to automatically add the consent user as the channel owner. | √ | √ | |
| Microsoft Graph | ChannelMessage.Read.All(Read all channel messages) | Delegated | Retrieve all channel messages. | √ | √ | |
| Microsoft Graph | TeamworkTag.Read(Allows the app to read tags in Teams without a signed-in user) | Delegated | Retrieve tags. | √ | ||
| Office 365 Exchange Online | EWS.AccessAsUser.All(Access mailboxes as the signed-in user via Exchange Web Services) | Delegated | Access mailboxes as the signed-in user via Exchange Web Services | √ | ||
| Office 365 Exchange Online | Exchange.Manage(Manage Exchange configuration) | Delegated | Use Exchange PowerShell to retrieve mailbox permissions. | √ | ||
| SharePoint / Office 365 SharePoint Online | ||||||
| AllSites.FullControl(Have full control of all site collections) | Delegated | Retrieve settings and permissions of team sites. | ||||
| (Have full control of all site collections) | √ | √ | √ | |||
| SharePoint / Office 365 SharePoint Online | ||||||
| TermStore.Read.All(Read managed metadata) | Delegated | Retrieve and migrate Managed Metadata Service. | √ | √ | ||
| Microsoft Information Protection Sync Service | UnifiedPolicy.User.Read(Read all unified policies a user has access to) | Delegated | Only required if you want to manage the sensitivity labels of files/emails/Teams. | √ | √ | |
| Azure Rights Management Services*Note: For 21Vianet tenants, the API name is Microsoft Rights Management Services. | user_impersonation(Create and access protected content for users) | Delegated | Only required if you want to manage the sensitivity labels of files/emails/Teams. | √ | √ |
-
Click Authentication in the left navigation of the app.
-
Click Add a platform.
-
Select Web in the Configure platforms panel.
-
In the Configure Web panel, enter the AvePoint Online Services URL: https://www.avepointonlineservices.com for your commercial environment or https://usgov.avepointonlineservices.com for your U.S. Government environment in the Redirect URIs field.
-
Select the Access tokens and ID tokens checkboxes in the Implicit grant and hybrid flows field.
-
Click Configure.
-
Click Save.
-
Create an app profile for the app using the Custom mode in AvePoint Online Services by referring to .
*Note: When consenting to the app, if you have granted the admin consent and allowed public client flows for the permissions, you can choose to use the Global Administrator consent or the User consent method. If not, you can only use the Global Administrator consent method.