English

Home > Aviator > Aviator for OneDrive > Permissions Required by Destination OneDrive

Permissions Required by Destination OneDrive

To connect to the destination, you can choose to only use a Fly app profile or custom app profile as the authentication method. You can also use the combination of a service account and a Fly app profile, the combination of a service account and a custom app profile, the combination of a Fly app profile and a (custom) delegated app profile, or the combination of a custom app profile and a (custom) delegated app profile.

Refer to the following sections to view the permissions required by the authentication methods.

Fly App Profile Permissions

With the Tenant Owner or Service Administrator role, you can create a Fly app profile in AvePoint Online Services > Management > App management to connect to the Microsoft 365 tenant using the Fly app.

Refer to Fly App Profile Permissions about how to create a Fly app profile and required permissions of the Fly app profile.

Custom App Profile Permissions

With the Tenant Owner and Service Administrator role, you can create a custom app profile in AvePoint Online Services > Management > App management to connect to the Microsoft 365 tenant using a custom Azure app.

Refer to the following procedures to create a custom app profile:

Prepare a certificate in Microsoft Entra ID. Refer to Prepare a Certificate for the Custom Azure App for more information.

You can ignore this step if you have a certificate.
Create a custom Azure app in Microsoft Entra ID. Refer to Create Custom Azure Applications for more information.
Connect your tenant to AvePoint Online Services.
Create an App Profile for a Custom Azure App in AvePoint Online Services.

NOTE

After you re-authorize the app profile, you need to wait about one hour before using the app profile for your Aviator job to refresh the token if there are permissions updated.

Refer to the following tables to add API permissions required by Aviator for OneDrive to the custom Azure app.

API	Permission	Type	Purpose
Microsoft Graph	User.Read.All (Read all users' full profiles)	Application	Retrieve and migrate Microsoft 365 users.
Microsoft Graph	RoleManagement.Read.Directory (Read all directory RBAC settings)	Application	Retrieve and migrate Microsoft global groups.
Microsoft Graph	Group.Read.All (Read all groups)	Application	Retrieve and migrate Microsoft 365 Groups.
Microsoft Graph	Files.Read.All (Read files in all site collections)	Application	Retrieve the users’ OneDrive site URLs.
SharePoint/Office 365 SharePoint Online	Sites.FullControl.All (Have full control of all site collections)	Application	Retrieve settings and permissions of OneDrive sites.
SharePoint/Office 365 SharePoint Online	User.Read.All (Read user profiles)	Application	Retrieve SharePoint user profile service.
Azure Rights Management Services For 21Vianet tenants, the API name is Microsoft Rights Management Services.	Content.DelegatedWriter (Create protected content on behalf of a user)	Application	Only required if you want to manage sensitivity labels of files/sites.
Azure Rights Management Services For 21Vianet tenants, the API name is Microsoft Rights Management Services.	Content.Writer (Create protected content)	Application	Only required if you want to manage sensitivity labels of files/sites.
Microsoft Information Protection Sync Service	UnifiedPolicy.Tenant.Read (Read all unified policies of the tenant.)	Application	Only required if you want to manage sensitivity labels of files/sites.

For easy use, you can directly use the following commands to add required API permissions through Manifest for Microsoft 365 Commercial tenants.

"requiredResourceAccess": [
	{
		"resourceAppId": "00000012-0000-0000-c000-000000000000",
		"resourceAccess": [
			{
				"id": "006e763d-a822-41fc-8df5-8d3d7fe20022",
				"type": "Role"
			},
			{
				"id": "d13f921c-7f21-4c08-bade-db9d048bd0da",
				"type": "Role"
			}
		]
	},
	{
		"resourceAppId": "00000003-0000-0ff1-ce00-000000000000",
		"resourceAccess": [
			{
				"id": "678536fe-1083-478a-9c59-b99265e6b0d3",
				"type": "Role"
			},
			{
				"id": "df021288-bdef-4463-88db-98f22de89214",
				"type": "Role"
			}
		]
	},
	{
		"resourceAppId": "00000003-0000-0000-c000-000000000000",
		"resourceAccess": [
			{
				"id": "01d4889c-1287-42c6-ac1f-5d1e02578ef6",
				"type": "Role"
			},
			{
				"id": "5b567255-7703-4780-807c-7be8301ae99b",
				"type": "Role"
			},
			{
				"id": "483bed4a-2ad3-4361-a73b-c83ccdbdc53c",
				"type": "Role"
			},
			{
				"id": "df021288-bdef-4463-88db-98f22de89214",
				"type": "Role"
			}
		]
	},
	{
		"resourceAppId": "870c4f2e-85b6-4d43-bdda-6ed9a579b725",
		"resourceAccess": [
			{
				"id": "8b2071cd-015a-4025-8052-1c0dba2d3f64",
				"type": "Role"
			}
		]
	}
],

Service Account Permissions

The Tenant Owner and Service Administrators can also create a service account profile for Microsoft 365 to connect AvePoint Online Services to your Microsoft 365 tenant.

NOTE

Users with Multi-Factor Authentication (MFA) enabled cannot be used as the service account to perform Aviator jobs.

If you use both the app profile and service account authentications for the destination, there are no permission requirements for the service account.

If you only use the service account authentication for the destination, make sure the service account meets the following requirements:

Site Collection Administrator

NOTE
If Fly detects that the service account is not the Site Collection Administrator, but the service account has the SharePoint Administrator or Global Administrator role, Fly will automatically add the service account as the Site Collection Administrator of the site collection.
SharePoint Administrator is also required in the following cases:
- To use the scan profile to scan OneDrive sites in AvePoint Online Services, the service account must be the SharePoint Administrator.
- To create new OneDrive sites in the destination during the Aviator job, the destination service account must be the SharePoint Administrator.
NOTE
If the SharePoint Administrator cannot access the SharePoint admin center, the Global Administrator is required.

Delegated App Profile Permissions

Fly allows you to use the Fly delegated app profile or custom delegated app profile to connect to your workspace.

Note the following:

The license and permission requirements for the consent user are the same as those for the service account. Refer to Service Account Permissions for details.
If the consent user of the delegated app profile has Multi-Factor Authentication (MFA) enabled, you must authorize or re-authorize the delegated app profile after MFA is enabled. Otherwise, the migration jobs using the delegated app profile will fail.
If you re-authorize the app profile, you need to wait about one hour before using the app profile for your migration to refresh the token when there are permissions updated.

The steps of creating a default or custom delegated app profile for the destination are the same as the steps in Delegated App Profile Permissions for the source.

For Fly delegated app profile permissions, refer to the table in Fly Delegated App Profile Permissions.

For custom delegated app profile permissions, refer to the table below.

API	Permission	Type	Purpose
Microsoft Graph	User.Read.All (Read user profiles)	Delegated	Retrieve the information of Microsoft 365 user profiles.
Microsoft Graph	RoleManagement.Read.Directory (Read directory RBAC settings)	Delegated	Retrieve and migrate Microsoft global groups.
Microsoft Graph	Files.Read.All (Read files in all site collections)	Delegated	Retrieve the users’ OneDrive site URLs.
Microsoft Graph	Group.Read.All (Read all groups)	Delegated	Retrieve and migrate Microsoft 365 Groups.
SharePoint	AllSites.FullControl Have full control of all site collections	Delegated	Retrieve settings and permissions of OneDrive sites.
SharePoint	User.Read.All (Read user profiles)	Delegated	Migrate OneDrive sites.
Azure Rights Management Services For 21Vianet tenants, the API name is Microsoft Rights Management Services.	user_impersonation (Create and access protected content for users)	Delegated	Only required if you want to manage sensitivity labels of files/sites.
Microsoft Information Protection Sync Service	UnifiedPolicy.User.Read (Read all unified policies of the tenant)	Delegated	Only required if you want to manage sensitivity labels of files/sites.

For easy use, you can directly use the following commands to add required API permissions through Manifest for Microsoft 365 Commercial tenants.

"requiredResourceAccess": [
	        {
            "resourceAppId": "00000003-0000-0ff1-ce00-000000000000",
            "resourceAccess": [
                {
                    "id": "56680e0d-d2a3-4ae1-80d8-3c4f2100e3d0",
                    "type": "Scope"
                },
                {
                    "id": "0cea5a30-f6f8-42b5-87a0-84cc26822e02",
                    "type": "Scope"
                }
            ]
        },
        {
            "resourceAppId": "00000012-0000-0000-c000-000000000000",
            "resourceAccess": [
                {
                    "id": "c9c9a04d-3b66-4ca8-a00c-fca953e2afd3",
                    "type": "Scope"
                }
            ]
        },
        {
            "resourceAppId": "870c4f2e-85b6-4d43-bdda-6ed9a579b725",
            "resourceAccess": [
                {
                    "id": "34f7024b-1bed-402f-9664-f5316a1e1b4a",
                    "type": "Scope"
                }
            ]
        },
        {
            "resourceAppId": "00000003-0000-0000-c000-000000000000",
            "resourceAccess": [
                {
                    "id": "df85f4d6-205c-4ac5-a5ea-6bf408dba283",
                    "type": "Scope"
                },
                {
                    "id": "5f8c59db-677d-491f-a6b8-5f174b11ec1d",
                    "type": "Scope"
                },
                {
                    "id": "741c54c3-0c1e-44a1-818b-3f97ab4e8c83",
                    "type": "Scope"
                },
                {
                    "id": "a154be20-db9c-4678-8ab7-66f6cc099a59",
                    "type": "Scope"
                }
            ]
        }
    ],

On this page

Required Permissions for Exchange Online Migration

Required Permissions for Microsoft 365 Groups Migration

Required Permissions for Microsoft Teams Migration

Required Permissions for Microsoft Teams Chat Migration

Required Permissions for OneDrive Migration

Required Permissions for Power Platform Migration

Required Permissions for SharePoint Online Migration

Required Permissions for Google Drive Migration

Create a Connection

Aviator for Microsoft Teams

Aviator for Microsoft 365 Groups

Aviator for SharePoint Online

Aviator for OneDrive

Configurations for Customized Features

Fly App Profile Permissions

Permissions Required by Destination OneDrive

Fly App Profile Permissions

Custom App Profile Permissions

Service Account Permissions

Delegated App Profile Permissions

#Permissions Required by Destination OneDrive

#Fly App Profile Permissions

#Custom App Profile Permissions

#Service Account Permissions

#Delegated App Profile Permissions

Permissions Required by Destination OneDrive

Fly App Profile Permissions

Custom App Profile Permissions

Service Account Permissions

Delegated App Profile Permissions