Home > Aviator > Aviator for SharePoint Online > Permissions Required by Source SharePoint Online > Custom App Profile Permissions
Export to PDFCustom App Profile Permissions
With the Tenant Owner and Service Administrator role, you can create a custom app profile in AvePoint Online Services > Management > App management to connect to the Microsoft 365 tenant using a custom Azure app.
Refer to the following procedures to create a custom app profile:
-
Prepare a certificate in Microsoft Entra ID. Refer to for more information.
You can ignore this step if you have a certificate.
-
Create a custom Azure app in Microsoft Entra ID. Refer to for more information.
-
.
-
in AvePoint Online Services.
*Note: After you re-authorize the app profile, you need to wait about one hour before using the app profile for your Aviator job to refresh the token if there are permissions updated.
Refer to the following tables to add API permissions required by Aviator for SharePoint Online to the custom Azure app.
| API | Permission | Type | Purpose |
|---|---|---|---|
| Microsoft Graph | User.Read.All(Read all users' full profiles) | Application | Retrieve and migrate Microsoft 365 users. |
| Microsoft Graph | RoleManagement.Read.Directory(Read all directory RBAC settings) | Application | Retrieve and migrate Microsoft global groups. |
| Microsoft Graph | Group.Read.All(Read all groups) | Application | Retrieve owners, members, and more details of Microsoft 365 Groups related to source site collections. |
| SharePoint/Office 365 SharePoint Online | Sites.FullControl.All (Have full control of all site collections) | Application | Retrieve settings and permissions of SharePoint Online site collections. |
| SharePoint/Office 365 SharePoint Online | TermStore.Read.All(Read managed metadata) | Application | Retrieve from Managed Metadata Service. |
| Azure Rights Management Services*Note: For 21Vianet tenants, the API name is Microsoft Rights Management Services. | Content.SuperUser(Read all protected content for this tenant) | Application | Only required if you want to manage sensitivity labels of files/sites. |
| Microsoft Information Protection Sync Service | UnifiedPolicy.Tenant.Read(Read all unified policies of the tenant.) | Application | Only required if you want to manage sensitivity labels of files/sites. |
For easy use, you can directly use the following commands to add required API permissions through Manifest for Microsoft 365 Commercial tenants.
"requiredResourceAccess": [
{
"resourceAppId": "870c4f2e-85b6-4d43-bdda-6ed9a579b725",
"resourceAccess": [
{
"id": "8b2071cd-015a-4025-8052-1c0dba2d3f64",
"type": "Role"
}
]
},
{
"resourceAppId": "00000012-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "7347eb49-7a1a-43c5-8eac-a5cd1d1c7cf0",
"type": "Role"
}
]
},
{
"resourceAppId": "00000003-0000-0ff1-ce00-000000000000",
"resourceAccess": [
{
"id": "678536fe-1083-478a-9c59-b99265e6b0d3",
"type": "Role"
},
{
"id": "2a8d57a5-4090-4a41-bf1c-3c621d2ccad3",
"type": "Role"
}
]
},
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "5b567255-7703-4780-807c-7be8301ae99b",
"type": "Role"
},
{
"id": "483bed4a-2ad3-4361-a73b-c83ccdbdc53c",
"type": "Role"
},
{
"id": "df021288-bdef-4463-88db-98f22de89214",
"type": "Role"
}
]
}
],