
Required Permissions for Device Migration

Before performing device migrations in Fly, prepare the following accounts for the migration:

  • Source user:

    • A domain administrator account in the source domain, or a local administrator account, used to log on to the source device and install the device agent.

    • A custom app with the Microsoft Graph > User.Read.All permission, used to rejoin the device to Microsoft Entra ID. To create a custom app, refer to Create a Custom App Profile for details.

  • Destination user: A domain administrator account in the destination domain, used to log on to the destination device and install the AD destination agent.

  • User for credential caching: An end user in the destination domain with the Allow to Authenticate permission enabled for the source device. After the device rejoins the domain, you can log on to the source device with this user account.

Fly App for Device Permissions (Default app)

The Tenant Owner and Service Administrators can create a default app profile for Device in AvePoint Online Services.

Refer to the following steps to create a default app profile for Device:

  1. Click Create on the App management page.

  2. On the Create app profile page, select a Microsoft 365 tenant where you want to create the app profile.

    NOTE

    Make sure your selected tenant has been connected to AvePoint Online Services.

  3. Click Fly, and click Next.

  4. Click Modern mode.

  5. Click Consent of Fly for Device.

  6. On the Microsoft 365 sign-in page, sign in with a Microsoft 365 Global Administrator account to consent to the app. Microsoft requires a Global Administrator account for this consent. Refer to the Microsoft article for more information.

    On the Permissions requested page, review the permissions required by Fly and click Accept so that AvePoint Online Services and Fly can function. (The required permissions are listed in the table below.)

  7. Click Finish to create the app profile.

The following table lists the API permissions of the default app that are required for Entra ID migrations.

API                          Permission                                  Type         Purpose
Device Registration Service  self_service_device_delete (Join device)    Delegated    Generate a bulk token for Microsoft Entra ID device rejoin.
Microsoft Graph              User.Read.All (Read all users)              Application  Retrieve users and groups.

Create a Custom App Profile

With the Tenant Owner and Service Administrator role, you can create a custom app profile in AvePoint Online Services > Management > App management to connect to the Microsoft 365 tenant using a custom Azure app.

Refer to the following procedures to create a custom app profile:

  1. Prepare a certificate in Microsoft Entra ID. Refer to Prepare a Certificate for the Custom Azure App for more information.

    You can skip this step if you already have a certificate.

  2. Create a custom Azure app in Microsoft Entra ID. Refer to Create Custom Azure Applications for more information.

  3. Connect your tenant to AvePoint Online Services.

  4. Create an App Profile for a Custom Azure App in AvePoint Online Services.

NOTE

If permissions were updated, wait about one hour after re-authorizing the app profile before using it for migration, so that the token can be refreshed.

Refer to the following table to add the API permissions required by Device Migration to the custom Azure app.

API              Permission                        Type         Purpose
Microsoft Graph  User.Read.All (Read all users)    Application  Retrieve users and groups.

Delegated App Profile Permissions

Fly allows you to use a custom delegated app profile to rejoin devices to a Microsoft Entra ID domain.

To use a custom delegated app profile with required permissions, refer to the following steps:

  1. After registering an app in Microsoft Entra ID, add the required permissions to the app. The sections below show the required permissions of a custom app.

  2. Click Authentication in the left navigation of the app.

  3. Click Add a platform.

  4. Select Web in the Configure platforms panel.

  5. In the Configure Web panel, enter the AvePoint Online Services URL in the Redirect URIs field: https://www.avepointonlineservices.com for the commercial environment, or https://usgov.avepointonlineservices.com for the U.S. Government environment.

    Configure Web panel.

  6. Click Configure.

  7. Select the Access tokens and ID tokens checkboxes on the Authentication page.

    Access tokens and ID tokens checkboxes.

  8. Click Save.

  9. Create an app profile for the app using the Custom mode in AvePoint Online Services by referring to Consent to a Custom Azure App with Delegated Permissions.

    NOTE

    When consenting to the app, you can choose either the Global Administrator consent or the User consent method if you have granted admin consent and allowed public client flows for the permissions. Otherwise, only the Global Administrator consent method is available.

Custom Delegated App Profile Permissions When Rejoining to Microsoft Entra ID Domain

For custom delegated app profile permissions, refer to the table below.

API                          Permission                                  Type       Purpose
Device Registration Service  self_service_device_delete (Join device)    Delegated  Generate a bulk token for Microsoft Entra ID device rejoin.
Microsoft Graph              User.Read.All (Read all users)              Delegated  Retrieve users and groups.

For convenience, you can paste the following JSON snippet into the app's Manifest to add the required API permissions for Microsoft 365 Commercial tenants. It replaces the requiredResourceAccess element of the manifest; the first entry is Microsoft Graph (User.Read.All, delegated) and the second is the Device Registration Service (self_service_device_delete, delegated).

```json
"requiredResourceAccess": [
    {
        "resourceAppId": "00000003-0000-0000-c000-000000000000",
        "resourceAccess": [
            {
                "id": "a154be20-db9c-4678-8ab7-66f6cc099a59",
                "type": "Scope"
            }
        ]
    },
    {
        "resourceAppId": "01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9",
        "resourceAccess": [
            {
                "id": "086327cd-9afe-4777-8341-b136a1866bb3",
                "type": "Scope"
            }
        ]
    }
],
```
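Because the delegated app profile is granted exactly two permissions, it is worth checking the app registration against that set before consenting to it, so that an over-permissioned app (extra Graph roles, an unexpected redirect URI) is caught rather than granted. The following Python script is an added example written for this page; it is not AvePoint's or Microsoft's code. It audits an exported Entra ID app manifest against the permission IDs, redirect URIs and token settings from the steps and table above. It assumes the manifest is in the Microsoft Graph application-object format (the `requiredResourceAccess`, `web.redirectUris` and `web.implicitGrantSettings` keys); the sample manifest is constructed inline, and the extra `Role` ID in it is a placeholder, not a real permission.

```python
"""Audit an Entra ID app manifest against Fly's delegated device-rejoin requirements.

Added example (not part of the original page). Assumes the Microsoft Graph
application-object manifest layout; the sample manifest below is constructed.
"""
import json

# Resource app IDs and permission IDs copied from the manifest snippet on the page.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"          # Microsoft Graph
DEVICE_REG_APP_ID = "01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9"     # Device Registration Service

# (resourceAppId, permission id, type) for the two delegated permissions Fly needs.
REQUIRED_DELEGATED = {
    (GRAPH_APP_ID, "a154be20-db9c-4678-8ab7-66f6cc099a59", "Scope"),       # User.Read.All (delegated)
    (DEVICE_REG_APP_ID, "086327cd-9afe-4777-8341-b136a1866bb3", "Scope"),  # self_service_device_delete
}

# Redirect URIs the page tells you to register (commercial and U.S. Government).
ALLOWED_REDIRECT_URIS = {
    "https://www.avepointonlineservices.com",
    "https://usgov.avepointonlineservices.com",
}


def granted_permissions(manifest):
    """Flatten requiredResourceAccess into a set of (resourceAppId, id, type) triples."""
    found = set()
    for resource in manifest.get("requiredResourceAccess", []):
        app_id = resource.get("resourceAppId")
        for access in resource.get("resourceAccess", []):
            found.add((app_id, access.get("id"), access.get("type")))
    return found


def audit_manifest(manifest, required=REQUIRED_DELEGATED):
    """Compare a manifest with the required permission set and the Authentication settings.

    Returns a report with missing permissions, excess permissions (least-privilege
    violations), redirect URIs outside the allowed set, and whether access tokens
    and ID tokens are enabled as the steps above require.
    """
    granted = granted_permissions(manifest)
    web = manifest.get("web", {})
    implicit = web.get("implicitGrantSettings", {})
    return {
        "missing": sorted(required - granted),
        "excess": sorted(granted - required),
        "unexpected_redirect_uris": sorted(set(web.get("redirectUris", [])) - ALLOWED_REDIRECT_URIS),
        "access_tokens_enabled": bool(implicit.get("enableAccessTokenIssuance", False)),
        "id_tokens_enabled": bool(implicit.get("enableIdTokenIssuance", False)),
    }


def is_compliant(report):
    """True only when the manifest has exactly the required permissions and settings."""
    return (
        not report["missing"]
        and not report["excess"]
        and not report["unexpected_redirect_uris"]
        and report["access_tokens_enabled"]
        and report["id_tokens_enabled"]
    )


# Constructed sample manifest: the two required scopes, plus one placeholder
# application role and one stray redirect URI that an audit should flag.
SAMPLE_MANIFEST = json.loads("""
{
  "requiredResourceAccess": [
    {"resourceAppId": "00000003-0000-0000-c000-000000000000",
     "resourceAccess": [
       {"id": "a154be20-db9c-4678-8ab7-66f6cc099a59", "type": "Scope"},
       {"id": "00000000-0000-0000-0000-000000000000", "type": "Role"}
     ]},
    {"resourceAppId": "01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9",
     "resourceAccess": [
       {"id": "086327cd-9afe-4777-8341-b136a1866bb3", "type": "Scope"}
     ]}
  ],
  "web": {
    "redirectUris": ["https://www.avepointonlineservices.com", "https://example.invalid/callback"],
    "implicitGrantSettings": {"enableAccessTokenIssuance": true, "enableIdTokenIssuance": false}
  }
}
""")


def fixed_manifest(manifest):
    """Return a copy trimmed to the required permissions, allowed URIs and both token types."""
    fixed = json.loads(json.dumps(manifest))
    for resource in fixed.get("requiredResourceAccess", []):
        app_id = resource.get("resourceAppId")
        resource["resourceAccess"] = [
            a for a in resource.get("resourceAccess", [])
            if (app_id, a.get("id"), a.get("type")) in REQUIRED_DELEGATED
        ]
    web = fixed.setdefault("web", {})
    web["redirectUris"] = [u for u in web.get("redirectUris", []) if u in ALLOWED_REDIRECT_URIS]
    web["implicitGrantSettings"] = {"enableAccessTokenIssuance": True, "enableIdTokenIssuance": True}
    return fixed


if __name__ == "__main__":
    print(json.dumps(audit_manifest(SAMPLE_MANIFEST), indent=2))
    print("compliant after fix:", is_compliant(audit_manifest(fixed_manifest(SAMPLE_MANIFEST))))
```

Run it against a manifest exported from the app's Manifest page (load the JSON in place of the constructed sample). Pass a different `required` set to `audit_manifest` to audit the custom application-permission profile from the earlier table instead; the excess list is the one to act on, since every entry in it is a permission the migration does not need.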