Home > Perform Exchange Online Migrations > Required Permissions for Exchange Online Migration > Permissions for Destination Exchange Online
Export to PDFPermissions for Destination Exchange Online
To connect to the destination, you can choose to only use a service account, Fly app profile, or custom app profile as the authentication method. You can also use the combination of a service account and a Fly app profile, or the combination of a service account and a custom app profile.
Refer to the following sections to view the permissions required by the authentication methods.
Fly App Profile Permissions
With the Tenant Owner or Service Administrator role, you can create a Fly app profile in AvePoint Online Services > Management > App management to connect to the Microsoft 365 tenant using the Fly app.
Refer to Fly App Profile Permissions about how to create a Fly app profile and required permissions of the Fly app profile.
*Note: If you want to perform Exchange Online tenant discovery or Exchange Online to Exchange Online migrations, make sure the account that authorizes the app has a mailbox (either by assigning the Exchange license or using PowerShell to create a mailbox).
*Note: You need to assign the Exchange Administrator role to the AvePoint Fly app in the following situations. Refer to How to Assign the Exchange Administrator Role to an App? or instructions.
If you do not want to assign the Exchange administrator role to the app authorization user, you can add custom roles to the app to ensure the availability of above functions. Refer to How to Add Custom Roles to an App? for details.
Custom App Profile Permissions
With the Tenant Owner and Service Administrator role, you can create a custom app profile in AvePoint Online Services > Management > App management to connect to the Microsoft 365 tenant using a custom Azure app.
Refer to the following procedures to create a custom app profile:
-
Prepare a certificate in Microsoft Entra ID. Refer to for more information.
You can ignore this step if you have a certificate.
-
Create a custom Azure app in Microsoft Entra ID. Refer to for more information.
-
.
-
in AvePoint Online Services.
*Note: After you re-authorize the app profile, you need to wait about one hour before using the app profile for your migration to refresh the token if there are permissions updated.
Refer to the following tables to add API permissions required by Exchange Online migrations.
Note the following:
| API | Permission | Type | Purpose |
|---|---|---|---|
| Azure Rights Management Services*Note: For 21Vianet tenants, the API name is Microsoft Rights Management Services. | Content.DelegatedWriter(Create protected content on behalf of a user) | Application | Only required if you want to manage sensitivity labels of emails.*Note: To perform Exchange Online tenant discovery or Exchange Online to Exchange Online migrations, make sure the account that authorizes the app has a mailbox (either by assigning the Exchange license or using PowerShell to create a mailbox). In addition, manually assign the Exchange Administrator role to the custom Azure app to ensure that Exchange Online PowerShell is available. Refer to How to Assign the Exchange Administrator Role to an App? for instructions. |
| Azure Rights Management Services*Note: For 21Vianet tenants, the API name is Microsoft Rights Management Services. | Content.Writer(Create protected content) | Application | Only required if you want to manage sensitivity labels of emails.*Note: To perform Exchange Online tenant discovery or Exchange Online to Exchange Online migrations, make sure the account that authorizes the app has a mailbox (either by assigning the Exchange license or using PowerShell to create a mailbox). In addition, manually assign the Exchange Administrator role to the custom Azure app to ensure that Exchange Online PowerShell is available. Refer to How to Assign the Exchange Administrator Role to an App? for instructions. |
| Microsoft Information Protection Sync Service | UnifiedPolicy.Tenant.Read(Read all unified policies of the tenant) | Application | Only required if you want to manage sensitivity labels of emails. |
| Office 365 Exchange Online | Exchange.ManageAsApp(Manage Exchange As Application) | Application | Use Exchange PowerShell to migrate mailbox permissions, distribution lists, and dynamic distribution lists. |
| Office 365 Exchange Online | full_access_as_app(Use Exchange Web Services with full access to all mailboxes) | Application | Retrieve and migrate items from all mailboxes.*Note: If you do not want to add this permission to the app, you can create an RBAC assignment for the app to only access to specified mailboxes. Refer to the option 3 in the How to Migrate Mailboxes without the ApplicationImpersonation Role? section for details. |
| Office 365 Exchange Online | Directory.Read.All (Read directory data) | Application | Only required if you want to run Exchange Online tenant discovery. |
| Office 365 Exchange Online | Group.ReadWrite.All(Read and write all groups) | Application | Retrieve and create Microsoft 365 Group mailboxes. |
| Office 365 Exchange Online | Reports.Read.All(Read all usage reports) | Application | Only required if you want to run Exchange Online tenant discovery. |
| Office 365 Exchange Online | ReportSettings.Read.All(Read all admin report settings) | Application | Only required if you want to run Exchange Online tenant discovery. |
| Office 365 Exchange Online | User.Read.All(Read all users’ full profiles) | Application | Retrieve mailbox types to replace meeting links. |
For easy use, you can directly use the following commands to add required API permissions through Manifest for Microsoft 365 Commercial tenants.
"requiredResourceAccess": [
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "62a82d76-70ea-41e2-9197-370581804d09",
"type": "Role"
},
{
"id": "df021288-bdef-4463-88db-98f22de89214",
"type": "Role"
},
{
"id": "ee353f83-55ef-4b78-82da-555bfa2b4b95",
"type": "Role"
},
{
"id": "230c1aed-a721-4c5d-9cb4-a90514e508ef",
"type": "Role"
},
{
"id": "7ab1d382-f21e-4acd-a863-ba3e13f7da61",
"type": "Role"
}
]
},
{
"resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
"resourceAccess": [
{
"id": "dc890d15-9560-4a4c-9b7f-a736ec74ec40",
"type": "Role"
},
{
"id": "dc50a0fb-09a3-484d-be87-e023b12c6440",
"type": "Role"
}
]
},
{
"resourceAppId": "870c4f2e-85b6-4d43-bdda-6ed9a579b725",
"resourceAccess": [
{
"id": "8b2071cd-015a-4025-8052-1c0dba2d3f64",
"type": "Role"
}
]
},
{
"resourceAppId": "00000012-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "006e763d-a822-41fc-8df5-8d3d7fe20022",
"type": "Role"
},
{
"id": "d13f921c-7f21-4c08-bade-db9d048bd0da",
"type": "Role"
}
]
}
],
Service Account Permissions
The Tenant Owner and Service Administrators can also for Microsoft 365 to connect AvePoint Online Services to your Microsoft 365 tenant.
*Note: Users with Multi-Factor Authentication (MFA) enabled cannot be used as the service account to perform migrations. You can use a delegated app profile instead.
Make sure the service account has a mailbox (either by assigning the Exchange license or using PowerShell to create a mailbox) and also meets the following requirements:
*Note: To make sure the source service account has a mailbox, go to the Microsoft 365 admin center > Users > Active users, and select Exchange Online under the Licenses and apps tab of the service account.
| Required Permission | Note |
|---|---|
| Full Access permission to destination mailboxes in the migration | Microsoft has announced the retirement of the ApplicationImpersonation role in Exchange Online. Refer to Impact and Solutions for the Retirement of the ApplicationImpersonation Role in Exchange Online for details.If you do not migrate Group mailboxes in the migration, you can grant the Full Access permission without adding the ApplicationImpersonation role.If the destination resource/shared mailboxes are newly created in the migration, the Full Access permission will be automatically granted to the service account. |
| Distribution Groups role | Required if you want to migrate distribution lists or dynamic distribution lists. |
| Mail Recipients role | Retrieve mailboxes when migrating mailbox permissions, migrating mailbox aliases, etc. |
| Mail Recipient Creation role | Required if you want to create shared mailboxes, resource mailboxes, and dynamic distribution lists in the destination. |
| Security Group Creation and Membership role | Required if you want to create mail-enabled security groups in the destination. |
| Groups admin role in the admin centers | Required if you want to migrate distribution groups to existing Microsoft 365 Groups. |
What permissions are required if I also use an app profile?
If you use both service account and app profile authentications for the destination Exchange Online, some service account permissions will not be required. Make sure the service account has a mailbox and the following permissions:
*Note: To make sure the destination service account has a mailbox, go to the Microsoft 365 admin center > Users > Active users, and select Exchange Online under the Licenses and apps tab of the service account.
| Destination Service Account Permissions | Note |
|---|---|
| Distribution Groups role | Required if you want to migrate distribution lists or dynamic distribution lists. |
| Mail Recipients role | Retrieve mailboxes when migrating mailbox permissions, migrating mailbox aliases, etc. |
| Mail Recipient Creation role | Required if you want to create shared mailboxes, resource mailboxes, and dynamic distribution lists in the destination. |
| Security Group Creation and Membership role | Required if you want to create mail-enabled security groups in the destination. |
Delegated App Profile Permissions
Fly allows you to use the Fly delegated app profile or custom delegated app profile to connect to your workspace.
To use a delegated app profile, note the following:
For custom delegated app profile permissions, refer to the table below.
| API | Permissions | Type | Purpose |
|---|---|---|---|
| Office 365 Exchange Online | EWS.AccessAsUser.All(Access mailboxes as the signed-in user via Exchange Web Services) | Delegated | Access specified user and import data |
| Office 365 Exchange Online | Exchange.Manage(Manage Exchange configuration) | Delegated | Use Exchange PowerShell to migrate mailbox permissions, distribution lists, and dynamic distribution lists. |
| Microsoft Graph | Domain.Read.All(Read domains) | Delegated | Create Microsoft 365 Group mailboxes. |
| Microsoft Graph | Group.ReadWrite.All(Read and write all groups) | Delegated | Retrieve and create Microsoft 365 Group mailboxes. |
| Microsoft Graph | InformationProtectionPolicy.Read(Read user sensitivity labels and label policies) | Delegated | Only required if you want to manage sensitivity labels of emails. |
| Microsoft Graph | User.Read.All(Read all users' full profiles) | Delegated | Retrieve mailbox types to replace meeting links. |
| Microsoft Information Protection Sync Service | UnifiedPolicy.User.Read(Read all unified policies a user has access to) | Delegated | Only required if you want to manage sensitivity labels of emails. |
| Azure Rights Management Services*Note: For 21Vianet tenants, the API name is Microsoft Rights Management Services. | user_impersonation(Create and access protected content for users) | Delegated | Only required if you want to manage sensitivity labels of emails. |
For easy use, you can directly use the following commands to add required API permissions through Manifest for Microsoft 365 Commercial tenants.
"requiredResourceAccess": [
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "2f9ee017-59c1-4f1d-9472-bd5529a7b311",
"type": "Scope"
},
{
"id": "4e46008b-f24c-477d-8fff-7bb4ec7aafe0",
"type": "Scope"
},
{
"id": "4ad84827-5578-4e18-ad7a-86530b12f884",
"type": "Scope"
},
{
"id": "a154be20-db9c-4678-8ab7-66f6cc099a59",
"type": "Scope"
}
]
},
{
"resourceAppId": "00000012-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "c9c9a04d-3b66-4ca8-a00c-fca953e2afd3",
"type": "Scope"
}
]
},
{
"resourceAppId": "870c4f2e-85b6-4d43-bdda-6ed9a579b725",
"resourceAccess": [
{
"id": "34f7024b-1bed-402f-9664-f5316a1e1b4a",
"type": "Scope"
}
]
},
{
"resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
"resourceAccess": [
{
"id": "ab4f2b77-0b06-4fc1-a9de-02113fc2ab7c",
"type": "Scope"
},
{
"id": "3b5f3d61-589b-4a3c-a359-5dd4b5ee5bd5",
"type": "Scope"
}
]
}
],