AvePoint Learn
Request article
Contact support
Request article
Contact support
English

Home > Perform Exchange Online Public Folder Migrations > Required Permissions for Exchange Online Public Folder Migration

Export to PDF

Required Permissions for Exchange Online Public Folder Migration

Fly supports the service account profile and app profile authentication methods to connect to your Microsoft 365 tenants.

Permissions for Source Exchange Online Public Folder

To connect to the source, you can choose to only use a service account, Fly app profile, or custom app profile as the authentication method. You can also use the combination of a service account and a Fly app profile, or the combination of a service account and a custom app profile.

Refer to the following sections to view the permissions required by the authentication methods.

Fly App Profile Permissions

With the Tenant Owner or Service Administrator role, you can create a Fly app profile in AvePoint Online Services > Management > App management to connect to the Microsoft 365 tenant using the Fly app.

Make sure the consent user has a mailbox (either by assigning the Exchange license or using PowerShell to create a mailbox) and the Custom > Read items permission to the top-level folder and its subfolders.

Refer to Fly App Profile Permissions about how to create a Fly app profile and required permissions of the Fly app profile.

Custom App Profile Permissions

With the Tenant Owner and Service Administrator role, you can create a custom app profile in AvePoint Online Services > Management > App management to connect to the Microsoft 365 tenant using a custom Azure app.

Make sure the consent user has a mailbox (either by assigning the Exchange license or using PowerShell to create a mailbox) and the Custom > Read items permission to the top-level folder and its subfolders.

Refer to the following procedures to create a custom app profile:

  1. Prepare a certificate in Microsoft Entra ID. Refer to Prepare a Certificate for the Custom Azure App for more information.

    You can ignore this step if you have a certificate.

  2. Create a custom Azure app in Microsoft Entra ID. Refer to Create Custom Azure Applications for more information.

  3. Connect your tenant to AvePoint Online Services.

  4. Create an App Profile for a Custom Azure App in AvePoint Online Services.

*Note: After you re-authorize the app profile, you need to wait about one hour before using the app profile for your migration to refresh the token if there are permissions updated.

Refer to the following tables to add API permissions required Exchange Online Public Folder migrations.

APIPermissionTypePurpose
Azure Rights Management Services*Note: For 21Vianet tenants, the API name is Microsoft Rights Management Services.Content.SuperUser(Read all protected content for this tenant)ApplicationOnly required if you want to manage sensitivity labels of emails.
Microsoft Information Protection Sync ServiceUnifiedPolicy.Tenant.Read(Read all unified policies of the tenant)ApplicationOnly required if you want to manage sensitivity labels of emails.
Office 365 Exchange Onlinefull_access_as_app(Use Exchange Web Services with full access to all mailboxes)ApplicationRetrieve and migrate items from all mailboxes.
Microsoft GraphOnlineMeetings.ReadWrite.All(Read and create online meetings)ApplicationMake sure the replaced meeting links in the destination are available to all attendees.
Microsoft GraphUser.Read.All(Read all users’ full profiles)ApplicationRetrieve mailbox types to replace meeting links.

For easy use, you can directly use the following commands to add required API permissions through Manifest for Microsoft 365 Commercial tenants.

"requiredResourceAccess": [

{

"resourceAppId": "00000003-0000-0000-c000-000000000000",

"resourceAccess": [

{

"id": "b8bb2037-6e08-44ac-a4ea-4674e010e2a4",

"type": "Role"

},

{

"id": "df021288-bdef-4463-88db-98f22de89214",

"type": "Role"

}

]

},

{

"resourceAppId": "00000012-0000-0000-c000-000000000000",

"resourceAccess": [

{

"id": "7347eb49-7a1a-43c5-8eac-a5cd1d1c7cf0",

"type": "Role"

}

]

},

{

"resourceAppId": "870c4f2e-85b6-4d43-bdda-6ed9a579b725",

"resourceAccess": [

{

"id": "8b2071cd-015a-4025-8052-1c0dba2d3f64",

"type": "Role"

}

]

},

{

"resourceAppId": "00000002-0000-0ff1-ce00-000000000000",

"resourceAccess": [

{

"id": "dc890d15-9560-4a4c-9b7f-a736ec74ec40",

"type": "Role"

}

]

}

],

Service Account Permissions

The Tenant Owner and Service Administrators can also create a service account profile for Microsoft 365 to connect AvePoint Online Services to your Microsoft 365 tenant.

*Note: Users with Multi-Factor Authentication (MFA) enabled cannot be used as the service account to perform migrations. You can use a delegated app profile instead.

Make sure the source service account has a mailbox (either by assigning the Exchange license or using PowerShell to create a mailbox) and the Custom > Read items permission to the top-level folder and its subfolders. It also meets the following requirements.

*Note: To make sure the source service account has a mailbox, go to the Microsoft 365 admin center > Users > Active users, and select Exchange Online under the Licenses and apps tab of the service account.

Required PermissionNote
Super user role of the organizationRefer to Assign service account as super user for details. Required if you want to manage sensitivity labels.

Delegated App Profile Permissions

Fly allows you to use the Fly delegated app profile or custom delegated app profile to connect to your workspace.

To use a delegated app profile, note the following:

- The license and permission requirements for the consent user are the same as those for the service account. Refer to [Service Account Permissions](#missing-link) for details. - If the consent user of the delegated app profile has Multi-Factor Authentication (MFA) enabled, you must authorize or re-authorize the delegated app profile after MFA is enabled. Otherwise, the migration jobs using the delegated app profile will fail. - If you re-authorize the app profile, you need to wait about one hour before using the app profile for your migration to refresh the token when there are permissions updated. - Exchange PowerShell is unavailable when you only use a delegated app for a 21Vianet tenant.

To use the Fly delegated app profile with required permissions, refer to Fly Delegated App Profile Permissions.

To use a custom delegated app profile with required permissions, refer to the following steps:

  1. After registering an app in Microsoft Entra ID, add the required permissions to the app. The sections below show the required permissions of a custom app.

  2. Click Authentication in the left navigation of the app.

  3. Click Add a platform.

  4. Select Web in the Configure platforms panel.

  5. In the Configure Web panel, enter the AvePoint Online Services URL: https://www.avepointonlineservices.com for your commercial environment or https://usgov.avepointonlineservices.com for your U.S. Government environment in the Redirect URIs field.

  6. Configure Web panel.

  7. Click Configure.

  8. Select the Access tokens and ID tokens checkboxes on the Authentication page.

    Access tokens and ID tokens checkboxes.

  9. Click Save.

  10. Create an app profile for the app using the Custom mode in AvePoint Online Services by referring to Consent to a Custom Azure App with Delegated Permissions.

    *Note: When consenting to the app, if you have granted the admin consent and allowed public client flows for the permissions, you can choose to use the Global Administrator consent or the User consent method. If not, you can only use the Global Administrator consent method.

For custom delegated app profile permissions, refer to the table below.

APIPermissionsTypePurpose
Office 365 Exchange OnlineEWS.AccessAsUser.All(Access mailboxes as the signed-in user via Exchange Web Services)DelegatedRetrieve and migrate items from all public folders.
Microsoft GraphUser.Read.All(Read all users' full profiles)DelegatedRetrieve user profiles.
Microsoft Information Protection Sync ServiceUnifiedPolicy.User.Read(Read all unified policies a user has access to)DelegatedOnly required if you want to manage sensitivity labels of emails.
Azure Rights Management Services*Note: For 21Vianet tenants, the API name is Microsoft Rights Management Services.user_impersonation(Create and access protected content for users)DelegatedOnly required if you want to manage sensitivity labels of emails.

For easy use, you can directly use the following commands to add required API permissions through Manifest for Microsoft 365 Commercial tenants.

"requiredResourceAccess": [

{

"resourceAppId": "870c4f2e-85b6-4d43-bdda-6ed9a579b725",

"resourceAccess": [

{

"id": "34f7024b-1bed-402f-9664-f5316a1e1b4a",

"type": "Scope"

}

]

},

{

"resourceAppId": "00000012-0000-0000-c000-000000000000",

"resourceAccess": [

{

"id": "c9c9a04d-3b66-4ca8-a00c-fca953e2afd3",

"type": "Scope"

}

]

},

{

"resourceAppId": "00000002-0000-0ff1-ce00-000000000000",

"resourceAccess": [

{

"id": "3b5f3d61-589b-4a3c-a359-5dd4b5ee5bd5",

"type": "Scope"

}

]

},

{

"resourceAppId": "00000003-0000-0000-c000-000000000000",

"resourceAccess": [

{

"id": "a154be20-db9c-4678-8ab7-66f6cc099a59",

"type": "Scope"

}

]

}

],

Permissions for Destination Exchange Online

To connect to the destination, you can choose to only use a service account, Fly app profile, or custom app profile as the authentication method. You can also use the combination of a service account and a Fly app profile, or the combination of a service account and a custom app profile.

Refer to the following sections to view the permissions required by the authentication methods.

Fly App Profile Permissions

With the Tenant Owner or Service Administrator role, you can create a Fly app profile in AvePoint Online Services > Management > App management to connect to the Microsoft 365 tenant using the Fly app.

Refer to Fly App Profile Permissions about how to create a Fly app profile and required permissions of the Fly app profile.

Custom App Profile Permissions

With the Tenant Owner and Service Administrator role, you can create a custom app profile in AvePoint Online Services > Management > App management to connect to the Microsoft 365 tenant using a custom Azure app.

Refer to the following procedures to create a custom app profile:

  1. Prepare a certificate in Microsoft Entra ID. Refer to Prepare a Certificate for the Custom Azure App for more information.

    You can ignore this step if you have a certificate.

  2. Create a custom Azure app in Microsoft Entra ID. Refer to Create Custom Azure Applications for more information.

  3. Connect your tenant to AvePoint Online Services.

  4. Create an App Profile for a Custom Azure App in AvePoint Online Services.

*Note: After you re-authorize the app profile, you need to wait about one hour before using the app profile for your migration to refresh the token if there are permissions updated.

Refer to the following tables to add API permissions required by Exchange Online Public Folder migrations.

APIPermissionTypePurpose
Azure Rights Management Services*Note: For 21Vianet tenants, the API name is Microsoft Rights Management Services.Content.DelegatedWriter(Create protected content on behalf of a user)ApplicationOnly required if you want to manage sensitivity labels of emails.*Note: To perform Exchange Online tenant discovery or Exchange Online to Exchange Online migrations, make sure the account that authorizes the app has a mailbox (either by assigning the Exchange license or using PowerShell to create a mailbox). In addition, manually assign the Exchange Administrator role to the custom Azure app to ensure that Exchange Online PowerShell is available. Refer to How to Assign the Exchange Administrator Role to an App? for instructions.
Azure Rights Management Services*Note: For 21Vianet tenants, the API name is Microsoft Rights Management Services.Content.Writer(Create protected content)ApplicationOnly required if you want to manage sensitivity labels of emails.*Note: To perform Exchange Online tenant discovery or Exchange Online to Exchange Online migrations, make sure the account that authorizes the app has a mailbox (either by assigning the Exchange license or using PowerShell to create a mailbox). In addition, manually assign the Exchange Administrator role to the custom Azure app to ensure that Exchange Online PowerShell is available. Refer to How to Assign the Exchange Administrator Role to an App? for instructions.
Microsoft Information Protection Sync ServiceUnifiedPolicy.Tenant.Read(Read all unified policies of the tenant)ApplicationOnly required if you want to manage sensitivity labels of emails.
Office 365 Exchange OnlineExchange.ManageAsApp(Manage Exchange As Application)ApplicationUse Exchange PowerShell to retrieve mailbox type.
Office 365 Exchange Onlinefull_access_as_app(Use Exchange Web Services with full access to all mailboxes)ApplicationRetrieve and migrate items from all mailboxes.*Note: If you do not want to add this permission to the app, you can create an RBAC assignment for the app to only access to specified mailboxes. Refer to option 3 in the How to Migrate Mailboxes without the ApplicationImpersonation Role? section for details.
Microsoft GraphDirectory.Read.All (Read directory data)ApplicationOnly required if you want to run Exchange Online tenant discovery.
Microsoft GraphReports.Read.All(Read all usage reports)ApplicationOnly required if you want to run Exchange Online tenant discovery.
Microsoft GraphReportSettings.Read.All(Read all admin report settings)ApplicationOnly required if you want to run Exchange Online tenant discovery.
Microsoft GraphUser.Read.All(Read all users’ full profiles)ApplicationRetrieve mailbox types to replace meeting links.

For easy use, you can directly use the following commands to add required API permissions through Manifest for Microsoft 365 Commercial tenants.

"requiredResourceAccess": [

{

"resourceAppId": "00000003-0000-0000-c000-000000000000",

"resourceAccess": [

{

"id": "df021288-bdef-4463-88db-98f22de89214",

"type": "Role"

},

{

"id": "ee353f83-55ef-4b78-82da-555bfa2b4b95",

"type": "Role"

},

{

"id": "230c1aed-a721-4c5d-9cb4-a90514e508ef",

"type": "Role"

},

{

"id": "7ab1d382-f21e-4acd-a863-ba3e13f7da61",

"type": "Role"

}

]

},

{

"resourceAppId": "00000002-0000-0ff1-ce00-000000000000",

"resourceAccess": [

{

"id": "dc890d15-9560-4a4c-9b7f-a736ec74ec40",

"type": "Role"

},

{

"id": "dc50a0fb-09a3-484d-be87-e023b12c6440",

"type": "Role"

}

]

},

{

"resourceAppId": "870c4f2e-85b6-4d43-bdda-6ed9a579b725",

"resourceAccess": [

{

"id": "8b2071cd-015a-4025-8052-1c0dba2d3f64",

"type": "Role"

}

]

},

{

"resourceAppId": "00000012-0000-0000-c000-000000000000",

"resourceAccess": [

{

"id": "006e763d-a822-41fc-8df5-8d3d7fe20022",

"type": "Role"

},

{

"id": "d13f921c-7f21-4c08-bade-db9d048bd0da",

"type": "Role"

}

]

}

],

Service Account Permissions

The Tenant Owner and Service Administrators can also create a service account profile for Microsoft 365 to connect AvePoint Online Services to your Microsoft 365 tenant.

*Note: Users with Multi-Factor Authentication (MFA) enabled cannot be used as the service account to perform migrations. You can use a delegated app profile instead.

Make sure the service account has a mailbox (either by assigning the Exchange license or using PowerShell to create a mailbox) and also meets the following requirements:

*Note: To make sure the source service account has a mailbox, go to the Microsoft 365 admin center > Users > Active users, and select Exchange Online under the Licenses and apps tab of the service account.

Required PermissionNote
Full Access permission to destination mailboxes in the migrationMicrosoft has announced the retirement of the ApplicationImpersonation role in Exchange Online. Refer to Impact and Solutions for the Retirement of the ApplicationImpersonation Role in Exchange Online for details.If you do not migrate Group mailboxes in the migration, you can grant the Full Access permission without adding the ApplicationImpersonation role.If the destination resource/shared mailboxes are newly created in the migration, the Full Access permission will be automatically granted to the service account.
Mail Recipient Creation roleRequired if you want to create shared mailboxes.

What permissions are required if I also use an app profile?

If you use both service account and app profile authentications for the destination Exchange Online, some service account permissions will not be required. Make sure the service account has a mailbox and the following permissions:

*Note: To make sure the destination service account has a mailbox, go to the Microsoft 365 admin center > Users > Active users, and select Exchange Online under the Licenses and apps tab of the service account.

Destination Service Account PermissionsNote
Mail Recipient Creation roleRequired if you want to create shared mailboxes.

Delegated App Profile Permissions

Fly allows you to use the Fly delegated app profile or custom delegated app profile to connect to your workspace.

To use a delegated app profile, note the following:

- The license and permission requirements for the consent user are the same as those for the service account. Refer to [Service Account Permissions](#missing-link) for details. - If the consent user of the delegated app profile has Multi-Factor Authentication (MFA) enabled, you must authorize or re-authorize the delegated app profile after MFA is enabled. Otherwise, the migration jobs using the delegated app profile will fail. - If you re-authorize the app profile, you need to wait about one hour before using the app profile for your migration to refresh the token when there are permissions updated. - Exchange PowerShell is unavailable when you only use a delegated app for a 21Vianet tenant. The steps of creating a default or custom delegated app profile for the destination are the same as the steps in [Delegated App Profile Permissions](#missing-link) for the source. For Fly delegated app profile permissions, refer to the table in [Fly Delegated App Profile Permissions](#missing-link).

For custom delegated app profile permissions, refer to the table below.

APIPermissionsTypePurpose
Office 365 Exchange OnlineEWS.AccessAsUser.All(Access mailboxes as the signed-in user via Exchange Web Services)DelegatedAccess specified user and import data
Office 365 Exchange OnlineExchange.Manage(Manage Exchange configuration)DelegatedUse Exchange PowerShell to retrieve mailbox type.
Microsoft GraphInformationProtectionPolicy.Read(Read user sensitivity labels and label policies)DelegatedOnly required if you want to manage sensitivity labels of emails.
Microsoft GraphUser.Read.All(Read all users' full profiles)DelegatedRetrieve mailbox types to replace meeting links.
Microsoft Information Protection Sync ServiceUnifiedPolicy.User.Read(Read all unified policies a user has access to)DelegatedOnly required if you want to manage sensitivity labels of emails.
Azure Rights Management Services*Note: For 21Vianet tenants, the API name is Microsoft Rights Management Services.user_impersonation(Create and access protected content for users)DelegatedOnly required if you want to manage sensitivity labels of emails.

For easy use, you can directly use the following commands to add required API permissions through Manifest for Microsoft 365 Commercial tenants.

"requiredResourceAccess": [

{

"resourceAppId": "00000003-0000-0000-c000-000000000000",

"resourceAccess": [

{

"id": "4ad84827-5578-4e18-ad7a-86530b12f884",

"type": "Scope"

},

{

"id": "a154be20-db9c-4678-8ab7-66f6cc099a59",

"type": "Scope"

}

]

},

{

"resourceAppId": "00000012-0000-0000-c000-000000000000",

"resourceAccess": [

{

"id": "c9c9a04d-3b66-4ca8-a00c-fca953e2afd3",

"type": "Scope"

}

]

},

{

"resourceAppId": "870c4f2e-85b6-4d43-bdda-6ed9a579b725",

"resourceAccess": [

{

"id": "34f7024b-1bed-402f-9664-f5316a1e1b4a",

"type": "Scope"

}

]

},

{

"resourceAppId": "00000002-0000-0ff1-ce00-000000000000",

"resourceAccess": [

{

"id": "ab4f2b77-0b06-4fc1-a9de-02113fc2ab7c",

"type": "Scope"

},

{

"id": "3b5f3d61-589b-4a3c-a359-5dd4b5ee5bd5",

"type": "Scope"

}

]

}

],