#Permissions for Destination SharePoint Online / OneDrive

To connect to the destination, you can choose to only use a service account, Fly app profile, or custom app profile as the authentication method. You can also use the combination of a service account and a Fly app profile or the combination of a service account and a custom app profile.

Refer to the following sections to view the permissions required by the authentication methods.

#Fly App Profile Permissions

With the Tenant Owner or Service Administrator role, you can create a Fly app profile in AvePoint Online Services > Management > App management to connect to the Microsoft 365 tenant using the Fly app.

Refer to Fly App Profile Permissions about how to create a Fly app profile and required permissions of the Fly app profile.

#Custom App Profile Permissions

With the Tenant Owner and Service Administrator role, you can create a custom app profile in AvePoint Online Services > Management > App management to connect to the Microsoft 365 tenant using a custom Azure app.

1. Refer to the following procedures to create a custom app profile:

   Prepare a certificate in Microsoft Entra ID. Refer to for more information.

   You can ignore this step if you have a certificate.

2. Create a custom Azure app in Microsoft Entra ID. Refer to for more information.

3. .

4. in AvePoint Online Services.

*Note: After you re-authorize the app profile, you need to wait about one hour before using the app profile for your migration to refresh the token if there are permissions updated.

API Name	Permission Name	Description	Type	Purpose
Microsoft Graph	User.Read.All	Read all users	Application	Retrieve and migrate Microsoft 365 users.
Microsoft Graph	RoleManagement.Read.Directory	Read all directory RBAC settings	Application	Check Service Account available roles.
Microsoft Graph	Group.Read.All	Read all groups	Application	Retrieve the destination SharePoint group information and create groups.
Microsoft Graph	Files.Read.All	Read files in all site collections	Application	Retrieve the users’ OneDrive site URLs.
SharePoint	Sites.FullControl.All	Have full control of all site collections	Application	Migrate data to SharePoint.

For easy use, you can directly use the following commands to add required API permissions through Manifest for Microsoft 365 Commercial tenants.

"requiredResourceAccess": [                 {                         "resourceAppId": "00000003-0000-0000-c000-000000000000",                         "resourceAccess": [                                 {                                         "id": "01d4889c-1287-42c6-ac1f-5d1e02578ef6",                                         "type": "Role"                                 },                                 {                                         "id": "5b567255-7703-4780-807c-7be8301ae99b",                                         "type": "Role"                                 },                                 {                                         "id": "483bed4a-2ad3-4361-a73b-c83ccdbdc53c",                                         "type": "Role"                                 },                                 {                                         "id": "df021288-bdef-4463-88db-98f22de89214",                                         "type": "Role"                                 }                         ]                 },                 {                         "resourceAppId": "00000003-0000-0ff1-ce00-000000000000",                         "resourceAccess": [                                 {                                         "id": "678536fe-1083-478a-9c59-b99265e6b0d3",                                         "type": "Role"                                 }                         ]                 }         ],

#Service Account Permissions

The Tenant Owner and Service Administrators can also for Microsoft 365 to connect AvePoint Online Services to your Microsoft 365 tenant.

*Note: The service account can be a non-administrator user if you only use the service account for Fly.

*Note: Users with Multi-Factor Authentication (MFA) enabled cannot be used as the service account to perform migrations.

If you only use the service account for the destination, make sure the service account meets the following requirements:

*Note: If you also configure an app profile for the destination, Fly will use the app profile to connect to the destination. Therefore, there are no permission requirements for the service account. However, the service account will be automatically added as the Site Collection Administrator of destination site collections to ensure a successful job in case of any throttling.

#Delegated App Profile Permissions

Fly allows you to use the Fly delegated app profile or custom delegated app profile to connect to your workspace.

*Note: The permission requirements for the consent user are the same as those for the service account. For details, refer to Service Account Permissions.

*Note: If the consent user of the delegated app profile has Multi-Factor Authentication (MFA) enabled, you must authorize or re-authorize the delegated app profile after MFA is enabled. Otherwise, the migration jobs using the delegated app profile will fail.

*Note: If you re-authorize the app profile, you need to wait about one hour before using the app profile for your migration to refresh the token when there are permissions updated.

To use the Fly delegated app profile with required permissions, refer to Fly Delegated App Profile Permissions.

To use a custom delegated app profile with required permissions, refer to the following steps:

1. After registering an app in Microsoft Entra ID, add the permissions in the table below to the app.

API	Permission	Type	Purpose
Microsoft Graph	User.Read.All(Read user profiles)	Delegated	Retrieve and migrate Microsoft 365 users.
Microsoft Graph	RoleManagement.Read.Directory(Read directory RBAC settings)	Delegated	Retrieve and migrate Microsoft 365 users.
Microsoft Graph	Files.Read.All(Read files in all site collections)	Delegated	Retrieve the users’ OneDrive site URLs.
Microsoft Graph	Group.Read.All(Read all groups)	Delegated	Retrieve source site related group owner and member.
SharePoint/Office 365 SharePoint Online	AllSites.FullControl (Have full control of all site collections)	Delegated	Retrieve settings and permissions of SharePoint Online site collections.
SharePoint/Office 365 SharePoint Online	User.Read.All(Read user profiles)	Delegated	Migrate OneDrive sites.

"requiredResourceAccess": [

{

"resourceAppId": "00000003-0000-0ff1-ce00-000000000000",

"resourceAccess": [

{

"id": "56680e0d-d2a3-4ae1-80d8-3c4f2100e3d0",

"type": "Scope"

},

{

"id": "0cea5a30-f6f8-42b5-87a0-84cc26822e02",

"type": "Scope"

}

]

},

{

"resourceAppId": "00000003-0000-0000-c000-000000000000",

"resourceAccess": [

{

"id": "df85f4d6-205c-4ac5-a5ea-6bf408dba283",

"type": "Scope"

},

{

"id": "5f8c59db-677d-491f-a6b8-5f174b11ec1d",

"type": "Scope"

},

{

"id": "741c54c3-0c1e-44a1-818b-3f97ab4e8c83",

"type": "Scope"

},

{

"id": "a154be20-db9c-4678-8ab7-66f6cc099a59",

"type": "Scope"

}

]

}

],

1. Click Authentication in the left navigation of the app.

2. Click Add a platform.

3. Select Web in the Configure platforms panel.

4. In the Configure Web panel, enter the AvePoint Online Services URL: https://www.avepointonlineservices.com for your commercial environment or https://usgov.avepointonlineservices.com for your U.S. Government environment in the Redirect URIs field.

5. Select the Access tokens and ID tokens checkboxes in the Implicit grant and hybrid flows field.

   

6. Click Configure.

7. Click Save.

8. Create an app profile for the app using the Custom mode in AvePoint Online Services by referring to .

   *Note: When consenting to the app, if you have granted the admin consent and allowed public client flows for the permissions, you can choose to use the Global Administrator consent or the User consent method. If not, you can only use the Global Administrator consent method.