AvePoint Learn
Request article
Contact support
Request article
Contact support
English

Home > Perform Microsoft 365 Groups Migrations > Required Permissions for Microsoft 365 Groups Migration > Destination Permissions for Microsoft 365 Groups

Export to PDF

Destination Permissions for Microsoft 365 Groups

Fly App Profile Permissions

With the Tenant Owner or Service Administrator role, you can create a Fly app profile in AvePoint Online Services > Management > App management to connect to the Microsoft 365 tenant using the Fly app.

Refer to Fly App Profile Permissions about how to create a Fly app profile and the required permissions of the Fly app profile.

NOTE

With the authentication method of the Fly app profile only, if the destination is a multi-geo tenant, and the destination Groups need to be created in a defined location, you need to assign the Microsoft 365 Global Administrator, SharePoint Administrator, or Exchange Administrator role to the Fly app. You can refer to How to Assign the Exchange Administrator Role to an App? for examples of role assignment.

NOTE

With the authentication method of the Fly app profile only, if you want to migrate Planner task comments, the consent user must have the license for Exchange Online.

Custom App Profile Permissions

With the Tenant Owner and Service Administrator role, you can create a custom app profile in AvePoint Online Services > Management > App management to connect to the Microsoft 365 tenant using a custom Azure app.

NOTE

With the authentication method of the app profile only, if you want to migrate Planner task comments, the consent user must have the license for Exchange Online.

Refer to the following procedures to create a custom app profile:

  1. Prepare a certificate in Microsoft Entra ID. Refer to Prepare a Certificate for the Custom Azure App for more information.

    You can ignore this step if you have a certificate.

  2. Create a custom Azure app in Microsoft Entra ID. Refer to Create Custom Azure Applications for more information.

  3. Connect your tenant to AvePoint Online Services.

  4. Create an App Profile for a Custom Azure App in AvePoint Online Services.

NOTE

After you re-authorize the app profile, you need to wait about one hour before using the app profile for your migration to refresh the token if there are permissions updated.

Refer to the following tables to add API permissions required by Microsoft 365 Groups Migration to the custom Azure app.

APIPermissionTypePurpose
Microsoft Information Protection Sync ServiceUnifiedPolicy.Tenant.Read
(Read all unified policies of the tenant.)		ApplicationOnly required if you want to manage the sensitivity labels of files/emails/Groups.
Microsoft GraphDirectory.ReadWrite.All
(Read and write directory data)		ApplicationOnly required if the destination is multi-geo tenant with the following situations:
The authentication uses the custom app profile only.
The destination Groups need to be created in a defined location.
Microsoft GraphDomain.Read.AllApplicationRetrieve tenant domain.
Microsoft GraphRoleManagement.Read.DirectoryApplicationRetrieve directory roles.
Microsoft GraphGroup.ReadWrite.AllApplicationRetrieve and migrate Microsoft 365 Groups and group members.
Microsoft GraphSites.Read.All
(Read items in all site collections)		ApplicationRetrieve team sites.
Microsoft GraphUser.Read.All
(Read all users’ full profiles)		ApplicationRetrieve information of Microsoft 365 user profiles.
Microsoft GraphInformationProtectionPolicy.Read.All
(Read all published labels and label policies for an organization.)		ApplicationOnly required if you want to manage the sensitivity labels of files/emails/Groups.
Microsoft GraphReports.Read.All
(Read all usage reports)		ApplicationOnly required by tenant discovery.
Microsoft GraphTasks.ReadWrite.All
(Read and write all users’ tasks and tasklists)		ApplicationMigrate planners and data in planners to the destination.
Microsoft GraphRoleManagement.ReadWrite.DirectoryApplicationOnly required when the destination group can be assigned Microsoft Entra roles.
Ensure the consent user of the app profile can be added as the group owner.
Microsoft GraphReportSettings.Read.All
(Read all admin report settings)		ApplicationRetrieve the Reports setting of the Microsoft 365 admin center.
Azure Rights Management Services
*Note: For 21Vianet tenants, the API name is Microsoft Rights Management Services.		Content.DelegatedWriter
(Create protected content on behalf of a user)		ApplicationOnly required if you want to manage the sensitivity labels of files/emails/Groups.
Azure Rights Management Services
*Note: For 21Vianet tenants, the API name is Microsoft Rights Management Services.		Content.Writer
(Create protected content)		ApplicationOnly required if you want to manage the sensitivity labels of files/emails/Groups.
Office 365 Exchange OnlineExchange.ManageAsApp
(Manage Exchange As Application)		ApplicationUse Exchange PowerShell to retrieve mailbox permissions.
Office 365 Exchange OnlineFull_access_as_app
(Use Exchange Web Services with full access to all mailboxes)		ApplicationRetrieve items from all mailboxes.
*Note: If you do not want to add this permission to the app, you can create an RBAC assignment for the app to only access to specified mailboxes. Refer to the option 3 in the How to Migrate Mailboxes without the ApplicationImpersonation Role? section for details.
SharePoint/Office 365 SharePoint Online
Sites.FullControl.All
(Have full control of all site collections)		ApplicationRetrieve settings and permissions of team sites.
SharePoint/Office 365 SharePoint Online
TermStore.ReadWrite.AllApplicationRetrieve and migrate Managed Metadata Service.
*Note: If the term groups/term sets/terms with the same name and level (global or local level) as the source ones exist in the destination, you can change this permission to TermStore.Read.All.

For easy use, you can directly use the following commands to add required API permissions through Manifest for Microsoft 365 Commercial tenants.

"requiredResourceAccess": [
  {
    "resourceAppId": "00000003-0000-0000-c000-000000000000",
    "resourceAccess": [
      {
        "id": "dbb9058a-0e50-45d7-ae91-66909b5d4664",
        "type": "Role"
      },
      {
        "id": "62a82d76-70ea-41e2-9197-370581804d09",
        "type": "Role"
      },
      {
        "id": "19da66cb-0fb0-4390-b071-ebc76a349482",
        "type": "Role"
      },
      {
        "id": "230c1aed-a721-4c5d-9cb4-a90514e508ef",
        "type": "Role"
      },
      {
        "id": "ee353f83-55ef-4b78-82da-555bfa2b4b95",
        "type": "Role"
      },
      {
        "id": "483bed4a-2ad3-4361-a73b-c83ccdbdc53c",
        "type": "Role"
      },
      {
        "id": "332a536c-c7ef-4017-ab91-336970924f0d",
        "type": "Role"
      },
      {
        "id": "44e666d1-d276-445b-a5fc-8815eeb81d55",
        "type": "Role"
      },
      {
        "id": "9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8",
        "type": "Role"
      },
      {
        "id": "df021288-bdef-4463-88db-98f22de89214",
        "type": "Role"
      }
    ]
  },
  {
    "resourceAppId": "00000003-0000-0ff1-ce00-000000000000",
    "resourceAccess": [
      {
        "id": "c8e3537c-ec53-43b9-bed3-b2bd3617ae97",
        "type": "Role"
      },
      {
        "id": "678536fe-1083-478a-9c59-b99265e6b0d3",
        "type": "Role"
      }
    ]
  },
  {
    "resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
    "resourceAccess": [
      {
        "id": "dc890d15-9560-4a4c-9b7f-a736ec74ec40",
        "type": "Role"
      },
      {
        "id": "dc50a0fb-09a3-484d-be87-e023b12c6440",
        "type": "Role"
      }
    ]
  },
  {
    "resourceAppId": "870c4f2e-85b6-4d43-bdda-6ed9a579b725",
    "resourceAccess": [
      {
        "id": "8b2071cd-015a-4025-8052-1c0dba2d3f64",
        "type": "Role"
      }
    ]
  },
  {
    "resourceAppId": "00000012-0000-0000-c000-000000000000",
    "resourceAccess": [
      {
        "id": "d13f921c-7f21-4c08-bade-db9d048bd0da",
        "type": "Role"
      },
      {
        "id": "006e763d-a822-41fc-8df5-8d3d7fe20022",
        "type": "Role"
      }
    ]
  }
],

Service Account Permissions

If you only use service account authentication for destination Groups, the service account must meet the following requirements:

NOTE

Users with Multi-Factor Authentication (MFA) enabled cannot be used as the service account to perform migrations. You can use a delegated app profile instead.

  • Licenses for Exchange Online

    NOTE

    To assign the licenses to the service account, go to the Microsoft 365 admin center > Users > Active users, and select Exchange Online under the Licenses and apps tab of the service account.

  • If the destination is a Multi-Geo tenant, make sure the destination service account is the Microsoft 365 Global Administrator, SharePoint Administrator, or Exchange Administrator.

  • Group owner of destination Groups

    You can manually add the service account as the group owner. For easy use, if you grant Groups Administrator or Global Administrator for the service account, Fly can automatically add the service account as the group owner.

    NOTE

    If your destination Groups do not exist before the migration and need Fly to create during the migration, the service account only needs to be a Microsoft 365 user. Fly will automatically add the service account as the Group owner.

    After the migration, you can remove the service account from the group owner using PowerShell or block the service account directly. To remove the account, refer to Remove the Service Account for details. To block the service account, go to Microsoft 365 Admin Center > Users and click the display name of the user. Click the Block this user icon, select Block the user from signing in, and save the changes.

  • If the service account is SharePoint Administrator or Global Administrator, during the full migration job, the service account will be automatically added as Site Collection Administrator of the team sites of destination Groups. After the migration, you can remove the service account from the team sites.

  • Service account pool is no longer available in migrations. If you have used the service account pool for the destination before, and you want to continue using the service account pool, you can select multiple service accounts when creating Groups connections, and make sure all selected service accounts meet the requirements mentioned above.

What permissions are required if I also use an app profile?

If you use both service account and app profile authentications for destination Groups, the service account must meet the following requirements:

NOTE

Users with Multi-Factor Authentication (MFA) enabled cannot be used as the service account to perform migrations. You can use a delegated app profile instead.

  • Licenses for Exchange Online

    NOTE

    To assign the licenses to the service account, go to the Microsoft 365 admin center > Users > Active users, and select Exchange Online under the Licenses and apps tab of the service account.

  • If the destination is a Multi-Geo tenant, make sure the destination service account is the Microsoft 365 Global Administrator, SharePoint Administrator, or Exchange Administrator.

  • Normally, when migrating to Groups, the service account needs to be the corresponding group owner.

    With the app profile in the connection, you do not need to manually add the group owner. Fly will automatically add the service account as the group owner.

    After the migration, you can block the service account directly. To block the service account, go to Microsoft 365 Admin Center > Users and click the display name of the user. Click the Block this user icon, select Block the user from signing in, and save the changes.

  • During the full migration job, the service account will be automatically added as Site Collection Administrator of the team sites of destination Groups. After the migration, you can remove the service account from the team sites.

  • Service account pool is no longer available in migrations. If you have used the service account pool for the destination before, and you want to continue using the service account pool, you can select multiple service accounts when creating Groups connections, and make sure all selected service accounts meet the requirements mentioned above.

Delegated App Profile Permissions

Fly allows you to use the Fly delegated app profile or custom delegated app profile to connect to your workspace.

NOTE

The license and permission requirements for the consent user are the same as those for the service account. For details, refer to Service Account Permissions.

NOTE

If the consent user of the delegated app profile has Multi-Factor Authentication (MFA) enabled, you must authorize or re-authorize the delegated app profile after MFA is enabled. Otherwise, the migration jobs using the delegated app profile will fail.

NOTE

With the authentication method of the app profile only, if you want to migrate Planner task comments, the consent user must have the license for Exchange Online.

NOTE

If you re-authorize the app profile, you need to wait about one hour before using the app profile for your migration to refresh the token when there are permissions updated.

The steps of creating a default or custom delegated app profile for the destination are the same as the steps in Delegated App Profile Permissions for the source.

For Fly delegated app profile permissions, refer to the table in Fly Delegated App Profile Permissions.

For custom delegated app profile permissions, refer to the table below.

NOTE

If you use the custom delegated app profile to create Groups in a specific location of the destination multi-geo tenant, you need to assign the Microsoft 365 Global Administrator, SharePoint Administrator, or Exchange Administrator role to the app. Refer to How to Assign the Exchange Administrator Role to an App? for examples of role assignment.

APIPermissionTypePurpose
Microsoft Information Protection Sync ServiceUnifiedPolicy.User.ReadDelegatedOnly required if you want to manage the sensitivity labels of files/emails/Groups.
Microsoft GraphDirectory.ReadWrite.AllDelegatedOnly required if the destination is a multi-geo tenant, and the destination Groups need to be created in a defined location.
Microsoft GraphDomain.Read.AllDelegatedRetrieve tenant domain.
Microsoft GraphRoleManagement.Read.DirectoryDelegatedRetrieve Microsoft global groups.
Microsoft GraphGroup.ReadWrite.AllDelegatedRetrieve and migrate Microsoft 365 Groups and group members.
Microsoft GraphSites.Read.AllDelegatedRetrieve site collections.
Microsoft GraphRoleManagement.ReadWrite.DirectoryDelegatedOnly required when the destination group can be assigned Microsoft Entra roles.
Ensure the consent user of the app profile can be added as the group owner.
Microsoft GraphUser.Read.AllDelegatedRetrieve information of Microsoft 365 user profiles.
Azure Rights Management Services
*Note: For 21Vianet tenants, the API name is Microsoft Rights Management Services.		user_impersonationDelegatedOnly required if you want to manage the sensitivity labels of files/emails/Groups.
Office 365 Exchange OnlineEWS.AccessAsUser.AllDelegatedUse Exchange Web Services with full access to user data via impersonation.
Office 365 Exchange OnlineExchange.ManageDelegatedRetrieve mailbox permissions.
SharePoint/Office 365 SharePoint OnlineAllSites.FullControlDelegatedRetrieve settings and permissions of team sites.
SharePoint/Office 365 SharePoint OnlineTermStore.ReadWrite.AllDelegatedRetrieve and migrate Managed Metadata Service.

For easy use, you can directly use the following commands to add required API permissions through Manifest for Microsoft 365 Commercial tenants.

"requiredResourceAccess": [
  {
    "resourceAppId": "00000003-0000-0ff1-ce00-000000000000",
    "resourceAccess": [
      {
        "id": "59a198b5-0420-45a8-ae59-6da1cb640505",
        "type": "Scope"
      },
      {
        "id": "56680e0d-d2a3-4ae1-80d8-3c4f2100e3d0",
        "type": "Scope"
      }
    ]
  },
  {
    "resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
    "resourceAccess": [
      {
        "id": "ab4f2b77-0b06-4fc1-a9de-02113fc2ab7c",
        "type": "Scope"
      },
      {
        "id": "3b5f3d61-589b-4a3c-a359-5dd4b5ee5bd5",
        "type": "Scope"
      }
    ]
  },
  {
    "resourceAppId": "00000012-0000-0000-c000-000000000000",
    "resourceAccess": [
      {
        "id": "c9c9a04d-3b66-4ca8-a00c-fca953e2afd3",
        "type": "Scope"
      }
    ]
  },
  {
    "resourceAppId": "00000003-0000-0000-c000-000000000000",
    "resourceAccess": [
      {
        "id": "c5366453-9fb0-48a5-a156-24f0c49a4b84",
        "type": "Scope"
      },
      {
        "id": "2f9ee017-59c1-4f1d-9472-bd5529a7b311",
        "type": "Scope"
      },
      {
        "id": "4e46008b-f24c-477d-8fff-7bb4ec7aafe0",
        "type": "Scope"
      },
      {
        "id": "741c54c3-0c1e-44a1-818b-3f97ab4e8c83",
        "type": "Scope"
      },
      {
        "id": "205e70e5-aba6-4c52-a976-6d2d46c48043",
        "type": "Scope"
      },
      {
        "id": "d01b97e9-cbc0-49fe-810a-750afd5527a3",
        "type": "Scope"
      },
      {
        "id": "a154be20-db9c-4678-8ab7-66f6cc099a59",
        "type": "Scope"
      }
    ]
  },
  {
    "resourceAppId": "870c4f2e-85b6-4d43-bdda-6ed9a579b725",
    "resourceAccess": [
      {
        "id": "34f7024b-1bed-402f-9664-f5316a1e1b4a",
        "type": "Scope"
      }
    ]
  }
],