AvePoint Docs
Graph API
My support tickets
Graph API
My support tickets
English

Home > Perform Microsoft 365 Groups Migrations > Required Permissions for Microsoft 365 Groups Migration > Source Permissions When Destination is Google Groups

Export to PDF

Source Permissions When Destination is Google Groups

Fly App Profile Permissions

With the Tenant Owner or Service Administrator role, you can create a Fly app profile in AvePoint Online Services > Management > App management to connect to the Microsoft 365 tenant using the Fly app.

Refer to Fly App Profile Permissions about how to create a Fly app profile and the required permissions of the Fly app profile.

Custom App Profile Permissions

With the Tenant Owner and Service Administrator role, you can create a custom app profile in AvePoint Online Services > Management > App management to connect to the Microsoft 365 tenant using a custom Azure app.

Refer to the following procedures to create a custom app profile:

  1. Prepare a certificate in Microsoft Entra ID. Refer to for more information.

    You can ignore this step if you have a certificate.

  2. Create a custom Azure app in Microsoft Entra ID. Refer to for more information.

  3. .

  4. in AvePoint Online Services.

Note that after you re-authorize the app profile, you need to wait about one hour before using the app profile for your migration to refresh the token if there are permissions updated.

Refer to the following tables to add API permissions required by Microsoft 365 Groups to Google Groups Migration to the custom Azure app.

APIPermissionTypePurpose
Microsoft Information Protection Sync ServiceUnifiedPolicy.Tenant.Read(Read all unified policies of the tenant.)ApplicationOnly required if you want to manage the sensitivity labels of files/emails/Groups.
Microsoft GraphDomain.Read.AllApplicationRetrieve tenant domain.
Microsoft GraphRoleManagement.Read.DirectoryApplicationRetrieve directory roles.
Microsoft GraphGroup.Read.All(Read all groups)ApplicationRetrieve Microsoft 365 Groups and Group members.
Microsoft GraphGroup.ReadWrite.All(Read and write all groups)ApplicationOnly required if you use both the app profile and the service account in the source connection and the source service account is not the Group owner, to automatically ensure the service account as the Group owner.
Microsoft GraphSites.Read.All(Read items in all site collections)ApplicationRetrieve files of team sites.
Microsoft GraphUser.Read.All(Read all users’ full profiles)ApplicationRetrieve information of Microsoft 365 user profiles.
Microsoft GraphInformationProtectionPolicy.Read.All(Read all published labels and label policies for an organization.)ApplicationOnly required if you want to manage the sensitivity labels of files/emails/Groups.
Microsoft GraphReports.Read.All(Read all usage reports)ApplicationOnly required by tenant discovery.
Microsoft GraphReportSettings.Read.All(Read all admin report settings)ApplicationRetrieve the Reports setting of the Microsoft 365 admin center.
Azure Rights Management ServicesNote that for 21Vianet tenants, the API name is Microsoft Rights Management Service.Content.SuperUser(Read all protected content for this tenant)ApplicationOnly required if you want to manage the sensitivity labels of files/emails/Groups.
Office 365 Exchange OnlineFull_access_as_app(Use Exchange Web Services with full access to all mailboxes)ApplicationRetrieve items from all mailboxes.Note that if you do not want to add this permission to the app, you can create an RBAC assignment for the app to only access to specified mailboxes. Refer to the option 3 in the How to Migrate Mailboxes without the ApplicationImpersonation Role? section for details.
SharePoint/Office 365 SharePoint OnlineSites.FullControl.All(Have full control of all site collections)ApplicationRetrieve settings and permissions of team sites.

For easy use, you can directly use the following commands to add required API permissions through Manifest for Microsoft 365 Commercial tenants.

"requiredResourceAccess": [

        {

            "resourceAppId": "00000003-0000-0ff1-ce00-000000000000",

            "resourceAccess": [

                {

                    "id": "678536fe-1083-478a-9c59-b99265e6b0d3",

                    "type": "Role"

                }

            ]

        },

        {

            "resourceAppId": "00000002-0000-0ff1-ce00-000000000000",

            "resourceAccess": [

                {

                    "id": "dc890d15-9560-4a4c-9b7f-a736ec74ec40",

                    "type": "Role"

                }

            ]

        },

        {

            "resourceAppId": "00000012-0000-0000-c000-000000000000",

            "resourceAccess": [

                {

                    "id": "7347eb49-7a1a-43c5-8eac-a5cd1d1c7cf0",

                    "type": "Role"

                }

            ]

        },

        {

            "resourceAppId": "00000003-0000-0000-c000-000000000000",

            "resourceAccess": [

                {

                    "id": "dbb9058a-0e50-45d7-ae91-66909b5d4664",

                    "type": "Role"

                },

                {

                    "id": "5b567255-7703-4780-807c-7be8301ae99b",

                    "type": "Role"

                },

                {

                    "id": "62a82d76-70ea-41e2-9197-370581804d09",

                    "type": "Role"

                },

                {

                    "id": "19da66cb-0fb0-4390-b071-ebc76a349482",

                    "type": "Role"

                },

                {

                    "id": "230c1aed-a721-4c5d-9cb4-a90514e508ef",

                    "type": "Role"

                },

                {

                    "id": "ee353f83-55ef-4b78-82da-555bfa2b4b95",

                    "type": "Role"

                },

                {

                    "id": "483bed4a-2ad3-4361-a73b-c83ccdbdc53c",

                    "type": "Role"

                },

                {

                    "id": "332a536c-c7ef-4017-ab91-336970924f0d",

                    "type": "Role"

                },

                {

                    "id": "df021288-bdef-4463-88db-98f22de89214",

                    "type": "Role"

                }

            ]

        },

        {

            "resourceAppId": "870c4f2e-85b6-4d43-bdda-6ed9a579b725",

            "resourceAccess": [

                {

                    "id": "8b2071cd-015a-4025-8052-1c0dba2d3f64",

                    "type": "Role"

                }

            ]

        }

    ],

Service Account Permissions

If you only use service account authentication for source Groups, the service account must meet the following requirements:

Note that users with Multi-Factor Authentication (MFA) enabled cannot be used as the service account to perform migrations. You can use a delegated app profile instead.

- Licenses for Exchange Online Note that to assign the licenses to the service account, go to the Microsoft 365 admin center > **Users** > **Active users**, and select **Exchange Online** under the **Licenses and apps** tab of the service account. - Group owner of source Groups You can manually add the service account as the group owner. For easy use, if you grant **Groups** **Administrator** or **Global** **Administrator** for the service account, Fly can automatically add the service account as the group owner. After the migration, you can remove the service account from the group owner using PowerShell or block the service account directly. To remove the account, refer to [Remove the Service Account](#missing-link) for details. To block the account, go to Microsoft 365 Admin Center > **Users** and click the display name of the user. Click the Block this user (![Icon: Block this user icon.](/en/fly-user-guide/perform-microsoft-365-groups-migrations/required-permissions-for-microsoft-365-groups-migration/images/image188.png "Icon: Block this user icon.")) icon, select **Block the user from signing in**, and save the changes. - If the service account is **SharePoint Administrator** or **Global Administrator**, during the full migration job, the service account will be automatically added as **Site Collection Administrator** of the team sites of source Groups. After the migration, you can remove the service account from the team sites. - Service account pool is no longer available in migrations. If you have used the service account pool for the source before, and you want to continue using the service account pool, you can select multiple service accounts when creating Groups connections, and make sure all selected service accounts meet the requirements mentioned above.

What permissions are required if I also use an app profile?

If you use both service account and app profile authentications for source Groups, the service account must meet the following requirements:

Note that users with Multi-Factor Authentication (MFA) enabled cannot be used as the service account to perform migrations. You can use a delegated app profile instead.

- Licenses for Exchange Online Note that to assign the licenses to the service account, go to the Microsoft 365 admin center > **Users** > **Active users**, and select **Exchange Online** under the **Licenses and apps** tab of the service account. - Group owner of source Groups. You can manually add the service account as the group owner. For easy use, if you provide both a service account and app profile using the default Fly app or custom app with required permissions, Fly can automatically add the service account as the group owner. After the migration, you can block the service account directly. To block the account, go to Microsoft 365 Admin Center > **Users** and click the display name of the user. Click the Block this user (![Icon: Block this user icon.](/en/fly-user-guide/perform-microsoft-365-groups-migrations/required-permissions-for-microsoft-365-groups-migration/images/image189.png "Icon: Block this user icon.")) icon, select **Block the user from signing in**, and save the changes. - During the full migration job, the service account will be automatically added as **Site Collection Administrator** of the team sites of source Groups. After the migration, you can remove the service account from the team sites. - Service account pool is no longer available in migrations. If you have used the service account pool for the source before, and you want to continue using the service account pool, you can select multiple service accounts when creating Groups connections, and make sure all selected service accounts meet the requirements mentioned above.

Delegated App Profile Permissions

Fly allows you to use the Fly delegated app profile or custom delegated app profile to connect to your workspace.

Note that the license and permission requirements for the consent user are the same as those for the service account. For details, refer to Service Account Permissions.

Note that if the consent user of the delegated app profile has Multi-Factor Authentication (MFA) enabled, you must authorize or re-authorize the delegated app profile after MFA is enabled. Otherwise, the migration jobs using the delegated app profile will fail.

Note that if you re-authorize the app profile, you need to wait about one hour before using the app profile for your migration to refresh the token when there are permissions updated.

To use the Fly delegated app profile with required permissions, refer to Fly Delegated App Profile Permissions.

To use a custom delegated app profile with required permissions, refer to the following steps:

  1. After registering an app in Microsoft Entra ID, add the permissions in the table below to the app.
APIPermissionTypePurpose
Microsoft Information Protection Sync ServiceUnifiedPolicy.User.ReadDelegatedOnly required if you want to manage the sensitivity labels of files/emails/Groups.
Microsoft GraphDomain.Read.AllDelegatedRetrieve tenant domain.
Microsoft GraphRoleManagement.Read.DirectoryDelegatedRetrieve directory roles.
Microsoft GraphGroup.Read.AllDelegatedRetrieve Microsoft 365 Groups and group members.
Microsoft GraphGroup.ReadWrite.AllDelegatedRequired if you only use the delegated app profile and the consent user is not the group owner of source Groups. Meanwhile, the consent user must have the Groups Administrator role. This can automatically add the consent user as the group owner.If the consent user is already the group owner, you can change this permission to Group.Read.All.
Microsoft GraphSites.Read.AllDelegatedRetrieve files of team sites.
Microsoft GraphUser.Read.AllDelegatedRetrieve information of Microsoft 365 user profiles.
Azure Rights Management ServicesNote that for 21Vianet tenants, the API name is Microsoft Rights Management Services.user_impersonationDelegatedOnly required if you want to manage the sensitivity labels of files/emails/Groups.
Office 365 Exchange OnlineEWS.AccessAsUser.AllDelegatedUse Exchange Web Services with full access to user data via impersonation.
SharePoint/Office 365 SharePoint OnlineAllSites.FullControlDelegatedRetrieve settings and permissions of team sites.

  2. For easy use, you can directly use the following commands to add required API permissions through Manifest for Microsoft 365 Commercial tenants.

"requiredResourceAccess": [

        {

            "resourceAppId": "00000003-0000-0ff1-ce00-000000000000",

            "resourceAccess": [

                {

                    "id": "56680e0d-d2a3-4ae1-80d8-3c4f2100e3d0",

                    "type": "Scope"

                }

            ]

        },

        {

            "resourceAppId": "00000002-0000-0ff1-ce00-000000000000",

            "resourceAccess": [

                {

                    "id": "3b5f3d61-589b-4a3c-a359-5dd4b5ee5bd5",

                    "type": "Scope"

                }

            ]

        },

        {

            "resourceAppId": "00000012-0000-0000-c000-000000000000",

            "resourceAccess": [

                {

                    "id": "c9c9a04d-3b66-4ca8-a00c-fca953e2afd3",

                    "type": "Scope"

                }

            ]

        },

        {

            "resourceAppId": "00000003-0000-0000-c000-000000000000",

            "resourceAccess": [

                {

                    "id": "2f9ee017-59c1-4f1d-9472-bd5529a7b311",

                    "type": "Scope"

                },

                {

                    "id": "5f8c59db-677d-491f-a6b8-5f174b11ec1d",

                    "type": "Scope"

                },

                {

                    "id": "4e46008b-f24c-477d-8fff-7bb4ec7aafe0",

                    "type": "Scope"

                },

                {

                    "id": "741c54c3-0c1e-44a1-818b-3f97ab4e8c83",

                    "type": "Scope"

                },

                {

                    "id": "205e70e5-aba6-4c52-a976-6d2d46c48043",

                    "type": "Scope"

                },

                {

                    "id": "a154be20-db9c-4678-8ab7-66f6cc099a59",

                    "type": "Scope"

                }

            ]

        },

        {

            "resourceAppId": "870c4f2e-85b6-4d43-bdda-6ed9a579b725",

            "resourceAccess": [

                {

                    "id": "34f7024b-1bed-402f-9664-f5316a1e1b4a",

                    "type": "Scope"

                }

            ]

        }

    ],

  1. Click Authentication in the left navigation of the app.

  2. Click Add a platform.

  3. Select Web in the Configure platforms panel.

  4. In the Configure Web panel, enter the AvePoint Online Services URL: https://www.avepointonlineservices.com for your commercial environment or https://usgov.avepointonlineservices.com for your U.S. Government environment in the Redirect URIs field.

  5. Select the Access tokens and ID tokens checkboxes in the Implicit grant and hybrid flows field.

    The Configure Web panel.

  6. Click Configure.

  7. Click Save.

  8. Create an app profile for the app using the Custom mode in AvePoint Online Services by referring to .

  9. Note that when consenting to the app, if you have granted the admin consent and allowed public client flows for the permissions, you can choose to use the Global Administrator consent or the User consent method. If not, you can only use the Global Administrator consent method.