Permissions for Destination Entra ID

To connect to the destination, you can choose either the Fly app profile or a custom app profile as the authentication method.

Refer to the following sections for the permissions required by each authentication method.

Fly App for Entra ID Destination Permissions (Default app)

The Tenant Owner and Service Administrators can create a default app profile for Microsoft Entra ID in AvePoint Online Services.

Refer to the following steps to create a default app profile for Entra ID source and destination:

  1. Click Create on the App management page.

  2. On the Create app profile page, select a Microsoft 365 tenant where you want to create the app profile.

    *Note: Make sure your selected tenant has been connected to AvePoint Online Services.

  3. Click Fly, and click Next.

  4. Click Modern mode.

  5. Click Consent of Fly for Entra ID source and destination.

  6. On the Microsoft 365 sign-in page, sign in with a Microsoft 365 Global Administrator account to consent to the app. The Microsoft 365 Global Administrator account is a requirement from Microsoft. Refer to the for more information.

    On the Permissions requested page, review the permissions required for using Fly and click Accept so that AvePoint Online Services and Fly can function. (The required permissions are listed in the table below.)

  7. Click Finish to create the app profile.

    *Note: After the app profile is created, if you want to remove the Global Administrator role from the app profile, you can re-authorize the app profile and change to the User consent method. Refer to for more information.

    After you re-authorize the app profile, wait about one hour before using it for your migration, so that the token is refreshed with any updated permissions.

The following API permissions of the default app are required by Entra ID migrations.

| API | Permission | Type | Purpose |
|---|---|---|---|
| Microsoft Graph | Domain.Read.All (Read domains) | Application | Retrieve the tenant domain. |
| Microsoft Graph | Group.ReadWrite.All (Read and write all groups) | Application | Retrieve and migrate groups and group members. |
| Microsoft Graph | MailboxSettings.Read (Read user's mail settings) | Application | Retrieve the mailbox settings of all users. |
| Microsoft Graph | Organization.Read.All (Read subscribed SKUs) | Application | Retrieve license information. |
| Microsoft Graph | RoleManagement.ReadWrite.Directory (Read and write roles and role assignments) | Application | Retrieve directory roles and migrate roles. |
| Microsoft Graph | User.ReadWrite.All (Read and write all users' full profiles) | Application | Retrieve and migrate users. |
| Microsoft Graph | User.EnableDisableAccount.All (Unblock user sign-in) | Application | Enable and disable user accounts. |
| Microsoft Graph | User-Phone.ReadWrite.All (Update business phone and mobile phone) | Application | Update the business phone and mobile phone properties of all users. |
| Microsoft Graph | User-Mail.ReadWrite.All (Update other emails) | Application | Update the other emails property of all users. |

Custom App Profile Permissions

With the Tenant Owner or Service Administrator role, you can create a custom app profile in AvePoint Online Services > Management > App management to connect to the Microsoft 365 tenant using a custom Azure app.

Refer to the following procedures to create a custom app profile:

  1. Prepare a certificate in Microsoft Entra ID. Refer to for more information.

    You can skip this step if you already have a certificate.

  2. Create a custom Azure app in Microsoft Entra ID. Refer to for more information.

  3. .

  4. in AvePoint Online Services.

*Note: After you re-authorize the app profile, wait about one hour before using it for your migration, so that the token is refreshed with any updated permissions.

Add the API permissions in the following table, which are required by Entra ID migration, to the custom Azure app.

| API | Permission | Type | Purpose |
|---|---|---|---|
| Microsoft Graph | Domain.Read.All (Read domains) | Application | Retrieve the tenant domain. |
| Microsoft Graph | Group.ReadWrite.All (Read and write all groups) | Application | Retrieve and migrate groups and group members. |
| Microsoft Graph | MailboxSettings.Read (Read user's mail settings) | Application | Retrieve the mailbox settings of all users. |
| Microsoft Graph | Organization.Read.All (Read subscribed SKUs) | Application | Retrieve license information. |
| Microsoft Graph | RoleManagement.ReadWrite.Directory (Read and write roles and role assignments) | Application | Retrieve directory roles and migrate roles. |
| Microsoft Graph | User.ReadWrite.All (Read and write all users' full profiles) | Application | Retrieve and migrate users. |
| Microsoft Graph | User.EnableDisableAccount.All (Unblock user sign-in) | Application | Enable and disable user accounts. |
| Microsoft Graph | User-Phone.ReadWrite.All (Update business phone and mobile phone) | Application | Update the business phone and mobile phone properties of all users. |
| Microsoft Graph | User-Mail.ReadWrite.All (Update other emails) | Application | Update the other emails property of all users. |

Alternatively, for Microsoft 365 Commercial tenants, you can add the required API permissions directly through the app manifest by inserting the following JSON fragment.

```json
"requiredResourceAccess": [
  {
    "resourceAppId": "00000003-0000-0000-c000-000000000000",
    "resourceAccess": [
      { "id": "dbb9058a-0e50-45d7-ae91-66909b5d4664", "type": "Role" },
      { "id": "62a82d76-70ea-41e2-9197-370581804d09", "type": "Role" },
      { "id": "40f97065-369a-49f4-947c-6a255697ae91", "type": "Role" },
      { "id": "498476ce-e0fe-48b0-b801-37ba7e2685c6", "type": "Role" },
      { "id": "9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8", "type": "Role" },
      { "id": "280d0935-0796-47d1-8d26-273470a3f17a", "type": "Role" },
      { "id": "86ceff06-c822-49ff-989a-d912845ffe69", "type": "Role" },
      { "id": "3011c876-62b7-4ada-afa2-506cbbecc68c", "type": "Role" },
      { "id": "741f803b-c850-494e-b5df-cde7c675a1ca", "type": "Role" }
    ]
  }
]
```
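Because every entry above is a tenant-wide application permission, it is worth checking an exported custom-app manifest against the documented set before granting admin consent. The following Python script is an added example, not AvePoint's code: it reports permissions that are missing, that are present but not on this page's list, or that were added as delegated ("Scope") instead of application ("Role"). The id-to-name mapping is my assumption from the Graph service principal's app roles and should be verified in your tenant; the sample manifest is constructed.

```python
import json

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# IDs copied from the manifest snippet on this page. The names are an assumption
# (from the Microsoft Graph service principal's appRoles); verify in your tenant.
REQUIRED_ROLES = {
    "dbb9058a-0e50-45d7-ae91-66909b5d4664": "Domain.Read.All",
    "62a82d76-70ea-41e2-9197-370581804d09": "Group.ReadWrite.All",
    "40f97065-369a-49f4-947c-6a255697ae91": "MailboxSettings.Read",
    "498476ce-e0fe-48b0-b801-37ba7e2685c6": "Organization.Read.All",
    "9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8": "RoleManagement.ReadWrite.Directory",
    "280d0935-0796-47d1-8d26-273470a3f17a": "User-Mail.ReadWrite.All",
    "86ceff06-c822-49ff-989a-d912845ffe69": "User-Phone.ReadWrite.All",
    "3011c876-62b7-4ada-afa2-506cbbecc68c": "User.EnableDisableAccount.All",
    "741f803b-c850-494e-b5df-cde7c675a1ca": "User.ReadWrite.All",
}

def audit_manifest(manifest: dict) -> dict:
    """Compare the app's Microsoft Graph permissions with the set this page requires."""
    granted = {}  # permission id -> "Role" (application) or "Scope" (delegated)
    for resource in manifest.get("requiredResourceAccess", []):
        if resource.get("resourceAppId") != GRAPH_APP_ID:
            continue  # permissions on other resource APIs are out of scope here
        for access in resource.get("resourceAccess", []):
            granted[access["id"]] = access["type"]
    required, present = set(REQUIRED_ROLES), set(granted)
    return {
        # required by the page but absent: the migration will fail on these calls
        "missing": sorted(REQUIRED_ROLES[i] for i in required - present),
        # present but not on the page's list: review before granting admin consent
        "extra": sorted(present - required),
        # right id, but delegated ("Scope") instead of application ("Role")
        "wrong_type": sorted(REQUIRED_ROLES[i] for i in required & present
                             if granted[i] != "Role"),
    }

def audit_manifest_file(path: str) -> dict:
    with open(path, encoding="utf-8") as fh:  # manifest exported from the Entra portal
        return audit_manifest(json.load(fh))

# Constructed sample: User-Mail.ReadWrite.All missing, MailboxSettings.Read added as
# delegated by mistake, and one placeholder id that is not on this page's list.
SAMPLE_MANIFEST = {"requiredResourceAccess": [{
    "resourceAppId": GRAPH_APP_ID,
    "resourceAccess": [{"id": i, "type": "Role"} for i in REQUIRED_ROLES
                       if i != "280d0935-0796-47d1-8d26-273470a3f17a"]
    + [{"id": "11111111-2222-3333-4444-555555555555", "type": "Role"}],
}]}
SAMPLE_MANIFEST["requiredResourceAccess"][0]["resourceAccess"][2]["type"] = "Scope"
```

Run `audit_manifest_file("manifest.json")` on the exported manifest; an empty result for all three keys means the app carries exactly the documented set.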