Permissions for Source Entra ID

To connect to the source, you can use either the Fly app profile or a custom app profile as the authentication method.

Refer to the following sections to view the permissions required by the authentication methods.

Fly App for Entra ID Source Permissions (Default app)

The Tenant Owner and Service Administrators can create a default app profile for Entra ID Source in AvePoint Online Services.

Refer to the following steps to create a default app profile for Entra ID Source:

  1. Click Create on the App management page.

  2. On the Create app profile page, select a Microsoft 365 tenant where you want to create the app profile.

    *Note: Make sure your selected tenant has been connected to AvePoint Online Services.

  3. Click Fly, and click Next.

  4. Click Modern mode.

  5. Click Consent of Fly for Entra ID source.

  6. On the Microsoft 365 sign-in page, sign in with a Microsoft 365 Global Administrator account to consent to the app. The Microsoft 365 Global Administrator account is a requirement from Microsoft. Refer to the for more information.

    On the Permissions requested page, review the permissions required for using Fly and click Accept so that AvePoint Online Services and Fly function correctly. (The required permissions are listed in the table below.)

  7. Click Finish to create the app profile.

The default app requires the following API permissions for Entra ID migrations.

| API | Permission | Type | Purpose |
| --- | --- | --- | --- |
| Microsoft Graph | Domain.Read.All (Read domains) | Application | Retrieve tenant domain. |
| Microsoft Graph | Group.Read.All (Read all groups) | Application | Retrieve groups and group members. |
| Microsoft Graph | MailboxSettings.Read (Read user’s mail setting) | Application | Retrieve the mailbox settings information for all users. |
| Microsoft Graph | Organization.Read.All (Read subscribed skus) | Application | Retrieve information of license. |
| Microsoft Graph | RoleManagement.Read.Directory (Read roles and Role assignments) | Application | Retrieve directory roles. |
| Microsoft Graph | User.Read.All (Read all users’ full profiles) | Application | Retrieve information of user profiles. |

Custom App Profile Permissions

With the Tenant Owner and Service Administrator role, you can create a custom app profile in AvePoint Online Services > Management > App management to connect to the Microsoft 365 tenant using a custom Azure app.

Refer to the following procedures to create a custom app profile:

  1. Prepare a certificate in Microsoft Entra ID. Refer to for more information.

    You can skip this step if you already have a certificate.

  2. Create a custom Azure app in Microsoft Entra ID. Refer to for more information.

  3. .

  4. in AvePoint Online Services.

*Note: If permissions have been updated, after you re-authorize the app profile you need to wait about one hour for the token to refresh before using the app profile for your migration.

Add the API permissions in the following table, which are required by Entra ID Migration, to the custom Azure app.

| API | Permission | Type | Purpose |
| --- | --- | --- | --- |
| Microsoft Graph | Domain.Read.All (Read domains) | Application | Retrieve tenant domain. |
| Microsoft Graph | Group.Read.All (Read all groups) | Application | Retrieve groups and group members. |
| Microsoft Graph | MailboxSettings.Read (Read user’s mail setting) | Application | Retrieve the mailbox settings information for all users. |
| Microsoft Graph | Organization.Read.All (Read subscribed skus) | Application | Retrieve information of license. |
| Microsoft Graph | RoleManagement.Read.Directory (Read roles and Role assignments) | Application | Retrieve directory roles. |
| Microsoft Graph | User.Read.All (Read all users’ full profiles) | Application | Retrieve information of user profiles. |

For convenience, you can add the required API permissions directly through the app Manifest by using the following entry for Microsoft 365 Commercial tenants.

```json
"requiredResourceAccess": [
    {
        "resourceAppId": "00000003-0000-0000-c000-000000000000",
        "resourceAccess": [
            { "id": "dbb9058a-0e50-45d7-ae91-66909b5d4664", "type": "Role" },
            { "id": "5b567255-7703-4780-807c-7be8301ae99b", "type": "Role" },
            { "id": "40f97065-369a-49f4-947c-6a255697ae91", "type": "Role" },
            { "id": "498476ce-e0fe-48b0-b801-37ba7e2685c6", "type": "Role" },
            { "id": "483bed4a-2ad3-4361-a73b-c83ccdbdc53c", "type": "Role" },
            { "id": "df021288-bdef-4463-88db-98f22de89214", "type": "Role" }
        ]
    }
]
```
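To confirm that a custom Azure app carries exactly the six permissions listed on this page and nothing broader, the following added example (not AvePoint or Microsoft code) audits an exported manifest's `requiredResourceAccess` against the IDs above. The pairing of IDs to permission names assumes the manifest entries follow the same order as the table rows; the sample manifest and the `11111111-...` ID are constructed for illustration.

```python
import json

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # resourceAppId from the page

# App role IDs from the page's manifest, paired with the table rows in page order.
EXPECTED_ROLES = {
    "dbb9058a-0e50-45d7-ae91-66909b5d4664": "Domain.Read.All",
    "5b567255-7703-4780-807c-7be8301ae99b": "Group.Read.All",
    "40f97065-369a-49f4-947c-6a255697ae91": "MailboxSettings.Read",
    "498476ce-e0fe-48b0-b801-37ba7e2685c6": "Organization.Read.All",
    "483bed4a-2ad3-4361-a73b-c83ccdbdc53c": "RoleManagement.Read.Directory",
    "df021288-bdef-4463-88db-98f22de89214": "User.Read.All",
}

def audit_manifest(manifest):
    """Compare a manifest's requiredResourceAccess with the documented set."""
    seen, extra, wrong_type = set(), [], []
    for resource in manifest.get("requiredResourceAccess", []):
        app_id = resource.get("resourceAppId", "").lower()
        for access in resource.get("resourceAccess", []):
            perm_id = access.get("id", "").lower()
            name = EXPECTED_ROLES.get(perm_id) if app_id == GRAPH_APP_ID else None
            if name is None:
                extra.append((app_id, perm_id))   # outside the documented set
            elif access.get("type") != "Role":
                wrong_type.append(name)           # page lists these as Application
            else:
                seen.add(name)
    missing = sorted(set(EXPECTED_ROLES.values()) - seen - set(wrong_type))
    return {"missing": missing, "extra": extra, "wrong_type": wrong_type}

# Constructed sample manifest: one documented role absent, one with the wrong
# type, and one constructed placeholder ID that is not in the documented set.
SAMPLE_MANIFEST = json.loads("""
{"requiredResourceAccess": [{
  "resourceAppId": "00000003-0000-0000-c000-000000000000",
  "resourceAccess": [
    {"id": "dbb9058a-0e50-45d7-ae91-66909b5d4664", "type": "Role"},
    {"id": "5b567255-7703-4780-807c-7be8301ae99b", "type": "Role"},
    {"id": "40f97065-369a-49f4-947c-6a255697ae91", "type": "Scope"},
    {"id": "498476ce-e0fe-48b0-b801-37ba7e2685c6", "type": "Role"},
    {"id": "483bed4a-2ad3-4361-a73b-c83ccdbdc53c", "type": "Role"},
    {"id": "11111111-1111-1111-1111-111111111111", "type": "Role"}
  ]}]}
""")

if __name__ == "__main__":
    print(json.dumps(audit_manifest(SAMPLE_MANIFEST), indent=2))
```

Any entry reported under `extra` is a permission the migration does not need according to this page and is a candidate for removal before admin consent is granted.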