Home > Perform Microsoft Teams Chat Migrations > Required Permissions for Microsoft Teams Chat Migration > Permissions for Destination Teams Chats
Export to PDFPermissions for Destination Teams Chats
To connect to the destination, you need to use a delegated app profile as the authentication method. If you want to migrate chat files in Teams Chat Migration, you can also simultaneously use a Fly app profile or custom app profile to reduce throttling.
Refer to the following sections to view the permissions required by the authentication methods.
Delegated App Profile Permissions
Fly supports the default or custom delegated app profile for the destination.
*Note: If the consent user of the delegated app profile has Multi-Factor Authentication (MFA) enabled, you must authorize or re-authorize the delegated app profile after MFA is enabled. Otherwise, the migration jobs using the delegated app profile will fail.
*Note: If you re-authorize the app profile, you need to wait about one hour before using the app profile for your migration to refresh the token when there are permissions updated.
Additionally, if you only use the delegated app profile to connect to the destination, the consent user of the delegated app profile must meet the following requirements:
What permissions are required if I also use an app profile?
If you use both the delegated app profile and app profile authentications for destination Teams chats, the consent user of the delegated app profile must meet the following requirements:
Custom Delegated App Profile
To use a custom delegated app profile with required permissions, refer to the following steps:
- After registering an app in Microsoft Entra ID, add the permissions in the table below to the app.
| API | Permission | Type | Purpose |
|---|---|---|---|
| Microsoft Graph | User.Read.All(Read all users' full profiles) | Delegated | Retrieve and migrate Microsoft 365 users. |
| Microsoft Graph | TeamsTab.Create(Create tabs in Microsoft Teams) | Delegated | Migrate the tab. |
| Microsoft Graph | TeamsTab.Read.All(Read tabs in Microsoft Teams.) | Delegated | Retrieve and migrate Team tabs. |
| Microsoft Graph | Chat.ReadWrite(Read and write user chat messages) | Delegated | |
| Migrate chat members/chat messages. | |||
| Microsoft Graph | Files.ReadWrite(Have full access to user files) | Delegated | Migrate chat files. |
| Microsoft Graph | TeamsTab.ReadWriteSelfForChat(Allow the Teams app to manage only its own tabs in chats) | Delegated | Update tabs in destination chats. |
| Microsoft Information Protection Sync Service | UnifiedPolicy.User.Read(Read all unified policies a user has access to) | Delegated | Only required if you want to manage the sensitivity labels of files/emails/Teams. |
| Azure Rights Management Services*Note: For 21Vianet tenants, the API name is Microsoft Rights Management Services. | user_impersonation(Create and access protected content for users) | Delegated | Only required if you want to manage the sensitivity labels of files/emails/Teams. |
| SharePoint/Office 365 SharePoint Online | AllSites.FullControl(Have full control of all site collections) | Delegated | Retrieve settings and permissions of OneDrive sites. |
| SharePoint/Office 365 SharePoint Online | User.Read.All(Read user profiles) | Delegated | Migrate OneDrive sites. |
"requiredResourceAccess": [
{
"resourceAppId": "00000003-0000-0ff1-ce00-000000000000",
"resourceAccess": [
{
"id": "56680e0d-d2a3-4ae1-80d8-3c4f2100e3d0",
"type": "Scope"
},
{
"id": "0cea5a30-f6f8-42b5-87a0-84cc26822e02",
"type": "Scope"
}
]
},
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "9ff7295e-131b-4d94-90e1-69fde507ac11",
"type": "Scope"
},
{
"id": "5c28f0bf-8a70-41f1-8ab2-9032436ddb65",
"type": "Scope"
},
{
"id": "a9ff19c2-f369-4a95-9a25-ba9d460efc8e",
"type": "Scope"
},
{
"id": "59dacb05-e88d-4c13-a684-59f1afc8cc98",
"type": "Scope"
},
{
"id": "0c219d04-3abf-47f7-912d-5cca239e90e6",
"type": "Scope"
},
{
"id": "a154be20-db9c-4678-8ab7-66f6cc099a59",
"type": "Scope"
}
]
},
{
"resourceAppId": "870c4f2e-85b6-4d43-bdda-6ed9a579b725",
"resourceAccess": [
{
"id": "34f7024b-1bed-402f-9664-f5316a1e1b4a",
"type": "Scope"
}
]
},
{
"resourceAppId": "00000012-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "c9c9a04d-3b66-4ca8-a00c-fca953e2afd3",
"type": "Scope"
}
]
}
],
-
Click Authentication in the left navigation of the app.
-
Click Add a platform.
-
Select Web in the Configure platforms panel.
-
In the Configure Web panel, enter the AvePoint Online Services URL: https://www.avepointonlineservices.com for your commercial environment or https://usgov.avepointonlineservices.com for your U.S. Government environment in the Redirect URIs field.
-
Select the Access tokens and ID tokens checkboxes in the Implicit grant and hybrid flows field.
-
Click Configure.
-
Click Save.
-
Create an app profile for the app using the Custom mode in AvePoint Online Services by referring to .
*Note: When consenting to the app, if you have granted the admin consent and allowed public client flows for the permissions, you can choose to use the Global Administrator consent or the User consent method. If not, you can only use the Global Administrator consent method.
Fly App Profile Permissions
With the Tenant Owner or Service Administrator role, you can create a Fly app profile in AvePoint Online Services > Management > App management to connect to the Microsoft 365 tenant using the Fly app.
Refer to Fly App Profile Permissions about how to create a Fly app profile and the required permissions of the Fly app profile.
Custom App Profile Permissions
With the Tenant Owner and Service Administrator role, you can also create a custom app profile in AvePoint Online Services > Management > App management to connect to the Microsoft 365 tenant using a custom Azure app.
Refer to the following procedures to create a custom app profile:
-
Prepare a certificate in Microsoft Entra ID. Refer to for more information.
You can ignore this step if you have a certificate.
-
Create a custom Azure app in Microsoft Entra ID. Refer to for more information.
-
.
-
in AvePoint Online Services.
*Note: After you re-authorize the app profile, you need to wait about one hour before using the app profile for your migration to refresh the token if there are permissions updated.
Refer to the following tables to add API permissions required by Microsoft Teams Chat Migration to the custom Azure app.
| API | Permission | Type | Purpose |
|---|---|---|---|
| Microsoft Information Protection Sync Service | UnifiedPolicy.Tenant.Read (Read all unified policies of the tenant.) | Application | Only required if you want to manage the sensitivity labels of files. |
| Microsoft Graph | Files.Read.All (Read files in all site collections) | Application | Retrieve and migrate OneDrive files. |
| Microsoft Graph | Chat.Create(Create Chat) | Application | Create chats. |
| Microsoft Graph | User.Read.All (Read all users’ full profiles) | Application | Retrieve information of chat user profiles. |
| Microsoft Graph | Chat.ReadWrite.All(Read and write all chat messages) | Application | Retrieve and migrate chat members/chat messages. |
| Microsoft Graph | TeamsTab.Create(Create tabs in Microsoft Teams) | Application | Create tabs in destination chats. |
| Microsoft Graph | TeamsTab.Read.All(Read tabs in Microsoft Teams) | Application | Retrieve tabs in destination chats. |
| Microsoft Graph | TeamsTab.ReadWriteSelfForChat.All(Allow the Teams app to manage only its own tabs for all chats) | Application | Update tabs in destination chats. |
| SharePoint | Sites.FullControl.All (Have full control of all site collections) | Application | Retrieve settings and permissions of OneDrive sites. |
| SharePoint | User.Read.All(Read user profiles) | Application | Retrieve SharePoint user profile service. |
| Azure Rights Management Services*Note: For 21Vianet tenants, the API name is Microsoft Rights Management Services. | Content.DelegatedWriter (Create protected content on behalf of a user) | Application | Only required if you want to manage the sensitivity labels of files. |
| Azure Rights Management Services*Note: For 21Vianet tenants, the API name is Microsoft Rights Management Services. | Content.Writer (Create protected content) | Application | Only required if you want to manage the sensitivity labels of files. |
For easy use, you can directly use the following commands to add required API permissions through Manifest for Microsoft 365 Commercial tenants.
"requiredResourceAccess": [
{
"resourceAppId": "00000012-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "006e763d-a822-41fc-8df5-8d3d7fe20022",
"type": "Role"
},
{
"id": "d13f921c-7f21-4c08-bade-db9d048bd0da",
"type": "Role"
}
]
},
{
"resourceAppId": "00000003-0000-0ff1-ce00-000000000000",
"resourceAccess": [
{
"id": "678536fe-1083-478a-9c59-b99265e6b0d3",
"type": "Role"
},
{
"id": "df021288-bdef-4463-88db-98f22de89214",
"type": "Role"
}
]
},
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "d9c48af6-9ad9-47ad-82c3-63757137b9af",
"type": "Role"
},
{
"id": "294ce7c9-31ba-490a-ad7d-97a7d075e4ed",
"type": "Role"
},
{
"id": "01d4889c-1287-42c6-ac1f-5d1e02578ef6",
"type": "Role"
},
{
"id": "49981c42-fd7b-4530-be03-e77b21aed25e",
"type": "Role"
},
{
"id": "46890524-499a-4bb2-ad64-1476b4f3e1cf",
"type": "Role"
},
{
"id": "9f62e4a2-a2d6-4350-b28b-d244728c4f86",
"type": "Role"
},
{
"id": "df021288-bdef-4463-88db-98f22de89214",
"type": "Role"
}
]
},
{
"resourceAppId": "870c4f2e-85b6-4d43-bdda-6ed9a579b725",
"resourceAccess": [
{
"id": "8b2071cd-015a-4025-8052-1c0dba2d3f64",
"type": "Role"
}
]
}
],