Destination Permissions for Teams

To connect to the destination, you can use service account authentication, a Fly app profile, or a custom app profile on its own as the authentication method. You can also combine service account authentication with a Fly app profile, or service account authentication with a custom app profile.

Refer to the following sections to view the permissions required by the authentication methods.

Fly App Profile Permissions

With the Tenant Owner or Service Administrator role, you can create a Fly app profile in AvePoint Online Services > Management > App management to connect to the Microsoft 365 tenant using the Fly app.

Refer to Fly App Profile Permissions for how to create a Fly app profile and for the permissions the Fly app profile requires.

NOTE

With the authentication method of the Fly app profile only, if the destination is a multi-geo tenant, and the destination Teams need to be created in a defined location, you need to assign the Microsoft 365 Global Administrator, SharePoint Administrator, or Exchange Administrator role to the Fly app. You can refer to How to Assign the Exchange Administrator Role to an App? for examples of role assignments.

NOTE

With the authentication method of the Fly app profile only, if you want to migrate Planner task comments, the consent user must have the license for Exchange Online.

Custom App Profile Permissions

With the Tenant Owner and Service Administrator role, you can create a custom app profile in AvePoint Online Services > Management > App management to connect to the Microsoft 365 tenant using a custom Azure app.

NOTE

With the authentication method of the app profile only, if you want to migrate Planner task comments, the consent user must have the license for Exchange Online.

Refer to the following procedures to create a custom app profile:

  1. Prepare a certificate in Microsoft Entra ID. Refer to Prepare a Certificate for the Custom Azure App for more information.

    You can ignore this step if you have a certificate.

  2. Create a custom Azure app in Microsoft Entra ID. Refer to Create Custom Azure Applications for more information.

  3. Connect your tenant to AvePoint Online Services.

  4. Create an App Profile for a Custom Azure App in AvePoint Online Services.

NOTE

If permissions were updated, wait about one hour after you re-authorize the app profile before using it for your migration, so that the token is refreshed.

Refer to the following tables to add API permissions required by Microsoft Teams Migration to the custom Azure app.

Required by Commercial Tenants

| API | Permission | Type | Purpose |
|---|---|---|---|
| Microsoft Information Protection Sync Service | UnifiedPolicy.Tenant.Read (Read all unified policies of the tenant.) | Application | Only required if you want to manage the sensitivity labels of files/emails/Teams. |
| Microsoft Graph | Directory.ReadWrite.All (Read and write directory data) | Application | Only required if the destination tenant is a multi-geo tenant and the destination Teams need to be created in a defined location. Alternatively, you can assign the Microsoft 365 Global Administrator, SharePoint Administrator, or Exchange Administrator role to the custom app. You can refer to How to Assign the Exchange Administrator Role to an App? for examples of role assignment. |
| Microsoft Graph | Domain.Read.All (Read domains) | Application | Read domains. |
| Microsoft Graph | EduRoster.ReadWrite.All (Read and write the organization's roster) | Application | Only required if you want to migrate education features. Allows the app to read and write the structure of schools and classes in the organization's roster and education-specific information about all users to be read and written. |
| Microsoft Graph | EduAssignments.ReadWrite.All (Create, read, update and delete all class assignments with grades) | Application | Only required if you want to migrate education features. Allows the app to create, read, update and delete all class assignments with grades for all users. |
| Microsoft Graph | EduCurricula.ReadWrite.All (Read and write all class modules and resources) | Application | Only required if you want to migrate education features. Allows the app to read and write all modules and resources. |
| Microsoft Graph | RoleManagement.Read.Directory (Read all directory RBAC settings) | Application | Retrieve directory roles. |
| Microsoft Graph | Group.ReadWrite.All (Read and write all groups) | Application | Migrate Microsoft 365 Groups and Group data. |
| Microsoft Graph | Sites.ReadWrite.All (Read and write items in all site collections) | Application | Migrate channel folders and files of team sites and private/shared channels’ site collections. |
| Microsoft Graph | User.Read.All (Read all users’ full profiles) | Application | Retrieve information on Microsoft 365 user profiles. |
| Microsoft Graph | InformationProtectionPolicy.Read.All (Read all published labels and label policies for an organization) | Application | Only required if you want to manage the sensitivity labels of files/emails/Teams. |
| Microsoft Graph | ChannelMember.ReadWrite.All (Add and remove members from all channels) | Application | Migrate private/shared channel members. |
| Microsoft Graph | Teamwork.Migrate.All (Create chat and channel messages with anyone’s identity and with any timestamp) | Application | Create Teams and channels, and migrate channel messages with any message sender and timestamp. |
| Microsoft Graph | TeamworkTag.ReadWrite.All (Read and write tags in Teams) | Application | Migrate tags. |
| Microsoft Graph | TeamMember.ReadWrite.All (Add and remove members from all teams) | Application | Migrate team members. |
| Microsoft Graph | Channel.Create (Create channels) | Application | Create channels. |
| Microsoft Graph | ChannelSettings.ReadWrite.All (Read and write the names, descriptions, and settings of all channels) | Application | Migrate channel settings. |
| Microsoft Graph | Team.Create (Create teams) | Application | Create Teams. |
| Microsoft Graph | TeamSettings.ReadWrite.All (Read and change all teams’ settings) | Application | Migrate Team settings. |
| Microsoft Graph | TeamsAppInstallation.ReadWriteForTeam.All (Manage Teams apps for all teams) | Application | Migrate Team apps. |
| Microsoft Graph | TeamsTab.ReadWriteForTeam.All (Allow the Teams app to manage all tabs for all teams) | Application | Migrate Team tabs. |
| Microsoft Graph | Schedule.ReadWrite.All (Read and write all schedule items) | Application | Migrate Teams Shifts app data. |
| Microsoft Graph | Reports.Read.All (Read all usage reports) | Application | Only required by tenant discovery. |
| Microsoft Graph | Tasks.ReadWrite.All (Read and write all users’ tasks and tasklists) | Application | Migrate planners and data in planners to the destination. |
| Microsoft Graph | TeamsAppInstallation.ReadWriteAndConsentForTeam.All | Application | Manage installation and permission grants of Teams apps for all teams. |
| Microsoft Graph | ReportSettings.Read.All (Read all admin report settings) | Application | Retrieve the Reports setting of the Microsoft 365 admin center. |
| Azure Rights Management Services | Content.DelegatedWriter (Create protected content on behalf of a user) | Application | Only required if you want to manage the sensitivity labels of files/emails/Teams. |
| Azure Rights Management Services | Content.Writer (Create protected content) | Application | Only required if you want to manage the sensitivity labels of files/emails/Teams. |
| Office 365 Exchange Online | Exchange.ManageAsApp (Manage Exchange As Application) | Application | Use Exchange PowerShell to retrieve mailbox permissions. |
| Office 365 Exchange Online | Full_access_as_app (Use Exchange Web Services with full access to all mailboxes) | Application | Retrieve items from all mailboxes. *Note: If you do not want to add this permission to the app, you can create an RBAC assignment for the app to access only specified mailboxes. Refer to option 3 in the How to Migrate Mailboxes without the ApplicationImpersonation Role? section for details. |
| SharePoint/Office 365 SharePoint Online | Sites.FullControl.All (Have full control of all site collections) | Application | Retrieve settings and permissions of team sites. |
| SharePoint/Office 365 SharePoint Online | TermStore.ReadWrite.All (Read and write managed metadata) | Application | Retrieve and migrate Managed Metadata Service. *Note: If the term groups/term sets/terms with the same name and level (global or local level) as the source ones exist in the destination, you can change this permission to TermStore.Read.All. |

For convenience, you can add the required API permissions directly through the app manifest by using the following JSON.

"requiredResourceAccess": [
  {
    "resourceAppId": "00000003-0000-0000-c000-000000000000",
    "resourceAccess": [
      {
        "id": "f3a65bd4-b703-46df-8f7e-0174fea562aa",
        "type": "Role"
      },
      {
        "id": "35930dcf-aceb-4bd1-b99a-8ffed403c974",
        "type": "Role"
      },
      {
        "id": "243cded2-bd16-4fd6-a953-ff8177894c3d",
        "type": "Role"
      },
      {
        "id": "19dbc75e-c2e2-444c-a770-ec69d8559fc7",
        "type": "Role"
      },
      {
        "id": "0d22204b-6cad-4dd0-8362-3e3f2ae699d9",
        "type": "Role"
      },
      {
        "id": "6a0c2318-d59d-4c7d-bf2e-5f3902dc2593",
        "type": "Role"
      },
      {
        "id": "d1808e82-ce13-47af-ae0d-f9b254e6d58a",
        "type": "Role"
      },
      {
        "id": "dbb9058a-0e50-45d7-ae91-66909b5d4664",
        "type": "Role"
      },
      {
        "id": "62a82d76-70ea-41e2-9197-370581804d09",
        "type": "Role"
      },
      {
        "id": "19da66cb-0fb0-4390-b071-ebc76a349482",
        "type": "Role"
      },
      {
        "id": "230c1aed-a721-4c5d-9cb4-a90514e508ef",
        "type": "Role"
      },
      {
        "id": "ee353f83-55ef-4b78-82da-555bfa2b4b95",
        "type": "Role"
      },
      {
        "id": "483bed4a-2ad3-4361-a73b-c83ccdbdc53c",
        "type": "Role"
      },
      {
        "id": "b7760610-0545-4e8a-9ec3-cce9e63db01c",
        "type": "Role"
      },
      {
        "id": "9492366f-7969-46a4-8d15-ed1a20078fff",
        "type": "Role"
      },
      {
        "id": "44e666d1-d276-445b-a5fc-8815eeb81d55",
        "type": "Role"
      },
      {
        "id": "23fc2474-f741-46ce-8465-674744c5c361",
        "type": "Role"
      },
      {
        "id": "0121dc95-1b9f-4aed-8bac-58c5ac466691",
        "type": "Role"
      },
      {
        "id": "5dad17ba-f6cc-4954-a5a2-a0dcc95154f0",
        "type": "Role"
      },
      {
        "id": "bdd80a03-d9bc-451d-b7c4-ce7c63fe3c8f",
        "type": "Role"
      },
      {
        "id": "6163d4f4-fbf8-43da-a7b4-060fe85ed148",
        "type": "Role"
      },
      {
        "id": "dfb0dd15-61de-45b2-be36-d6a69fba3c79",
        "type": "Role"
      },
      {
        "id": "a3371ca5-911d-46d6-901c-42c8c7a937d8",
        "type": "Role"
      },
      {
        "id": "b0c13be0-8e20-4bc5-8c55-963c23a39ce9",
        "type": "Role"
      },
      {
        "id": "df021288-bdef-4463-88db-98f22de89214",
        "type": "Role"
      }
    ]
  },
  {
    "resourceAppId": "00000012-0000-0000-c000-000000000000",
    "resourceAccess": [
      {
        "id": "d13f921c-7f21-4c08-bade-db9d048bd0da",
        "type": "Role"
      },
      {
        "id": "006e763d-a822-41fc-8df5-8d3d7fe20022",
        "type": "Role"
      }
    ]
  },
  {
    "resourceAppId": "00000003-0000-0ff1-ce00-000000000000",
    "resourceAccess": [
      {
        "id": "c8e3537c-ec53-43b9-bed3-b2bd3617ae97",
        "type": "Role"
      },
      {
        "id": "678536fe-1083-478a-9c59-b99265e6b0d3",
        "type": "Role"
      }
    ]
  },
  {
    "resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
    "resourceAccess": [
      {
        "id": "dc890d15-9560-4a4c-9b7f-a736ec74ec40",
        "type": "Role"
      },
      {
        "id": "dc50a0fb-09a3-484d-be87-e023b12c6440",
        "type": "Role"
      }
    ]
  },
  {
    "resourceAppId": "870c4f2e-85b6-4d43-bdda-6ed9a579b725",
    "resourceAccess": [
      {
        "id": "8b2071cd-015a-4025-8052-1c0dba2d3f64",
        "type": "Role"
      }
    ]
  }
],

Required by GCC High Tenants

| API | Permission | Type | Purpose |
|---|---|---|---|
| Microsoft Information Protection Sync Service | UnifiedPolicy.Tenant.Read (Read all unified policies of the tenant) | Application | Only required if you want to manage the sensitivity labels of files/emails/Teams. |
| Microsoft Graph | Domain.Read.All (Read domains) | Application | Retrieve domains. |
| Microsoft Graph | EduRoster.ReadWrite.All (Read and write the organization's roster) | Application | Only required if you want to migrate education features. Allows the app to read and write the structure of schools and classes in the organization's roster and education-specific information about all users to be read and written. |
| Microsoft Graph | EduAssignments.ReadWrite.All (Create, read, update and delete all class assignments with grades) | Application | Only required if you want to migrate education features. Allows the app to create, read, update and delete all class assignments with grades for all users. |
| Microsoft Graph | EduCurricula.ReadWrite.All (Read and write all class modules and resources) | Application | Only required if you want to migrate education features. Allows the app to read and write all modules and resources. |
| Microsoft Graph | RoleManagement.Read.Directory (Read all directory RBAC settings) | Application | Retrieve directory roles. |
| Microsoft Graph | Group.ReadWrite.All (Read and write all groups) | Application | Migrate Microsoft 365 Groups and Group data. |
| Microsoft Graph | Sites.ReadWrite.All (Read and write items in all site collections) | Application | Migrate channel folders and files of team sites and private/shared channels’ site collections. |
| Microsoft Graph | User.Read.All (Read all users’ full profiles) | Application | Retrieve information of Microsoft 365 user profiles. |
| Microsoft Graph | InformationProtectionPolicy.Read.All (Read all published labels and label policies for an organization) | Application | Only required if you want to manage the sensitivity labels of files/emails/Teams. |
| Microsoft Graph | ChannelMember.ReadWrite.All (Add and remove members from all channels) | Application | Migrate private/shared channel members. |
| Microsoft Graph | Teamwork.Migrate.All (Create chat and channel messages with anyone’s identity and with any timestamp) | Application | Create Teams and channels, and migrate channel messages with any message sender and timestamp. |
| Microsoft Graph | TeamMember.ReadWrite.All (Add and remove members from all teams) | Application | Migrate team members. |
| Microsoft Graph | Channel.Create (Create channels) | Application | Create channels. |
| Microsoft Graph | ChannelSettings.ReadWrite.All (Read and write the names, descriptions, and settings of all channels) | Application | Migrate channel settings. |
| Microsoft Graph | Team.Create (Create teams) | Application | Create Teams. |
| Microsoft Graph | TeamSettings.ReadWrite.All (Read and change all teams’ settings) | Application | Migrate Team settings. |
| Microsoft Graph | TeamsAppInstallation.ReadWriteForTeam.All (Manage Teams apps for all teams) | Application | Migrate Team apps. |
| Microsoft Graph | TeamsTab.ReadWriteForTeam.All (Allow the Teams app to manage all tabs for all teams) | Application | Migrate Team tabs. |
| Microsoft Graph | Reports.Read.All (Read all usage reports) | Application | Only required by tenant discovery. |
| Microsoft Graph | Tasks.ReadWrite.All (Read and write all users’ tasks and tasklists) | Application | Migrate planners and data in planners to the destination. |
| Microsoft Graph | ReportSettings.Read.All (Read all admin report settings) | Application | Retrieve the Reports setting of the Microsoft 365 admin center. |
| Microsoft Graph | TeamsAppInstallation.ReadWriteAndConsentForTeam.All | Application | Manage installation and permission grants of Teams apps for all teams. |
| Microsoft Graph | TeamworkTag.ReadWrite.All (Read and write tags in Teams) | Application | Migrate tags. |
| Azure Rights Management Services | Content.DelegatedWriter (Create protected content on behalf of a user) | Application | Only required if you want to manage the sensitivity labels of files/emails/Teams. |
| Azure Rights Management Services | Content.Writer (Create protected content) | Application | Only required if you want to manage the sensitivity labels of files/emails/Teams. |
| Office 365 Exchange Online | Exchange.ManageAsApp (Manage Exchange As Application) | Application | Use Exchange PowerShell to retrieve mailbox permissions. |
| Office 365 Exchange Online | Full_access_as_app (Use Exchange Web Services with full access to all mailboxes) | Application | Retrieve items from all mailboxes. *Note: If you do not want to add this permission to the app, you can create an RBAC assignment for the app to access only specified mailboxes. Refer to option 3 in the How to Migrate Mailboxes without the ApplicationImpersonation Role? section for details. |
| SharePoint/Office 365 SharePoint Online | Sites.FullControl.All (Have full control of all site collections) | Application | Retrieve settings and permissions of team sites. |
| SharePoint/Office 365 SharePoint Online | TermStore.ReadWrite.All (Read and write managed metadata) | Application | Retrieve and migrate Managed Metadata Service. *Note: If the term groups/term sets/terms with the same name and level (global or local level) as the source ones exist in the destination, you can change this permission to TermStore.Read.All. |

For convenience, you can add the required API permissions directly through the app manifest by using the following JSON.

"requiredResourceAccess": [
  {
    "resourceAppId": "00000003-0000-0000-c000-000000000000",
    "resourceAccess": [
      {
        "id": "a3371ca5-911d-46d6-901c-42c8c7a937d8",
        "type": "Role"
      },
      {
        "id": "f3a65bd4-b703-46df-8f7e-0174fea562aa",
        "type": "Role"
      },
      {
        "id": "35930dcf-aceb-4bd1-b99a-8ffed403c974",
        "type": "Role"
      },
      {
        "id": "0d22204b-6cad-4dd0-8362-3e3f2ae699d9",
        "type": "Role"
      },
      {
        "id": "6a0c2318-d59d-4c7d-bf2e-5f3902dc2593",
        "type": "Role"
      },
      {
        "id": "d1808e82-ce13-47af-ae0d-f9b254e6d58a",
        "type": "Role"
      },
      {
        "id": "243cded2-bd16-4fd6-a953-ff8177894c3d",
        "type": "Role"
      },
      {
        "id": "dbb9058a-0e50-45d7-ae91-66909b5d4664",
        "type": "Role"
      },
      {
        "id": "62a82d76-70ea-41e2-9197-370581804d09",
        "type": "Role"
      },
      {
        "id": "19da66cb-0fb0-4390-b071-ebc76a349482",
        "type": "Role"
      },
      {
        "id": "230c1aed-a721-4c5d-9cb4-a90514e508ef",
        "type": "Role"
      },
      {
        "id": "925396cc-885d-40f4-89e6-450b1f192955",
        "type": "Role"
      },
      {
        "id": "483bed4a-2ad3-4361-a73b-c83ccdbdc53c",
        "type": "Role"
      },
      {
        "id": "9492366f-7969-46a4-8d15-ed1a20078fff",
        "type": "Role"
      },
      {
        "id": "c27188eb-10e6-47e2-8de2-ce88860916ac",
        "type": "Role"
      },
      {
        "id": "23fc2474-f741-46ce-8465-674744c5c361",
        "type": "Role"
      },
      {
        "id": "0121dc95-1b9f-4aed-8bac-58c5ac466691",
        "type": "Role"
      },
      {
        "id": "5dad17ba-f6cc-4954-a5a2-a0dcc95154f0",
        "type": "Role"
      },
      {
        "id": "bdd80a03-d9bc-451d-b7c4-ce7c63fe3c8f",
        "type": "Role"
      },
      {
        "id": "6163d4f4-fbf8-43da-a7b4-060fe85ed148",
        "type": "Role"
      },
      {
        "id": "b0c13be0-8e20-4bc5-8c55-963c23a39ce9",
        "type": "Role"
      },
      {
        "id": "dfb0dd15-61de-45b2-be36-d6a69fba3c79",
        "type": "Role"
      },
      {
        "id": "df021288-bdef-4463-88db-98f22de89214",
        "type": "Role"
      }
    ]
  },
  {
    "resourceAppId": "00000012-0000-0000-c000-000000000000",
    "resourceAccess": [
      {
        "id": "d13f921c-7f21-4c08-bade-db9d048bd0da",
        "type": "Role"
      },
      {
        "id": "006e763d-a822-41fc-8df5-8d3d7fe20022",
        "type": "Role"
      }
    ]
  },
  {
    "resourceAppId": "870c4f2e-85b6-4d43-bdda-6ed9a579b725",
    "resourceAccess": [
      {
        "id": "8b2071cd-015a-4025-8052-1c0dba2d3f64",
        "type": "Role"
      }
    ]
  },
  {
    "resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
    "resourceAccess": [
      {
        "id": "dc890d15-9560-4a4c-9b7f-a736ec74ec40",
        "type": "Role"
      },
      {
        "id": "dc50a0fb-09a3-484d-be87-e023b12c6440",
        "type": "Role"
      }
    ]
  },
  {
    "resourceAppId": "00000003-0000-0ff1-ce00-000000000000",
    "resourceAccess": [
      {
        "id": "c8e3537c-ec53-43b9-bed3-b2bd3617ae97",
        "type": "Role"
      },
      {
        "id": "678536fe-1083-478a-9c59-b99265e6b0d3",
        "type": "Role"
      }
    ]
  }
],

Required by 21Vianet Tenants

| API | Permission | Type | Purpose |
|---|---|---|---|
| Microsoft Graph | Domain.Read.All (Read domains) | Application | Retrieve domains. |
| Microsoft Graph | EduRoster.ReadWrite.All (Read and write the organization's roster) | Application | Only required if you want to migrate education features. Allows the app to read and write the structure of schools and classes in the organization's roster and education-specific information about all users to be read and written. |
| Microsoft Graph | EduAssignments.ReadWrite.All (Create, read, update and delete all class assignments with grades) | Application | Only required if you want to migrate education features. Allows the app to create, read, update and delete all class assignments with grades for all users. |
| Microsoft Graph | EduCurricula.ReadWrite.All (Read and write all class modules and resources) | Application | Only required if you want to migrate education features. Allows the app to read and write all modules and resources. |
| Microsoft Graph | RoleManagement.Read.Directory (Read all directory RBAC settings) | Application | Retrieve directory roles. |
| Microsoft Graph | Group.ReadWrite.All (Read and write all groups) | Application | Migrate Microsoft 365 Groups and Group data. |
| Microsoft Graph | Sites.ReadWrite.All (Read and write items in all site collections) | Application | Migrate channel folders and files of team sites and private/shared channels’ site collections. |
| Microsoft Graph | User.Read.All (Read all users’ full profiles) | Application | Retrieve information of Microsoft 365 user profiles. |
| Microsoft Graph | ChannelMember.ReadWrite.All (Add and remove members from all channels) | Application | Migrate private/shared channel members. |
| Microsoft Graph | Teamwork.Migrate.All (Create chat and channel messages with anyone’s identity and with any timestamp) | Application | Create Teams and channels, and migrate channel messages with any message sender and timestamp. |
| Microsoft Graph | TeamworkTag.ReadWrite.All (Read and write tags in Teams) | Application | Migrate tags. |
| Microsoft Graph | TeamMember.ReadWrite.All (Add and remove members from all teams) | Application | Migrate team members. |
| Microsoft Graph | Channel.Create (Create channels) | Application | Create channels. |
| Microsoft Graph | ChannelSettings.ReadWrite.All (Read and write the names, descriptions, and settings of all channels) | Application | Migrate channel settings. |
| Microsoft Graph | Team.Create (Create teams) | Application | Create Teams. |
| Microsoft Graph | TeamSettings.ReadWrite.All (Read and change all teams’ settings) | Application | Migrate Team settings. |
| Microsoft Graph | TeamsAppInstallation.ReadWriteForTeam.All (Manage Teams apps for all teams) | Application | Migrate Team apps. |
| Microsoft Graph | TeamsTab.ReadWriteForTeam.All (Allow the Teams app to manage all tabs for all teams) | Application | Migrate Team tabs. |
| Office 365 Exchange Online | Exchange.ManageAsApp (Manage Exchange As Application) | Application | Use Exchange PowerShell to retrieve mailbox permissions. |
| Office 365 Exchange Online | Full_access_as_app (Use Exchange Web Services with full access to all mailboxes) | Application | Retrieve items from all mailboxes. *Note: If you do not want to add this permission to the app, you can create an RBAC assignment for the app to access only specified mailboxes. Refer to option 3 in the How to Migrate Mailboxes without the ApplicationImpersonation Role? section for details. |
| SharePoint/Office 365 SharePoint Online | Sites.FullControl.All (Have full control of all site collections) | Application | Retrieve settings and permissions of team sites. |
| SharePoint/Office 365 SharePoint Online | TermStore.ReadWrite.All (Read and write managed metadata) | Application | Retrieve and migrate Managed Metadata Service. *Note: If the term groups/term sets/terms with the same name and level (global or local level) as the source ones exist in the destination, you can change this permission to TermStore.Read.All. |

For convenience, you can add the required API permissions directly through the app manifest by using the following JSON:

"requiredResourceAccess": [
 {
   "resourceAppId": "00000003-0000-0000-c000-000000000000",
   "resourceAccess": [
     {
       "id": "8ec18291-78b7-4fa1-aaa7-0a5d10d00579",
       "type": "Role"
     },
     {
       "id": "8c07be71-1e68-4c34-9ddc-a9dcdb316eb7",
       "type": "Role"
     },
     {
       "id": "2da62ce8-5a78-495e-9e9c-369817e4c130",
       "type": "Role"
     },
     {
       "id": "b8b3793a-307b-47a7-8f35-2168c3bdbce3",
       "type": "Role"
     },
     {
       "id": "62a82d76-70ea-41e2-9197-370581804d09",
       "type": "Role"
     },
     {
       "id": "0d22204b-6cad-4dd0-8362-3e3f2ae699d9",
       "type": "Role"
     },
     {
       "id": "6a0c2318-d59d-4c7d-bf2e-5f3902dc2593",
       "type": "Role"
     },
     {
       "id": "d1808e82-ce13-47af-ae0d-f9b254e6d58a",
       "type": "Role"
     },
     {
       "id": "483bed4a-2ad3-4361-a73b-c83ccdbdc53c",
       "type": "Role"
     },
     {
       "id": "e6a20c00-0962-428c-b0b8-bf53df771ac7",
       "type": "Role"
     },
     {
       "id": "d18bc5b2-cc48-476b-9623-15bc9b2d3ea6",
       "type": "Role"
     },
     {
       "id": "86259e93-a26b-4320-813f-00dcf11b9997",
       "type": "Role"
     },
     {
       "id": "a7c89ead-d188-443d-8f10-e28dc093b303",
       "type": "Role"
     },
     {
       "id": "4c57df52-0e14-43e0-9301-b05870243e1b",
       "type": "Role"
     },
     {
       "id": "ab53b2e5-a78e-4617-9194-5e730eb33730",
       "type": "Role"
     },
     {
       "id": "9752a293-c45f-4bee-9a9a-5f728c80c276",
       "type": "Role"
     },
     {
       "id": "392dfd33-fd79-41a3-8b29-0ce91d4a20d2",
       "type": "Role"
     },
     {
       "id": "df021288-bdef-4463-88db-98f22de89214",
       "type": "Role"
     }
   ]
 },
 {
   "resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
   "resourceAccess": [
     {
       "id": "dc890d15-9560-4a4c-9b7f-a736ec74ec40",
       "type": "Role"
     },
     {
       "id": "dc50a0fb-09a3-484d-be87-e023b12c6440",
       "type": "Role"
     }
   ]
 },
 {
   "resourceAppId": "00000003-0000-0ff1-ce00-000000000000",
   "resourceAccess": [
     {
       "id": "678536fe-1083-478a-9c59-b99265e6b0d3",
       "type": "Role"
     },
     {
       "id": "c8e3537c-ec53-43b9-bed3-b2bd3617ae97",
       "type": "Role"
     }
   ]
 }
]
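
The manifest fragments in the three sections above grant tenant-wide application permissions, so it is worth checking what is actually pasted into the app. The following is an added example, not AvePoint's or Microsoft's code: it lints a requiredResourceAccess fragment, diffs an app's manifest against an approved baseline, and lists the two grants the tables describe as conditional when the tenant setup does not need them. The function names are hypothetical, the sample fragments are constructed from IDs in the manifests above, and the names given to the two conditional IDs follow Microsoft's published permission IDs.

```python
import json
import re

GUID = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
GRAPH = "00000003-0000-0000-c000-000000000000"
EXCHANGE = "00000002-0000-0ff1-ce00-000000000000"

# Grants the tables above mark as conditional (names per Microsoft's published IDs).
CONDITIONAL = {
    (GRAPH, "19dbc75e-c2e2-444c-a770-ec69d8559fc7"): "Directory.ReadWrite.All",
    (EXCHANGE, "dc890d15-9560-4a4c-9b7f-a736ec74ec40"): "full_access_as_app",
}

# Constructed sample fragments (not a complete migration manifest).
BASELINE = '''
"requiredResourceAccess": [
  {"resourceAppId": "00000003-0000-0000-c000-000000000000",
   "resourceAccess": [
     {"id": "62a82d76-70ea-41e2-9197-370581804d09", "type": "Role"},
     {"id": "df021288-bdef-4463-88db-98f22de89214", "type": "Role"}]},
  {"resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
   "resourceAccess": [
     {"id": "dc50a0fb-09a3-484d-be87-e023b12c6440", "type": "Role"}]}
],
'''
ACTUAL = '''
"requiredResourceAccess": [
  {"resourceAppId": "00000003-0000-0000-c000-000000000000",
   "resourceAccess": [
     {"id": " 62a82d76-70ea-41e2-9197-370581804d09", "type": "Role"},
     {"id": "19dbc75e-c2e2-444c-a770-ec69d8559fc7", "type": "Role"}]},
  {"resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
   "resourceAccess": [
     {"id": "dc50a0fb-09a3-484d-be87-e023b12c6440", "type": "Role"},
     {"id": "dc890d15-9560-4a4c-9b7f-a736ec74ec40", "type": "Role"}]}
],
'''
# Same as BASELINE with one comma dropped between two permission objects.
BROKEN = BASELINE.replace('"Role"},\n     {"id": "df', '"Role"}\n     {"id": "df')


def parse_fragment(text):
    """Parse a pasted '"requiredResourceAccess": [ ... ],' manifest fragment."""
    body = text.strip().rstrip(",")
    try:
        return json.loads("{" + body + "}")["requiredResourceAccess"]
    except json.JSONDecodeError as exc:
        # Line numbers count from the first non-blank line of the fragment.
        raise ValueError(f"invalid JSON at line {exc.lineno}: {exc.msg}") from exc


def lint(entries):
    """Report malformed GUIDs, unexpected types and duplicate grants."""
    problems, seen = [], set()
    for res in entries:
        rid = res.get("resourceAppId", "")
        if not GUID.fullmatch(rid):
            problems.append(f"malformed resourceAppId {rid!r}")
        for acc in res.get("resourceAccess", []):
            pid, kind = acc.get("id", ""), acc.get("type")
            if not GUID.fullmatch(pid):
                problems.append(f"malformed permission id {pid!r}")
            if kind not in ("Role", "Scope"):
                problems.append(f"unexpected type {kind!r} for {pid!r}")
            key = (rid.strip().lower(), pid.strip().lower(), kind)
            if key in seen:
                problems.append(f"duplicate grant {pid.strip()!r}")
            seen.add(key)
    return problems


def grants(entries):
    """Normalised set of (resourceAppId, permission id, type) tuples."""
    return {(r["resourceAppId"].strip().lower(), a["id"].strip().lower(), a["type"])
            for r in entries for a in r["resourceAccess"]}


def drift(baseline, actual):
    """Return (grants only in actual, grants only in baseline), both sorted."""
    b, a = grants(baseline), grants(actual)
    return sorted(a - b), sorted(b - a)


def unneeded(entries, multi_geo, mailbox_rbac):
    """Conditional grants present although this tenant setup does not need them."""
    needed = {"Directory.ReadWrite.All": multi_geo,
              "full_access_as_app": not mailbox_rbac}
    present = {(r, p) for r, p, _ in grants(entries)}
    return sorted(n for k, n in CONDITIONAL.items() if k in present and not needed[n])


if __name__ == "__main__":
    actual = parse_fragment(ACTUAL)
    print("lint:", lint(actual))
    extra, missing = drift(parse_fragment(BASELINE), actual)
    print("extra:", extra)
    print("missing:", missing)
    print("unneeded:", unneeded(actual, multi_geo=False, mailbox_rbac=True))
```
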

Service Account Permissions

If you only use service account authentication for destination Teams, the service account must meet the following requirements:

NOTE

Users with Multi-Factor Authentication (MFA) enabled cannot be used as the service account to perform migrations. You can use a delegated app profile instead.

Additionally, Microsoft has updated API permissions for Microsoft Teams migration. Once the old permissions are deprecated, we recommend you use a delegated app profile to migrate conversations and other Teams data.

  • Licenses for Exchange Online and Microsoft Teams

    NOTE

    To assign the licenses to the service account, go to the Microsoft 365 admin center > Users > Active users, and select Exchange Online and Microsoft Teams under the Licenses and apps tab of the service account.

  • If the destination is a Microsoft 365 Multi-Geo tenant, the destination service account must be Microsoft 365 Global Administrator, SharePoint Administrator, or Exchange Administrator.

  • If the source and destination are both Microsoft Education tenants, and you want to migrate source Class Teams, make sure the destination service account has a Faculty license, can create a Class Team, and can see the Class Materials folder under the Files tab before the migration.

    NOTE

    If the destination Team does not have any admin roles, we recommend you run the migration job 12 hours after the actions above are finished. Otherwise, the migration of conversations as messages will fail.

  • Team owner of destination Teams, and channel owner of destination private/shared channels

    You can manually add the service account as the team/channel owner. For convenience, if you grant the Teams Administrator or Global Administrator role to the service account, Fly can automatically add the service account as the team/channel owner as well as the owner and member of the Microsoft 365 Group associated with the Team.

    NOTE

    If your destination Teams/channels do not exist before the migration and Fly needs to create them during the migration, the service account only needs to be a Microsoft 365 user. Fly will automatically add the service account as the Team/channel owner.

    After the migration, you can remove the service account from the group owners using PowerShell or block the service account directly. To remove the account, refer to Remove the Service Account for details. To block the account, go to Microsoft 365 Admin Center > Users and click the display name of the user. Click the Block this user icon, select Block the user from signing in, and save the changes.

  • If the service account is SharePoint Administrator or Global Administrator, during the full migration job, the service account will be automatically added as Site Collection Administrator of the team sites of destination Teams/private channels/shared channels. After the migration, you can remove the service account from the team sites.

  • If you want to migrate channel tabs and your destination connection only has the service account configured, the destination service account must be the Teams Administrator.

  • If the number of tasks to be migrated across source Teams in the same tenant exceeds 1500, we recommend that you use multiple service accounts for the destination to ensure that all source tasks can be migrated to the destination.

  • Service account pool is no longer available in migrations. If you have used the service account pool for the destination before, and you want to continue using the service account pool, you can select multiple service accounts when creating Teams connections, and make sure all selected service accounts meet the requirements mentioned above.

What permissions are required if I also use an app profile?

If you use both service account and app profile authentications for destination Teams, the service account must meet the following requirements:

NOTE

Users with Multi-Factor Authentication (MFA) enabled cannot be used as the service account to perform migrations. You can use a delegated app profile instead.

  • Licenses for Exchange Online and Microsoft Teams

    NOTE

    To assign the licenses to the service account, go to the Microsoft 365 admin center > Users > Active users, and select Exchange Online and Microsoft Teams under the Licenses and apps tab of the service account.

  • If the destination is a Microsoft 365 Multi-Geo tenant, the destination service account must be Microsoft 365 Global Administrator, SharePoint Administrator, or Exchange Administrator.

  • If the source and destination are both Microsoft Education tenants, and you want to migrate source Class Teams, make sure the destination service account can create a Class Team and can see the Class Materials folder under the Files tab before the migration.

    NOTE

    If the destination Team does not have any admin roles, we recommend you run the migration job 12 hours after the actions above are finished. Otherwise, the migration of conversations as messages will fail.

  • Normally, when migrating to Teams and private/shared channels, the service account needs to be the corresponding team owner and channel owner.

    With the app profile in the connection, you do not need to manually add the team owner and channel owner. Fly will automatically add the service account as the team/channel owner as well as the owner and member of the Microsoft 365 Group associated with the Team.

    After the migration, you can block the service account directly. To block the account, go to Microsoft 365 Admin Center > Users and click the display name of the user. Click the Block this user icon, select Block the user from signing in, and save the changes.

  • During the full migration job, the service account will be automatically added as Site Collection Administrator of the team sites of destination Teams/private channels/shared channels. After the migration, you can remove the service account from the team sites.

  • The service account pool is no longer available in migrations. If you previously used the service account pool for the destination and want to continue using it, select multiple service accounts when creating Teams connections, and make sure all selected service accounts meet the requirements mentioned above.

Delegated App Profile Permissions

Fly allows you to use the Fly delegated app profile or custom delegated app profile to connect to your workspace.

NOTE

The license and permission requirements for the consent user are the same as those for the service account. For details, refer to Service Account Permissions.

NOTE

If the consent user of the delegated app profile has Multi-Factor Authentication (MFA) enabled, you must authorize or re-authorize the delegated app profile after MFA is enabled. Otherwise, the migration jobs using the delegated app profile will fail.

NOTE

With the authentication method of the app profile only, if you want to migrate Planner task comments, the consent user must have the license for Exchange Online.

NOTE

If you re-authorize the app profile after its permissions are updated, wait about one hour before using the app profile for your migration so that the token can be refreshed.

The steps for creating a default or custom delegated app profile for the destination are the same as the steps in Delegated App Profile Permissions for the source.

For Fly delegated app profile permissions, refer to the table in Fly Delegated App Profile Permissions.

For custom delegated app profile permissions of different tenants, refer to the sections below.

NOTE

If you use the custom delegated app profile to create Teams in a specific location of the destination multi-geo tenant, you need to assign the Microsoft 365 Global Administrator, SharePoint Administrator, or Exchange Administrator role to the app. Refer to How to Assign the Exchange Administrator Role to an App? for examples of role assignment.

Custom Delegated App Profile (Commercial Tenants)

Make sure the custom delegated app profile has the following permissions.

| API | Permission | Type | Purpose |
|---|---|---|---|
| Microsoft Information Protection Sync Service | UnifiedPolicy.User.Read (Read all unified policies a user has access to) | Delegated | Only required if you want to manage the sensitivity labels of files/emails/Teams. |
| Azure Rights Management Services | user_impersonation (Create and access protected content for users) | Delegated | Only required if you want to manage the sensitivity labels of files/emails/Teams. |
| SharePoint | AllSites.FullControl (Have full control of all site collections) | Delegated | Retrieve settings and permissions of team sites. |
| SharePoint | TermStore.ReadWrite.All (Read managed metadata) | Delegated | Retrieve and migrate Managed Metadata Service. |
| Office 365 Exchange Online | EWS.AccessAsUser.All (Access mailboxes as the signed-in user via Exchange Web Services) | Delegated | Access mailboxes as the signed-in user via Exchange Web Services. |
| Office 365 Exchange Online | Exchange.Manage (Manage Exchange configuration) | Delegated | Use Exchange PowerShell to retrieve mailbox permissions. |
| Microsoft Graph | Directory.ReadWrite.All | Delegated | Only required if the destination is a multi-geo tenant and the destination Teams need to be created in a defined location. |
| Microsoft Graph | Domain.Read.All (Read domains) | Delegated | Retrieve domains. |
| Microsoft Graph | EduAssignments.ReadWrite (Read and write users' class assignments and their grades) | Delegated | Only required if you want to migrate education features. Allows the app to read and write assignments and their grades. |
| Microsoft Graph | EduCurricula.ReadWrite (Read and write the user's class modules and resources) | Delegated | Only required if you want to migrate education features. Allows the app to read and write user's modules and resources. |
| Microsoft Graph | RoleManagement.Read.Directory (Read directory RBAC settings) | Delegated | Retrieve directory roles. |
| Microsoft Graph | Group.ReadWrite.All (Read and write all groups) | Delegated | Migrate Microsoft 365 Groups and group data. |
| Microsoft Graph | Sites.Read.All (Read items in all site collections) | Delegated | Retrieve channel folders and files of team sites and private channels’ site collections. |
| Microsoft Graph | Files.ReadWrite (Have full access to user files and files shared with user) | Delegated | Migrate channel folders and files of team sites and private/shared channels’ site collections. |
| Microsoft Graph | User.Read.All (Read all users’ full profiles) | Delegated | Retrieve information of Microsoft 365 user profiles. |
| Microsoft Graph | ChannelMember.ReadWrite.All (Add and remove members from all channels) | Delegated | Migrate private/shared channel members. |
| Microsoft Graph | TeamworkTag.ReadWrite (Read and write tags in Teams) | Delegated | Migrate tags. |
| Microsoft Graph | TeamMember.ReadWrite.All (Add and remove members from all teams) | Delegated | Migrate team members. |
| Microsoft Graph | TeamsAppInstallation.ReadWriteAndConsentForTeam | Delegated | Manage installed Teams apps in teams. |

For convenience, you can add the required API permissions directly by pasting the following snippet into the app's Manifest.

"requiredResourceAccess": [
 {
   "resourceAppId": "00000003-0000-0000-c000-000000000000",
   "resourceAccess": [
     {
       "id": "0c3e411a-ce45-4cd1-8f30-f99a3efa7b11",
       "type": "Scope"
     },
     {
       "id": "c5366453-9fb0-48a5-a156-24f0c49a4b84",
       "type": "Scope"
     },
     {
       "id": "0b5d694c-a244-4bde-86e6-eb5cd07730fe",
       "type": "Scope"
     },
     {
       "id": "5c28f0bf-8a70-41f1-8ab2-9032436ddb65",
       "type": "Scope"
     },
     {
       "id": "2f233e90-164b-4501-8bce-31af2559a2d3",
       "type": "Scope"
     },
     {
       "id": "4793c53b-df34-44fd-8d26-d15c517732f5",
       "type": "Scope"
     },
     {
       "id": "4e46008b-f24c-477d-8fff-7bb4ec7aafe0",
       "type": "Scope"
     },
     {
       "id": "741c54c3-0c1e-44a1-818b-3f97ab4e8c83",
       "type": "Scope"
     },
     {
       "id": "205e70e5-aba6-4c52-a976-6d2d46c48043",
       "type": "Scope"
     },
     {
       "id": "4a06efd2-f825-4e34-813e-82a57b03d1ee",
       "type": "Scope"
     },
     {
       "id": "539dabd7-b5b6-4117-b164-d60cd15a8671",
       "type": "Scope"
     },
     {
       "id": "946349d5-2a9d-4535-abc0-7beeacaedd1d",
       "type": "Scope"
     },
     {
       "id": "a154be20-db9c-4678-8ab7-66f6cc099a59",
       "type": "Scope"
     }
   ]
 },
 {
   "resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
   "resourceAccess": [
     {
       "id": "ab4f2b77-0b06-4fc1-a9de-02113fc2ab7c",
       "type": "Scope"
     },
     {
       "id": "3b5f3d61-589b-4a3c-a359-5dd4b5ee5bd5",
       "type": "Scope"
     }
   ]
 },
 {
   "resourceAppId": "00000003-0000-0ff1-ce00-000000000000",
   "resourceAccess": [
     {
       "id": "59a198b5-0420-45a8-ae59-6da1cb640505",
       "type": "Scope"
     },
     {
       "id": "56680e0d-d2a3-4ae1-80d8-3c4f2100e3d0",
       "type": "Scope"
     }
   ]
 },
 {
   "resourceAppId": "00000012-0000-0000-c000-000000000000",
   "resourceAccess": [
     {
       "id": "c9c9a04d-3b66-4ca8-a00c-fca953e2afd3",
       "type": "Scope"
     }
   ]
 },
 {
   "resourceAppId": "870c4f2e-85b6-4d43-bdda-6ed9a579b725",
   "resourceAccess": [
     {
       "id": "34f7024b-1bed-402f-9664-f5316a1e1b4a",
       "type": "Scope"
     }
   ]
 }
]
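
Before granting consent, it is worth checking that the manifest on the app registration still matches the documented snippet. The following is an added example, not AvePoint's or Microsoft's code: it compares a manifest fragment against a baseline regardless of ordering or GUID case, and flags any entry whose type is not "Scope" (in an Entra app manifest, "Scope" is a delegated permission and "Role" is an application permission). The function names and the ACTUAL sample are constructed for illustration; the BASELINE IDs are excerpted from the manifest above.

```python
import json

# Baseline: the Office 365 Exchange Online and SharePoint blocks excerpted
# from the Commercial manifest shown on this page.
BASELINE = '''
"requiredResourceAccess": [
  {"resourceAppId": "00000002-0000-0ff1-ce00-000000000000", "resourceAccess": [
    {"id": "ab4f2b77-0b06-4fc1-a9de-02113fc2ab7c", "type": "Scope"},
    {"id": "3b5f3d61-589b-4a3c-a359-5dd4b5ee5bd5", "type": "Scope"}]},
  {"resourceAppId": "00000003-0000-0ff1-ce00-000000000000", "resourceAccess": [
    {"id": "59a198b5-0420-45a8-ae59-6da1cb640505", "type": "Scope"},
    {"id": "56680e0d-d2a3-4ae1-80d8-3c4f2100e3d0", "type": "Scope"}]}
]'''

# Constructed sample of a drifted registration: blocks reordered, one GUID in
# upper case, one permission switched to "Role", one dropped, and one
# placeholder ID (1111...) that is not in the baseline.
ACTUAL = '''
"requiredResourceAccess": [
  {"resourceAppId": "00000003-0000-0ff1-ce00-000000000000", "resourceAccess": [
    {"id": "56680e0d-d2a3-4ae1-80d8-3c4f2100e3d0", "type": "Scope"},
    {"id": "59A198B5-0420-45A8-AE59-6DA1CB640505", "type": "Scope"}]},
  {"resourceAppId": "00000002-0000-0ff1-ce00-000000000000", "resourceAccess": [
    {"id": "ab4f2b77-0b06-4fc1-a9de-02113fc2ab7c", "type": "Role"},
    {"id": "11111111-1111-1111-1111-111111111111", "type": "Scope"}]}
]'''

def parse_fragment(text):
    """Accept a full manifest or a bare '"requiredResourceAccess": [...]' fragment."""
    text = text.strip()
    if not text.startswith("{"):
        text = "{" + text + "}"  # the page's snippet starts at the key, so wrap it
    return json.loads(text)["requiredResourceAccess"]

def index(entries):
    """Map resourceAppId -> {permission id: type}, merging repeated resource blocks."""
    out = {}
    for res in entries:
        perms = out.setdefault(res["resourceAppId"].lower(), {})
        for perm in res["resourceAccess"]:
            perms[perm["id"].lower()] = perm["type"]
    return out

def audit(baseline_text, actual_text):
    """Return sorted (finding, resourceAppId, permission id) tuples; empty means no drift."""
    base = index(parse_fragment(baseline_text))
    actual = index(parse_fragment(actual_text))
    findings = []
    for app_id in sorted(set(base) | set(actual)):
        b, a = base.get(app_id, {}), actual.get(app_id, {})
        for pid in sorted(set(a) | set(b)):
            if pid in a and a[pid] != "Scope":
                findings.append(("application-permission", app_id, pid))
            if pid not in b:
                findings.append(("not-in-baseline", app_id, pid))
            elif pid not in a:
                findings.append(("missing", app_id, pid))
    return findings

if __name__ == "__main__":
    for finding in audit(BASELINE, ACTUAL):
        print(*finding)
```

Use the snippet for the matching cloud (Commercial, GCC High, or 21Vianet) as the baseline, because the permission IDs differ between them.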

Custom Delegated App Profile (GCC High Tenants)

Make sure the custom delegated app profile has the following permissions.

| API | Permission | Type | Purpose |
|---|---|---|---|
| Microsoft Information Protection Sync Service | UnifiedPolicy.User.Read (Read all unified policies a user has access to) | Delegated | Only required if you want to manage the sensitivity labels of files/emails/Teams. |
| Azure Rights Management Services | user_impersonation (Create and access protected content for users) | Delegated | Only required if you want to manage the sensitivity labels of files/emails/Teams. |
| SharePoint | AllSites.FullControl (Have full control of all site collections) | Delegated | Retrieve settings and permissions of team sites. |
| SharePoint | TermStore.ReadWrite.All (Read managed metadata) | Delegated | Retrieve and migrate Managed Metadata Service. |
| Office 365 Exchange Online | EWS.AccessAsUser.All (Access mailboxes as the signed-in user via Exchange Web Services) | Delegated | Access mailboxes as the signed-in user via Exchange Web Services. |
| Office 365 Exchange Online | Exchange.Manage (Manage Exchange configuration) | Delegated | Use Exchange PowerShell to retrieve mailbox permissions. |
| Microsoft Graph | Domain.Read.All (Read domains) | Delegated | Retrieve domains. |
| Microsoft Graph | EduAssignments.ReadWrite (Read and write users' class assignments and their grades) | Delegated | Only required if you want to migrate education features. Allows the app to read and write assignments and their grades. |
| Microsoft Graph | EduCurricula.ReadWrite (Read and write the user's class modules and resources) | Delegated | Only required if you want to migrate education features. Allows the app to read and write user's modules and resources. |
| Microsoft Graph | RoleManagement.Read.Directory (Read directory RBAC settings) | Delegated | Retrieve directory roles. |
| Microsoft Graph | Group.ReadWrite.All (Read and write all groups) | Delegated | Migrate Microsoft 365 Groups and group data. |
| Microsoft Graph | Sites.Read.All (Read items in all site collections) | Delegated | Retrieve channel folders and files of team sites and private channels’ site collections. |
| Microsoft Graph | Files.ReadWrite (Have full access to user files and files shared with user) | Delegated | Migrate channel folders and files of team sites and private/shared channels’ site collections. |
| Microsoft Graph | User.Read.All (Read all users’ full profiles) | Delegated | Retrieve information of Microsoft 365 user profiles. |
| Microsoft Graph | ChannelMember.ReadWrite.All (Add and remove members from all channels) | Delegated | Migrate private/shared channel members. |
| Microsoft Graph | TeamworkTag.ReadWrite (Read and write tags in Teams) | Delegated | Migrate tags. |
| Microsoft Graph | TeamsAppInstallation.ReadWriteAndConsentForTeam | Delegated | Manage installed Teams apps in Teams. |
| Microsoft Graph | TeamMember.ReadWrite.All (Add and remove members from all teams) | Delegated | Migrate team members. |

For convenience, you can add the required API permissions directly by pasting the following snippet into the app's Manifest.

"requiredResourceAccess": [
  {
    "resourceAppId": "00000003-0000-0000-c000-000000000000",
    "resourceAccess": [
      {
        "id": "4e46008b-f24c-477d-8fff-7bb4ec7aafe0",
        "type": "Scope"
      },
      {
        "id": "205e70e5-aba6-4c52-a976-6d2d46c48043",
        "type": "Scope"
      },
      {
        "id": "a154be20-db9c-4678-8ab7-66f6cc099a59",
        "type": "Scope"
      },
      {
        "id": "5c28f0bf-8a70-41f1-8ab2-9032436ddb65",
        "type": "Scope"
      },
      {
        "id": "2f233e90-164b-4501-8bce-31af2559a2d3",
        "type": "Scope"
      },
      {
        "id": "4793c53b-df34-44fd-8d26-d15c517732f5",
        "type": "Scope"
      },
      {
        "id": "0c3e411a-ce45-4cd1-8f30-f99a3efa7b11",
        "type": "Scope"
      },
      {
        "id": "d2813b3d-8ab2-4dac-a43d-3ac685f19416",
        "type": "Scope"
      },
      {
        "id": "4a06efd2-f825-4e34-813e-82a57b03d1ee",
        "type": "Scope"
      },
      {
        "id": "2f9ee017-59c1-4f1d-9472-bd5529a7b311",
        "type": "Scope"
      },
      {
        "id": "946349d5-2a9d-4535-abc0-7beeacaedd1d",
        "type": "Scope"
      },
      {
        "id": "741c54c3-0c1e-44a1-818b-3f97ab4e8c83",
        "type": "Scope"
      }
    ]
  },
  {
    "resourceAppId": "00000012-0000-0000-c000-000000000000",
    "resourceAccess": [
      {
        "id": "c9c9a04d-3b66-4ca8-a00c-fca953e2afd3",
        "type": "Scope"
      }
    ]
  },
  {
    "resourceAppId": "870c4f2e-85b6-4d43-bdda-6ed9a579b725",
    "resourceAccess": [
      {
        "id": "34f7024b-1bed-402f-9664-f5316a1e1b4a",
        "type": "Scope"
      }
    ]
  },
  {
    "resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
    "resourceAccess": [
      {
        "id": "ab4f2b77-0b06-4fc1-a9de-02113fc2ab7c",
        "type": "Scope"
      },
      {
        "id": "3b5f3d61-589b-4a3c-a359-5dd4b5ee5bd5",
        "type": "Scope"
      }
    ]
  },
  {
    "resourceAppId": "00000003-0000-0ff1-ce00-000000000000",
    "resourceAccess": [
      {
        "id": "56680e0d-d2a3-4ae1-80d8-3c4f2100e3d0",
        "type": "Scope"
      },
      {
        "id": "59a198b5-0420-45a8-ae59-6da1cb640505",
        "type": "Scope"
      }
    ]
  }
]

Custom Delegated App Profile (21Vianet Tenants)

Make sure the custom delegated app profile has the following permissions.

| API | Permission | Type | Purpose |
|---|---|---|---|
| Microsoft Information Protection Sync Service | UnifiedPolicy.User.Read (Read all unified policies a user has access to) | Delegated | Only required if you want to manage the sensitivity labels of files/emails/Teams. |
| Microsoft Rights Management Services | user_impersonation (Create and access protected content for users) | Delegated | Only required if you want to manage the sensitivity labels of files/emails/Teams. |
| SharePoint | AllSites.FullControl (Have full control of all site collections) | Delegated | Retrieve settings and permissions of team sites. |
| SharePoint | TermStore.ReadWrite.All (Read managed metadata) | Delegated | Retrieve and migrate Managed Metadata Service. |
| Office 365 Exchange Online | EWS.AccessAsUser.All (Access mailboxes as the signed-in user via Exchange Web Services) | Delegated | Access mailboxes as the signed-in user via Exchange Web Services. |
| Microsoft Graph | Domain.Read.All (Read domains) | Delegated | Retrieve domains. |
| Microsoft Graph | EduAssignments.ReadWrite (Read and write users' class assignments and their grades) | Delegated | Only required if you want to migrate education features. Allows the app to read and write assignments and their grades. |
| Microsoft Graph | EduCurricula.ReadWrite (Read and write the user's class modules and resources) | Delegated | Only required if you want to migrate education features. Allows the app to read and write user's modules and resources. |
| Microsoft Graph | RoleManagement.Read.Directory (Read directory RBAC settings) | Delegated | Retrieve directory roles. |
| Microsoft Graph | Group.ReadWrite.All (Read and write all groups) | Delegated | Migrate Microsoft 365 Groups and group data. |
| Microsoft Graph | Sites.Read.All (Read items in all site collections) | Delegated | Retrieve channel folders and files of team sites and private channels’ site collections. |
| Microsoft Graph | Files.ReadWrite (Have full access to user files and files shared with user) | Delegated | Migrate channel folders and files of team sites and private/shared channels’ site collections. |
| Microsoft Graph | User.Read.All (Read all users’ full profiles) | Delegated | Retrieve information of Microsoft 365 user profiles. |
| Microsoft Graph | ChannelMember.ReadWrite.All (Add and remove members from all channels) | Delegated | Migrate private/shared channel members. |
| Microsoft Graph | TeamworkTag.ReadWrite (Read and write tags in Teams) | Delegated | Migrate tags. |
| Microsoft Graph | TeamMember.ReadWrite.All (Add and remove members from all teams) | Delegated | Migrate team members. |

For convenience, you can add the required API permissions directly by pasting the following snippet into the app's Manifest.

"requiredResourceAccess": [
  {
    "resourceAppId": "00000003-0000-0ff1-ce00-000000000000",
    "resourceAccess": [
      {
        "id": "59a198b5-0420-45a8-ae59-6da1cb640505",
        "type": "Scope"
      },
      {
        "id": "56680e0d-d2a3-4ae1-80d8-3c4f2100e3d0",
        "type": "Scope"
      }
    ]
  },
  {
    "resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
    "resourceAccess": [
      {
        "id": "522c3758-e3ef-4482-af45-40e5d9aabd1e",
        "type": "Scope"
      }
    ]
  },
  {
    "resourceAppId": "870c4f2e-85b6-4d43-bdda-6ed9a579b725",
    "resourceAccess": [
      {
        "id": "34f7024b-1bed-402f-9664-f5316a1e1b4a",
        "type": "Scope"
      }
    ]
  },
  {
    "resourceAppId": "797f4846-ba00-4fd7-ba43-dac1f8f63013",
    "resourceAccess": [
      {
        "id": "41094075-9dad-400e-a0bd-54e686782033",
        "type": "Scope"
      }
    ]
  },
  {
    "resourceAppId": "00000003-0000-0000-c000-000000000000",
    "resourceAccess": [
      {
        "id": "84160c94-5d27-49e7-a742-2b941e4f2987",
        "type": "Scope"
      },
      {
        "id": "3eef517f-e083-4ef1-92d2-089c3265351d",
        "type": "Scope"
      },
      {
        "id": "5c28f0bf-8a70-41f1-8ab2-9032436ddb65",
        "type": "Scope"
      },
      {
        "id": "4e46008b-f24c-477d-8fff-7bb4ec7aafe0",
        "type": "Scope"
      },
      {
        "id": "2f233e90-164b-4501-8bce-31af2559a2d3",
        "type": "Scope"
      },
      {
        "id": "4793c53b-df34-44fd-8d26-d15c517732f5",
        "type": "Scope"
      },
      {
        "id": "741c54c3-0c1e-44a1-818b-3f97ab4e8c83",
        "type": "Scope"
      },
      {
        "id": "205e70e5-aba6-4c52-a976-6d2d46c48043",
        "type": "Scope"
      },
      {
        "id": "3f626c00-b3fc-4dee-9371-503d58fbfc0d",
        "type": "Scope"
      },
      {
        "id": "ce73714b-d1cf-47c3-8a27-eab4b818a7c5",
        "type": "Scope"
      },
      {
        "id": "a154be20-db9c-4678-8ab7-66f6cc099a59",
        "type": "Scope"
      }
    ]
  }
]