Home > Perform Microsoft Teams Migrations > Required Permissions for Microsoft Teams Migration > Destination Permissions for Teams
Export to PDFDestination Permissions for Teams
To connect to the destination, you can choose to only use a service account authentication, Fly app profile, or custom app profile as the authentication method. You can also use the combination of a service account authentication and a Fly app profile or the combination of a service account authentication and a custom app profile.
Refer to the following sections to view the permissions required by the authentication methods.
Fly App Profile Permissions
With the Tenant Owner or Service Administrator role, you can create a Fly app profile in AvePoint Online Services > Management > App management to connect to the Microsoft 365 tenant using the Fly app.
Refer to Fly App Profile Permissions about how to create a Fly app profile and the required permissions of the Fly app profile.
*Note: With the authentication method of the Fly app profile only, if the destination is a multi-geo tenant, and the destination Teams need to be created in a defined location, you need to assign the Microsoft 365 Global Administrator, SharePoint Administrator, or Exchange Administrator role to the Fly app. You can refer to How to Assign the Exchange Administrator Role to an App? for examples of role assignments.
*Note: With the authentication method of the Fly app profile only, if you want to migrate Planner task comments, the consent user must have the license for Exchange Online.
Custom App Profile Permissions
With the Tenant Owner and Service Administrator role, you can create a custom app profile in AvePoint Online Services > Management > App management to connect to the Microsoft 365 tenant using a custom Azure app.
*Note: With the authentication method of the app profile only, if you want to migrate Planner task comments, the consent user must have the license for Exchange Online.
Refer to the following procedures to create a custom app profile:
-
Prepare a certificate in Microsoft Entra ID. Refer to for more information.
You can ignore this step if you have a certificate.
-
Create a custom Azure app in Microsoft Entra ID. Refer to for more information.
-
.
-
in AvePoint Online Services.
*Note: After you re-authorize the app profile, you need to wait about one hour before using the app profile for your migration to refresh the token if there are permissions updated.
Refer to the following tables to add API permissions required by Microsoft Teams Migration to the custom Azure app.
Required by Commercial Tenants
| API | Permission | Type | Purpose |
|---|---|---|---|
| Microsoft Information Protection Sync Service | UnifiedPolicy.Tenant.Read (Read all unified policies of the tenant.) | Application | Only required if you want to manage the sensitivity labels of files/emails/Teams. |
| Microsoft Graph | Directory.ReadWrite.All (Read and write directory data) | Application | Only required if the destination tenant is a multi-geo tenant and the destination Teams need to be created in a defined location. Alternatively, you can assign the Microsoft 365 Global Administrator, SharePoint Administrator, or Exchange Administrator role to the custom app. You can refer to How to Assign the Exchange Administrator Role to an App? for examples of role assignment. |
| Microsoft Graph | Domain.Read.All (Read domains) | Application | Read domains. |
| Microsoft Graph | RoleManagement.Read.Directory (Read all directory RBAC settings) | Application | Retrieve directory roles. |
| Microsoft Graph | Group.ReadWrite.All(Read and write all groups) | Application | Migrate Microsoft 365 Groups and Group data. |
| Microsoft Graph | Sites.ReadWrite.All(Read and write items in all site collections) | Application | Migrate channel folders and files of team sites and private/shared channels’ site collections. |
| Microsoft Graph | User.Read.All (Read all users’ full profiles) | Application | Retrieve information on Microsoft 365 user profiles. |
| Microsoft Graph | InformationProtectionPolicy.Read.All (Read all published labels and label policies for an organization) | Application | Only required if you want to manage the sensitivity labels of files/emails/Teams. |
| Microsoft Graph | ChannelMember.ReadWrite.All | ||
| (Add and remove members from all channels) | Application | Migrate private/shared channel members. | |
| Microsoft Graph | Teamwork.Migrate.All | ||
| (Create chat and channel messages with anyone’s identity and with any timestamp) | Application | Create Teams and channels, and migrate channel messages with any message sender and timestamp. | |
| Microsoft Graph | TeamworkTag.ReadWrite.All | ||
| (Read and write tags in Teams) | Application | Migrate tags. | |
| Microsoft Graph | TeamMember.ReadWrite.All(Add and remove members from all teams) | Application | Migrate team members. |
| Microsoft Graph | Channel.Create(Create channels) | Application | Create channels. |
| Microsoft Graph | ChannelSettings.ReadWrite.All(Read and write the names, descriptions, and settings of all channels) | Application | Migrate channel settings. |
| Microsoft Graph | Team.Create(Create teams) | Application | Create Teams. |
| Microsoft Graph | TeamSettings.ReadWrite.All(Read and change all teams’ settings) | Application | Migrate Team settings. |
| Microsoft Graph | TeamsAppInstallation.ReadWriteForTeam.All(Manage Teams apps for all teams) | Application | Migrate Team apps. |
| Microsoft Graph | TeamsTab.ReadWriteForTeam.All(Allow the Teams app to manage all tabs for all teams) | Application | Migrate Team tabs. |
| Microsoft Graph | Schedule.ReadWrite.All(Read and write all schedule items) | Application | Migrate Teams Shifts app data. |
| Microsoft Graph | Reports.Read.All(Read all usage reports) | Application | Only required by tenant discovery. |
| Microsoft Graph | Tasks.ReadWrite.All(Read and write all users’ tasks and tasklists) | Application | Migrate planners and data in planners to the destination. |
| Microsoft Graph | TeamsAppInstallation.ReadWriteAndConsentForTeam.All | Application | Manage installation and permission grants of Teams apps for all teams. |
| Microsoft Graph | ReportSettings.Read.All(Read all admin report settings) | Application | Retrieve the Reports setting of the Microsoft 365 admin center. |
| Azure Rights Management Services | Content.DelegatedWriter (Create protected content on behalf of a user) | Application | Only required if you want to manage the sensitivity labels of files/emails/Teams. |
| Azure Rights Management Services | Content.Writer (Create protected content) | Application | Only required if you want to manage the sensitivity labels of files/emails/Teams. |
| Office 365 Exchange Online | Exchange.ManageAsApp (Manage Exchange As Application) | Application | Use Exchange PowerShell to retrieve mailbox permissions. |
| Office 365 Exchange Online | Full_access_as_app (Use Exchange Web Services with full access to all mailboxes) | Application | Retrieve items from all mailboxes. *Note: If you do not want to add this permission to the app, you can create an RBAC assignment for the app to only access to specified mailboxes. Refer to the option 3 in the How to Migrate Mailboxes without the ApplicationImpersonation Role? section for details. |
| SharePoint/Office 365 SharePoint Online | Sites.FullControl.All (Have full control of all site collections) | Application | Retrieve settings and permissions of team sites. |
| SharePoint/Office 365 SharePoint Online | TermStore.ReadWrite.All | ||
| (Read and write managed metadata) | Application | Retrieve and migrate Managed Metadata Service.*Note: If the term groups/term sets/terms with the same name and level (global or local level) as the source ones exist in the destination, you can change this permission to TermStore.Read.All. |
For easy use, you can directly use the following commands to add required API permissions through Manifest.
"requiredResourceAccess": [
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "f3a65bd4-b703-46df-8f7e-0174fea562aa",
"type": "Role"
},
{
"id": "35930dcf-aceb-4bd1-b99a-8ffed403c974",
"type": "Role"
},
{
"id": "243cded2-bd16-4fd6-a953-ff8177894c3d",
"type": "Role"
},
{
"id": "19dbc75e-c2e2-444c-a770-ec69d8559fc7",
"type": "Role"
},
{
"id": "dbb9058a-0e50-45d7-ae91-66909b5d4664",
"type": "Role"
},
{
"id": "62a82d76-70ea-41e2-9197-370581804d09",
"type": "Role"
},
{
"id": "19da66cb-0fb0-4390-b071-ebc76a349482",
"type": "Role"
},
{
"id": "230c1aed-a721-4c5d-9cb4-a90514e508ef",
"type": "Role"
},
{
"id": "ee353f83-55ef-4b78-82da-555bfa2b4b95",
"type": "Role"
},
{
"id": "483bed4a-2ad3-4361-a73b-c83ccdbdc53c",
"type": "Role"
},
{
"id": "b7760610-0545-4e8a-9ec3-cce9e63db01c",
"type": "Role"
},
{
"id": "9492366f-7969-46a4-8d15-ed1a20078fff",
"type": "Role"
},
{
"id": "44e666d1-d276-445b-a5fc-8815eeb81d55",
"type": "Role"
},
{
"id": "23fc2474-f741-46ce-8465-674744c5c361",
"type": "Role"
},
{
"id": "0121dc95-1b9f-4aed-8bac-58c5ac466691",
"type": "Role"
},
{
"id": "5dad17ba-f6cc-4954-a5a2-a0dcc95154f0",
"type": "Role"
},
{
"id": "bdd80a03-d9bc-451d-b7c4-ce7c63fe3c8f",
"type": "Role"
},
{
"id": "6163d4f4-fbf8-43da-a7b4-060fe85ed148",
"type": "Role"
},
{
"id": "dfb0dd15-61de-45b2-be36-d6a69fba3c79",
"type": "Role"
},
{
"id": "a3371ca5-911d-46d6-901c-42c8c7a937d8",
"type": "Role"
},
{
"id": "b0c13be0-8e20-4bc5-8c55-963c23a39ce9",
"type": "Role"
}
{
"id": "df021288-bdef-4463-88db-98f22de89214",
"type": "Role"
}
]
},
{
"resourceAppId": "00000012-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "d13f921c-7f21-4c08-bade-db9d048bd0da",
"type": "Role"
},
{
"id": "006e763d-a822-41fc-8df5-8d3d7fe20022",
"type": "Role"
}
]
},
{
"resourceAppId": "00000003-0000-0ff1-ce00-000000000000",
"resourceAccess": [
{
"id": "c8e3537c-ec53-43b9-bed3-b2bd3617ae97",
"type": "Role"
},
{
"id": "678536fe-1083-478a-9c59-b99265e6b0d3",
"type": "Role"
}
]
},
{
"resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
"resourceAccess": [
{
"id": "dc890d15-9560-4a4c-9b7f-a736ec74ec40",
"type": "Role"
},
{
"id": "dc50a0fb-09a3-484d-be87-e023b12c6440",
"type": "Role"
}
]
},
{
"resourceAppId": "870c4f2e-85b6-4d43-bdda-6ed9a579b725",
"resourceAccess": [
{
"id": "8b2071cd-015a-4025-8052-1c0dba2d3f64",
"type": "Role"
}
]
}
],
Required by GCC High Tenants
| API | Permission | Type | Purpose |
|---|---|---|---|
| Microsoft Information Protection Sync Service | UnifiedPolicy.Tenant.Read (Read all unified policies of the tenant) | Application | Only required if you want to manage the sensitivity labels of files/emails/Teams. |
| Microsoft Graph | Domain.Read.All(Read domains) | Application | Retrieve domains. |
| Microsoft Graph | RoleManagement.Read.Directory(Read all directory RBAC settings) | Application | Retrieve directory roles. |
| Microsoft Graph | Group.ReadWrite.All(Read and write all groups) | Application | Migrate Microsoft 365 Groups and Group data. |
| Microsoft Graph | Sites.ReadWrite.All(Read and write items in all site collections) | Application | Migrate channel folders and files of team sites and private/shared channels’ site collections. |
| Microsoft Graph | User.Read.All (Read all users’ full profiles) | Application | Retrieve information of Microsoft 365 user profiles. |
| Microsoft Graph | InformationProtectionPolicy.Read.All (Read all published labels and label policies for an organization) | Application | Only required if you want to manage the sensitivity labels of files/emails/Teams. |
| Microsoft Graph | ChannelMember.ReadWrite.All(Add and remove members from all channels) | Application | Migrate private/shared channel members. |
| Microsoft Graph | Teamwork.Migrate.All(Create chat and channel messages with anyone’s identity and with any timestamp) | Application | Create Teams and channels, and migrate channel messages with any message sender and timestamp. |
| Microsoft Graph | TeamMember.ReadWrite.All(Add and remove members from all teams) | Application | Migrate team members. |
| Microsoft Graph | Channel.Create(Create channels) | Application | Create channels. |
| Microsoft Graph | ChannelSettings.ReadWrite.All(Read and write the names, descriptions, and settings of all channels) | Application | Migrate channel settings. |
| Microsoft Graph | Team.Create(Create teams) | Application | Create Teams. |
| Microsoft Graph | TeamSettings.ReadWrite.All(Read and change all teams’ settings) | Application | Migrate Team settings. |
| Microsoft Graph | TeamsAppInstallation.ReadWriteForTeam.All(Manage Teams apps for all teams) | Application | Migrate Team apps. |
| Microsoft Graph | TeamsTab.ReadWriteForTeam.All(Allow the Teams app to manage all tabs for all teams) | Application | Migrate Team tabs. |
| Microsoft Graph | Reports.Read.All(Read all usage reports) | Application | Only required by tenant discovery. |
| Microsoft Graph | Tasks.ReadWrite.All(Read and write all users’ tasks and tasklists) | Application | Migrate planners and data in planners to the destination. |
| Microsoft Graph | ReportSettings.Read.All(Read all admin report settings) | Application | Retrieve the Reports setting of the Microsoft 365 admin center. |
| Microsoft Graph | TeamsAppInstallation.ReadWriteAndConsentForTeam.All | Application | Manage installation and permission grants of Teams apps for all teams. |
| Microsoft Graph | TeamworkTag.ReadWrite.All(Read and write tags in Teams) | Application | Migrate tags. |
| Azure Rights Management Services | Content.DelegatedWriter (Create protected content on behalf of a user) | Application | Only required if you want to manage the sensitivity labels of files/emails/Teams. |
| Azure Rights Management Services | Content.Writer (Create protected content) | Application | Only required if you want to manage the sensitivity labels of files/emails/Teams. |
| Office 365 Exchange Online | Exchange.ManageAsApp (Manage Exchange As Application) | Application | Use Exchange PowerShell to retrieve mailbox permissions. |
| Office 365 Exchange Online | Full_access_as_app (Use Exchange Web Services with full access to all mailboxes) | Application | Retrieve items from all mailboxes. *Note: If you do not want to add this permission to the app, you can create an RBAC assignment for the app to only access to specified mailboxes. Refer to the option 3 in the How to Migrate Mailboxes without the ApplicationImpersonation Role? section for details. |
| SharePoint/Office 365 SharePoint Online | Sites.FullControl.All (Have full control of all site collections) | Application | Retrieve settings and permissions of team sites. |
| SharePoint/Office 365 SharePoint Online | TermStore.ReadWrite.All(Read and write managed metadata) | Application | Retrieve and migrate Managed Metadata Service.*Note: If the term groups/term sets/terms with the same name and level (global or local level) as the source ones exist in the destination, you can change this permission to TermStore.Read.All. |
For easy use, you can directly use the following commands to add required API permissions through Manifest.
"requiredResourceAccess": [
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": " a3371ca5-911d-46d6-901c-42c8c7a937d8",
"type": "Role"
},
{
"id": "f3a65bd4-b703-46df-8f7e-0174fea562aa",
"type": "Role"
},
{
"id": "35930dcf-aceb-4bd1-b99a-8ffed403c974",
"type": "Role"
},
{
"id": "243cded2-bd16-4fd6-a953-ff8177894c3d",
"type": "Role"
},
{
"id": "dbb9058a-0e50-45d7-ae91-66909b5d4664",
"type": "Role"
},
{
"id": "62a82d76-70ea-41e2-9197-370581804d09",
"type": "Role"
},
{
"id": "19da66cb-0fb0-4390-b071-ebc76a349482",
"type": "Role"
},
{
"id": "230c1aed-a721-4c5d-9cb4-a90514e508ef",
"type": "Role"
},
{
"id": "925396cc-885d-40f4-89e6-450b1f192955",
"type": "Role"
},
{
"id": "483bed4a-2ad3-4361-a73b-c83ccdbdc53c",
"type": "Role"
},
{
"id": "9492366f-7969-46a4-8d15-ed1a20078fff",
"type": "Role"
},
{
"id": "c27188eb-10e6-47e2-8de2-ce88860916ac",
"type": "Role"
},
{
"id": "23fc2474-f741-46ce-8465-674744c5c361",
"type": "Role"
},
{
"id": "0121dc95-1b9f-4aed-8bac-58c5ac466691",
"type": "Role"
},
{
"id": "5dad17ba-f6cc-4954-a5a2-a0dcc95154f0",
"type": "Role"
},
{
"id": "bdd80a03-d9bc-451d-b7c4-ce7c63fe3c8f",
"type": "Role"
},
{
"id": "6163d4f4-fbf8-43da-a7b4-060fe85ed148",
"type": "Role"
},
{
"id": "b0c13be0-8e20-4bc5-8c55-963c23a39ce9",
"type": "Role"
},
{
"id": "dfb0dd15-61de-45b2-be36-d6a69fba3c79",
"type": "Role"
},
{
"id": "df021288-bdef-4463-88db-98f22de89214",
"type": "Role"
}
]
},
{
"resourceAppId": "00000012-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "d13f921c-7f21-4c08-bade-db9d048bd0da",
"type": "Role"
},
{
"id": "006e763d-a822-41fc-8df5-8d3d7fe20022",
"type": "Role"
}
]
},
{
"resourceAppId": "870c4f2e-85b6-4d43-bdda-6ed9a579b725",
"resourceAccess": [
{
"id": "8b2071cd-015a-4025-8052-1c0dba2d3f64",
"type": "Role"
}
]
},
{
"resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
"resourceAccess": [
{
"id": "dc890d15-9560-4a4c-9b7f-a736ec74ec40",
"type": "Role"
},
{
"id": "dc50a0fb-09a3-484d-be87-e023b12c6440",
"type": "Role"
}
]
},
{
"resourceAppId": "00000003-0000-0ff1-ce00-000000000000",
"resourceAccess": [
{
"id": "c8e3537c-ec53-43b9-bed3-b2bd3617ae97",
"type": "Role"
},
{
"id": "678536fe-1083-478a-9c59-b99265e6b0d3",
"type": "Role"
}
]
}
],
Required by 21Vianet Tenants
| API | Permission | Type | Purpose |
|---|---|---|---|
| Microsoft Graph | Domain.Read.All(Read domains) | Application | Retrieve domains. |
| Microsoft Graph | RoleManagement.Read.Directory(Read all directory RBAC settings) | Application | Retrieve directory roles. |
| Microsoft Graph | Group.ReadWrite.All(Read and write all groups) | Application | Migrate Microsoft 365 Groups and Group data. |
| Microsoft Graph | Sites.ReadWrite.All(Read and write items in all site collections) | Application | Migrate channel folders and files of team sites and private/shared channels’ site collections. |
| Microsoft Graph | User.Read.All (Read all users’ full profiles) | Application | Retrieve information of Microsoft 365 user profiles. |
| Microsoft Graph | ChannelMember.ReadWrite.All(Add and remove members from all channels) | Application | Migrate private/shared channel members. |
| Microsoft Graph | Teamwork.Migrate.All(Create chat and channel messages with anyone’s identity and with any timestamp) | Application | Create Teams and channels, and migrate channel messages with any message sender and timestamp. |
| Microsoft Graph | TeamworkTag.ReadWrite.All(Read and write tags in Teams) | Application | Migrate tags. |
| Microsoft Graph | TeamMember.ReadWrite.All(Add and remove members from all teams) | Application | Migrate team members. |
| Microsoft Graph | Channel.Create(Create channels) | Application | Create channels. |
| Microsoft Graph | ChannelSettings.ReadWrite.All(Read and write the names, descriptions, and settings of all channels) | Application | Migrate channel settings. |
| Microsoft Graph | Team.Create(Create teams) | Application | Create Teams. |
| Microsoft Graph | TeamSettings.ReadWrite.All(Read and change all teams’ settings) | Application | Migrate Team settings. |
| Microsoft Graph | TeamsAppInstallation.ReadWriteForTeam.All(Manage Teams apps for all teams) | Application | Migrate Team apps. |
| Microsoft Graph | TeamsTab.ReadWriteForTeam.All(Allow the Teams app to manage all tabs for all teams) | Application | Migrate Team tabs. |
| Office 365 Exchange Online | Exchange.ManageAsApp(Manage Exchange As Application) | Application | Use Exchange PowerShell to retrieve mailbox permissions. |
| Office 365 Exchange Online | Full_access_as_app(Use Exchange Web Services with full access to all mailboxes) | Application | Retrieve items from all mailboxes. *Note: If you do not want to add this permission to the app, you can create an RBAC assignment for the app to only access to specified mailboxes. Refer to the option 3 in the How to Migrate Mailboxes without the ApplicationImpersonation Role? section for details. |
| SharePoint/Office 365 SharePoint Online | Sites.FullControl.All(Have full control of all site collections) | Application | Retrieve settings and permissions of team sites. |
| SharePoint/Office 365 SharePoint Online | TermStore.ReadWrite.All(Read and write managed metadata) | Application | Retrieve and migrate Managed Metadata Service.*Note: If the term groups/term sets/terms with the same name and level (global or local level) as the source ones exist in the destination, you can change this permission to TermStore.Read.All. |
For easy use, you can directly use the following commands to add required API permissions through Manifest:
"requiredResourceAccess": [
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "8ec18291-78b7-4fa1-aaa7-0a5d10d00579",
"type": "Role"
},
{
"id": "8c07be71-1e68-4c34-9ddc-a9dcdb316eb7",
"type": "Role"
},
{
"id": "2da62ce8-5a78-495e-9e9c-369817e4c130",
"type": "Role"
},
{
"id": "b8b3793a-307b-47a7-8f35-2168c3bdbce3",
"type": "Role"
},
{
"id": "62a82d76-70ea-41e2-9197-370581804d09",
"type": "Role"
},
{
"id": "483bed4a-2ad3-4361-a73b-c83ccdbdc53c",
"type": "Role"
},
{
"id": "e6a20c00-0962-428c-b0b8-bf53df771ac7",
"type": "Role"
},
{
"id": "d18bc5b2-cc48-476b-9623-15bc9b2d3ea6",
"type": "Role"
},
{
"id": "86259e93-a26b-4320-813f-00dcf11b9997",
"type": "Role"
},
{
"id": "a7c89ead-d188-443d-8f10-e28dc093b303",
"type": "Role"
},
{
"id": "4c57df52-0e14-43e0-9301-b05870243e1b",
"type": "Role"
},
{
"id": "ab53b2e5-a78e-4617-9194-5e730eb33730",
"type": "Role"
},
{
"id": "9752a293-c45f-4bee-9a9a-5f728c80c276",
"type": "Role"
},
{
"id": "392dfd33-fd79-41a3-8b29-0ce91d4a20d2",
"type": "Role"
},
{
"id": "df021288-bdef-4463-88db-98f22de89214",
"type": "Role"
}
]
},
{
"resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
"resourceAccess": [
{
"id": "dc890d15-9560-4a4c-9b7f-a736ec74ec40",
"type": "Role"
},
{
"id": "dc50a0fb-09a3-484d-be87-e023b12c6440",
"type": "Role"
}
]
},
{
"resourceAppId": "00000003-0000-0ff1-ce00-000000000000",
"resourceAccess": [
{
"id": "678536fe-1083-478a-9c59-b99265e6b0d3",
"type": "Role"
},
{
"id": "c8e3537c-ec53-43b9-bed3-b2bd3617ae97",
"type": "Role"
}
]
}
],
Service Account Permissions
If you only use service account authentication for destination Teams, the service account must meet the following requirements:
*Note: Users with Multi-Factor Authentication (MFA) enabled cannot be used as the service account to perform migrations. You can use a delegated app profile instead.
Additionally, Microsoft has updated API permissions for Microsoft Teams migration. Once the old permissions are deprecated, we recommend you use a delegated app profile to migrate conversations and other Teams data.
What permissions are required if I also use an app profile?
If you use both service account and app profile authentications for destination Teams, the service account must meet the following requirements:
*Note: Users with Multi-Factor Authentication (MFA) enabled cannot be used as the service account to perform migrations. You can use a delegated app profile instead.
Delegated App Profile Permissions
Fly allows you to use the Fly delegated app profile or custom delegated app profile to connect to your workspace.
*Note: The license and permission requirements for the consent user are the same as those for the service account. For details, refer to Service Account Permissions.
*Note: If the consent user of the delegated app profile has Multi-Factor Authentication (MFA) enabled, you must authorize or re-authorize the delegated app profile after MFA is enabled. Otherwise, the migration jobs using the delegated app profile will fail.
*Note: With the authentication method of the app profile only, if you want to migrate Planner task comments, the consent user must have the license for Exchange Online.
*Note: If you re-authorize the app profile, you need to wait about one hour before using the app profile for your migration to refresh the token when there are permissions updated.
The steps of creating a default or custom delegated app profile for the destination are the same as the steps in Delegated App Profile Permissions for the source.
For Fly delegated app profile permissions, refer to the table in Fly Delegated App Profile Permissions.
For custom delegated app profile permissions of different tenants, refer to the sections below.
*Note: If you use the custom delegated app profile to create Teams in a specific location of the destination multi-geo tenant, you need to assign the Microsoft 365 Global Administrator, SharePoint Administrator, or Exchange Administrator role to the app. Refer to How to Assign the Exchange Administrator Role to an App? for examples of role assignment.
Custom Delegated App Profile (Commercial Tenants)
Make sure the custom delegated app profile has the following permissions.
| API | Permission | Type | Purpose |
|---|---|---|---|
| Microsoft Information Protection Sync Service | UnifiedPolicy.User.Read(Read all unified policies a user has access to) | Delegated | Only required if you want to manage the sensitivity labels of files/emails/Teams. |
| Azure Rights Management Services | user_impersonation(Create and access protected content for users) | Delegated | Only required if you want to manage the sensitivity labels of files/emails/Teams. |
| SharePoint | AllSites.FullControl(Have full control of all site collections) | Delegated | Retrieve settings and permissions of team sites. |
| SharePoint | TermStore.ReadWrite.All(Read managed metadata) | Delegated | Retrieve and migrate Managed Metadata Service. |
| Office 365 Exchange Online | EWS.AccessAsUser.All (Access mailboxes as the signed-in user via Exchange Web Services) | Delegated | Access mailboxes as the signed-in user via Exchange Web Services. |
| Office 365 Exchange Online | Exchange.Manage(Manage Exchange configuration) | Delegated | Use Exchange PowerShell to retrieve mailbox permissions. |
| Microsoft Graph | Directory.ReadWrite.All | Delegated | Only required if the destination is a multi-geo tenant and the destination Teams need to be created in a defined location. |
| Microsoft Graph | Domain.Read.All(Read domains) | Delegated | Retrieve domains. |
| Microsoft Graph | RoleManagement.Read.Directory(Read directory RBAC settings) | Delegated | Retrieve directory roles. |
| Microsoft Graph | Group.ReadWrite.All(Read and write all groups) | Delegated | Migrate Microsoft 365 Groups and group data. |
| Microsoft Graph | Sites.Read.All(Read items in all site collections) | Delegated | Retrieve channel folders and files of team sites and private channels’ site collections. |
| Microsoft Graph | Files.ReadWrite(Have full access to user files and files shared with user) | Delegated | Migrate channel folders and files of team sites and private/shared channels’ site collections. |
| Microsoft Graph | User.Read.All(Read all users’ full profiles) | Delegated | Retrieve information of Microsoft 365 user profiles. |
| Microsoft Graph | ChannelMember.ReadWrite.All(Add and remove members from all channels) | Delegated | Migrate private/shared channel members. |
| Microsoft Graph | TeamworkTag.ReadWrite(Read and write tags in Teams) | Delegated | Migrate tags. |
| Microsoft Graph | TeamMember.ReadWrite.All(Add and remove members from all teams) | Delegated | Migrate team members. |
| Microsoft Graph | TeamsAppInstallation.ReadWriteAndConsentForTeam | Delegated | Manage installed Teams apps in teams. |
For easy use, you can directly use the following commands to add required API permissions through Manifest.
"requiredResourceAccess": [
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "0c3e411a-ce45-4cd1-8f30-f99a3efa7b11",
"type": "Scope"
},
{
"id": "c5366453-9fb0-48a5-a156-24f0c49a4b84",
"type": "Scope"
},
{
"id": "0b5d694c-a244-4bde-86e6-eb5cd07730fe",
"type": "Scope"
},
{
"id": "5c28f0bf-8a70-41f1-8ab2-9032436ddb65",
"type": "Scope"
},
{
"id": "4e46008b-f24c-477d-8fff-7bb4ec7aafe0",
"type": "Scope"
},
{
"id": "741c54c3-0c1e-44a1-818b-3f97ab4e8c83",
"type": "Scope"
},
{
"id": "205e70e5-aba6-4c52-a976-6d2d46c48043",
"type": "Scope"
},
{
"id": "4a06efd2-f825-4e34-813e-82a57b03d1ee",
"type": "Scope"
},
{
"id": "539dabd7-b5b6-4117-b164-d60cd15a8671",
"type": "Scope"
},
{
"id": "946349d5-2a9d-4535-abc0-7beeacaedd1d",
"type": "Scope"
},
{
"id": "a154be20-db9c-4678-8ab7-66f6cc099a59",
"type": "Scope"
}
]
},
{
"resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
"resourceAccess": [
{
"id": "ab4f2b77-0b06-4fc1-a9de-02113fc2ab7c",
"type": "Scope"
},
{
"id": "3b5f3d61-589b-4a3c-a359-5dd4b5ee5bd5",
"type": "Scope"
}
]
},
{
"resourceAppId": "00000003-0000-0ff1-ce00-000000000000",
"resourceAccess": [
{
"id": "59a198b5-0420-45a8-ae59-6da1cb640505",
"type": "Scope"
},
{
"id": "56680e0d-d2a3-4ae1-80d8-3c4f2100e3d0",
"type": "Scope"
}
]
},
{
"resourceAppId": "00000012-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "c9c9a04d-3b66-4ca8-a00c-fca953e2afd3",
"type": "Scope"
}
]
},
{
"resourceAppId": "870c4f2e-85b6-4d43-bdda-6ed9a579b725",
"resourceAccess": [
{
"id": "34f7024b-1bed-402f-9664-f5316a1e1b4a",
"type": "Scope"
}
]
}
],
Custom Delegated App Profile (GCC High Tenants)
Make sure the custom delegated app profile has the following permissions.
| API | Permission | Type | Purpose |
|---|---|---|---|
| Microsoft Information Protection Sync Service | UnifiedPolicy.User.Read(Read all unified policies a user has access to) | Delegated | Only required if you want to manage the sensitivity labels of files/emails/Teams. |
| Azure Rights Management Services | user_impersonation(Create and access protected content for users) | Delegated | Only required if you want to manage the sensitivity labels of files/emails/Teams. |
| SharePoint | AllSites.FullControl(Have full control of all site collections) | Delegated | Retrieve settings and permissions of team sites. |
| SharePoint | TermStore.ReadWrite.All(Read managed metadata) | Delegated | Retrieve and migrate Managed Metadata Service. |
| Office 365 Exchange Online | EWS.AccessAsUser.All (Access mailboxes as the signed-in user via Exchange Web Services) | Delegated | Access mailboxes as the signed-in user via Exchange Web Services |
| Office 365 Exchange Online | Exchange.Manage(Manage Exchange configuration) | Delegated | Use Exchange PowerShell to retrieve mailbox permissions. |
| Microsoft Graph | Domain.Read.All(Read domains) | Delegated | Retrieve domains. |
| Microsoft Graph | RoleManagement.Read.Directory(Read directory RBAC settings) | Delegated | Retrieve directory roles. |
| Microsoft Graph | Group.ReadWrite.All(Read and write all groups) | Delegated | Migrate Microsoft 365 Groups and Group data. |
| Microsoft Graph | Sites.Read.All(Read items in all site collections) | Delegated | Retrieve channel folders and files of team sites and private channels’ site collections. |
| Microsoft Graph | Files.ReadWrite(Read directory RBAC settings) | Delegated | Migrate channel folders and files of team sites and private/shared channels’ site collections. |
| Microsoft Graph | User.Read.All(Read all users’ full profiles) | Delegated | Retrieve information of Microsoft 365 user profiles. |
| Microsoft Graph | ChannelMember.ReadWrite.All(Add and remove members from all channels) | Delegated | Migrate private/shared channel members. |
| Microsoft Graph | TeamworkTag.ReadWrite(Read and write tags in Teams) | Delegated | Migrate tags. |
| Microsoft Graph | TeamsAppInstallation.ReadWriteAndConsentForTeam | Delegated | Manage installed Teams apps in Teams. |
| Microsoft Graph | TeamMember.ReadWrite.All(Add and remove members from all teams) | Delegated | Migrate team members. |
For easy use, you can directly use the following commands to add required API permissions through Manifest.
"requiredResourceAccess": [
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "4e46008b-f24c-477d-8fff-7bb4ec7aafe0",
"type": "Scope"
},
{
"id": "205e70e5-aba6-4c52-a976-6d2d46c48043",
"type": "Scope"
},
{
"id": "a154be20-db9c-4678-8ab7-66f6cc099a59",
"type": "Scope"
},
{
"id": "5c28f0bf-8a70-41f1-8ab2-9032436ddb65",
"type": "Scope"
},
{
"id": "0c3e411a-ce45-4cd1-8f30-f99a3efa7b11",
"type": "Scope"
},
{
"id": "d2813b3d-8ab2-4dac-a43d-3ac685f19416",
"type": "Scope"
},
{
"id": "4a06efd2-f825-4e34-813e-82a57b03d1ee",
"type": "Scope"
},
{
"id": "2f9ee017-59c1-4f1d-9472-bd5529a7b311",
"type": "Scope"
},
{
"id": "946349d5-2a9d-4535-abc0-7beeacaedd1d",
"type": "Scope"
},
{
"id": "741c54c3-0c1e-44a1-818b-3f97ab4e8c83",
"type": "Scope"
}
]
},
{
"resourceAppId": "00000012-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "c9c9a04d-3b66-4ca8-a00c-fca953e2afd3",
"type": "Scope"
}
]
},
{
"resourceAppId": "870c4f2e-85b6-4d43-bdda-6ed9a579b725",
"resourceAccess": [
{
"id": "34f7024b-1bed-402f-9664-f5316a1e1b4a",
"type": "Scope"
}
]
},
{
"resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
"resourceAccess": [
{
"id": "ab4f2b77-0b06-4fc1-a9de-02113fc2ab7c",
"type": "Scope"
},
{
"id": "3b5f3d61-589b-4a3c-a359-5dd4b5ee5bd5",
"type": "Scope"
}
]
},
{
"resourceAppId": "00000003-0000-0ff1-ce00-000000000000",
"resourceAccess": [
{
"id": "56680e0d-d2a3-4ae1-80d8-3c4f2100e3d0",
"type": "Scope"
},
{
"id": "59a198b5-0420-45a8-ae59-6da1cb640505",
"type": "Scope"
}
]
}
],
Custom Delegated App Profile (21Vianet Tenants)
Make sure the custom delegated app profile has the following permissions.
| API | Permission | Type | Purpose |
|---|---|---|---|
| Microsoft Information Protection Sync Service | UnifiedPolicy.User.Read(Read all unified policies a user has access to) | Delegated | Only required if you want to manage the sensitivity labels of files/emails/Teams. |
| Microsoft Rights Management Services | user_impersonation(Create and access protected content for users) | Delegated | Only required if you want to manage the sensitivity labels of files/emails/Teams. |
| SharePoint | AllSites.FullControl(Have full control of all site collections) | Delegated | Retrieve settings and permissions of team sites. |
| SharePoint | TermStore.ReadWrite.All(Read managed metadata) | Delegated | Retrieve and migrate Managed Metadata Service. |
| Office 365 Exchange Online | EWS.AccessAsUser.All (Access mailboxes as the signed-in user via Exchange Web Services) | Delegated | Access mailboxes as the signed-in user via Exchange Web Services |
| Microsoft Graph | Domain.Read.All(Read domains) | Delegated | Retrieve domains. |
| Microsoft Graph | RoleManagement.Read.Directory(Read directory RBAC settings) | Delegated | Retrieve directory roles. |
| Microsoft Graph | Group.ReadWrite.All(Read and write all groups) | Delegated | Migrate Microsoft 365 Groups and Group data. |
| Microsoft Graph | Sites.Read.All(Read items in all site collections) | Delegated | Retrieve channel folders and files of team sites and private channels’ site collections. |
| Microsoft Graph | Files.ReadWrite(Have full access to user files and files shared with user) | Delegated | Migrate channel folders and files of team sites and private/shared channels’ site collections. |
| Microsoft Graph | User.Read.All(Read all users’ full profiles) | Delegated | Retrieve information of Microsoft 365 user profiles. |
| Microsoft Graph | ChannelMember.ReadWrite.All(Add and remove members from all channels) | Delegated | Migrate private/shared channel members. |
| Microsoft Graph | TeamworkTag.ReadWrite(Read and write tags in Teams) | Delegated | Migrate tags. |
| Microsoft Graph | TeamMember.ReadWrite.All(Add and remove members from all teams) | Delegated | Migrate team members. |
For easy use, you can directly use the following commands to add required API permissions through Manifest.
"requiredResourceAccess": [
{
"resourceAppId": "00000003-0000-0ff1-ce00-000000000000",
"resourceAccess": [
{
"id": "59a198b5-0420-45a8-ae59-6da1cb640505",
"type": "Scope"
},
{
"id": "56680e0d-d2a3-4ae1-80d8-3c4f2100e3d0",
"type": "Scope"
}
]
},
{
"resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
"resourceAccess": [
{
"id": "522c3758-e3ef-4482-af45-40e5d9aabd1e",
"type": "Scope"
}
]
},
{
"resourceAppId": "870c4f2e-85b6-4d43-bdda-6ed9a579b725",
"resourceAccess": [
{
"id": "34f7024b-1bed-402f-9664-f5316a1e1b4a",
"type": "Scope"
}
]
},
{
"resourceAppId": "797f4846-ba00-4fd7-ba43-dac1f8f63013",
"resourceAccess": [
{
"id": "41094075-9dad-400e-a0bd-54e686782033",
"type": "Scope"
}
]
},
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "84160c94-5d27-49e7-a742-2b941e4f2987",
"type": "Scope"
},
{
"id": "3eef517f-e083-4ef1-92d2-089c3265351d",
"type": "Scope"
},
{
"id": "5c28f0bf-8a70-41f1-8ab2-9032436ddb65",
"type": "Scope"
},
{
"id": "4e46008b-f24c-477d-8fff-7bb4ec7aafe0",
"type": "Scope"
},
{
"id": "741c54c3-0c1e-44a1-818b-3f97ab4e8c83",
"type": "Scope"
},
{
"id": "205e70e5-aba6-4c52-a976-6d2d46c48043",
"type": "Scope"
},
{
"id": "3f626c00-b3fc-4dee-9371-503d58fbfc0d",
"type": "Scope"
},
{
"id": "ce73714b-d1cf-47c3-8a27-eab4b818a7c5",
"type": "Scope"
},
{
"id": "a154be20-db9c-4678-8ab7-66f6cc099a59",
"type": "Scope"
}
]
}
],