AvePoint Docs
Graph API
My support tickets
Graph API
My support tickets
English

    Home > Perform OneDrive Migrations > Required Permissions for OneDrive Migration > Permissions for Destination OneDrive > Service Account Permissions

    Export to PDF

    Service Account Permissions

    The Tenant Owner and Service Administrators can also for Microsoft 365 to connect AvePoint Online Services to your Microsoft 365 tenant.

    *Note: Users with Multi-Factor Authentication (MFA) enabled cannot be used as the service account to perform migrations. You can use a delegated app profile instead.

    If you use both the app profile and service account authentications for the destination, there are no permission requirements for the service account.

    If you only use the service account authentication for the destination, make sure the service account meets the following requirements:

    - **Site Collection Administrator** > ***Note**: If Fly detects that the service account is not the **Site Collection Administrator**, but the service account has the **SharePoint Administrator** or **Global Administrator** role, Fly will automatically add the service account as the **Site Collection Administrator** of the site collection. - **SharePoint Administrator** is also required in the following cases: - To use the scan profile to scan OneDrive sites in AvePoint Online Services, the service account must be the **SharePoint** **Administrator**. - To create new OneDrive sites in the destination during the migration, the destination service account must be the **SharePoint** **Administrator**. - To manage sensitivity labels of sites during the migration, the destination service account must be the **SharePoint Administrator**. > ***Note**: If the **SharePoint Administrator** cannot access the SharePoint admin center, the **Global Administrator** is required. - To manage Rights Management service (RMS) and sensitivity labels of the **Let user assign permissions when they apply the label** type of files during the migration, the service account must have the **super user** role. Refer to  for details. - Service account pool is no longer available in migrations. If you have used the service account pool for the source and/or destination OneDrive before, and you want to continue using the service account pool, you can select multiple service accounts when creating OneDrive connections, and make sure all selected service accounts have the roles mentioned above.