Permissions for Destination Power Platform

To import data to the destination environment, you can choose to use a combination of service account and app profile, or use an app profile only as the authentication method.

- The service account is used to connect to the destination environment.
- The app profile is used to map the source parameters to the corresponding destination parameters automatically. You can use a default app with automatically added permissions or use a custom delegated app with fewer permissions.

*Note: If the tenant has enabled a conditional access policy or if the service account has Multi-Factor Authentication (MFA) enabled, you can change to only use the Fly App for Power Platform or a custom delegated app profile for authentication and the consent user can have the MFA enabled.

Refer to the following sections to view the permissions required by the authentication methods.

Fly App for Power Platform Permissions (Default app)

The Tenant Owner and Service Administrators can create a default app profile for Power Platform in AvePoint Online Services.

Refer to the following steps to create a default app profile for Power Platform:

  1. Click Create on the App management page.

  2. On the Create app profile page, select a Microsoft 365 tenant where you want to create the app profile.

    *Note: Make sure your selected tenant has been connected to AvePoint Online Services.

  3. Click Fly, and click Next.

  4. Click Modern mode.

  5. Click Consent of Fly for Power Platform.

  6. On the Microsoft 365 sign-in page, sign in with a Microsoft 365 Global Administrator account to consent to the app. The Microsoft 365 Global Administrator account is a requirement from Microsoft. Refer to the for more information.

    You can also use a Privileged Role Administrator account to consent to the app, but ensure it has the Power Platform Administrator role. Refer to How to Assign the Exchange Administrator Role to an App? for examples of role assignment.

    On the Permissions requested page, review the permissions required for using Fly and click Accept to accept the permissions to ensure the AvePoint Online Services and Fly functionality works. (The required permissions are listed in the table below.)

  7. Click Finish to create the app profile.

*Note: After the app profile is created, if you want to remove the Global Administrator role from the app profile, you can re-authorize the app profile and change to use the User consent method. Refer to for more information.

After you re-authorize the app profile, if any permissions were updated, wait about one hour before using the app profile for your migration so that the token is refreshed.

Refer to the following API permissions of the default app required by Power Platform migrations.

| API | Permission | Type | Purpose |
| --- | --- | --- | --- |
| SharePoint/Office 365 SharePoint Online | Sites.Read.All (Read items in all site collections) | Application | Retrieve source trigger parameters. |
| Microsoft Graph | TeamSettings.Read.All (Read all teams’ settings) | Application | Retrieve Team settings. |
| Microsoft Graph | TeamworkTag.Read.All (Read tags in Teams) | Application | Retrieve team tags. (You can ignore this if your tenant is for Microsoft 365 Government High environment since the environment does not support Team tags.) |
| Microsoft Graph | ChannelSettings.Read.All (Read the names, descriptions, and settings of all channels) | Application | Retrieve channel settings. |
| Microsoft Graph | Sites.Read.All (Read items in all site collections) | Application | Retrieve the SharePoint site and list information. |
| Microsoft Graph | Group.Read.All (Read all groups) | Application | Retrieve Group information. |
| Microsoft Graph | Contacts.Read (Read contacts in all mailboxes) | Application | Retrieve user’s contact folder information. |
| Microsoft Graph | Mail.Read (Read mail in all mailboxes) | Application | Retrieve user’s mail folder information. |
| Microsoft Graph | Calendars.Read (Read calendars in all mailboxes) | Application | Retrieve user’s calendar information. |
| Microsoft Graph | Directory.Read.All | Application | Retrieve your organization’s Microsoft Entra data. Use this permission to get user list (user ID+UPN) to find the user information in apps and flows. |
| Microsoft Graph | Place.Read.All (Read all company places) | Application | Retrieve the room list parameter. |
| Commercial environment: PowerApps Service; GCC environment: PowerApps Service – GCC; GCC High environment: PowerApps Service – GCC L4 | User (Access the PowerApps Service API) | Delegated | Read/Create/Update Power Platform environments, apps, and cloud flows. |
| Power Automate | Flows.Manage.All (Allow the application to manage flows) | Delegated | Read/Create/Update flows. |
| Dataverse | user_impersonation (Access Common Data Service as organization users) | Delegated | Read/Create/Update Power Automate desktop flows and business process flows. |
| Microsoft Forms | Forms.Read.All (View forms) | Application | Map forms and generate a Forms ID mapping. |

Service Account Permissions

The Tenant Owner and Service Administrators can in AvePoint Online Services.

*Note: The service account can be a non-administrator user if you only use the service account for Fly.

*Note: Users with Multi-Factor Authentication (MFA) enabled cannot be used as the service account to perform migrations.

Make sure the service account meets the following requirements:

- Has a license for Microsoft Power Apps or Microsoft Power Automate

  > ***Note**: To assign the licenses to the service account, go to the Microsoft 365 admin center > **Users** > **Active users**, and select **Power Apps for Office 365** and **Power Automate for Office 365** under the **Licenses and apps** tab of the service account.

- Must be the System Administrator of the corresponding environment

  > ***Note**: To add the **System Administrator** role to the service account, complete the following steps:
  >
  > 1. Go to the Microsoft 365 admin center > **All admin centers**.
  > 2. Click **Dynamics 365 Apps** to access the Power Platform admin center.
  > 3. Under the **Environments** tab, select the target environment, and click **Settings** on the ribbon.
  >
  >    ***Note**: The **Settings** action will be unavailable if you do not add the Dataverse to your environment. Make sure you have added the Dataverse.
  > 4. Click the **Users + permissions** section, and click **Users**.
  > 5. Click the service account, click **Manage roles**, and select **System Administrator** for the service account.

Custom Delegated App Profile Permissions

Fly allows you to use the custom delegated app profile to connect to your destination.

*Note: The license and permission requirements for the consent user are the same as those for the service account.

*Note: If the consent user of the delegated app profile has Multi-Factor Authentication (MFA) enabled, you must authorize or re-authorize the delegated app profile after MFA is enabled. Otherwise, the migration jobs using the delegated app profile will fail.

*Note: If you re-authorize the app profile, you need to wait about one hour before using the app profile for your migration to refresh the token when there are permissions updated.

To use a custom delegated app profile with required permissions, refer to the following steps:

  1. After registering an app in Microsoft Entra ID, add the required permissions to the app. The table below shows the required permissions of a custom app.

| API | Permission | Type | Purpose |
| --- | --- | --- | --- |
| SharePoint/Office 365 SharePoint Online | Sites.Read.All (Read items in all site collections) | Application | Retrieve source trigger parameters. |
| Microsoft Graph | TeamSettings.Read.All (Read all teams’ settings) | Application | Retrieve Team settings. |
| Microsoft Graph | TeamworkTag.Read.All (Read tags in Teams) | Application | Retrieve team tags. (You can ignore this if your tenant is for Microsoft 365 Government High environment since the environment does not support Team tags.) |
| Microsoft Graph | ChannelSettings.Read.All (Read the names, descriptions, and settings of all channels) | Application | Retrieve channel settings. |
| Microsoft Graph | Sites.Read.All (Read items in all site collections) | Application | Retrieve the SharePoint site and list information. |
| Microsoft Graph | Group.Read.All (Read all groups) | Application | Retrieve Group information. |
| Microsoft Graph | Contacts.Read (Read contacts in all mailboxes) | Application | Retrieve user’s contact folder information. |
| Microsoft Graph | Mail.Read (Read mail in all mailboxes) | Application | Retrieve user’s mail folder information. |
| Microsoft Graph | Calendars.Read (Read calendars in all mailboxes) | Application | Retrieve user’s calendar information. |
| Microsoft Graph | Directory.Read.All | Application | Retrieve your organization’s Microsoft Entra data. Use this permission to get user list (user ID+UPN) to find the user information in apps and flows. |
| Microsoft Graph | Place.Read.All (Read all company places) | Application | Retrieve the room list parameter. |
| Microsoft Graph | User.Read | Delegated | Authorize to AOS. |
| Commercial environment: PowerApps Service; GCC environment: PowerApps Service – GCC; GCC High environment: PowerApps Service – GCC L4 | User (Access the PowerApps Service API) | Delegated | Retrieve information of Power Platform environments, apps, and cloud flows. |
| Power Automate | Flows.Manage.All (Allow the application to manage flows) | Delegated | Retrieve and manage flows. |
| Dataverse | user_impersonation (Access Common Data Service as organization users) | Delegated | Retrieve information of Power Automate desktop flows and business process flows. |
| Microsoft Forms | Forms.Read.All (View forms) | Application | Map forms and generate a Forms ID mapping. |

For convenience, you can add the required API permissions directly through **Manifest** by using the following entries for Microsoft 365 Commercial tenants.

```json
"requiredResourceAccess": [
  {
    "resourceAppId": "c9a559d2-7aab-4f13-a6ed-e7e9c52aec87",
    "resourceAccess": [
      {
        "id": "5dadf886-6063-4169-a7a7-88a2a9f8f7cd",
        "type": "Role"
      }
    ]
  },
  {
    "resourceAppId": "00000003-0000-0ff1-ce00-000000000000",
    "resourceAccess": [
      {
        "id": "d13f72ca-a275-4b96-b789-48ebcc4da984",
        "type": "Role"
      }
    ]
  },
  {
    "resourceAppId": "7df0a125-d3be-4c96-aa54-591f83ff541c",
    "resourceAccess": [
      {
        "id": "30b2d850-00c3-4802-b7ae-ece9af9de5c6",
        "type": "Scope"
      }
    ]
  },
  {
    "resourceAppId": "00000007-0000-0000-c000-000000000000",
    "resourceAccess": [
      {
        "id": "78ce3f0f-a1ce-49c2-8cde-64b5c0896db4",
        "type": "Scope"
      }
    ]
  },
  {
    "resourceAppId": "475226c6-020e-4fb2-8a90-7a972cbfc1d4",
    "resourceAccess": [
      {
        "id": "0eb56b90-a7b5-43b5-9402-8137a8083e90",
        "type": "Scope"
      }
    ]
  },
  {
    "resourceAppId": "00000003-0000-0000-c000-000000000000",
    "resourceAccess": [
      {
        "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
        "type": "Scope"
      },
      {
        "id": "798ee544-9d2d-430c-a058-570e29e34338",
        "type": "Role"
      },
      {
        "id": "c97b873f-f59f-49aa-8a0e-52b32d762124",
        "type": "Role"
      },
      {
        "id": "089fe4d0-434a-44c5-8827-41ba8a0b17f5",
        "type": "Role"
      },
      {
        "id": "7ab1d382-f21e-4acd-a863-ba3e13f7da61",
        "type": "Role"
      },
      {
        "id": "5b567255-7703-4780-807c-7be8301ae99b",
        "type": "Role"
      },
      {
        "id": "810c84a8-4a9e-49e6-bf7d-12d183f40d01",
        "type": "Role"
      },
      {
        "id": "913b9306-0ce1-42b8-9137-6a7df690a760",
        "type": "Role"
      },
      {
        "id": "332a536c-c7ef-4017-ab91-336970924f0d",
        "type": "Role"
      },
      {
        "id": "242607bd-1d2c-432c-82eb-bdb27baa23ab",
        "type": "Role"
      },
      {
        "id": "b74fd6c4-4bde-488e-9695-eeb100e4907f",
        "type": "Role"
      }
    ]
  }
],
```

  2. Click Authentication in the left navigation of the app.

  3. Click Add a platform.

  4. Select Web in the Configure platforms panel.

  5. In the Configure Web panel, enter the AvePoint Online Services URL: https://www.avepointonlineservices.com for your commercial environment or https://usgov.avepointonlineservices.com for your U.S. Government environment in the Redirect URIs field.

  6. Click Configure.

  7. Select the Access tokens and ID tokens checkboxes on the Authentication page.

  8. Click Save.

  9. Create an app profile for the app using the Custom mode in AvePoint Online Services by referring to .

    *Note: When consenting to the app, if you have granted the admin consent and allowed public client flows for the permissions, you can choose to use the Global Administrator consent or the User consent method. If not, you can only use the Global Administrator consent method.
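
The following is an added example, not AvePoint's code: a Python check that compares an app registration's `requiredResourceAccess` with the manifest fragment from step 1 and reports extra grants, Scope/Role type changes, and missing entries. In the manifest, `Role` is an application permission and `Scope` is a delegated one. The sample manifest and the `00000000-0000-0000-0000-0000000000aa` permission ID are constructed for illustration.

```python
import json

# Baseline from this page's manifest fragment: resourceAppId -> {id: "Role" | "Scope"}.
GRAPH = "00000003-0000-0000-c000-000000000000"
BASELINE = {
    "c9a559d2-7aab-4f13-a6ed-e7e9c52aec87": {"5dadf886-6063-4169-a7a7-88a2a9f8f7cd": "Role"},
    "00000003-0000-0ff1-ce00-000000000000": {"d13f72ca-a275-4b96-b789-48ebcc4da984": "Role"},
    "7df0a125-d3be-4c96-aa54-591f83ff541c": {"30b2d850-00c3-4802-b7ae-ece9af9de5c6": "Scope"},
    "00000007-0000-0000-c000-000000000000": {"78ce3f0f-a1ce-49c2-8cde-64b5c0896db4": "Scope"},
    "475226c6-020e-4fb2-8a90-7a972cbfc1d4": {"0eb56b90-a7b5-43b5-9402-8137a8083e90": "Scope"},
    GRAPH: {"e1fe6dd8-ba31-4d61-89e7-88639da4683d": "Scope", **dict.fromkeys((
        "798ee544-9d2d-430c-a058-570e29e34338", "c97b873f-f59f-49aa-8a0e-52b32d762124",
        "089fe4d0-434a-44c5-8827-41ba8a0b17f5", "7ab1d382-f21e-4acd-a863-ba3e13f7da61",
        "5b567255-7703-4780-807c-7be8301ae99b", "810c84a8-4a9e-49e6-bf7d-12d183f40d01",
        "913b9306-0ce1-42b8-9137-6a7df690a760", "332a536c-c7ef-4017-ab91-336970924f0d",
        "242607bd-1d2c-432c-82eb-bdb27baa23ab", "b74fd6c4-4bde-488e-9695-eeb100e4907f",
    ), "Role")},
}

def audit_manifest(manifest_text):
    """Return sorted (issue, resourceAppId, permission id) tuples for drift from BASELINE."""
    actual = {}
    for res in json.loads(manifest_text).get("requiredResourceAccess", []):
        actual.setdefault(res["resourceAppId"].lower(), {}).update(
            {e["id"].lower(): e["type"] for e in res.get("resourceAccess", [])})
    findings = []
    for app_id, perms in actual.items():
        expected = BASELINE.get(app_id, {})
        for perm_id, kind in perms.items():
            if perm_id not in expected:
                findings.append(("extra", app_id, perm_id))  # grant beyond the page's list
            elif kind != expected[perm_id]:
                findings.append((f"type {expected[perm_id]}->{kind}", app_id, perm_id))
    for app_id, expected in BASELINE.items():
        for perm_id in expected.keys() - actual.get(app_id, {}).keys():
            findings.append(("missing", app_id, perm_id))  # required entry absent
    return sorted(findings)

def constructed_manifest():
    """Constructed sample: baseline plus one added grant, one type change, one removal."""
    perms = {app: dict(p) for app, p in BASELINE.items()}
    perms[GRAPH]["00000000-0000-0000-0000-0000000000aa"] = "Role"  # placeholder id
    perms["7df0a125-d3be-4c96-aa54-591f83ff541c"]["30b2d850-00c3-4802-b7ae-ece9af9de5c6"] = "Role"
    del perms["c9a559d2-7aab-4f13-a6ed-e7e9c52aec87"]
    return json.dumps({"requiredResourceAccess": [
        {"resourceAppId": a, "resourceAccess": [{"id": i, "type": t} for i, t in p.items()]}
        for a, p in perms.items()]})

if __name__ == "__main__":
    print(*audit_manifest(constructed_manifest()), sep="\n")
```

An empty result means the registration requests exactly the entries listed on this page; an `extra` or `type Scope->Role` finding is worth reviewing before admin consent is granted.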