#Permissions for Destination SharePoint Online

To connect to the destination, you can choose to only use a service account/delegated app profile, Fly app profile, or custom app profile as the authentication method. You can also use the combination of a service account/delegated app profile and a Fly app profile, or the combination of a service account/delegated app profile and a custom app profile.

Refer to the following sections to view the permissions required by the authentication methods.

#Fly App Profile Permissions

With the Tenant Owner or Service Administrator role, you can create a Fly app profile in AvePoint Online Services > Management > App management to connect to the Microsoft 365 tenant using the Fly app.

Refer to Fly App Profile Permissions about how to create a Fly app profile and required permissions of the Fly app profile.

To migrate Power Apps for lists in SharePoint Online migrations, an app profile for Power Platform is required. Refer to the Fly App for Power Platform Permissions (Default app) section in Permissions for Destination Power Platform for required permissions.

#Custom App Profile Permissions

With the Tenant Owner and Service Administrator role, you can create a custom app profile in AvePoint Online Services > Management > App management to connect to the Microsoft 365 tenant using a custom Azure app.

Refer to the following procedures to create a custom app profile:

1. Prepare a certificate in Microsoft Entra ID. Refer to for more information.

   You can ignore this step if you have a certificate.

2. Create a custom Azure app in Microsoft Entra ID. Refer to for more information.

3. *Note: If the destination is a multi-geo tenant, and the destination Microsoft 365 Groups need to be created in a defined location, you need to assign the SharePoint administrator role to the custom Azure app. Refer to the How to Assign the SharePoint Administrator role to an App? section below for instructions.

4. .

5. in AvePoint Online Services.

*Note: After you re-authorize the app profile, you need to wait about one hour before using the app profile for your migration to refresh the token if there are permissions updated.

API	Permission	Type	Purpose
Microsoft Graph	User.Read.All(Read user profiles)	Application	Retrieve and migrate Microsoft 365 users.
Microsoft Graph	RoleManagement.Read.Directory(Read all directory RBAC settings)	Application	Retrieve Microsoft global groups and check required roles of the service account.
Microsoft Graph	Files.Read.All(Read files in all site collections)	Application	Retrieve channel folders in destination team sites.
Microsoft Graph	Directory.ReadWrite.All(Read and write directory data)	Application	Only required if you want to create site collections related to Microsoft 365 Groups in multi-geo tenants.
Microsoft Graph	Group.ReadWrite.All
(Read and write all groups)	Application	Retrieve and migrate Microsoft 365 Groups and Group members. *Note: The permission is required in the following situations when running SharePoint Online migrations:● Create Microsoft 365 groups and add group members when migrating source team sites related to Microsoft 365 Groups.● Map source SharePoint Groups (Owners/Members/Visitors) to destination Microsoft 365 Groups and add users to the Microsoft 365 Groups as owners or members when migrating team sites without Microsoft 365 Groups to team sites related to Microsoft 365 Groups. If you want to use Microsoft 365 Groups Migration to migrate the Microsoft 365 Groups to which the team sites belong, you can remove this permission.
Microsoft Information Protection Sync Service	UnifiedPolicy.Tenant.Read (Read all unified policies of the tenant)	Application	Only required if you want to manage sensitivity labels of files/sites.
Azure Rights Management Services *Note: For 21Vianet tenants, the API name is Microsoft Rights Management Services.	Content.DelegatedWriter (Create protected content on behalf of a user)	Application	Only required if you want to manage sensitivity labels of files/sites.
Azure Rights Management Services *Note: For 21Vianet tenants, the API name is Microsoft Rights Management Services.	Content.Writer (Create protected content)	Application	Only required if you want to manage sensitivity labels of files/sites.
SharePoint/Office 365 SharePoint Online	Sites.FullControl.All (Have full control of all site collections)	Application	Retrieve settings and permissions of SharePoint Online site collections.
SharePoint/Office 365 SharePoint Online	TermStore.ReadWrite.All(Read and write managed metadata)	Application	Retrieve and migrate to Managed Metadata Service.*Note: If the term groups/term sets/terms with the same name and level (global or local level) as the source ones exist in the destination, you can change this permission to TermStore.Read.All.

For easy use, you can directly use the following commands to add required API permissions through Manifest for Microsoft 365 Commercial tenants.

"requiredResourceAccess": [

        {

            "resourceAppId": "00000003-0000-0ff1-ce00-000000000000",

            "resourceAccess": [

                {

                    "id": "678536fe-1083-478a-9c59-b99265e6b0d3",

                    "type": "Role"

                },

                {

                    "id": "c8e3537c-ec53-43b9-bed3-b2bd3617ae97",

                    "type": "Role"

                }

            ]

        },

        {

            "resourceAppId": "00000012-0000-0000-c000-000000000000",

            "resourceAccess": [

                {

                    "id": "006e763d-a822-41fc-8df5-8d3d7fe20022",

                    "type": "Role"

                },

                {

                    "id": "d13f921c-7f21-4c08-bade-db9d048bd0da",

                    "type": "Role"

                }

            ]

        },

        {

            "resourceAppId": "00000003-0000-0000-c000-000000000000",

            "resourceAccess": [

                {

                    "id": "19dbc75e-c2e2-444c-a770-ec69d8559fc7",

                    "type": "Role"

                },

                {

                    "id": "01d4889c-1287-42c6-ac1f-5d1e02578ef6",

                    "type": "Role"

                },

                {

                    "id": "62a82d76-70ea-41e2-9197-370581804d09",

                    "type": "Role"

                },

                {

                    "id": "483bed4a-2ad3-4361-a73b-c83ccdbdc53c",

                    "type": "Role"

                },

                {

                    "id": "df021288-bdef-4463-88db-98f22de89214",

                    "type": "Role"

                }

            ]

        },

        {

            "resourceAppId": "870c4f2e-85b6-4d43-bdda-6ed9a579b725",

            "resourceAccess": [

                {

                    "id": "8b2071cd-015a-4025-8052-1c0dba2d3f64",

                    "type": "Role"

                }

            ]

        }

    ],

*Note: The permissions listed above are required to migrate all site collections in your tenant. If you only need to migrate specific site collections, change to use another custom app with different set of permissions. Refer to the following instructions:

1. Add the following permissions to your app to be used.

API	Permission	Type	Purpose
Microsoft Graph	User.Read.All(Read user profiles)	Application	Retrieve and migrate Microsoft 365 users.
Microsoft Graph	Files.Read.All(Read files in all site collections)	Application	Retrieve channel folders in destination team sites.
Microsoft Graph	RoleManagement.Read.Directory(Read all directory RBAC settings)	Application	Retrieve Microsoft global groups and check required roles of the service account.
Microsoft Graph	Sites.Selected(Access selected site collections)	Application	Retrieve and migrate data of specified site collections.
Microsoft Graph	Group.ReadWrite.All
(Read and write all groups)	Application	Retrieve and migrate Microsoft 365 Groups and Group members. *Note: The permission is required in the following situations when running SharePoint Online migrations:● Create Microsoft 365 groups and add group members when migrating source team sites related to Microsoft 365 Groups.● Map source SharePoint Groups (Owners/Members/Visitors) to destination Microsoft 365 Groups and add users to the Microsoft 365 Groups as owners or members when migrating team sites without Microsoft 365 Groups to team sites related to Microsoft 365 Groups. If you want to use Microsoft 365 Groups Migration to migrate the Microsoft 365 Groups to which the team sites belong, you can remove this permission.
Microsoft Information Protection Sync Service	UnifiedPolicy.Tenant.Read (Read all unified policies of the tenant.)	Application	Only required if you want to manage sensitivity labels of files/sites.
Azure Rights Management Services *Note: For 21Vianet tenants, the API name is Microsoft Rights Management Services.	Content.DelegatedWriter (Create protected content on behalf of a user)	Application	Only required if you want to manage sensitivity labels of files/sites.
Azure Rights Management Services *Note: For 21Vianet tenants, the API name is Microsoft Rights Management Services.	Content.Writer (Create protected content)	Application	Only required if you want to manage sensitivity labels of files/sites.
SharePoint/Office 365 SharePoint Online	Sites.Selected(Access selected site collections)	Application	Retrieve and migrate data of specified site collections.
SharePoint/Office 365 SharePoint Online	TermStore.ReadWrite.All(Read and write managed metadata)	Application	Retrieve and migrate to Managed Metadata Service.*Note: If the term groups/term sets/terms with the same name and level (global or local level) as the source ones exist in the destination, you can change this permission to TermStore.Read.All.

"requiredResourceAccess": [

        {

            "resourceAppId": "00000003-0000-0000-c000-000000000000",

            "resourceAccess": [

                {

                    "id": "01d4889c-1287-42c6-ac1f-5d1e02578ef6",

                    "type": "Role"

                },

                {

                    "id": "62a82d76-70ea-41e2-9197-370581804d09",

                    "type": "Role"

                },

                {

                    "id": "483bed4a-2ad3-4361-a73b-c83ccdbdc53c",

                    "type": "Role"

                },

                {

                    "id": "883ea226-0bf2-4a8f-9f9d-92c9162a727d",

                    "type": "Role"

                },

                {

                    "id": "df021288-bdef-4463-88db-98f22de89214",

                    "type": "Role"

                }

            ]

        },

        {

            "resourceAppId": "00000003-0000-0ff1-ce00-000000000000",

            "resourceAccess": [

                {

                    "id": "c8e3537c-ec53-43b9-bed3-b2bd3617ae97",

                    "type": "Role"

                },

                {

                    "id": "20d37865-089c-4dee-8c41-6967602d4ac8",

                    "type": "Role"

                }

            ]

        },

        {

            "resourceAppId": "00000012-0000-0000-c000-000000000000",

            "resourceAccess": [

                {

                    "id": "006e763d-a822-41fc-8df5-8d3d7fe20022",

                    "type": "Role"

                },

                {

                    "id": "d13f921c-7f21-4c08-bade-db9d048bd0da",

                    "type": "Role"

                }

            ]

        },

        {

            "resourceAppId": "870c4f2e-85b6-4d43-bdda-6ed9a579b725",

            "resourceAccess": [

                {

                    "id": "8b2071cd-015a-4025-8052-1c0dba2d3f64",

                    "type": "Role"

                }

            ]

        }

    ],

2. in your environment.

3. Access the and download the RegisterAzureADAppForGrantFullControl.ps1, GrantFullControlForSiteCollection.ps1 and SiteCollectionUrls.csv files to a custom folder on a machine with a network connection.

4. In the custom folder, open the RegisterAzureADAppForGrantFullControl.ps1 file with Notepad, and configure the following parameters based on your needs. Then, save the file.

   • Tenant – The name of your tenant. For example, mytenant.onmicrosoft.com.

   • AzureEnvironment – The Azure environment for authentication.

   • ApplicationName – (Optional) The name of the Azure AD app to be created. By default, the name will be PnP PowerShell For Grant Full Control.

5. Open Windows PowerShell and enter the following commands in the Windows PowerShell window:

   . "file path"

   Replace file path with the full path of the RegisterAzureADAppForGrantFullControl.ps1 file in the extracted folder, and press Enter on the keyboard.

6. Enter a password for the app certificate, and press Enter on the keyboard.

7. Sign in with a user in your tenant to create the app.

   *Note: While registering the Azure AD app, the Permissions requested page will appear. Sign in using the Global Administrator account and click Accept to continue the registration.

   The table below lists the required permissions by the app.

API	Permission	Type
Microsoft Graph	Sites.FullControl.All(Have full control of all site collections)	Application
Microsoft Graph	User.Read.All(Read all users’ full profiles)	Application
SharePoint/Office 365 SharePoint Online	Sites.FullControl(Have full control of all site collections)	Application
SharePoint/Office 365 SharePoint Online	User.Read.All(Read user profiles)	Application

8. A Register Azure AD App_(TimeStamp).log file will be generated in the same directory as the script. You can view the execution details in the file.

9. In the custom folder, open the SiteCollectionUrls.csv file, and enter the URL of the site collections to be migrated as below.

   

10. In the custom folder, open the GrantFullControlForSiteCollection.ps1 file with Notepad.

11. Configure the following parameters with required information.

    • $appId = ' ' – Enter the client ID of your custom app.

    • $appName = ' ' – Enter the display name of your custom app.

    • $AzureEnvironment = ' ' – Enter the Azure environment for authentication.

    • $certPath = 'PnP PowerShell For Grant Full Control AppCertificate Path(.pfx)' – Enter the full path of the generated app certificate.

    • $connection = Connect-PnPOnline

      • Url – Enter the SharePoint admin center URL of your tenant.

        *Note: Your custom app may not have permissions to the SharePoint admin center URL. To avoid verifying the tenant domain while adding the connection in Fly, you can add the IsCheckAdminUrl=false string to the Customized features section in the migration policy.

      • ClientId – Enter the client ID of the PnP PowerShell For Grant Full Control app.

      • Tenant – Enter the ID of your tenant.

12. Open Windows PowerShell and enter the following commands in the Windows PowerShell window:

    . "file path"

    Replace file path with the full path of the GrantFullControlForSiteCollection.ps1 file in the extracted folder, and press Enter on the keyboard.

    

13. Enter the certificate key of your custom app, and press Enter on the keyboard.

14. Enter the certificate password of the PnP PowerShell For Grant Full Control app, and press Enter on the keyboard.

How to Assign the SharePoint Administrator role to an App?

To assign the SharePoint administrator role to an app, refer to the following steps:

1. Log in to Microsoft Entra admin center (or Azure portal) and navigate to Microsoft Entra ID.

2. Click Roles & admins (or Roles and administrators) in the left pane, and click SharePoint Administrator.

3. 

   On the Assignments page, click Add assignments. The Add assignments panel appears.

   Enter the app name in the search box to search for the app to which you want to assign the role.

   

4. Select the app, and click Add to assign the role. Note that the assigned role will take effect in about 30 minutes.

If your Microsoft interface is updated and different from the above screenshots, refer to the following steps to assign the SharePoint administrator role to an app:

1. Log in to Microsoft Entra admin center (or Azure portal) and navigate to Microsoft Entra ID.

2. Click Roles & admins (or Roles and administrators) in the left pane, and click SharePoint Administrator.

3. 

4. On the Assignment page, click Add assignments. The Add assignments page appears.

5. Click No member selected in the Selected member(s) section. The Select a member panel appears and enter the app name in the search box to search for the app to which you want to assign the role.

6. 

7. Click the app, and click Select to select the app.

8. Click Next.

9. Select Active in the Assignment type section and enter the justification in the Enter justification text box.

10. 

11. Click Assign to assign the role. Note that the assigned role will take effect in about 30 minutes.

#Service Account Permissions

The Tenant Owner and Service Administrators can also for Microsoft 365 to connect AvePoint Online Services to your Microsoft 365 tenant.

*Note: Users with Multi-Factor Authentication (MFA) enabled cannot be used as the service account to perform migrations. You can use a delegated app profile instead.

If you use both the app profile and service account authentications for the destination, there are no permission requirements for the service account.

If you only use the service account authentication for the destination, make sure the service account meets the following requirements:

To migrate Power Apps that are used to customized list forms in lists, also make sure the service account meets the following requirements:

To remove the service account from the site collections, refer to the following steps:

1. Click to download the Remove-SharePointOnlineUser.zip file. Then, extract the file.

2. In the extracted folder, configure the site collection URLs from which you want to remove the service account in the sites.csv file.

3. Install the SharePoint Online Management Shell on the Windows Server that can connect to your SharePoint Online. You can click the to download the SharePoint Online Management Shell.

4. Open Windows PowerShell and enter the following commands in the Windows PowerShell window:

   . "file path"

   Replace file path with the full path of the Remove-SharePointOnlineUser.ps1 file in the extracted folder, and press Enter on the keyboard.

   

5. Enter the following commands, and press Enter on the keyboard:

Remove-SharePointOnlineUser -LoginName "" -AdministrationCenterUrl "" -Path ""

#Delegated App Profile Permissions

Fly allows you to use the Fly delegated app profile or custom delegated app profile to connect to your workspace.

*Note: The license and permission requirements for the consent user are the same as those for the service account.

API	Permission	Type	Purpose
Microsoft Graph	User.Read.All(Read user profiles)	Delegated	Retrieve and migrate Microsoft 365 users.
Microsoft Graph	Files.Read.All(Read files in all site collections)	Delegated	Retrieve channel folders in destination team sites.
Microsoft Graph	Directory.ReadWrite.All(Read and write directory data)	Delegated	Only required if you want to create site collections related to Microsoft 365 Groups in multi-geo tenants.
Microsoft Graph	Group.ReadWrite.All(Read and write all groups)	Delegated	Retrieve and migrate Microsoft 365 Groups and Group members. *Note: The permission is required in the following situations when running SharePoint Online migrations:● Create Microsoft 365 groups and add group members when migrating source team sites related to Microsoft 365 Groups.● Map source SharePoint Groups (Owners/Members/Visitors) to destination Microsoft 365 Groups and add users to the Microsoft 365 Groups as owners or members when migrating team sites without Microsoft 365 Groups to team sites related to Microsoft 365 Groups. If you want to use Microsoft 365 Groups Migration to migrate the Microsoft 365 Groups to which the team sites belong, you can remove this permission.
Microsoft Graph	RoleManagement.Read.Directory(Read all directory RBAC settings)	Delegated	Retrieve Microsoft global groups and check required roles of the service account.
Microsoft Information Protection Sync Service	UnifiedPolicy.User.Read (Read all unified policies a user has access to)	Delegated	Only required if you want to manage sensitivity labels of files/sites.
Azure Rights Management Services *Note: For 21Vianet tenants, the API name is Microsoft Rights Management Services.	user_impersonation (Create and access protected content for users)	Delegated	Only required if you want to manage sensitivity labels of files/sites.
SharePoint/Office 365 SharePoint Online	AllSites.FullControl(Have full control of all site collections)	Delegated	Migrate SharePoint Online site collections.
SharePoint/Office 365 SharePoint Online	TermStore.ReadWrite.All(Read and write managed metadata)	Delegated	Retrieve and migrate to Managed Metadata Service.*Note: If the term groups/term sets/terms with the same name and level (global or local level) as the source ones exist in the destination, you can change this permission to TermStore.Read.All.

For easy use, you can directly use the following commands to add required API permissions through Manifest for Microsoft 365 Commercial tenants.

"requiredResourceAccess": [

        {

            "resourceAppId": "00000003-0000-0ff1-ce00-000000000000",

            "resourceAccess": [

                {

                    "id": "59a198b5-0420-45a8-ae59-6da1cb640505",

                    "type": "Scope"

                },

                {

                    "id": "56680e0d-d2a3-4ae1-80d8-3c4f2100e3d0",

                    "type": "Scope"

                }

            ]

        },

        {

            "resourceAppId": "00000003-0000-0000-c000-000000000000",

            "resourceAccess": [

                {

                    "id": "c5366453-9fb0-48a5-a156-24f0c49a4b84",

                    "type": "Scope"

                },

                {

                    "id": "df85f4d6-205c-4ac5-a5ea-6bf408dba283",

                    "type": "Scope"

                },

                {

                    "id": "4e46008b-f24c-477d-8fff-7bb4ec7aafe0",

                    "type": "Scope"

                },

                {

                    "id": "741c54c3-0c1e-44a1-818b-3f97ab4e8c83",

                    "type": "Scope"

                },

                {

                    "id": "a154be20-db9c-4678-8ab7-66f6cc099a59",

                    "type": "Scope"

                }

            ]

        },

        {

            "resourceAppId": "00000012-0000-0000-c000-000000000000",

            "resourceAccess": [

                {

                    "id": "c9c9a04d-3b66-4ca8-a00c-fca953e2afd3",

                    "type": "Scope"

                }

            ]

        },

        {

            "resourceAppId": "870c4f2e-85b6-4d43-bdda-6ed9a579b725",

            "resourceAccess": [

                {

                    "id": "34f7024b-1bed-402f-9664-f5316a1e1b4a",

                    "type": "Scope"

                }

            ]

        }

],