#Permissions for Source Exchange Online

To connect to the source, you can choose to only use a service account, Fly app profile, or custom app profile as the authentication method. You can also use the combination of a service account and a Fly app profile, or the combination of a service account and a custom app profile.

Refer to the following sections to view the permissions required by the authentication methods.

• Fly App Profile Permissions

• Custom App Profile Permissions

• Service Account Permissions

• Delegated App Profile Permissions

#Fly App Profile Permissions

With the Tenant Owner or Service Administrator role, you can create a Fly app profile in AvePoint Online Services > Management > App management to connect to the Microsoft 365 tenant using the Fly app.

Refer to Fly App Profile Permissions about how to create a Fly app profile and required permissions of the Fly app profile.

Note the following:

• If you want to perform Exchange Online tenant discovery or Exchange Online migrations, make sure the account that authorizes the app has a mailbox (either by assigning the Exchange license or using PowerShell to create a mailbox).

• You need to assign the Exchange Administrator role to the AvePoint Fly app in the following situations. Refer to How to Assign the Exchange Administrator Role to an App? for instructions.

  • To migrate distribution lists, dynamic distribution lists, or mail-enabled security groups.

  • To migrate shared calendar permissions.

  • To enable email forwarding.

  • To migrate mailbox permissions.

  If you do not want to assign the Exchange administrator role to the app, you can add custom roles to the app to ensure the availability of above functions. Refer to How to Add Custom Roles to an App? for details.

#Custom App Profile Permissions

With the Tenant Owner and Service Administrator role, you can create a custom app profile in AvePoint Online Services > Management > App management to connect to the Microsoft 365 tenant using a custom Azure app.

Refer to the following procedures to create a custom app profile:

1. Prepare a certificate in Microsoft Entra ID. Refer to Prepare a Certificate for the Custom Azure App for more information.

   You can ignore this step if you have a certificate.

2. Create a custom Azure app in Microsoft Entra ID. Refer to Create Custom Azure Applications for more information.

3. Connect your tenant to AvePoint Online Services.

4. Create an App Profile for a Custom Azure App in AvePoint Online Services.

#Migration to Exchange Online

Refer to the following tables to add API permissions required by Exchange Online to Exchange Online migrations.

Note the following:

• If you want to perform Exchange Online tenant discovery or Exchange Online to Exchange Online migrations, make sure the account that authorizes the app has a mailbox (either by assigning the Exchange license or using PowerShell to create a mailbox).

• You need to assign the Exchange Administrator role to the custom app in the following situations. Refer to How to Assign the Exchange Administrator Role to an App? for instructions.

  • To migrate distribution lists, dynamic distribution lists, or mail-enabled security groups.

  • To migrate shared calendar permissions.

  • To enable email forwarding.

  • To migrate mailbox permissions.

  If you do not want to assign the Exchange Administrator role to the app, you can add custom roles to the app to ensure the availability of above functions. Refer to How to Add Custom Roles to an App? for details.

For easy use, you can directly use the following commands to add required API permissions through Manifest for Microsoft 365 Commercial tenants.

"requiredResourceAccess": [
	{
		"resourceAppId": "00000003-0000-0000-c000-000000000000",
		"resourceAccess": [
			{
				"id": "df021288-bdef-4463-88db-98f22de89214",  //Required when using either the Graph API or EWS for migration.
				"type": "Role"
			},
			{
				"id": "b8bb2037-6e08-44ac-a4ea-4674e010e2a4",  //Required when using either the Graph API or EWS for migration.
				"type": "Role"
			},
			{
				"id": "810c84a8-4a9e-49e6-bf7d-12d183f40d01", //Required when using the Graph API instead of EWS for migration.
				"type": "Role"
			},
			{
				"id": "99280d24-a782-4793-93cc-0888549957f6", //Required when using the Graph API instead of EWS for migration.
				"type": "Role"
			},
			{
				"id": "76577085-e73d-4f1d-b26a-85fb33892327", //Required when using the Graph API instead of EWS for migration.
				"type": "Role"
			},
			{
				"id": "7d9f353d-a7bd-4fbb-822a-26d5dd39a3ce", //Required when using the Graph API instead of EWS for migration.
				"type": "Role"
			},
			{
				"id": "40f97065-369a-49f4-947c-6a255697ae91", //Required when using the Graph API instead of EWS for migration.
				"type": "Role"
			},
			{
				"id": "5b567255-7703-4780-807c-7be8301ae99b", //Required when using the EWS for migration.
				"type": "Role"
			},
			{
				"id": "230c1aed-a721-4c5d-9cb4-a90514e508ef",  //Required when using the EWS for migration.
				"type": "Role"
			},
			{
				"id": "7ab1d382-f21e-4acd-a863-ba3e13f7da61",  //Required when using the EWS for migration.
				"type": "Role"
			},
			{
				"id": "b8bb2037-6e08-44ac-a4ea-4674e010e2a4",  //Required when using either the Graph API or EWS for migration.
				"type": "Role"
			},
			{
				"id": "ee353f83-55ef-4b78-82da-555bfa2b4b95",  //Required when using the EWS for migration.
				"type": "Role"
			}
		]
	},
	{
		"resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
		"resourceAccess": [
			{
				"id": "dc890d15-9560-4a4c-9b7f-a736ec74ec40",  //Required when using the EWS for migration.
				"type": "Role"
			},
			{
				"id": "dc50a0fb-09a3-484d-be87-e023b12c6440",  //Required when using either the Graph API or EWS for migration.
				"type": "Role"
			}
		]
	},
	{
		"resourceAppId": "870c4f2e-85b6-4d43-bdda-6ed9a579b725",
		"resourceAccess": [
			{
				"id": "8b2071cd-015a-4025-8052-1c0dba2d3f64", //Required when using either the Graph API or EWS for migration.
				"type": "Role"
			}
		]
	},
	{
		"resourceAppId": "00000012-0000-0000-c000-000000000000",
		"resourceAccess": [
			{
				"id": "7347eb49-7a1a-43c5-8eac-a5cd1d1c7cf0", //Required when using either the Graph API or EWS for migration.
				"type": "Role"
			}
		]
	}
],

#Migration to Gmail

Refer to the following tables to add API permissions required by Exchange Online to Gmail migrations.

Note the following:

• If you want to perform Exchange Online tenant discovery or Exchange Online to Gmail migrations, make sure the account that authorizes the app has a mailbox (either by assigning the Exchange license or using PowerShell to create a mailbox).

• To migrate mailbox permissions, you need to assign the Exchange Administrator role to the custom app. Refer to How to Assign the Exchange Administrator Role to an App? for instructions.

  If you do not want to assign the Exchange Administrator role to the app, you can add custom roles to the app to ensure the availability of the function. Refer to How to Add Custom Roles to an App? for details.

For easy use, you can directly use the following commands to add required API permissions through Manifest for Microsoft 365 Commercial tenants.

"requiredResourceAccess": [
	{
		"resourceAppId": "00000003-0000-0000-c000-000000000000",
		"resourceAccess": [
			{
				"id": "5b567255-7703-4780-807c-7be8301ae99b",
				"type": "Role"
			},
			{
				"id": "df021288-bdef-4463-88db-98f22de89214",
				"type": "Role"
			},
			{
				"id": "230c1aed-a721-4c5d-9cb4-a90514e508ef",
				"type": "Role"
			},
			{
				"id": "7ab1d382-f21e-4acd-a863-ba3e13f7da61",
				"type": "Role"
			},
			{
				"id": "ee353f83-55ef-4b78-82da-555bfa2b4b95",
				"type": "Role"
			}
		]
	},
	{
		"resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
		"resourceAccess": [
			{
				"id": "dc890d15-9560-4a4c-9b7f-a736ec74ec40",
				"type": "Role"
			},
			{
				"id": "dc50a0fb-09a3-484d-be87-e023b12c6440",
				"type": "Role"
			}
		]
	},
	{
		"resourceAppId": "870c4f2e-85b6-4d43-bdda-6ed9a579b725",
		"resourceAccess": [
			{
				"id": "8b2071cd-015a-4025-8052-1c0dba2d3f64",
				"type": "Role"
			}
		]
	},
	{
		"resourceAppId": "00000012-0000-0000-c000-000000000000",
		"resourceAccess": [
			{
				"id": "7347eb49-7a1a-43c5-8eac-a5cd1d1c7cf0",
				"type": "Role"
			}
		]
	}
],

#Service Account Permissions

The Tenant Owner and Service Administrators can also create a service account profile for Microsoft 365 to connect AvePoint Online Services to your Microsoft 365 tenant.

Make sure the service account has a mailbox (either by assigning the Exchange license or using PowerShell to create a mailbox) and also meets the following requirements:

#Migration to Exchange Online

Refer to the following tables for the permissions required by Exchange Online to Exchange Online migrations.

What permissions are required if I also use an app profile?

If you use both service account and app profile authentications for the source Exchange Online, some service account permissions will not be required. Make sure the service account has a mailbox and the following permissions:

#Migration to Gmail

Refer to the following tables to for the permissions required by Exchange Online to Gmail migrations.

What permissions are required if I also use an app profile?

If you use both service account and app profile authentications for the source Exchange Online, some service account permissions will not be required. Make sure the service account has a mailbox and the following permissions:

#Delegated App Profile Permissions

Fly allows you to use the Fly delegated app profile or custom delegated app profile to connect to your workspace.

To use a delegated app profile, note the following:

• The license and permission requirements for the consent user are the same as those for the service account. Refer to Service Account Permissions for details.

• If the consent user of the delegated app profile has Multi-Factor Authentication (MFA) enabled, you must authorize or re-authorize the delegated app profile after MFA is enabled. Otherwise, the migration jobs using the delegated app profile will fail.

• If you re-authorize the app profile, you need to wait about one hour before using the app profile for your migration to refresh the token when there are permissions updated.

• Exchange PowerShell is unavailable when you only use a delegated app for a 21Vianet tenant.

To use the Fly delegated app profile with required permissions, refer to Fly Delegated App Profile Permissions.

To use a custom delegated app profile with required permissions, refer to the following steps:

1. After registering an app in Microsoft Entra ID, add the required permissions to the app. The sections below show the required permissions of a custom app.

2. Click Authentication in the left navigation of the app.

3. Click Add a platform.

4. Select Web in the Configure platforms panel.

5. In the Configure Web panel, enter the AvePoint Online Services URL: https://www.avepointonlineservices.com for your commercial environment or https://usgov.avepointonlineservices.com for your U.S. Government environment in the Redirect URIs field.

   

6. Click Configure.

7. Select the Access tokens and ID tokens checkboxes on the Authentication page.

   

8. Click Save.

9. Create an app profile for the app using the Custom mode in AvePoint Online Services by referring to Consent to a Custom Azure App with Delegated Permissions.

   NOTE

   When consenting to the app, if you have granted the admin consent and allowed public client flows for the permissions, you can choose to use the Global Administrator consent or the User consent method. If not, you can only use the Global Administrator consent method.

#Custom Delegated App Profile Permissions when Migrating to Exchange Online

Make sure the custom delegated app profile has the following permissions.

For easy use, you can directly use the following commands to add required API permissions through Manifest for Microsoft 365 Commercial tenants.

"requiredResourceAccess": [
	{
		"resourceAppId": "00000012-0000-0000-c000-000000000000",
		"resourceAccess": [
			{
				"id": "c9c9a04d-3b66-4ca8-a00c-fca953e2afd3",
				"type": "Scope"
			}
		]
	},
	{
		"resourceAppId": "870c4f2e-85b6-4d43-bdda-6ed9a579b725",
		"resourceAccess": [
			{
				"id": "34f7024b-1bed-402f-9664-f5316a1e1b4a",
				"type": "Scope"
			}
		]
	},
	{
		"resourceAppId": "00000003-0000-0000-c000-000000000000",
		"resourceAccess": [
			{
				"id": "5f8c59db-677d-491f-a6b8-5f174b11ec1d",
				"type": "Scope"
			},
			{
				"id": "a154be20-db9c-4678-8ab7-66f6cc099a59",
				"type": "Scope"
			}
		]
	},
	{
		"resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
		"resourceAccess": [
			{
				"id": "ab4f2b77-0b06-4fc1-a9de-02113fc2ab7c",
				"type": "Scope"
			},
			{
				"id": "3b5f3d61-589b-4a3c-a359-5dd4b5ee5bd5",
				"type": "Scope"
			}
		]
	}
],

#Custom Delegated App Profile Permissions when Migrating to Gmail

Make sure the custom delegated app profile has the following permissions.

For easy use, you can directly use the following commands to add required API permissions through Manifest for Microsoft 365 Commercial tenants.

"requiredResourceAccess": [
	{
		"resourceAppId": "00000012-0000-0000-c000-000000000000",
		"resourceAccess": [
			{
				"id": "c9c9a04d-3b66-4ca8-a00c-fca953e2afd3",
				"type": "Scope"
			}
		]
	},
	{
		"resourceAppId": "870c4f2e-85b6-4d43-bdda-6ed9a579b725",
		"resourceAccess": [
			{
				"id": "34f7024b-1bed-402f-9664-f5316a1e1b4a",
				"type": "Scope"
			}
		]
	},
	{
		"resourceAppId": "00000003-0000-0000-c000-000000000000",
		"resourceAccess": [
			{
				"id": "5f8c59db-677d-491f-a6b8-5f174b11ec1d",
				"type": "Scope"
			},
			{
				"id": "a154be20-db9c-4678-8ab7-66f6cc099a59",
				"type": "Scope"
			}
		]
	},
	{
		"resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
		"resourceAccess": [
			{
				"id": "ab4f2b77-0b06-4fc1-a9de-02113fc2ab7c",
				"type": "Scope"
			},
			{
				"id": "3b5f3d61-589b-4a3c-a359-5dd4b5ee5bd5",
				"type": "Scope"
			}
		]
	}
],