Home > Get Started > Manage App Profiles
Export to PDFManage App Profiles
The Tenant Owner or Service Administrator can refer to Create an App Profile for details on creating app profiles in AvePoint Online Services.
You can select the setup method while creating your app profiles:
-
Modern mode is the recommended mode for all AvePoint’s default app. If you select this mode, the AvePoint MyHub app will be automatically created.
For the permissions that should be accepted when you authorize the service app, see MyHub.
NOTEThe user account that consents to or re-authorizes the app profile must be assigned either the Microsoft 365 Global Administrator or Privileged Role Administrator role. This role assignment must remain in place for the account to maintain the app profile’s functionality.
-
Custom mode is recommended for organizations who have identified use cases with extremely limited required permissions.
Before you create an app profile in custom mode in AvePoint Online Services, make sure an Azure app is in place to connect to your environment. For details on how to create an app in your Microsoft Entra ID, refer to Create a Custom Azure App.
For the permissions required by the custom Azure app, see API Permissions Required by New MyHub or API Permissions Required by Legacy MyHub based on your MyHub experience preference.
You can either select Azure app or Azure app with delegated permissions as the custom app type when creating the custom app profile in AvePoint Online Services. Both custom app profiles enable connection to your Azure app.
For details on editing, re-authorizing, deleting, or other managerial actions that are available for app profiles, refer to Manage App Profiles.
Create a Custom Azure App
To create a custom app, follow the steps below:
-
Create an Azure app. This app is used for connecting MyHub with your Microsoft 365 tenant.
-
Go to Microsoft Entra admin center (or Microsoft Azure portal).
-
Navigate to Identity > Applications > App registrations (or Microsoft Entra ID > App registrations).
-
Click New registration. The Register an application page appears.
-
Enter your application’s registration information and click Register to create the custom application. The application information page appears.
-
-
Upload a public certificate to the Azure app.
-
Click Certificates & secrets in the left navigation. In the Certificates tab, click Upload certificate.
NOTEThe application uses certificate authentication, and you need to upload your organization’s public certificate (.cer or .crt file types are recommended). If your organization does not have any certificates, you can refer to Prepare a Certificate for the Custom Azure App to prepare a self-signed certificate.
-
In the Upload certificate panel, click the folder button to browse and select your organization’s certificate. You can enter an optional description for this certificate. Then, click Add.
-
After the certificate file is successfully uploaded, it will be listed in the Certificates tab.
-
-
Grant required permissions to the Azure app.
-
Click API permissions in the left navigation.
-
Click Add a permission. In the Request API permissions panel, select the API permissions requested by MyHub and click Add permissions to add the selected permissions to the app.
For lists of API permissions required by MyHub, refer to API Permissions Required by New MyHub or API Permissions Required by Legacy MyHub based on your MyHub experience preference.
-
Click Grant admin consent for [Tenant name] to grant admin consent. After you have successfully granted admin consent for the requested permissions, the Status will be Granted for [Tenant name].
-
-
Expose the Azure app API to MyHub.
-
Click Expose an API in the left navigation.
-
Click Add next to Application ID URI. In the Edit application ID URI panel, edit the application ID URI if necessary and click Save.
-
In the Scopes defined by this API section, click Add a scope.
-
In the Add a scope panel, enter myhub.fullcontrol as the scope name, complete other settings, and click Add scope.
NOTEMake sure the added scope name is in the format of api://[application Id]/myhub.fullcontrol.
-
In the Authorized client applications section, click Add a client application.
-
In the Add a client application panel, enter the client ID, select the above added scope, and click Add application. You can repeat steps above to add multiple client applications.
To enable the Azure app to trust MyHub and allow your end users to log into the MyHub portal and MyHub Teams app, you need to add both the AvePoint Online Services login app and the MyHub app as client applications. Refer to the table below for the client IDs of both apps to be added based on your environment.
Environment AvePoint Online Services Login App Client ID MyHub App Client ID MyHub Insider Environment 36f960bc-7411-4cb0-a3f6-241dd13bdf6b f716a8a2-ca4b-4a15-99fc-644649e19dd9 MyHub Commercial Production Environment ae16e128-c76e-4a38-8e06-0927912b59d9 478c769e-bab3-4049-9cfc-302d08a232bf Microsoft 365 US Government GCC 4917c601-79cc-42c4-9cac-d801a4e23c0e 07cba5b9-098c-4b75-8874-f444bcc285c3 Microsoft 365 US Government GCC High 686b3c41-5309-436d-81b3-e3ef2d3cab77 5303c805-9c02-4910-8f8e-de002cdd2a30 21Vianet 2fc9dbc4-22ca-4bf8-a082-7c3e7fa04e1d 5fae81e4-f99b-4f20-870b-37b58000d1aa PHTest US Government GCC c6356b7a-1ba7-4dcc-8322-7b476dd15077 e47d899b-9871-40c8-8482-bdeeb1bc9b50 PHTest US Government GCC High 5eada455-a982-4676-b979-42e8e9337a5d 7de460df-61c0-4e4f-aa4e-8687e6d27264 PHProd US Government GCC c6356b7a-1ba7-4dcc-8322-7b476dd15077 448649cb-69b0-4d6a-bc52-64022e310784 PHProd US Government GCC High 5eada455-a982-4676-b979-42e8e9337a5d 668a6074-8120-41bc-92db-031e85c241ee
-
Then, refer to the Consent to Custom Apps section to create an app profile in the Custom mode with the created Azure app information.
You can either select Azure app or Azure app with delegated permissions as the custom app type when creating the custom app profile in AvePoint Online Services. Both custom app profiles enable connection to your Azure app.
API Permissions Required by the New MyHub
The table below lists the API permissions that are requested by the new MyHub experience.
| API | Permission | Type | Purpose |
|---|---|---|---|
| Microsoft Graph | email (View users' email address) | Delegated | MyHub Teams app single sign-on |
| Microsoft Graph | offline_access (Maintain access to data you have given it access to) | Delegated | MyHub Teams app single sign-on |
| Microsoft Graph | openid (Sign users in) | Delegated | MyHub Teams app single sign-on |
| Microsoft Graph | profile (View users' basic profile) | Delegated | MyHub Teams app single sign-on |
| Microsoft Graph | Calendars.ReadBasic (Read basic details of user calendars) | Delegated | Get the users' event list to be shown on the Dashboard |
| Microsoft Graph | Channel.ReadBasic.All (Read the names and descriptions of channels) | Delegated | List channels of teams |
| Microsoft Graph | Group.ReadWrite.All (Read and write all groups) | Delegated | Get group membership information for users Create and delete groups Create teams from groups Add and remove group/community members |
| Microsoft Graph | InformationProtectionPolicy.Read (Read user sensitivity labels and label policies.) | Delegated | Retrieve sensitivity labels that users have access. |
| Microsoft Graph | Sites.Read.All (Read items in all site collections) | Delegated | Get users' permission to SharePoint sites |
| Microsoft Graph | Tasks.ReadWrite (Create, read, update, and delete user's tasks and task lists) | Delegated | Get and complete Microsoft To Dos |
| Microsoft Graph | User.Invite.All (Invite guest users to the organization) | Delegated | Invite guest users as group, team, and community members |
| Microsoft Graph | User.Read (Sign in and read user profile) | Delegated | Search for users and retrieve user information |
| Microsoft Graph | User.Read.All (Read all users' full profiles) | Delegated | Get user profiles |
| Microsoft Graph | Group.Read.All (Read all groups) | Application | Get the basic information and membership of groups, teams, and communities Create teams |
| Microsoft Graph | Reports.Read.All (Read all usage reports) | Application | Get the last activities in groups, teams, communities, and site collections. |
| Microsoft Graph | Sites.Read.All (Read items in all site collections) | Application | Get the basic information about SharePoint sites Create groups |
| Microsoft Graph | User.Read.All (Read all users' full profiles) | Application | Get user profiles |
| SharePoint | Sites.FullControl.All (Have full control of all site collections) | Application | Create SharePoint sites |
API Permissions Required by Legacy MyHub
The table below lists the API permissions that are requested by the legacy MyHub experience.
| API | Permission | Type | Purpose |
|---|---|---|---|
| Microsoft Graph | email (View users' email address) | Delegated | MyHub Teams app single sign-on |
| Microsoft Graph | offline_access (Maintain access to data you have given it access to) | Delegated | MyHub Teams app single sign-on |
| Microsoft Graph | openid (Sign users in) | Delegated | MyHub Teams app single sign-on |
| Microsoft Graph | profile (View users' basic profile) | Delegated | MyHub Teams app single sign-on |
| Microsoft Graph | Channel.ReadBasic.All (Read the names and descriptions of channels) | Delegated | List channels of teams |
| Microsoft Graph | Directory.Read.All (Read directory data) | Delegated | Get information of groups, teams, and communities Create groups and teams |
| Microsoft Graph | Group.ReadWrite.All (Read and write all groups) | Delegated | Get group membership information for users Create and delete groups Create teams from groups Add and remove group/community members |
| Microsoft Graph | Sites.Read.All (Read items in all site collections) | Delegated | Get users' permission to SharePoint sites |
| Microsoft Graph | TeamMember. ReadWrite.All (Add and remove members from teams) | Delegated | Add and remove community members |
| Microsoft Graph | User.Invite.All (Invite guest users to the organization) | Delegated | Invite guest users as group, team, and community members |
| Microsoft Graph | User.Read (Sign in and read user profile) | Delegated | Search for users and retrieve user information |
| Microsoft Graph | User.Read.All (Read all users' full profiles) | Delegated | Get user profiles |
| Microsoft Graph | Directory.Read.All (Read directory data) | Application | Create groups |
| Microsoft Graph | Group.Read.All (Read all groups) | Application | Retrieve information and membership of groups., teams, and communities Create teams Add group members Send email notifications in Shared hubs |
| Microsoft Graph | GroupMember.ReadWrite.All (Read and write all group memberships) | Application | Add group members |
| Microsoft Graph | Reports.Read.All (Read all usage reports) | Application | Retrieve the last activities in groups, teams, communities, and site collections to filter active workspaces |
| Microsoft Graph | Sites.Read.All (Read items in all site collections) | Application | Retrieve the basic information of SharePoint sites Create groups |
| Microsoft Graph | Team.Create (Create teams) | Application | Create teams |
| Microsoft Graph | User.Read.All (Read all users' full profiles) | Application | Add group member Send email notifications in Shared hubs |
| SharePoint | Sites.FullControl.All (Have full control of all site collections) | Application | Create SharePoint sites |