Sites.Selected permissions allow the user to limit the access of the On Demand for SharePoint and Teams migration tools to specified sites.
If Sites.Selected is used for the source tenant, only the sites granted Sites.Selected permissions can be discovered and read as the source site for a migration.
If Sites.Selected is used for the target tenant, the target sites must be pre-provisioned before the migration and granted permission. Only target sites granted Sites.Selected permission can be used as a target site for a migration.
Using Sites.Selected permission will restrict access to tenant level information. The following are the limitations when using Sites.Selected permission:
For Source or Target using Sites.Selected permission:
Hub settings are not migrated
Term Store migration, including site term stores are not supported
Migrations in Multi Geo tenants is limited to migration into and out of the central region
Tenant level site settings are not migrated or discovered in Collect Statistics task
Site Type (M365 group site, Teams site) can’t be retrieved
In addition, for Source using Sites.Selected permissions:
Site with Sites.Selected permissions can only be discovered if included in Discover from File task
For Target using Sites.Selected permissions:
Target site must be pre-provisioned and give Sites.Selected permission before migration
ODMSP will not be able to automatically manage Custom Script site setting that must be set to “Allowed” to support Site Page migrations
For Teams migrations:
ODMT will not be able to archive chats due to lack of permissions on OneDrive.
Request that feature flag migration.sharepoint.siteselected.allow be enabled for the customer Organization.
Prerequisites:
The user account used to perform the following steps must have the following roles and permissions:
Set up the SharePoint Selected Sites consent application for the tenant.
From the Tenants page:
Add tenant, granting consent to Core Basic application
Edit tenant consents and grant consent to Migration Basic application, needed for user account management and mapping.
Grant consent to the SharePoint – Selected Sites application. This application is pre-provisioned with the Sites.Selected permissions.
SharePoint application display name and IDs required for the following procedures.
|
Quest On Demand - Migration - SharePoint - Selected Sites |
8990c8ce-4afb-48f0-9e30-f1338ef249db |
Create the ODM project for the migration
Create the ODM project for the migration in the usual way.
On the Consents page of the project creation wizard, make sure that the SharePoint – Selected Sites application is selected as required for your source or target tenant.
Use Graph Explorer to assign the application to specific site:
The following steps in Graph Explorer will need to be performed for each site. For Teams migration, the steps will need to be performed for the team site as well as the sites for any Private or Shared channels associated with the team.
The user used to connect to the graph explorer must be a global administrator and must have at least SharePoint read (Viewer) permission for the sites to be added to the Sites.Selected permission.
Open Graph Explorer
https://developer.microsoft.com/en-us/graph/graph-explorer?adlt=strict
Login to graph explorer using site administrator credentials.
Run GET https://graph.microsoft.com/v1.0/me in graph explorer to confirm the current user.
Run GET https://graph.microsoft.com/v1.0/sites/<hostname>:/<relativeUrl> to get the site “id”. Note the format includes host name and relative site Url separated with a colon “:”.
e.g.
GET https://graph.microsoft.com/v1.0/sites/m365x13156933.sharepoint.com:/sites/TargetSitesSelected
Sample response:
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#sites/$entity",
"@microsoft.graph.tips": "Use $select to choose only the properties your app needs, as this can lead to performance improvements. For example: GET sites('<key>')/microsoft.graph.getByPath(path=<key>)?$select=displayName,error",
"createdDateTime": "2025-02-17T17:49:32.977Z",
"description": "",
"id": "m365x13156933.sharepoint.com,59ce1e8e-cb4f-44e6-9f38-99ed413d7c1d,2b139a34-a9ae-491d-a767-06948ddfa38c",
"lastModifiedDateTime": "2025-02-17T17:53:55Z",
"name": "TargetSitesSelected",
"webUrl": "https://m365x13156933.sharepoint.com/sites/TargetSitesSelected",
"displayName": "Target Sites Selected",
"root": {},
"siteCollection": {
"hostname": "m365x13156933.sharepoint.com"
}
}
Copy the site “id” value as returned in the above response and run
Post command POST https://graph.microsoft.com/v1.0/sites/<siteId>/permissions with the following request body which includes the SharePoint or Teams application id and display name. Make sure to include “/permissions” at end of command.
e.g. For SharePoint – Selected Sites permission
POST https://graph.microsoft.com/v1.0/sites/m365x13156933.sharepoint.com,59ce1e8e-cb4f-44e6-9f38-99ed413d7c1d,2b139a34-a9ae-491d-a767-06948ddfa38c/permissions
with request body
{
"roles": ["fullcontrol"],
"grantedToIdentities": [{
"application": {
"id": "8990c8ce-4afb-48f0-9e30-f1338ef249d ",
"displayName": " Quest On Demand - Migration - SharePoint – Selected Sites"
}
}]
}
Sample Response for SharePoint permission:
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#sites('m365x13156933.sharepoint.com%2C59ce1e8e-cb4f-44e6-9f38-99ed413d7c1d%2C2b139a34-a9ae-491d-a767-06948ddfa38c')/permissions/$entity",
"id": "aTowaS50fG1zLnNwLmV4dHw1NzRkYTEyYS1mZGQwLTRiNDQtOWM0Zi1iMWExMjYxNjc2NzJAYjcyMzY5NjktYmQ1Yy00YjVhLTg1YjQtN2MwYmIxYTdjYzll",
"roles": [
"fullcontrol“
],
"grantedToIdentitiesV2": [
{
"application": {
"displayName": " Quest On Demand - Migration - SharePoint – Selected Sites",
"id": "8990c8ce-4afb-48f0-9e30-f1338ef249d “
}
}
],
"grantedToIdentities": [
{
"application": {
"displayName": " Quest On Demand - Migration - SharePoint – Selected Sites",
"id": "8990c8ce-4afb-48f0-9e30-f1338ef249d "
}
}
]
}
Running SharePoint migrations using Sites.Selected Permissions with ODMSP
Sites.Selected on Source
Grant the sites you want to migrate Sites.Selected permissions from Graph Explorer
Task
Migrate sites as usual.
Sites.Selected on Target
Pre-provision target sites
Grant the sites you want to migrate Sites.Selected permissions from Graph Explorer
Manually update the target site “Custom scripts” settings to “Allowed”
Note that the Custom script setting is automatically reset to Blocked every 24 hours (to be confirmed)
Migrate sites as usual.
Note that if Custom script setting is reset to blocked during a migration, the Sites Pages library may not be migrated.
Running Teams migrations using Sites.Selected Permissions with ODM Teams
Site.Selected on Source
Sites.Selected on Target
Provision Teams or M365 Groups.
Grant the Teams or M365 Group sites you want to migrate Sites.Selected permissions for the SharePoint and Teams applications from Graph Explorer. For Teams grant the Private and Shared channel sites Sites.Selected permissions as needed.
Migrate Teams or M365 Groups as usual.
Note: If you are migrating Teams and SharePoint contents using the Standard and Customized (All SharePoint Content) manually update the target site “Custom scripts” settings to “Allowed”
