Consent Permission Types are Application (A) and Delegated (D)
|
Permission |
Description |
API |
Core |
Basic |
Mailboxes |
SharePoint |
Teams |
ODM AD |
|---|---|---|---|---|---|---|---|---|
|
AuditLog.Read.All |
READ ALL AUDIT LOG DATA |
Graph |
A |
|
|
|
|
|
|
Calendars.Read.Shared |
READ USER AND SHARED CALENDARS |
Graph |
|
|
D |
|
|
|
|
Calendars.ReadWrite |
READ AND WRITE CALENDARS IN ALL MAILBOXES |
Graph |
|
|
A |
|
|
|
|
ChannelMember.ReadWrite.All |
ADD AND REMOVE MEMBERS FROM ALL CHANNELS |
Graph |
|
|
|
|
A |
|
|
ChannelMessage.Read.All |
READ ALL CHANNEL MESSAGES |
Graph |
|
|
|
|
A |
|
|
ChannelMessage.Send |
SEND CHANNEL MESSAGES |
Graph |
|
|
|
|
D |
|
|
ChannelSettings.ReadWrite.All |
READ AND WRITE THE NAMES, DESCRIPTIONS, AND SETTINGS OF ALL CHANNELS |
Graph |
|
|
|
|
A |
|
|
Chat.Read.All |
READ ALL CHAT MESSAGES |
Graph |
|
|
|
|
A |
|
|
Chat.ReadWrite |
READ AND WRITE USER CHAT MESSAGES |
Graph |
|
|
|
|
D |
|
|
ChatMember.ReadWrite.All |
ADD AND REMOVE MEMBERS FROM ALL CHATS |
Graph |
|
|
|
|
A |
|
|
Directory.Read.All |
READ DIRECTORY DATA |
Graph |
A |
|
|
|
|
|
|
Directory.ReadWrite.All |
READ AND WRITE DIRECTORY DATA |
Graph |
|
A |
|
A |
A |
D |
|
Domain.ReadWrite.All |
READ AND WRITE DOMAINS |
Graph |
|
|
|
|
|
D |
|
Exchange.ManageAsApp |
MANAGE EXCHANGE AS APPLICATION |
EXO |
|
A |
|
|
|
|
|
Files.Read.All |
READ FILES IN ALL SITE COLLECTIONS |
Graph |
|
|
|
A |
|
|
|
full_access_as_app |
USE EXCHANGE WEB SERVICES WITH FULL ACCESS TO ALL MAILBOXES |
EXO |
|
|
A |
|
|
|
|
Group.ReadWrite.All |
READ AND WRITE ALL GROUPS |
Graph |
|
A |
|
|
A,D |
D |
|
Notes.ReadWrite.All |
READ AND WRITE ALL ONENOTE NOTEBOOKS AND NOTES FOR ALL USERS |
Graph, OneNote |
|
|
|
|
A |
|
|
Organization.Read.All |
ORGANIZATION.READ.ALL |
Graph |
A |
|
|
|
|
|
|
profile |
VIEW USERS' BASIC PROFILE |
Graph |
D |
|
|
|
|
|
|
Region.ReadWrite |
READ OR WRITE USER REGION |
Teams |
|
|
|
|
D |
|
|
Reports.Read.All |
READ ALL USAGE REPORTS |
Graph |
A |
|
|
|
A |
|
|
RoleManagement.ReadWrite.Directory |
READ AND WRITE ALL DIRECTORY RBAC SETTINGS |
Graph |
|
A |
|
|
|
D |
|
Sites.FullControl.All |
HAVE FULL CONTROL OF ALL SITE COLLECTIONS |
SPO |
|
|
|
A |
|
|
|
Sites.Manage.All |
READ AND WRITE ITEMS AND LISTS IN ALL SITE COLLECTIONS |
SPO |
|
|
|
A |
A |
|
|
Sites.ReadWrite.All |
READ AND WRITE ITEMS IN ALL SITE COLLECTIONS |
SPO |
|
|
|
A |
A |
|
|
Tasks.ReadWrite.All |
READ AND WRITE TASKS AND TASK LISTS FOR ALL USERS |
Graph |
|
|
|
|
A |
|
|
TeamMember.ReadWrite.All |
ADD AND REMOVE MEMBERS FROM ALL TEAMS |
Graph |
|
|
|
|
A,D |
|
|
TeamsAppInstallation.ReadWriteForTeam.All |
MANAGE TEAMS APPS FOR ALL TEAMS |
Graph |
|
|
|
|
A |
|
|
TeamSettings.ReadWrite.All |
READ AND CHANGE ALL TEAMS SETTINGS |
Graph |
|
|
|
|
A |
|
|
TeamsTab.ReadWrite.All |
READ AND WRITE TABS IN MICROSOFT TEAMS |
Graph |
|
|
|
|
A |
|
|
Teamwork.Migrate.All |
CREATE CHAT AND CHANNEL MESSAGES WITH ANYONE'S IDENTITY AND WITH ANY TIMESTAMP |
Graph |
|
|
|
|
A |
|
|
TeamworkTag.ReadWrite.All |
READ AND WRITE TAGS IN TEAMS |
Graph |
|
|
|
|
A |
|
|
TermStore.Read.All |
READ MANAGED METADATA |
Graph |
|
|
|
A |
|
|
|
TermStore.ReadWrite.All |
READ AND WRITE MANAGED METADATA |
SPO |
|
|
|
A |
|
|
|
User.Read.All |
READ ALL USERS' FULL PROFILES |
Graph |
|
|
|
|
A,D |
D |
|
User.ReadWrite.All |
READ AND WRITE USER PROFILES |
SPO |
|
|
|
A |
|
|
|
user_impersonation |
HAVE FULL ACCESS TO THE CHAT SERVICE AGGREGATOR AND SKYPE TEAMS SERVICE |
Teams |
|
|
|
|
D |
|
For Tenant Administrator
|
Asset |
Tenant |
Required Privileges |
MFA Allowed |
Purpose |
Additional Notes |
|---|---|---|---|---|---|
|
Accounts, Mailboxes, OneDrive, SharePoint |
Source, Target |
Global Admin role, which can be removed after consents are granted. |
Yes |
Grant consents, which creates ODM application service principals in the tenant. |
The same Tenant Administrator Account can be used for all assets and features |
|
Teams, M365 Groups |
Source, Target |
Global Admin role, which can be removed after consents are granted. Teams Admin role, with active Teams license. ApplicationImpersonation role. |
Yes |
Grant consents, which creates ODM application service principals in the tenant. Provisions target Teams and M365 Groups, updates membership, and migrates Teams chats. Migrates Group mailboxes for Teams and M365 Groups. |
The Tenant Administrator Account name appears in migrated Teams chats unless you specify another default target user |
For Tenant Administrator
|
Feature |
Tenant |
Required Privileges |
MFA Allowed |
Purpose |
Additional Notes |
|---|---|---|---|---|---|
|
Public Folders Migration |
Source, Target |
Global Admin role or Exchange Admin role. Owner permission for root Public Folders |
No |
Migrates public folders |
Required if public folder migrations are in scope |
|
OneDrive Provisioning |
Target |
SharePoint Admin role |
No |
Provisions target OneDrives |
Required if target OneDrives are not pre-provisioned |
For Tenant Administrator
|
Activity |
Tenant |
Required Privileges |
MFA Allowed |
Purpose |
Additional Notes |
|---|---|---|---|---|---|
|
Domain Rewrite, Domain Move, Directory Sync, Active Directory Migration |
Source, Target |
Global Admin role, which can be removed after consents are granted and PowerShell accounts are created. Exchange Admin, Teams Admin, User Admin roles. |
Yes |
Grant consents, which creates an ODM application service principal in the tenant. Auto-creates PowerShell accounts and a mail-enabled security group using an OAuth Token. Auto-assigns required privileges to the PowerShell accounts. |
Global Admin role must be reactivated during a Domain Move to auto-elevate the PowerShell accounts. |
For PowerShell Accounts
|
Activity |
Tenant |
Required Privileges |
MFA Allowed |
Purpose |
Additional Notes |
|---|---|---|---|---|---|
|
Directory Sync, Active Directory Migration |
Source, Target |
Exchange Admin, Teams Admin, User Admin roles. |
No |
Reads and updates tenant objects. |
Account names will be in the format of BinaryTreeCDSPowerShell.[GUID] |
|
Domain Rewrite, Domain Move |
Source, Target |
Exchange Admin, Teams Admin, User Admin roles, with active Exchange Online license. Account will be auto-elevated to Global Admin during a Domain Move. |
No |
Reads and updates tenant objects. Auto-creates transport rules, connectors, and distribution groups for domain rewrite and advanced domain move functions. |
Account names will be in the format of BinaryTreePowerShell.[GUID] and BinaryTreeCDSPowerShell.[GUID] |
For Domain Account
|
Activity |
Directory |
Required Privileges |
MFA Allowed |
Purpose |
Additional Notes |
|---|---|---|---|---|---|
|
Domain Rewrite, Domain Move, Directory Sync, Active Directory Migration |
Source, Target |
Permissions to read and update Active Directory objects in scope. |
N/A |
Reads and updates Active Directory objects. |
Required if local Active Directory environments are in scope. |
|
Password Sync |
Source, Target |
Member of Administrators group or Domain Admins group |
N/A |
Sync passwords from source Active Dircetory to target Active Directory. |
Required if password sync is in scope. |
|
SID History Migration |
Source |
Member of Administrators group or Domain Admins group |
N/A |
Sync SID History from source Active Directory to target Active Directory |
Required if SID History migration is in scope |
|
SID History Migration |
Target |
Member of Administrators group or Domain Admins group or assigned Delegated migrateSIDHistory permissions |
N/A |
Sync SID History from source Active Directory to target Active Directory |
Required if SID History migration is in scope |
© ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center
