Consent Permission Types are Application (A) and Delegated (D).
Quest On Demand - Core - Basic
Purpose: Initial tenant setup. Required for source and target tenant
Permission |
Description |
API |
Type |
---|---|---|---|
AuditLog.Read.All |
READ ALL AUDIT LOG DATA |
Graph |
A |
Directory.Read.All |
READ DIRECTORY DATA |
Graph |
A |
Organization.Read.All |
ORGANIZATION.READ.ALL |
Graph |
A, D |
profile |
VIEW USERS' BASIC PROFILE |
Graph |
D |
Reports.Read.All |
READ ALL USAGE REPORTS |
Graph |
A |
Quest On Demand - Migration - Basic - Minimal
Purpose: Account discovery and migration. Required for source tenant
Permission |
Description |
API |
Type |
---|---|---|---|
Application.Read.All |
READ DIRECTORY DATA |
Graph |
A |
Group.Read.All |
READ ALL GROUPS |
Graph |
A |
RoleManagement.ReadWrite.Directory |
READ AND WRITE ALL DIRECTORY RBAC SETTINGS |
Graph |
A |
Exchange.ManageAsApp |
MANAGE EXCHANGE AS APPLICATION |
Exchange Online |
A |
Quest On Demand - Migration - Basic - Full
Purpose: Account discovery and migration. Required for target tenant
Permission |
Description |
API |
Type |
---|---|---|---|
Directory.ReadWrite.All |
READ AND WRITE DIRECTORY DATA |
Graph |
A |
Group.ReadWrite.All |
READ AND WRITE ALL GROUPS |
Graph |
A |
RoleManagement.ReadWrite.Directory |
READ AND WRITE ALL DIRECTORY RBAC SETTINGS |
Graph |
A |
Exchange.ManageAsApp |
MANAGE EXCHANGE AS APPLICATION |
Exchange Online |
A |
Quest On Demand - Migration - Mailbox Migration - Minimal
Purpose: Mailbox discovery and migration. Required for source tenant
Permission |
Description |
API |
Type |
---|---|---|---|
Calendars.Read |
READ CALENDARS IN ALL MAILBOXES |
Graph |
A |
full_access_as_app |
USE EXCHANGE WEB SERVICES WITH FULL ACCESS TO ALL MAILBOXES |
Exchange Online |
A |
Quest On Demand - Migration - Mailbox Migration - Full
Purpose: Mailbox discovery and migration. Required for target tenant.
Permission |
Description |
API |
Type |
---|---|---|---|
Calendars.Read.Shared |
READ USER AND SHARED CALENDARS |
Graph |
D |
Calendars.ReadWrite |
READ AND WRITE CALENDARS IN ALL MAILBOXES |
Graph |
A |
full_access_as_app |
USE EXCHANGE WEB SERVICES WITH FULL ACCESS TO ALL MAILBOXES |
Exchange Online |
A |
Quest On Demand - Migration - OneDrive - Minimal
Purpose: OneDrive discovery. Required for source tenant
Permission |
Description |
API |
Type |
---|---|---|---|
Files.Read.All |
READ FILES IN ALL SITE COLLECTIONS |
Graph |
A |
Sites.FullControl.All |
HAVE FULL CONTROL OF ALL SITE COLLECTIONS |
SPO |
A |
Quest On Demand - Migration - OneDrive - Full
Purpose: OneDrive migration. Required for target tenant
Permission |
Description |
API |
Type |
---|---|---|---|
Directory.Read.All |
READ DIRECTORY DATA |
Graph |
A |
Files.Read.All |
READ FILES IN ALL SITE COLLECTIONS |
Graph |
A |
Sites.FullControl.All |
HAVE FULL CONTROL OF ALL SITE COLLECTIONS |
SPO |
A |
Quest On Demand - Migration - Power BI
Purpose: Power BI migration. Required for source and target tenant
Permission |
Description |
API |
Type |
---|---|---|---|
profile |
VIEW USERS' BASIC PROFILE |
Graph |
D |
Quest On DemandQuest On Demand - Migration - SharePoint - Minimal
Purpose: SharePoint discovery. Required for source tenant
Permission |
Description |
API |
Type |
---|---|---|---|
Directory.Read.All |
READ DIRECTORY DATA |
Graph |
A |
Files.Read.All |
READ FILES IN ALL SITE COLLECTIONS |
Graph |
A |
Sites.FullControl.All |
HAVE FULL CONTROL OF ALL SITE COLLECTIONS |
SPO |
A |
Sites.Read.All |
READ ITEMS IN ALL SITE COLLECTIONS |
SPO |
A |
TermStore.Read.All |
READ MANAGED METADATA |
SPO |
A |
TermStore.Read.All |
READ MANAGED METADATA |
Graph |
A |
Quest On Demand - Migration - SharePoint - Full
Purpose: SharePoint migration. Required for target tenant
Permission |
Description |
API |
Type |
---|---|---|---|
Directory.Read.All |
READ DIRECTORY DATA |
Graph |
A |
Files.Read.All |
READ FILES IN ALL SITE COLLECTIONS |
Graph |
A |
Sites.FullControl.All |
HAVE FULL CONTROL OF ALL SITE COLLECTIONS |
SPO |
A |
Sites.Read.All |
READ ITEMS IN ALL SITE COLLECTIONS |
SPO |
A |
TermStore.Read.All |
READ MANAGED METADATA |
Graph |
A |
TermStore.ReadWrite.All |
READ AND WRITE MANAGED METADATA |
SPO |
A |
Quest On Demand - Migration - Teams - Minimal
Purpose: Teams, M365 Groups, and Chat discovery. Required for source tenant
Permission |
Description |
API |
Type |
---|---|---|---|
Authorization.ReadWrite |
TEAMS AUTHORIZATION READWRITE |
Teams |
D |
ChannelMember.ReadWrite.All |
ADD AND REMOVE MEMBERS FROM ALL CHANNELS |
Graph |
A |
ChannelMessage.Read.All |
READ ALL CHANNEL MESSAGES |
Graph |
A |
ChannelMessage.Send |
SEND CHANNEL MESSAGES |
Graph |
D |
ChannelSettings.Read.All |
READ THE NAMES, DESCRIPTIONS, AND SETTINGS OF ALL CHANNELS |
Graph |
A |
Chat.Read.All |
READ ALL CHAT MESSAGES |
Graph |
A |
Chat.ReadWrite |
READ AND WRITE USER CHAT MESSAGES |
Graph |
D |
ChatMember.Read.All |
READ MEMBERS FROM ALL CHATS |
Graph |
A |
Directory.Read.All |
READ DIRECTORY DATA |
Graph |
D |
Group.ReadWrite.All |
READ AND WRITE ALL GROUPS |
Graph |
A, D |
Notes.Read.All |
READ ALL ONENOTE NOTEBOOKS AND NOTES FOR ALL USERS |
Graph, OneNote |
A |
Notes.ReadWrite.All |
READ AND WRITE ALL ONENOTE NOTEBOOKS AND NOTES FOR ALL USERS |
Graph, OneNote |
A |
Region.ReadWrite |
READ OR WRITE USER REGION |
Teams |
D |
Reports.Read.All |
READ ALL USAGE REPORTS |
Graph |
A |
Sites.Read.All |
READ ITEMS AND LISTS IN ALL SITE COLLECTIONS |
SPO |
A |
Tasks.Read.All |
READ ALL USERS TASKS AND TASK LISTS |
Graph |
A |
TeamMember.ReadWrite.All |
ADD AND REMOVE MEMBERS FROM ALL TEAMS |
Graph |
A, D |
TeamsAppInstallation.ReadWriteForTeam.All |
MANAGE TEAMS APPS FOR ALL TEAMS |
Graph |
A |
TeamSettings.Read.All |
READ ALL TEAMS SETTINGS |
Graph |
A |
TeamsTab.Read.All |
READ TABS IN MICROSOFT TEAMS |
Graph |
A |
Teamwork.Migrate.All |
CREATE CHAT AND CHANNEL MESSAGES WITH ANYONE'S IDENTITY AND WITH ANY TIMESTAMP |
Graph |
A |
TeamworkTag.ReadWrite.All |
READ AND WRITE TAGS IN TEAMS |
Graph |
A |
User.Read.All |
READ ALL USERS' FULL PROFILES |
Graph |
A, D |
user_impersonation |
HAVE FULL ACCESS TO THE CHAT SERVICE AGGREGATOR AND SKYPE TEAMS SERVICE |
Teams |
D |
Quest On Demand - Migration - Teams - Full
Purpose: Teams, M365 Groups, and Chat migration. Required for target tenant
Permission |
Description |
API |
Type |
---|---|---|---|
Authorization.ReadWrite |
TEAMS AUTHORIZATION READWRITE |
Teams |
D |
ChannelMember.ReadWrite.All |
ADD AND REMOVE MEMBERS FROM ALL CHANNELS |
Graph |
A |
ChannelMessage.Read.All |
READ ALL CHANNEL MESSAGES |
Graph |
A |
ChannelMessage.Send |
SEND CHANNEL MESSAGES |
Graph |
D |
ChannelSettings.ReadWrite.All |
READ AND WRITE THE NAMES, DESCRIPTIONS, AND SETTINGS OF ALL CHANNELS |
Graph |
A |
Chat.Read.All |
READ ALL CHAT MESSAGES |
Graph |
A |
Chat.ReadWrite |
READ AND WRITE USER CHAT MESSAGES |
Graph |
D |
ChatMember.ReadWrite.All |
ADD AND REMOVE MEMBERS FROM ALL CHATS |
Graph |
A |
Directory.Read.All |
READ DIRECTORY DATA |
Graph |
D |
Directory.ReadWrite.All |
READ AND WRITE DIRECTORY DATA |
Graph |
A |
Group.ReadWrite.All |
READ AND WRITE ALL GROUPS |
Graph |
A, D |
Notes.ReadWrite.All |
READ AND WRITE ALL ONENOTE NOTEBOOKS AND NOTES FOR ALL USERS |
Graph, OneNote |
A |
Region.ReadWrite |
READ OR WRITE USER REGION |
Teams |
D |
Reports.Read.All |
READ ALL USAGE REPORTS |
Graph |
A |
Sites.Manage.All |
READ AND WRITE ITEMS AND LISTS IN ALL SITE COLLECTIONS |
SPO |
A |
Sites.ReadWrite.All |
READ AND WRITE ITEMS IN ALL SITE COLLECTIONS |
Graph |
A |
Tasks.ReadWrite.All |
READ AND WRITE ALL USERS TASKS AND TASKLISTS |
Graph |
A |
TeamMember.ReadWrite.All |
ADD AND REMOVE MEMBERS FROM ALL TEAMS |
Graph |
A, D |
TeamsAppInstallation.ReadWriteForTeam.All |
MANAGE TEAMS APPS FOR ALL TEAMS |
Graph |
A |
TeamSettings.ReadWrite.All |
READ AND CHANGE ALL TEAMS SETTINGS |
Graph |
A |
TeamsTab.ReadWrite.All |
READ AND WRITE TABS IN MICROSOFT TEAMS |
Graph |
A |
Teamwork.Migrate.All |
CREATE CHAT AND CHANNEL MESSAGES WITH ANYONE'S IDENTITY AND WITH ANY TIMESTAMP |
Graph |
A |
TeamworkTag.ReadWrite.All |
READ AND WRITE TAGS IN TEAMS |
Graph |
A |
User.Read.All |
READ ALL USERS' FULL PROFILES |
Graph |
A, D |
user_impersonation |
HAVE FULL ACCESS TO THE CHAT SERVICE AGGREGATOR AND SKYPE TEAMS SERVICE |
Teams |
D |
Quest On Demand - Migration - Active Directory
Purpose: Active Directory and EntraID Migration, Device Migration, Directory Sync, Domain Rewrite, and Domain Move. Required for source and target tenant.
Permission |
Description |
API |
Type |
---|---|---|---|
DeviceManagementConfiguration.ReadWrite.All |
READ AND WRITE MICROSOFT INTUNE DEVICE CONFIGURATION AND POLICIES |
Graph |
A |
DeviceManagementManagedDevices.ReadWrite.All |
READ AND WRITE MICROSOFT INTUNE DEVICES |
Graph |
A |
DeviceManagementServiceConfig.ReadWrite.All |
READ AND WRITE MICROSOFT INTUNE CONFIGURATION |
Graph |
A |
Directory.ReadWrite.All |
READ AND WRITE DIRECTORY DATA |
Graph |
D |
Domain.ReadWrite.All |
READ AND WRITE DOMAINS |
Graph |
D |
Group.ReadWrite.All |
READ AND WRITE ALL GROUPS |
Graph |
D |
RoleManagement.ReadWrite.Directory |
READ AND WRITE ALL DIRECTORY RBAC SETTINGS |
Graph |
D |
User.Read.All |
READ ALL USERS' FULL PROFILES |
Graph |
A, D |
For Tenant Administrator
Asset |
Tenant |
Required Privileges |
MFA Allowed |
Purpose |
Additional Notes |
---|---|---|---|---|---|
Accounts, Mailboxes, OneDrive, SharePoint |
Source, Target |
Global Admin role, which can be removed after consents are granted. |
Yes |
Grant consents, which creates ODM application service principals in the tenant. |
The same Tenant Administrator Account can be used for all assets and features. |
Teams, M365 Groups |
Source, Target |
Global Admin role, which can be removed after consents are granted. Teams Admin role, with active Teams license. |
Yes |
Grant consents, which creates ODM application service principals in the tenant. Provisions target Teams and M365 Groups, updates membership, and migrates Teams chats. Migrates Group mailboxes for Teams and M365 Groups. |
The Tenant Administrator Account name appears in migrated Teams chats unless you specify another default target user. |
For Tenant Administrator
Feature |
Tenant |
Required Privileges |
MFA Allowed |
Purpose |
Additional Notes |
---|---|---|---|---|---|
Public Folders Migration |
Source, Target |
Owner permission for root Public Folders |
Yes |
Migrates public folders |
Required if public folder migrations are in scope. ODM needs only the username; password is not required. |
OneDrive Provisioning |
Target |
SharePoint Admin role |
No |
Provisions target OneDrives |
Required if target OneDrives are not pre-provisioned. |
For Tenant Administrator
Activity |
Tenant |
Required Privileges |
MFA Allowed |
Purpose |
Additional Notes |
---|---|---|---|---|---|
Domain Rewrite, Domain Move, Directory Sync, Active Directory Migration |
Source, Target |
Global Admin role, which can be removed after consents are granted and PowerShell accounts are created. Exchange Admin, Teams Admin, User Admin roles. |
Yes |
Grant consents, which creates an ODM application service principal in the tenant. Auto-creates PowerShell accounts and a mail-enabled security group using an OAuth Token. Auto-assigns required privileges to the PowerShell accounts. |
Global Admin role must be reactivated during a Domain Move to auto-elevate the PowerShell accounts. |
For PowerShell Accounts
Activity |
Tenant |
Required Privileges |
MFA Allowed |
Purpose |
Additional Notes |
---|---|---|---|---|---|
Directory Sync, Active Directory Migration |
Source, Target |
Exchange Admin, Teams Admin, User Admin roles. |
No |
Reads and updates tenant objects. |
Account names will be in the format of BinaryTreeCDSPowerShell.[GUID] |
Domain Rewrite, Domain Move |
Source, Target |
Exchange Admin, Teams Admin, User Admin roles, with active Exchange Online license. Account will be auto-elevated to Global Admin during a Domain Move. |
No |
Reads and updates tenant objects. Auto-creates transport rules, connectors, and distribution groups for domain rewrite and advanced domain move functions. |
Account names will be in the format of BinaryTreePowerShell.[GUID] and BinaryTreeCDSPowerShell.[GUID] |
For Domain Account
Activity |
Directory |
Required Privileges |
MFA Allowed |
Purpose |
Additional Notes |
---|---|---|---|---|---|
Domain Rewrite, Domain Move, Directory Sync, Active Directory Migration |
Source, Target |
Permissions to read and update Active Directory objects in scope. |
N/A |
Reads and updates Active Directory objects. |
Required if local Active Directory environments are in scope. |
Password Sync |
Source, Target |
Member of Administrators group or Domain Admins group |
N/A |
Sync passwords from source Active Dircetory to target Active Directory. |
Required if password sync is in scope. |
SID History Migration |
Source |
Member of Administrators group or Domain Admins group |
N/A |
Sync SID History from source Active Directory to target Active Directory |
Required if SID History migration is in scope |
SID History Migration |
Target |
Member of Administrators group or Domain Admins group or assigned Delegated migrateSIDHistory permissions |
N/A |
Sync SID History from source Active Directory to target Active Directory |
Required if SID History migration is in scope |
© 2024 Quest Software Inc. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center