You will need specific Microsoft administrative permissions to perform actions using ShareGate Migrate. These permissions are required to interact with the Microsoft APIs in your environment with a secure connection.

Tip: For an example of how ShareGate Migrate interacts with your environment, see our SharePoint to SharePoint migration diagram.

Note: Permissions granted through Azure PIM might not work or could cause unauthorized errors during an operation.

Index

Global admin and SharePoint admin (Microsoft 365)
Site collection admin (Microsoft 365 and SharePoint on-premises)
- Auto-assign as site collection administrator
Teams admin (Microsoft 365)
Farm admin (SharePoint on-premises)
Term store admin
Manage user alerts permissions
Read-only lock

Global admin and SharePoint admin (Microsoft 365)

In most cases, the difference between a global admin and a SharePoint admin is that a global admin can consent to the Azure ShareGate migration tool application. If you do not consent to the app, you will experience limitations with Microsoft Teams and Microsoft 365 Groups and may experience more throttling in Microsoft 365.

With a SharePoint admin account, you can:

Connect to your Microsoft 365 SharePoint admin center.
Access all your site collections.
Access all your OneDrives.
Add/remove site collection admins.
Perform migrations of multiple site collections (requires a connection to your admin center).
Perform migrations of permissions.

With a global admin account, you can:

Perform the same actions as a SharePoint admin.
Consent to the Azure ShareGate migration tool application.
Perform migrations with Copy mailboxes.
- You cannot use Copy mailboxes with SharePoint admin permissions even if the Azure ShareGate migration tool app was consented to.

Site collection admin (Microsoft 365 and SharePoint on-premises)

Site collection admin permissions are also required when running most operations in ShareGate Migrate, even if you have global admin or SharePoint admin permissions.

Without site collection admin permissions, many interactions with the SharePoint APIs will fail, causing unforeseen issues.

We recommend site collection admin permissions at the source and destination environments to:

Perform most procedures in Explorer and Migration.
Run any migration.
Perform OneDrive for Business and My Site migrations.

We recommend site collection admin permissions at the destination environment to:

Perform an Import from file share.
Perform an Import from Google Drive.

Auto-assign as site collection administrator

You can use a global admin or SharePoint admin account to enable Auto-assign as a site collection administrator when required in the ShareGate Migrate security settings. This setting will automatically add you as a site collection admin when running procedures in Explorer or when running reports on your site collections and OneDrives.

Auto-assign as site collection administrator does not work in migration, only with reports and in Explorer.

Tip: To assign your account as site collection admin on many site collections for migration, you can run a site collection report on your tenant with the auto-assign setting activated.

Notes:

While you might be able to perform very simple content migrations with Full control permissions, it is not supported as it can cause unexpected errors.
While you might be able to run some reports and other actions without site collection admin permissions, it is not supported as it can cause unexpected errors.
Site collection admin is a different role than Site Owner.
For on-premises versions of SharePoint, you do not need site collection admin permissions if you have Full Control permissions on the web application.
If you use SharePoint 2003, you must also have site owner permissions.

Teams admin (Microsoft 365)

In addition to SharePoint admin permissions, you need Teams admin to:

Migrate teams.

Teams admin is not required for team migrations if you have global admin permissions.

Note: SharePoint admin permissions are required to migrate the associated SharePoint site.

Farm admin (SharePoint on-premises)

Required to:

Connect to your SharePoint central admin and access your web apps in Explorer and Migration.
Access all your site collections.
Access all your MySites.
Access all your OneDrives for Business.
Add/remove site collection admins.
Perform migrations of multiple site collections (requires a connection to your central administration).

Term store admin

Required to (source and destination):

Migrate managed metadata applied to your list items and documents.
Migrate Terms, term groups, and term sets.

Manage user alerts permissions

Required in the source and destination to:

Copy user alerts in migration (note that you must also have the server extension installed in the source and destination).

Read-only lock

You must remove the Read-only lock from your site collections to:

Perform any action in ShareGate Migrate.

Some SharePoint services do not respond correctly when your site collections have a Read-only lock, and the requests will not be processed as intended, causing unexpected issues.

You can remove the Read-only lock from your SharePoint Central admin. You may require higher-level administrative credentials to clear the lock status.

For more information, see Read-only lock.