In this article, you will find reference tables that summarize the permissions and authorizations you need to perform different migrations in ShareGate Migrate.
For more details on each permission, see Microsoft administrative permissions.
For more information on Microsoft 365 roles, see Microsoft's About admin roles article.
Note: Permissions granted through Azure PIM may not function properly or may cause unauthorized errors during an operation.
Microsoft 365 and SharePoint on-premises
The following information applies to both the source and destination.
| Microsoft 365 | SharePoint on-premises |
Global admin |
Connect to your admin center to migrate multiple site collections.
Migrate teams and Microsoft 365 groups.
Use Copy mailboxes. | N/A |
Farm admin | N/A | Connect to your central admin to migrate multiple site collections. |
SharePoint admin | Connect to your admin center to migrate multiple site collections.
Migrate teams and Microsoft 365 groups after a global admin has consented to the necessary Microsoft 365 permissions. | N/A |
Site collection admin* | Perform migrations.
Use Insane mode.
| Perform migrations.
Note: You must also be site owner in SharePoint 2003. |
Exchange admin | Perform mailbox migrations using Copy mailboxes and Copy from Gmail after a global admin has consented to the necessary Microsoft 365 permissions. | N/A |
Teams admin | Also needed to migrate teams with a SharePoint admin account (if you are a global admin, this is not required). | N/A |
Term store admin | Migrate content with managed metadata.
| Migrate content with managed metadata.
|
Manage user alerts permissions | Copy user alerts. | Copy user alerts (you will need to install the server extension). |
Read-only lock | Must be removed from your site collection(s). See Read-only lock for more information. | Must be removed from your site collection(s). See Read-only lock for more information. |
*Site collection admin permissions are required even if you have a higher permission level like SharePoint admin. For more information, see Administrative permissions.
Note: Though you might be able to perform very simple content migrations with Full control permissions, it is not supported as it can cause unexpected errors.
File share
The following information is applicable to the source. See the table above for permissions related to the destination.
| File share |
Default Read NTFS permission or higher | Required so the app can read the file share items. |
Network drive mapping | Map your network drives so they can be accessed in the app. |
Google Workspace
The following information is applicable to the source. See the table above for permissions related to the destination.
| Google Drive |
Google Drive Administrator | Required to add ShareGate Migrate to the Google Workplace allowlist. |
The Google Apps domain permission is required to connect with ShareGate Migrate Administrator mode. | |
Useful when you want to migrate multiple users in your domain without connecting to each one of those accounts manually. | |
View users on your domain (read-only) | Needed for Administrator mode. We need to list all of your domain's users to display them in the Explorer, so you can create user mappings. |
View groups on your domain (read-only) | Needed for Administrator mode. We need to list your groups so you can create group mappings. |
View domains related to your customers (read-only) | Needed for Administrator mode. We need to know what domains are associated with your Google Apps account to check if you are allowed to create credentials for users who have a different domain in their email addresses. |
Box.com
The following information is applicable to the source. See the table above for permissions related to the destination.
| Box.com |
Administrator credentials | Needed to authorize ShareGate Migrate to connect to your Box enterprise account. |