ShareGate Migrate needs access to specific resources from Microsoft to work correctly. To obtain this access, a global admin must consent to the Azure ShareGate migration tool app using delegated permissions on your tenant for most operations.
With these permissions, ShareGate Migrate can connect to your environment and perform actions.
Your network identifies these actions as performed by an application, not by you directly. As with all operations in ShareGate, your data remains secure.
For more information, see What is the Azure ShareGate migration tool app?
Note: The default Azure ShareGate migration tool only uses delegated permissions. You must consent to additional application permissions to use Copy mailboxes.
Regular permissions
Permission | Description |
Read the members of the channels | Delegated: Allows the app to read the members of channels as the signed-in user. |
Add and remove members from the channel | Delegated: Allows the app to add and remove members from channels as the signed-in user. It also allows the app to change members' roles. |
Send channel messages | Delegated: Allows the app to send channel messages as the signed-in user. |
Read and write the names, descriptions, and settings of channels | Delegated: Allows the app to read and write all channels' names, descriptions, and settings as the signed-in user. |
Have full access to all files user can access | Delegated: Allows the app to read, create, update, and delete all files the signed-in user can access. |
Read and write all OneNote Notebooks that the user can access | Delegated: Allows the app to read, share, and modify OneNote notebooks that the signed-in user can access. |
View users' basic profile | Delegated: Allows the app to see users' basic profile (name, picture, user name) as the signed-in user. |
Create, read, update, and delete user's tasks and task list | Delegated: Allows the app to create, read, update, and delete the signed-in user's tasks and task lists, including any shared with the user. |
Create teams | Delegated: Allows the app to create teams as the signed-in user. |
Add and remove members from teams | Delegated: Allows the app to add and remove members from teams as the signed-in user. Also allows the app to change members' roles. |
Manage user's installed Teams apps | Delegated: Allows the app to read, install, upgrade, and uninstall Teams apps for the signed-in user. It does not give the ability to read application-specific settings. |
Read and change teams' settings | Delegated: Allows the app to read and change all teams' settings as the signed-in user. |
Read and write tabs in Microsoft Teams | Delegated: Allows the app to read, install, upgrade, and uninstall Teams apps as the signed-in user and for teams the signed-in user is a member of. |
Access directory as the signed-in user | Delegated: Allows the app to have the same access to information in the directory as the signed-in user. |
Read user files | Delegated: Allows the app to read the signed-in user's files. |
Read all groups | Delegated: Allows the app to read basic group properties and memberships on behalf of the signed-in user. |
Read and write all groups | Delegated: Allows the app to create groups and read all group properties and memberships on behalf of the signed-in user. Additionally allows group owners to manage their groups and allows group members to update group content. |
Sign in and read the user profile | Delegated: Allows users to sign in to the app and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. |
Have full control of all site collections | Delegated: Allows the app to have full control of all site collections on behalf of the signed-in user. |
Read and write items and lists in all site collections | Delegated: Allows the app to read, create, update, and delete document libraries and lists in all site collections on behalf of the signed-in user. |
Read items in all site collections | Delegated: Allows the app to read documents and list items in all site collections on behalf of the signed-in user. |
Read and write items in all site collections | Delegated: Allows the app to create, read, update, and delete documents and list items in all site collections on behalf of the signed-in user. |
Read user files | Delegated: Allows the app to read the current user's files. |
Read and write user files | Delegated: Allows the app to read, create, update, and delete the current user's files. |
Run search queries as a user | Delegated: Allows the app to run search queries and to read basic site info on behalf of the currently signed-in user. Search results are based on the user's permissions instead of the app's permissions. |
Read managed metadata | Delegated: Allows the app to read managed metadata and to read basic site info on behalf of the signed-in user. |
Read and write managed metadata | Delegated: Allows the app to read, create, update, and delete managed metadata and to read basic site info on behalf of the signed-in user. |
Read user profiles | Delegated: Allows the app to read user profiles and to read basic site info on behalf of the signed-in user. |
Read and write user profiles | Delegated: Allows the app to read and update user profiles and to read basic site info on behalf of the signed-in user. |
Additional app permissions needed for Copy mailboxes
These permissions are not included when you perform standard consent outside of the Copy mailboxes feature.
A global admin only needs to consent to these additional application permissions in order to use Copy mailboxes.
If you have not consented to these permissions, you are prompted to consent to a version of the Azure ShareGate migration tool app that includes them when you use Copy mailboxes for the first time.
Permission | Description |
Read and write mail in all mailboxes | Application: Allows the app to create, read, update, and delete mail in all mailboxes without a signed-in user. It does not include permission to send mail. |
Read and write all user mailbox settings | Application: Allows the app to create, read, update, and delete a user's mailbox settings without a signed-in user. It does not include permission to send mail. |
Read and write calendars in all mailboxes | Application: Allows the app to create, read, update, and delete events of all calendars without a signed-in user. |
Read and write contacts in all mailboxes | Application: Allows the app to create, read, update, and delete all contacts in all mailboxes without a signed-in user. |
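To check which of the two consent states a tenant is in, the following added example (not ShareGate's code) classifies an app's grants from data shaped like Microsoft Graph's `oauth2PermissionGrants` and `appRoleAssignments` responses. The mapping of the table's display names to Graph permission values is an assumption, and the sample records and GUIDs are constructed.

```python
# Added example: classify an app's granted permissions from Microsoft Graph data.
# Assumption: the four Copy mailboxes permissions map to these Graph app-role values.
COPY_MAILBOXES_ROLES = {
    "Mail.ReadWrite", "MailboxSettings.ReadWrite",
    "Calendars.ReadWrite", "Contacts.ReadWrite",
}

def audit_consent(oauth2_grants, app_role_assignments, resource_app_roles):
    """Split grants into delegated scopes and application roles, then compare
    the application roles with the documented Copy mailboxes set."""
    # appRoleAssignments carry only a GUID; resolve it via the resource's appRoles.
    names = {r["id"]: r["value"] for r in resource_app_roles}
    app_roles = {names.get(a["appRoleId"], a["appRoleId"]) for a in app_role_assignments}
    delegated, tenant_wide = set(), set()
    for g in oauth2_grants:
        scopes = set((g.get("scope") or "").split())  # space-separated scope string
        delegated |= scopes
        if g.get("consentType") == "AllPrincipals":  # admin consent for all users
            tenant_wide |= scopes
    return {
        "delegated": sorted(delegated),
        "delegated_tenant_wide": sorted(tenant_wide),
        "application": sorted(app_roles),
        "copy_mailboxes_consented": COPY_MAILBOXES_ROLES <= app_roles,
        "missing_for_copy_mailboxes": sorted(COPY_MAILBOXES_ROLES - app_roles),
        "undocumented_application": sorted(app_roles - COPY_MAILBOXES_ROLES),
    }

# Constructed sample data (placeholder GUIDs, not real Graph role ids).
SAMPLE_APP_ROLES = [
    {"id": f"00000000-0000-0000-0000-00000000000{i}", "value": v}
    for i, v in enumerate(sorted(COPY_MAILBOXES_ROLES), start=1)
]
SAMPLE_GRANTS = [{"consentType": "AllPrincipals",
                  "scope": "User.Read Group.ReadWrite.All Files.ReadWrite.All"}]
# Tenant with default consent only: delegated scopes, no application roles.
DEFAULT_TENANT = audit_consent(SAMPLE_GRANTS, [], SAMPLE_APP_ROLES)
# Tenant after Copy mailboxes consent, plus one role id that cannot be resolved.
MAILBOX_TENANT = audit_consent(
    SAMPLE_GRANTS,
    [{"appRoleId": r["id"]} for r in SAMPLE_APP_ROLES]
    + [{"appRoleId": "00000000-0000-0000-0000-0000000000ff"}],
    SAMPLE_APP_ROLES,
)

if __name__ == "__main__":
    for label, report in (("default", DEFAULT_TENANT), ("copy mailboxes", MAILBOX_TENANT)):
        print(label, report)
```

An entry under `undocumented_application` means the service principal holds an application permission outside the four listed above and is worth reviewing against the consent history.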