ShareGate needs access to specific resources from Microsoft to work properly. You must grant ShareGate all the Microsoft Graph and SharePoint permissions described below to use ShareGate Protect.
This article explains permissions for ShareGate Protect. To learn about ShareGate Migrate permissions, see "Which permissions does the Azure ShareGate migration application need?" For ShareGate's end-user app, see "Required permissions: ShareGate end-user app."
Note: Security is our highest priority. We comply with industry standards, and we have internal policies to ensure your data is protected. See our security overview for detailed information on our security measures and policies.
Types of permissions
ShareGate uses two types of permissions: application permissions and delegated permissions. Application permissions define what ShareGate is allowed to do within your tenant without a signed-in user, while delegated permissions dictate what ShareGate can do within your tenant on behalf of the signed-in user.
Microsoft Graph
Application permissions
Read items in all site collections - ShareGate uses the permission to detect sites linked to Microsoft 365 Groups and get the properties of external sharing links for your external sharing reviews.
Read and write files in all site collections - Allows ShareGate Protect to remove external sharing links.
Read and write to all app catalogs - Allows ShareGate to update app catalogs, such as when it needs to add our Teams chatbot to Microsoft Teams.
Read and write directory data - ShareGate uses the permission to allow you to change the guest access setting of your groups and modify guests in a group through Protect.
Read all groups - Allows ShareGate to read group properties and memberships.
Read and write all groups - ShareGate uses the permission to crawl your teams, groups, properties, owners, members, Teams private channels, Teams activity, and Outlook activity. The permission also allows you to modify the privacy settings and membership of your teams and groups and to use the archive or restore features.
Send mail as any user - ShareGate uses the permission to send notifications to your owners via the email sender you've selected.
Manage Teams apps for all users - ShareGate uses the permission to read, upgrade, install, and uninstall our Teams chatbot for any user when required.
Channel member read and write all - ShareGate uses the permission to add and remove members from channels.
Channel message read all - ShareGate uses the permission to read channel messages.
Teams tab read and write all - ShareGate uses the permission to read and write tabs in Microsoft Teams.
Team member read and write all - ShareGate uses the permission to add and remove members from teams.
Tasks read and write all - ShareGate uses the permission to read and write all users' tasks and tasklists.
User read all - ShareGate uses the permission to read all users' full profiles.
Delegated permissions
Read all groups - ShareGate uses the permission to list groups, read properties and membership, and crawl the Outlook activity.
Read directory data - ShareGate uses the permission to validate that our Teams chatbot is available in the app catalog of a team.
Team create - ShareGate uses the permission to create teams via provisioning templates if they require approval.
Team member read and write all - ShareGate uses the permission to add or remove members from teams via provisioning templates if they require approval.
Channel create - ShareGate uses the permission to create channels via provisioning templates if they require approval.
Microsoft 365 SharePoint Online
Application permissions
Have full control of all site collections - ShareGate uses the permission to copy the content of the SharePoint sites within your Microsoft 365 Groups (including private channels) to archive them.
Read items in all site collections - ShareGate uses the permission to crawl SharePoint activity in order to detect inactive teams and groups and to get the properties of external sharing links for your external sharing reviews.