ShareGate's Copilot readiness assessment requires that a Global admin or privileged role admin consent to the following application permissions.
Once consented, they allow ShareGate Protect to access your Tenant's information through Graph and Office 365 SharePoint online APIs.
These permissions are different from the permissions needed for Protect's governance features.
A global or privileged role admin consents only once to these permissions. The admin can then grant access to another user through an Assessor role for ShareGate Protect in Entra ID.
To learn how to consent to these permissions and grant access, see Access ShareGate's Copilot readiness assessment.
Permission | Used to |
Read all users' basic profiles | Determine your current user account's role. |
Read tabs in Microsoft Teams. | Determine your Microsoft Teams activity. |
Read SharePoint and OneDrive tenant settings | Determine your tenant-level Sharing Settings. |
Read calendars in all mailboxes | Determine your Microsoft Teams activity. |
Read all directory RBAC settings | Count the number of unique users who have role assignments. |
Read all groups | Detect changes to your groups to drive crawls (activity and sharing activity). |
Read items in all site collections | Detect changes to your SharePoint sites to drive crawls (activity and sharing activity). |
Read directory data | Detect changes to your users to drive crawls (sharing activity and site/group ownership). |
Read all users' full profiles | Determine your users' details (name, department, and role). |
Read Records Management configuration, labels, and policies | Determine your tenant-level Retention Policy configuration. |
Read all group memberships | Determine ownership and activity changes. |
Get a list of all teams | Detect changes to your teams. |
Read all channel messages | Detect your Microsoft Teams activity. |
Read organization-wide Microsoft 365 apps installation settings | Determine your Microsoft 365 app update channels (Copilot prerequisite). |
Read all published labels and label policies for an organization. | Determine your tenant-level Sensitivity Label configuration. |
Read all audit log data | Determine your tenant-level activity. |
Read all usage reports | Read your Microsoft-365-generated group and site usage reports. |
Read items in all site collections | Detect changes to sites within your tenant and read all items within site collections. |
Have full control of all site collections | Read the permission configuration of your SharePoint sites.
This permission is exclusively used to read your tenant's permission configuration. It is required because no read-only alternative allows the Copilot readiness assessment to get that information. |