ShareGate requires a global or privileged role admin to consent to specific Microsoft 365 permission scopes, depending on which features or apps you want to use.
When you consent to a set of permissions, an enterprise application is added to your Microsoft 365 Entra ID portal.
There are two different types of permissions:
- Delegated: Allows an app to perform tasks on behalf of a signed-in user. 
- Application: Allows an app to perform tasks without a signed-in user. 
This article outlines the permissions required to utilize various ShareGate features and apps.
For an overview of permission scopes and their associated Entra ID enterprise applications, see ShareGate's Enterprise applications in Microsoft Entra.
To learn how a global or privileged role admin can consent to these permissions, see How a global or privileged role admin can consent to ShareGate's Microsoft 365 permission scopes.
Note: If data residency matters to you, pay attention to which enterprise application you consent to for ShareGate Protect and the migration assessment.
You need to consent to the permission scope that corresponds to where you want your data to reside, either in North America or Europe.
For more information, see Data residency for ShareGate Protect and the migration assessment.
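The consent described above creates an enterprise application (service principal) in your tenant, and its application permissions and delegated permissions are recorded in different places. The following script is an added example, not ShareGate's own code or documentation: it inventories every ShareGate enterprise application in the tenant, lists the application permissions (app role assignments) and admin-consented delegated scopes each one holds, and flags the write and full-control scopes. It assumes the Microsoft Graph PowerShell SDK is installed and that you sign in with a role allowed to read service principals and permission grants; the list of flagged scope values is an assumption you can adjust.

```powershell
# Added example (not ShareGate's code): audit the ShareGate enterprise applications
# that admin consent created in this tenant and what each one is allowed to do.
# Assumes the Microsoft Graph PowerShell SDK and a signed-in role that can read
# service principals and permission grants.
Connect-MgGraph -Scopes 'Application.Read.All','DelegatedPermissionGrant.Read.All' -NoWelcome

# Scope values worth a second look (write / full control). Assumption: adjust to your policy.
$highImpact = @('Sites.FullControl.All','Directory.ReadWrite.All','Group.ReadWrite.All',
                'Mail.ReadWrite','Calendars.ReadWrite','Contacts.ReadWrite','Files.ReadWrite.All')

# Cache of resource service principals (e.g. Microsoft Graph) so appRoleId GUIDs can be
# translated into readable scope values without repeated lookups.
$resourceCache = @{}
function Get-ResourceSp($id) {
    if (-not $resourceCache.ContainsKey($id)) {
        $resourceCache[$id] = Get-MgServicePrincipal -ServicePrincipalId $id -Property Id,DisplayName,AppRoles
    }
    return $resourceCache[$id]
}

$apps = Get-MgServicePrincipal -Filter "startswith(displayName,'ShareGate')" -All
foreach ($sp in $apps) {
    Write-Host "`n== $($sp.DisplayName) (objectId $($sp.Id), appId $($sp.AppId))"

    # Application permissions: granted as app role assignments; they work without a signed-in user.
    $roles = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All
    foreach ($r in $roles) {
        $res   = Get-ResourceSp $r.ResourceId
        $role  = $res.AppRoles | Where-Object Id -eq $r.AppRoleId
        $value = if ($role) { $role.Value } else { $r.AppRoleId }   # fall back to the raw GUID
        $flag  = if ($highImpact -contains $value) { ' <-- write/full control' } else { '' }
        Write-Host ("  Application  {0,-40} on {1}{2}" -f $value, $res.DisplayName, $flag)
    }

    # Delegated permissions: OAuth2 permission grants; ConsentType 'AllPrincipals' means
    # tenant-wide admin consent, 'Principal' means a single user consented for themselves.
    $grants = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All
    foreach ($g in $grants) {
        $res = Get-ResourceSp $g.ResourceId
        foreach ($scope in ($g.Scope -split ' ' | Where-Object { $_ })) {
            $flag = if ($highImpact -contains $scope) { ' <-- write/full control' } else { '' }
            Write-Host ("  Delegated    {0,-40} on {1} [{2}]{3}" -f $scope, $res.DisplayName, $g.ConsentType, $flag)
        }
    }
}
```

Compare the output against the tables on this page to confirm that only the enterprise applications you intended (for example, the EU or North America variant) exist and that no extra scopes were consented.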
ShareGate Migrate
General Microsoft 365 permissions
Consenting to these permissions is not required for every ShareGate Migrate feature, but it is highly recommended.
They are necessary for certain features, such as Copy teams, and they improve the overall migration experience by removing some limitations, improving performance, and reducing throttling.
Note: ShareGate Migrate's enterprise apps (permission scopes) are not supported in GCC or GCC High environments.
Unless you need Copy mailboxes or Copy from Gmail, which require additional application permissions, delegated permissions alone are enough to get the most out of ShareGate Migrate.
Microsoft Entra ID Enterprise application: ShareGate Migrate
| Permission | Description |
|---|---|
| Read user sensitivity labels and label policies | Delegated: As the signed-in user, an app can read information protection sensitivity labels and label policy settings. | 
| Read all unified policies a user has access to | Delegated MIP Sync Service permission: Read unified labeling policies related to a user. | 
| Create and access protected content for the user | Delegated Azure Rights Management Service permission: Encrypt or access content, based on the user’s label policies, to apply labels or encrypt content natively. | 
| Read the members of the channels | Delegated: Allows the app to read the members of channels as the signed-in user. | 
| Add and remove members from the channel | Delegated: Allows the app to add and remove members from channels on behalf of the signed-in user. It also allows the app to change members' roles. | 
| Send channel messages | Delegated: Allows the app to send channel messages on behalf of the signed-in user. | 
| Read and write the names, descriptions, and settings of channels | Delegated: Allows the app to read and write all channels' names, descriptions, and settings as the signed-in user. | 
| Have full access to all files user can access | Delegated: Allows the app to read, create, update, and delete all files the signed-in user can access. | 
| Read and write all OneNote Notebooks that the user can access | Delegated: Allows the app to read, share, and modify OneNote notebooks that the signed-in user has access to. | 
| View users' basic profile | Delegated: Allows the app to view the signed-in user's basic profile (name, picture, username). | 
| Create, read, update, and delete user's tasks and task list | Delegated: Allows the app to create, read, update, and delete the signed-in user's tasks and task lists, including any shared with the user. | 
| Create teams | Delegated: Allows the app to create teams as the signed-in user | 
| Add and remove members from teams | Delegated: Allows the app to add and remove members from teams on behalf of the signed-in user. Also allows the app to change members' roles. | 
| Manage user's installed Teams apps | Delegated: Allows the app to read, install, upgrade, and uninstall Teams apps for the signed-in user. It does not give the ability to read application-specific settings. | 
| Read and change teams' settings | Delegated: Allows the app to read and change all teams' settings as the signed-in user. | 
| Read and write tabs in Microsoft Teams | Delegated: Allows the app to read, install, upgrade, and uninstall Teams apps as the signed-in user and for teams the signed-in user is a member of. | 
| Access directory as the signed-in user | Delegated: Allows the app to have the same access to information in the directory as the signed-in user. | 
| Read user files | Delegated: Allows the app to read the signed-in user's files. | 
| Read all groups | Delegated: Allows the app to read basic group properties and memberships on behalf of the signed-in user. | 
| Read and write all groups | Delegated: Allows the app to create groups and read all group properties and memberships on behalf of the signed-in user. Additionally, it allows group owners to manage their groups and allows group members to update group content. | 
| Sign in and read the user profile | Delegated: Allows users to sign in to the app and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. | 
| Have full control of all site collections | Delegated: Allows the app to have full control of all site collections on behalf of the signed-in user. | 
| Read and write items and lists in all site collections | Delegated: Allows the app to read, create, update, and delete document libraries and lists in all site collections on behalf of the signed-in user. | 
| Read items in all site collections | Delegated: Allows the app to read documents and list items in all site collections on behalf of the signed-in user. | 
| Read and write items in all site collections | Delegated: Allows the app to create, read, update, and delete documents and list items in all site collections on behalf of the signed-in user. | 
| Read user files | Delegated: Allows the app to read the current user's files. | 
| Read and write user files | Delegated: Allows the app to read, create, update, and delete the current user's files. | 
| Run search queries as a user | Delegated: Allows the app to run search queries and to read basic site info on behalf of the currently signed-in user. Search results are based on the user's permissions instead of the app's permissions. | 
| Read managed metadata | Delegated: Allows the app to read managed metadata and basic site information on behalf of the signed-in user. | 
| Read and write managed metadata | Delegated: Allows the app to read, create, update, and delete managed metadata, as well as read basic site information on behalf of the signed-in user. | 
| Read user profiles | Delegated: Allows the app to read user profiles and basic site information on behalf of the signed-in user. | 
| Read and write user profiles | Delegated: Allows the app to read and update user profiles, as well as read basic site information on behalf of the signed-in user. | 
Copy mailboxes and Copy from Gmail permissions
These permissions are not part of the standard consent; they are requested only when you use Copy mailboxes or Copy from Gmail.
A global admin must consent to these permissions before the mailbox migration features can be used; they include a few application permissions.
Once consent is given, an Exchange admin can run these features in ShareGate Migrate.
Microsoft Entra ID Enterprise application: ShareGate Migrate - Mailbox
| Permission | Description |
|---|---|
| Read and write calendars in all mailboxes | Application: Allows the app to create, read, update, and delete events of all calendars without a signed-in user. | 
| Read and write contacts in all mailboxes | Application: Allows the app to create, read, update, and delete all contacts in all mailboxes without a signed-in user. | 
| Read and write directory data | Delegated: Allows the app to read and write data, such as users and groups, to your organization's directory. It does not allow password resets or user deletions. |
| Read and write mail in all mailboxes | Application: Allows the app to create, read, update, and delete mail in all mailboxes without a signed-in user. It does not include permission to send mail. |
| Read and write all user mailbox settings | Application: Allows the app to create, read, update, and delete a user's mailbox settings without a signed-in user. It does not include permission to send mail. | 
| Sign users in | Delegated: Allows users to sign in to the app using their accounts and enables the app to view basic user profile information. | 
| View users' basic profile | Delegated: Allows the app to see your users' basic profile, for example name, user name, and email address. |
| Sign in and read user profile | Delegated: Allows users to sign in to the app and enables the app to read their profiles. It also allows the app to read their basic company information. | 
| Read all users' full profiles | Delegated: Allows the app to read profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user. | 
| Read and write all users' full profiles | Delegated: Allows the app to read and write profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user. | 
ShareGate migration assessment
To use the migration assessment for the first time, a global admin must consent to these permissions and set you up with the Assessor role in Entra ID.
Note: The migration assessment is a feature currently available only to select partners.
Microsoft Entra ID Enterprise application: ShareGate Migrate Assessment or ShareGate Migrate Assessment (EU)
| Permission | Description |
|---|---|
| Read directory data | Application: Allows the app to read data in your organization's directory (users, apps, groups). | 
| Read all groups | Application: Allows the app to read memberships and group properties. It also allows reading conversations for all groups. | 
| Read all group memberships | Application: Allows the app to read group memberships and basic group properties. | 
| Read all usage reports | Application: Allows the app to read all service usage reports. | 
| Read items in all site collections | Application: Allows the app to read documents and list items in all site collections. | 
| Get a list of all teams | Application: Allows the app to get a list of all teams. | 
| Read all users’ full profiles | Application: Allows the app to read user profiles. | 
| Read all users’ basic profiles | Application: Allows the app to read basic properties, such as display name and email address, of other users in your organization. | 
| Sign in and read user profile | Delegated: Allows users to sign in to the app and enables the app to read their profiles. It also allows the app to read their basic company information. | 
| Read items in all site collections | Application: Detect changes to sites within your tenant and read all items within site collections. | 
ShareGate Protect
Governance risk assessment
A global or privileged role admin must consent to these permissions. They can then grant access to another user by assigning the Assessor role for ShareGate Protect in Entra ID.
To learn how to consent to these permissions and grant access, see Assign the Assessor role in Entra ID.
Microsoft Entra ID Enterprise application: ShareGate Protect or ShareGate Protect (EU)
| Permissions | Used to |
|---|---|
| Read your organization's policies (Added 22 September 2025) | Application: Detect external collaboration settings. | 
| Read cross-tenant basic information (Added 22 September 2025) | Application: Detect cross-tenant access settings. | 
| Read all users' basic profiles | Application: Determine your current user account's role. | 
| Read tabs in Microsoft Teams | Application: Determine your Microsoft Teams activity. |
| Read SharePoint and OneDrive tenant settings | Application: Determine your tenant-level Sharing Settings. | 
| Read calendars in all mailboxes | Application: Determine your Microsoft Teams activity. | 
| Read all directory RBAC settings | Application: Count the number of unique users who have role assignments. | 
| Read all groups | Application: Detect changes to your groups to drive crawls (activity and sharing activity). | 
| Read items in all site collections | Application: Detect changes to your SharePoint sites to drive crawls (activity and sharing activity). | 
| Read directory data | Application: Detect changes to your users to drive crawls (sharing activity and site/group ownership). | 
| Read all users' full profiles | Application: Determine your users' details (name, department, and role). | 
| Read Records Management configuration, labels, and policies | Application: Determine your tenant-level Retention Policy configuration. | 
| Read all group memberships | Application: Determine ownership and activity changes. | 
| Get a list of all teams | Application: Detect changes to your teams. | 
| Read all channel messages | Application: Detect your Microsoft Teams activity. | 
| Read organization-wide Microsoft 365 apps installation settings | Application: Determine your Microsoft 365 app update channels (a prerequisite for Copilot). | 
| Read all published labels and label policies for an organization | Application: Determine your tenant-level Sensitivity Label configuration. |
| Read all audit log data | Application: Determine your tenant-level activity. | 
| Read all usage reports | Application: Read your Microsoft-365-generated group and site usage reports. | 
| Read items in all site collections | Application: Detect changes to sites within your tenant and read all items within site collections. | 
| Have full control of all site collections | Application: Read the permission configuration of your SharePoint sites. This permission is used exclusively to read your tenant's permission configuration. It is required because no read-only alternative allows the Governance risk assessment to get that information. |
Governance actions
A global admin must consent to these additional permissions to perform remediation actions, such as deleting sharing links, in the Governance risk assessment.
Microsoft Entra ID Enterprise application: ShareGate Protect Remediation Actions or ShareGate Protect Remediation Actions (EU)
| Permissions | Description |
|---|---|
| Read and write directory data | Application: Allows the app to read and write data, such as users and groups, to your organization's directory. It does not allow user or group deletions. |
| Read and write all groups | Application: Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Additionally, it allows the app to read and write conversations. | 
| Read and write files in all site collections | Application: Allows the app to read, create, update, and delete all files in all site collections. | 
| Sign in and read user profile | Delegated: Allows users to sign in and enables the app to read the profiles of signed-in users. It also allows the app to read their basic company information. | 
| Have full control of all site collections | Application: Allows the app to have full control of all site collections. | 
