Power365 Application Permission Requirements

When you add your tenants or environment, the application service account will prompt you to grant the minimal Microsoft Graph permissions it needs to access the required resources within that environment on your behalf.

The following list shows the minimal Graph permissions required for Power365 to execute workflow, migration, or integration activities.

Figure 1: Required Graph Permissions for Power365 App

See the Microsoft documentation for more information about granting tenant admin consent for Microsoft Graph, and for the full reference on all Microsoft Graph permissions.


Graph Permission Details

  1. Sign in and read user profile (User.Read)

    Permission Definition: Allows users to sign in to the app and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.

    Application Purpose: Used by Power365 Authentication services to connect a tenant or environment using an authorized administrator account.

  2. Read and write all users’ full profile (User.ReadWrite.All)

    Permission Definition: Allows the app to read and write the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user. Also allows the app to create and delete users as well as reset user passwords on behalf of the signed-in user.

    Application Purpose: Used by Power365 Sync services to provide OneDrive migration activities.

  3. Read and write all groups (Group.ReadWrite.All)

    Permission Definition: Allows the app to create groups and read all group properties and memberships on behalf of the signed-in user. Additionally, allows group owners to manage their groups and allows group members to update group content.

    Application Purpose: Used by Power365 Sync services to provide OneDrive migration activities.

  4. Read and write directory data (Directory.ReadWrite.All)

    Permission Definition: Allows the app to have the same access to information in the directory as the signed-in user.

    Application Purpose: Used by Power365 Discovery and Provisioning services to discover all workloads (such as organizations, available SKUs, users, groups, and contacts) and to automate O365 licensing.

  5. Access directory as the signed in user (Directory.AccessAsUser.All)

    Permission Definition: Allows the app to read and write data in your organization's directory, such as users and groups. It does not allow the app to delete users or groups or reset user passwords.

    Application Purpose: Used by Power365 Discovery & Tenant Health services to provision the Binary Tree PowerShell account and assign the required administrative roles to the account for migration and integration services.

  6. Send mail as user (Mail.Send)

    Permission Definition: Allows the app to send mail as users in the organization.

    Application Purpose: Used by Power365 User Cutover services to send the User Cutover email notification from the administrator’s mailbox.

  7. Have full access to all files user can access (Files.ReadWrite.All)

    Permission Definition: Allows the app to read, create, update, and delete all files the signed-in user can access.

    Application Purpose: Used by Power365 Sync services to read and write OneDrive files during migration activities.
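Once tenant admin consent has been granted, an administrator can confirm that the consent recorded in the tenant matches the seven delegated permissions listed above and nothing more. The following is an added example, not Power365 or Microsoft code: it parses the JSON shape that Microsoft Graph returns for oauth2PermissionGrants and reports scopes beyond or short of the documented minimum. The service principal IDs and the sample response are constructed placeholders.

```python
import json

# Delegated Graph scopes this page lists as the minimum Power365 needs.
POWER365_EXPECTED_SCOPES = {
    "User.Read", "User.ReadWrite.All", "Group.ReadWrite.All",
    "Directory.ReadWrite.All", "Directory.AccessAsUser.All",
    "Mail.Send", "Files.ReadWrite.All",
}

# Constructed sample of a GET /oauth2PermissionGrants response; the IDs are
# placeholders. Graph returns a delegated grant's scopes as one space-separated
# string, and consentType "AllPrincipals" marks a tenant-wide admin consent.
SAMPLE_GRANTS_JSON = """
{"value": [
  {"clientId": "sp-power365-placeholder", "consentType": "AllPrincipals",
   "principalId": null, "resourceId": "sp-graph-placeholder",
   "scope": "User.Read User.ReadWrite.All Group.ReadWrite.All Directory.ReadWrite.All Directory.AccessAsUser.All Mail.Send Files.ReadWrite.All Sites.FullControl.All"},
  {"clientId": "sp-other-app-placeholder", "consentType": "Principal",
   "principalId": "user-placeholder", "resourceId": "sp-graph-placeholder",
   "scope": "User.Read"}
]}
"""


def granted_scopes(grants_json, client_id, admin_consent_only=True):
    """Collect the scopes granted to one client service principal.

    With admin_consent_only, only tenant-wide grants (consentType AllPrincipals)
    count, which is what tenant admin consent produces; per-user grants are skipped.
    """
    scopes = set()
    for grant in json.loads(grants_json)["value"]:
        if grant["clientId"] != client_id:
            continue
        if admin_consent_only and grant["consentType"] != "AllPrincipals":
            continue
        scopes.update(grant["scope"].split())
    return scopes


def audit_scopes(granted, expected=POWER365_EXPECTED_SCOPES):
    """Compare granted scopes with the documented minimum.

    Extra scopes exceed least privilege and should be reviewed or revoked;
    missing scopes mean consent is incomplete and the matching workflow fails.
    """
    return {
        "unexpected": sorted(granted - expected),
        "missing": sorted(expected - granted),
    }
```

With a live tenant, the same functions can be fed the body of a Graph request for the Power365 service principal's grants instead of the constructed sample.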