MigrationWiz – Permission Requirements

This article provides a list of permissions required for all administrator accounts used to perform migrations with MigrationWiz. Whenever possible, we recommend using a Global Administrator, or equivalent, account. When that is not possible, this list can be used to provide the strictest possible level of permissions required to migrate data.

Mailbox Migrations

Exchange 

Please see Exchange FAQ for directions.

G Suite

Source

Destination

Lotus Notes/Lotus Domino

Source

  • The Lotus account being used for the migration will need to have Manager Access and Delete Permissions.

Office 365 Exchange Online (Mailbox and Archive)

Source

  • An administrator account with read-only access to the migrating users' mailboxes.

Destination

  • Use impersonation. Impersonation rights allow the migration account to function as the user; therefore, no additional access rights are required above impersonation. MigrationWiz will attempt to apply impersonation rights automatically if the administrator account does not currently have access to the user mailboxes.

Document Migrations

Google Drive

Source or Destination

  • Enable OAuth 2.0. This allows the required authorizations to be set within the Google Admin Console. For specific instructions on enabling the OAuth protocol, see Enable access to G Suite (IMAP) using OAuth 2.0.

    Important

    Google Drive Document Migrations requires that the Enable API access setting in the Google Admin Portal be enabled.

OneDrive or Sharepoint

Source

  • OneDrive Migration only: An administrator account with Site Collection permissions. If using this level of permission, the following Advanced Option will need to be added to the Support Options in the project:
    ForceOneDriveNonGlobalAdminAuthExport=1

Read-Only Application Permissions for SharePoint and OneDrive Migrations  are now available! 

Read Only permissions granted:

  • SharePoint API
    • Sites.Read.All
    • User.Read.All
  • Graph API
    • Directory.Read.All
    • Files.Read.All
    • Group.Read.All (delegate permission)
    • User.Read (delegate permission)

Full Control permissions granted:

  • SharePoint API
    • Sites.FullControl.All
    • User.ReadWrite.All
  • Graph API
    • Directory.Read.All
    • Files.Read.All
    • Group.Read.All (delegate permission)
    • User.Read (delegate permission)

Destination

Use App-based Authentication. This allows the required permissions to be set for a specific App ID. If the users have not yet been provisioned on the Destination, a Global Administrator account will also be required when setting up the endpoint. The App ID is automatically granted the permissions below. For more information on setting up the App ID, see Using App-based Authentication

  •  MicrosoftGraphAPI
    • Directory.Read.All
    • Files.Read
    • Files.ReadWrite
    • Files.Read.All
    • Files.ReadWrite.All
    • Sites.Read.All
    • Sites.ReadWrite.All
  • Microsoft Entra ID
    • User.Read
  • SharePoint
    • AllSites.FullControl
    • User.ReadWrite.All

For more information on the available permissions for OneDrive and SharePoint, see Permissions for OneDrive API.

Collaboration Migrations

Microsoft Teams

Source

Read-Only Application Permissions for Teams Migrations 

Read Only permissions granted:

  • SharePoint API
    • Sites.Read.All
    • User.Read.All
  • Graph API
    • Files.Read.All
    • Group.ReadWrite.All

      Important

      This is to add the user to the team as an owner first before being able to read conversations.
    • User.Read.All
    • Group.Read.All (delegate permission)

      Important

      This is to be able to read all the conversations as a user after being added.
    • User.Read (delegate permission)

Full Control permissions granted:

  • SharePoint API:
    • Sites.FullControl.All
    • User.ReadWrite.All

  • Graph API:
    • Files.Read.All
    • Group.ReadWrite.All
    • User.Read.All
    • Group.ReadWrite.All (delegate permission)
    • User.Read (delegate permission)

Source or Destination

Use App-based Authentication. This allows the required permissions to be set for a specific App ID. 
A Global Administrator account will also be required when setting up the endpoint. The App ID is automatically granted the permissions below. For more information on setting up the App ID, see Using App-based Authentication

  • Microsoft Entra ID
    • User.Read
  • Microsoft Graph API
    • Directory.Read.All
    • Group.ReadWrite.All
    • Sites.Read.All
    • User.ReadWrite.All
  • SharePoint
    • AllSites.FullControl
    • User.ReadWrite.All
Was this article helpful?
0 out of 9 found this helpful