This article provides a high-level list of permission requirements to perform migrations with MigrationWiz. However, we recommend you follow the migration guide for your scenario for complete instructions.
Mailbox Migrations
Exchange
Please review the Exchange FAQ article for directions.
G Suite
Source and Destination
- (Recommended) Set up a Google API endpoint. This allows specific permissions to be set for a Google endpoint that bypasses the need for IMAP to be enabled. For more information, see Set up Google API for migrating mailboxes.
- Enable OAuth 2.0. This allows the required authorizations to be set within the Google Admin Console. For specific instructions on enabling the OAuth protocol, see Enable access to G Suite (IMAP) using OAuth 2.0.
Lotus Notes/Lotus Domino
Source
- The Lotus account being used for the migration will need to have Manager Access and Delete Permissions.
Office 365 Exchange Online (Mailbox and Archive)
Source and Destination
An administrator account with full access to the user mailboxes. You can grant the recommended rights to your account in two different ways:
- Performing Migration using only API permissions (most recommended).
- Delegated Permissions (not most recommended)
Document Migrations
Google Drive
Source or Destination
Please review the Google API Set up to Migrate Google Workspace Products article for more information.
OneDrive or SharePoint
Source
Requirements
Customers need to create a "MigrationWiz" security group and add the admin account as a member.
Limitations
- Using Read-Only permissions, MigrationWiz can migrate only folders and documents.
- Permissions, versions, and metadata cannot be migrated.
Read-Only Permissions Granted
- SharePoint API
  - Sites.Read.All
  - User.Read.All
- Graph API
  - Directory.Read.All
  - Files.Read.All
  - Group.Read.All (delegate permission)
  - User.Read (delegate permission)
Additional Advanced Options
If you are using Application permissions, add the advanced option UseApplicationPermission=1 to the SharePoint and OneDrive source endpoints.
We recommend you review the migration guide for additional advanced options for setup.
MigrationWiz also supports full control permissions. Please review the following information to understand what permissions are granted.
Requirements
Customers need to create a "MigrationWiz" security group and add the admin account as a member.
Full Control Permissions Granted
- SharePoint API
  - Sites.FullControl.All
  - User.ReadWrite.All
- Graph API
  - Directory.Read.All
  - Files.Read.All
  - Group.Read.All (delegate permission)
  - User.Read (delegate permission)
Additional Advanced Options
Please review the migration guide for additional advanced options for setup.
Destination
Use App-based Authentication. This allows the required permissions to be set for a specific App ID. If the users have not yet been provisioned on the Destination, a Global Administrator account will also be required when setting up the endpoint. The App ID is automatically granted the permissions below. For more information on setting up the App ID, see Using App-based Authentication.
- Microsoft Graph API
  - Directory.Read.All
  - Files.Read
  - Files.ReadWrite
  - Files.Read.All
  - Files.ReadWrite.All
  - Sites.Read.All
  - Sites.ReadWrite.All
- Microsoft Entra ID
  - User.Read
- SharePoint
  - AllSites.FullControl
  - User.ReadWrite.All
For more information on the available permissions for OneDrive and SharePoint, see Permissions for OneDrive API.
Collaboration Migrations
Microsoft Teams
Source
MigrationWiz allows the use of read-only and full control permissions for Microsoft Teams source endpoints. Please review the following information to check the permissions granted in each case.
Read-Only Application Permissions for Teams Migrations
Read-Only Permissions Granted
- SharePoint API
  - Sites.Read.All
  - User.Read.All
- Graph API
  - Files.Read.All
  - Group.ReadWrite.All
    Important: This is to add the user to the team as an owner first before being able to read conversations.
  - User.Read.All
  - Group.Read.All (delegate permission)
    Important: This is to be able to read all the conversations as a user after being added.
  - User.Read (delegate permission)
Full Control Permissions Granted
- SharePoint API:
  - Sites.FullControl.All
  - User.ReadWrite.All
- Graph API:
  - Files.Read.All
  - Group.ReadWrite.All
  - User.Read.All
  - Group.ReadWrite.All (delegate permission)
  - User.Read (delegate permission)
Source or Destination
Use App-based Authentication. This allows the required permissions to be set for a specific App ID.
A Global Administrator account will also be required when setting up the endpoint. The App ID is automatically granted the permissions below. For more information on setting up the App ID, see Using App-based Authentication.
- Microsoft Entra ID
  - User.Read
- Microsoft Graph API
  - Directory.Read.All
  - Group.ReadWrite.All
  - Sites.Read.All
  - User.ReadWrite.All
- SharePoint
  - AllSites.FullControl
  - User.ReadWrite.All