This article provides a list of permissions required for all administrator accounts used to perform migrations with MigrationWiz. Whenever possible, we recommend using a Global Administrator, or equivalent, account. When that is not possible, this list can be used to provide the strictest possible level of permissions required to migrate data.
Mailbox Migrations
Exchange
Please see Exchange FAQ for directions.
G Suite
Source
- Enable OAuth 2.0. This allows the required authorizations to be set within the Google Admin Console. For specific instructions on enabling the OAuth protocol, see Enable access to G Suite (IMAP) using OAuth 2.0.
Destination
- (Recommended) Set up a Google API endpoint. This allows specific permissions to be set for a Google endpoint that bypasses the need for IMAP to be enabled. For more information, see Set up Google API for migrating mailboxes.
- Enable OAuth 2.0. For specific instructions on enabling the OAuth protocol, see Enable access to G Suite (IMAP) using OAuth 2.0.
Lotus Notes/Lotus Domino
Source
- The Lotus account being used for the migration will need to have Manager Access and Delete Permissions.
Office 365 Exchange Online (Mailbox and Archive)
Source
- An administrator account with read-only access to the migrating users' mailboxes.
Destination
- Use impersonation. Impersonation rights allow the migration account to function as the user; therefore, no additional access rights are required above impersonation. MigrationWiz will attempt to apply impersonation rights automatically if the administrator account does not currently have access to the user mailboxes.
Document Migrations
Google Drive
Source or Destination
- Enable OAuth 2.0. This allows the required authorizations to be set within the Google Admin Console. For specific instructions on enabling the OAuth protocol, see Enable access to G Suite (IMAP) using OAuth 2.0.
Important
Google Drive document migrations require that the Enable API access setting in the Google Admin Portal be enabled.
OneDrive or SharePoint
Source
- OneDrive Migration only: An administrator account with Site Collection permissions. If using this level of permission, the following Advanced Option will need to be added to the Support Options in the project:
  ForceOneDriveNonGlobalAdminAuthExport=1
Read-Only Application Permissions for SharePoint and OneDrive Migrations are now available!
Read Only permissions granted:
- SharePoint API
  - Sites.Read.All
  - User.Read.All
- Graph API
  - Directory.Read.All
  - Files.Read.All
  - Group.Read.All (delegate permission)
  - User.Read (delegate permission)
Full Control permissions granted:
- SharePoint API
  - Sites.FullControl.All
  - User.ReadWrite.All
- Graph API
  - Directory.Read.All
  - Files.Read.All
  - Group.Read.All (delegate permission)
  - User.Read (delegate permission)
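The two permission sets above can be used as a baseline when reviewing what a migration app registration actually holds. The following is an added example, not part of the original article or of MigrationWiz: it compares a list of granted permissions against the Read Only set and reports write-capable grants, grant-type drift and missing entries. The `(api, permission, type)` tuple format, the function name `audit` and the sample `GRANTED` list are assumptions made for illustration.

```python
import re

# Read Only source baseline copied from the list above. Entries not marked
# "(delegate permission)" are assumed to be application permissions.
BASELINE = {
    ("SharePoint API", "Sites.Read.All", "application"),
    ("SharePoint API", "User.Read.All", "application"),
    ("Graph API", "Directory.Read.All", "application"),
    ("Graph API", "Files.Read.All", "application"),
    ("Graph API", "Group.Read.All", "delegated"),
    ("Graph API", "User.Read", "delegated"),
}

# Permission names that allow modification rather than read access.
WRITE_PATTERN = re.compile(r"\.(ReadWrite|Write|FullControl)\b")


def audit(granted, baseline=BASELINE):
    """Compare granted (api, permission, type) tuples with the baseline."""
    granted = set(granted)
    excess = granted - baseline
    baseline_names = {(api, perm) for api, perm, _ in baseline}
    return {
        # Grants beyond the baseline that permit writes or full control.
        "write_capable": sorted(g for g in excess if WRITE_PATTERN.search(g[1])),
        # Same API and permission as the baseline but a different grant
        # type, e.g. a delegated permission held as an application one.
        "type_mismatch": sorted(g for g in excess if g[:2] in baseline_names),
        # Baseline entries the app does not hold (migration may fail).
        "missing": sorted(baseline - granted),
    }


# Constructed sample: the Full Control set from the list above, with
# Group.Read.All changed to an application grant to show type drift.
GRANTED = [
    ("SharePoint API", "Sites.FullControl.All", "application"),
    ("SharePoint API", "User.ReadWrite.All", "application"),
    ("Graph API", "Directory.Read.All", "application"),
    ("Graph API", "Files.Read.All", "application"),
    ("Graph API", "Group.Read.All", "application"),
    ("Graph API", "User.Read", "delegated"),
]

if __name__ == "__main__":
    for finding, items in audit(GRANTED).items():
        print(finding, items)
```
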
Destination
Use App-based Authentication. This allows the required permissions to be set for a specific App ID. If the users have not yet been provisioned on the Destination, a Global Administrator account will also be required when setting up the endpoint. The App ID is automatically granted the permissions below. For more information on setting up the App ID, see Using App-based Authentication.
- Microsoft Graph API
  - Directory.Read.All
  - Files.Read
  - Files.ReadWrite
  - Files.Read.All
  - Files.ReadWrite.All
  - Sites.Read.All
  - Sites.ReadWrite.All
- Microsoft Entra ID
  - User.Read
- SharePoint
  - AllSites.FullControl
  - User.ReadWrite.All
For more information on the available permissions for OneDrive and SharePoint, see Permissions for OneDrive API.
Collaboration Migrations
Microsoft Teams
Source
Read-Only Application Permissions for Teams Migrations
Read Only permissions granted:
- SharePoint API
  - Sites.Read.All
  - User.Read.All
- Graph API
  - Files.Read.All
  - Group.ReadWrite.All
    Important: This is to add the user to the team as an owner first before being able to read conversations.
  - User.Read.All
  - Group.Read.All (delegate permission)
    Important: This is to be able to read all the conversations as a user after being added.
  - User.Read (delegate permission)
Full Control permissions granted:
- SharePoint API:
  - Sites.FullControl.All
  - User.ReadWrite.All
- Graph API:
  - Files.Read.All
  - Group.ReadWrite.All
  - User.Read.All
  - Group.ReadWrite.All (delegate permission)
  - User.Read (delegate permission)
Source or Destination
Use App-based Authentication. This allows the required permissions to be set for a specific App ID.
A Global Administrator account will also be required when setting up the endpoint. The App ID is automatically granted the permissions below. For more information on setting up the App ID, see Using App-based Authentication.
- Microsoft Entra ID
  - User.Read
- Microsoft Graph API
  - Directory.Read.All
  - Group.ReadWrite.All
  - Sites.Read.All
  - User.ReadWrite.All
- SharePoint
  - AllSites.FullControl
  - User.ReadWrite.All