ShareGate needs access to specific resources from Microsoft to work properly. To use ShareGate Management, you need to provide consent for ShareGate to obtain this access.
This article explains permissions for ShareGate Management. To learn about migration tool permissions, see Which permissions does the Azure ShareGate migration application need?
Note: Security is our highest priority. We comply with industry standards and we have internal policies to ensure your data is protected. Our Security overview article provides detailed information on our security measures and policies.
Index
Types of permissions
ShareGate uses 2 types of permissions. Application permissions define what ShareGate is allowed to do within your tenant independently, without a signed-in user, while delegated permissions define what ShareGate is allowed to do within your tenant on behalf of the signed-in user.
Microsoft Graph
Application permissions
- Read items in all site collections - ShareGate uses the permission to detect sites that are linked to Microsoft 365 Groups and to get the properties of external sharing links for your external sharing reviews.
- Read and write files in all site collections - Allows ShareGate Management to remove external sharing links.
- Read and write to all app catalogs - Allows ShareGate to update app catalogs, such as when it needs to add our Teams chatbot to Microsoft Teams.
- Read and write directory data - ShareGate uses the permission to allow you to change the guest access setting of your groups and modify guests in a group through Management.
- Read all groups - Allows ShareGate to read group properties and memberships.
- Read and write all groups - ShareGate uses the permission to crawl your teams, groups, properties, owners, members, Teams' private channels, Teams activity, and Outlook activity. The permission also allows you to modify the privacy setting and membership of your teams and groups, and to use the archive or restore features.
- Send mail as any user - ShareGate uses the permission to send notifications to your owners via the email sender you've selected.
- Manage Teams apps for all users - ShareGate uses the permission to read, upgrade, install, and uninstall our Teams chatbot for any user when required.
- Channel member read and write all - ShareGate uses the permission to add and remove members from channels.
- Channel message read all - ShareGate uses the permission to read channel messages.
- Teams tab read and write all - ShareGate uses the permission to read and write tabs in Microsoft Teams.
- Team member read and write all - ShareGate uses the permission to add and remove members from teams.
- Tasks read and write all - ShareGate uses the permission to read and write all users' tasks and tasklists.
- User read all - ShareGate uses the permission to read all users' full profiles.
Delegated permissions
- Read all groups - ShareGate uses the permission to list groups, read properties and membership, and crawl the Outlook activity.
- Read directory data - ShareGate uses the permission to validate that our Teams chatbot is available in the app catalog of a team.
- Team create - ShareGate uses the permission to create teams via provisioning templates if they require approval.
- Team member read and write all - ShareGate uses the permission to add or remove members from teams via provisioning templates if they require approval.
- Channel create - ShareGate uses the permission to create channels via provisioning templates if they require approval.
Microsoft 365 SharePoint online
Application permissions
- Have full control of all site collections - ShareGate uses the permission to copy the content of the SharePoint sites within your Microsoft 365 Groups (including private channels) to archive them.
- Read items in all site collections - ShareGate uses the permission to crawl SharePoint activity in order to detect inactive teams and groups and to get the properties of external sharing links for your external sharing reviews.