Connect Tenants

TenantLift requires admin consent on both the source and target Microsoft 365 tenants. This grants the TenantLift app registration the Graph API and Exchange Online permissions it needs to discover and migrate data.

Auto Setup (recommended)

1. Open your project and click Connect Source Tenant (or Target).
2. In the Setup Wizard, select Auto Setup.
3. Click Grant Admin Consent.
4. Sign in as a Global Administrator on the tenant.
5. Review the permissions and click Accept.
6. You'll be redirected back to TenantLift — the connection should show as Consented.

TenantLift uses a single unified consent that includes all permissions for both the standard source audit and the enhanced audit modules (Teams, SharePoint, Conditional Access, Apps, Intune).

Manual Setup

If your organisation restricts third-party app consent, you can create your own App Registration:

1. In the Setup Wizard, select Manual Setup.
2. Follow the on-screen instructions to create an App Registration in Entra ID.
3. Add all listed API permissions (application type, not delegated).
4. Grant admin consent in the Entra portal.
5. Enter the Client ID and Client Secret back in TenantLift.

Verifying the connection

After consent, TenantLift verifies:

• The service principal exists in the tenant
• All required app role assignments are in place
• The connection can successfully authenticate

If any permission is missing, the connection panel will show which specific permissions need attention.

Re-consent

When TenantLift adds new permissions (e.g. after an update), existing connections will show a "Re-consent" prompt. Click it to re-run the admin consent flow — this grants only the newly added permissions; existing ones are retained.