API Permissions
TenantLift requires the following Microsoft Graph API and Exchange Online permissions. All are application-level (not delegated) and are requested during the initial admin consent flow.
Microsoft Graph
| Permission | Type | Purpose |
|---|---|---|
| User.Read.All | Application | Read user profiles, UPNs, and licence assignments |
| Mail.Read | Application | Read mailbox contents for migration |
| Mail.ReadWrite | Application | Write migrated mail to target mailboxes |
| Calendars.Read | Application | Read calendar events and meeting details |
| Calendars.ReadWrite | Application | Write migrated calendar events to target |
| MailboxSettings.Read | Application | Read mailbox settings (auto-replies, time zones) |
| MailboxSettings.ReadWrite | Application | Configure forwarding & mailbox settings |
| Directory.Read.All | Application | Read directory objects (users, groups, domains) |
| Organization.Read.All | Application | Read tenant subscriptions and licence SKUs |
| Group.Read.All | Application | Read Microsoft 365 and security groups |
| Sites.Read.All | Application | Read SharePoint sites and OneDrive usage |
| Files.Read.All | Application | Read OneDrive files for size calculation |
| Reports.Read.All | Application | Read Microsoft 365 usage reports |
| ReportSettings.ReadWrite.All | Application | Un-conceal hashed UPNs in usage reports |
| Team.ReadBasic.All | Application | Read Teams team metadata |
| Channel.ReadBasic.All | Application | Read Teams channel metadata |
| Policy.Read.All | Application | Read Conditional Access policies |
| Application.Read.All | Application | Read Entra ID app registrations |
| DeviceManagementConfiguration.Read.All | Application | Read Intune device configuration |
| DeviceManagementApps.Read.All | Application | Read Intune app management |
| DeviceManagementManagedDevices.Read.All | Application | Read Intune managed devices |
Exchange Online
| Permission | Type | Purpose |
|---|---|---|
| full_access_as_app | Application | Full access to Exchange Online mailboxes for migration |
Consent versions
TenantLift tracks which permissions have been consented via a version number:
| Version | Changes |
|---|---|
| 1 | Initial permission set |
| 2 | Added ReportSettings.ReadWrite.All |
| 3 | Added enhanced audit permissions (Teams, CA, Apps, Intune) |
| 4 | Unified consent — all permissions requested up-front; added Organization.Read.All |
Connections on an older version will show a re-consent prompt.
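An added example, not TenantLift's own code: a drift check that reads the `roles` claim of an app-only Microsoft Graph access token and compares it with the Graph permissions documented above, reporting the highest consent version fully covered, what is missing, and any grant outside the documented list. The per-version sets are inferred from the consent table (an assumption), the function names and sample token are constructed for illustration, and the Exchange Online permission is not covered.

```python
import base64
import json

# Graph application permissions, cumulative by consent version (from the tables above).
# Assumption: V1 is the full list minus later additions, and the version 3
# "Teams, CA, Apps, Intune" additions are the seven permissions in V3 below.
V1 = {
    "User.Read.All", "Mail.Read", "Mail.ReadWrite", "Calendars.Read",
    "Calendars.ReadWrite", "MailboxSettings.Read", "MailboxSettings.ReadWrite",
    "Directory.Read.All", "Group.Read.All", "Sites.Read.All", "Files.Read.All",
    "Reports.Read.All",
}
V2 = V1 | {"ReportSettings.ReadWrite.All"}
V3 = V2 | {
    "Team.ReadBasic.All", "Channel.ReadBasic.All", "Policy.Read.All",
    "Application.Read.All", "DeviceManagementConfiguration.Read.All",
    "DeviceManagementApps.Read.All", "DeviceManagementManagedDevices.Read.All",
}
V4 = V3 | {"Organization.Read.All"}
VERSIONS = {1: V1, 2: V2, 3: V3, 4: V4}


def roles_from_token(jwt: str) -> set:
    """Read the `roles` claim of an app-only token. No signature check: audit use only."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return set(json.loads(base64.urlsafe_b64decode(payload)).get("roles", []))


def audit(granted: set) -> dict:
    """Compare the granted roles with the documented permission list."""
    covered = [v for v, perms in VERSIONS.items() if perms <= granted]
    return {
        "consent_version": max(covered, default=0),  # 0: not even V1 is complete
        "missing": sorted(V4 - granted),             # closed by re-consent
        "undocumented": sorted(granted - V4),        # grant beyond the documented list
    }


def make_sample_token(roles) -> str:
    """Build a constructed, unsigned token for the demo (not a real Entra ID token)."""
    parts = [{"alg": "none"}, {"aud": "https://graph.microsoft.com", "roles": sorted(roles)}]
    enc = (base64.urlsafe_b64encode(json.dumps(p).encode()).rstrip(b"=").decode() for p in parts)
    return ".".join(enc) + "."


if __name__ == "__main__":
    token = make_sample_token(V2 | {"Directory.ReadWrite.All"})  # constructed input
    print(audit(roles_from_token(token)))
```

A non-empty `undocumented` list means the service principal holds more than this page describes and is worth reviewing before the next consent.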