Required permissions for SharePoint Online

Reference for the SharePoint permissions WikiTraccs requires on the migration account, the Entra ID application, and each target site. Includes scenarios, alternatives, and intermediate configurations.

WikiTraccs requires two distinct permission surfaces to be configured for a Confluence to SharePoint Online migration:

  1. SharePoint account permissions - the role held by the migration user on each target site (applies to interactive, credentials, and device-login authentication), or the role held by the application on each target site (applies to app-only certificate authentication with Sites.Selected).
  2. Entra ID application permissions - the scopes configured on the Entra ID app registration that WikiTraccs authenticates through.

This page documents the supported combinations of the two, their limitations, and the configurations that are insufficient.

SharePoint account permissions on target sites

The migration account is expected to hold site-scoped admin-level permissions on each site that participates in the migration. The SharePoint Administrator and Microsoft 365 Global Administrator directory roles are not required.

Role model

SharePoint Online distinguishes two roles with “Full Control”:

  • Site Owner - holds Full Control on the site. Permits creating lists, libraries, content types, and pages; setting page metadata (Author, Editor, Created, Modified); and managing permissions. When permissions inheritance is broken on a specific item (for example, a page), a Site Owner account retains access to that item only if it is still present in that item’s access control list.
  • Site Admin (formerly Site Collection Administrator) - holds all Site Owner capabilities and, in addition, retains access to every item in the site collection regardless of the item-level access control list. A Site Admin account is therefore not locked out of items where permissions inheritance has been broken, even when the account is not listed in the item’s permissions. Site Admin also permits managing search, the recycle bin, and site collection features. Reference: Admin center site permissions reference.

For migration runs performed by a single account, Site Owner on every target site (and on the WikiTraccs site) is sufficient. Full Control covers all operations WikiTraccs performs:

  • creating lists, fields, content types, and modern SharePoint pages
  • setting page metadata: Author, Editor, Created, Modified
  • uploading attachments
  • breaking inheritance on individual pages and applying page-level restrictions

The migration account is preserved in the page access control list during the break-inheritance step. The account therefore retains access to each page it migrates.

When Site Admin is required

Site Admin only becomes relevant when Confluence page restrictions are migrated to SharePoint. Without permission migration, WikiTraccs does not break inheritance on pages, and Site Owner is sufficient.

Migrating page restrictions is generally not recommended - the Confluence and SharePoint permission models differ in ways that often make direct migration impractical. See Mapping principals and migrating permissions for the full discussion.

If permission migration is enabled, Site Admin is recommended to avoid access-related issues, for example when multiple migration accounts are involved or when permission-related issues need to be investigated.

Insufficient account permissions

  • Contribute, Edit, or Read. Full Control is required to break inheritance, set system fields, and apply provisioning templates.
  • SharePoint Administrator or Microsoft 365 Global Administrator alone. Tenant-level roles are not a reliable substitute for per-site access; some per-site operations still require the account to hold at least Read on the site. When in doubt, grant Site Owner or Site Admin explicitly.

Entra ID application permissions

Each authentication mode requires an Entra ID application that WikiTraccs authenticates through. The permissions configured on the application determine which API scopes WikiTraccs can request.

  • Microsoft Graph > Sites.FullControl.All (delegated) - requires admin consent
  • SharePoint > AllSites.FullControl (delegated) - requires admin consent

Under delegated authentication, WikiTraccs receives the intersection of the signed-in user’s permissions and these scopes. The user account must additionally hold Site Owner or Site Admin on the target sites (see SharePoint account permissions).

Intermediate configuration: Manage delegated

If an administrator is unable to consent FullControl scopes in the target tenant:

  • Microsoft Graph > Sites.Manage.All (delegated) - no admin consent required
  • SharePoint > AllSites.Manage (delegated) - no admin consent required

Migrations continue to succeed with this configuration, at the cost of reduced capability:

  • Page permissions cannot be configured. WikiTraccs cannot break inheritance or apply page restrictions under Manage scopes.
  • Author, Editor, Created, and Modified cannot be set. Setting these system fields falls under the same permission category as managing permissions.

This configuration is appropriate in tenants where admin consent for FullControl is not available.

Certificate authentication: Sites.Selected application permissions

  • Microsoft Graph > Sites.Selected (application) - requires admin consent
  • SharePoint > Sites.Selected (application) - requires admin consent

On the app registration’s API permissions page, both Sites.Selected entries (the Microsoft Graph one and the SharePoint one) must display the “Granted for [Tenant]” status with the green checkmark. Adding the permission rows alone is not sufficient; admin consent must be granted explicitly.

In addition, the application must be granted FullControl on every target site and on the WikiTraccs site via Microsoft Graph. The roles Read, Write, and Manage are also available, but WikiTraccs requires FullControl for the same reasons interactive authentication requires Site Owner.

For the end-to-end configuration procedure, see Configuring Sites.Selected Authentication for WikiTraccs.
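As an added illustration (not WikiTraccs' own code and not the project's documented procedure), the following Python builds the Microsoft Graph request body for the per-site FullControl grant and audits an existing GET /sites/{site-id}/permissions listing for the strongest role the application actually holds, so a Manage-only or Read-only grant is caught before a migration run. The app id, the sample listing and the bearer token are constructed placeholders; the identity behind the token is assumed to be permitted to manage site permissions.

```python
"""Build and audit per-site Sites.Selected grants for an app via Microsoft Graph (added example)."""
import json
import urllib.request
from typing import Optional

GRAPH = "https://graph.microsoft.com/v1.0"
REQUIRED_ROLE = "fullcontrol"  # WikiTraccs needs FullControl on every target site
# Graph site-permission roles, weakest to strongest.
ROLE_RANK = {"read": 1, "write": 2, "manage": 3, "fullcontrol": 4}
# Placeholder client id of the WikiTraccs app registration; substitute the real one.
WIKITRACCS_APP_ID = "00000000-0000-0000-0000-000000000001"

def grant_body(app_id: str, display_name: str, role: str = REQUIRED_ROLE) -> dict:
    """Body for POST /sites/{site-id}/permissions that grants one role to one application."""
    if role not in ROLE_RANK:
        raise ValueError(f"unknown Graph site role: {role!r}")
    return {"roles": [role],
            "grantedToIdentities": [{"application": {"id": app_id, "displayName": display_name}}]}

def effective_role(listing: dict, app_id: str) -> Optional[str]:
    """Strongest role app_id holds in a GET /sites/{site-id}/permissions response, or None."""
    best = None
    for perm in listing.get("value", []):
        identities = perm.get("grantedToIdentities", []) + perm.get("grantedToIdentitiesV2", [])
        if not any(i.get("application", {}).get("id") == app_id for i in identities):
            continue
        for role in perm.get("roles", []):
            if ROLE_RANK.get(role, 0) > ROLE_RANK.get(best, 0):
                best = role
    return best

def graph_call(token: str, method: str, path: str, body: Optional[dict] = None) -> dict:
    """Minimal Graph request; token is assumed to belong to an identity allowed to manage site permissions."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(GRAPH + path, data=data, method=method,
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

# Constructed sample listing: another app holds Read, WikiTraccs holds only Manage (insufficient).
SAMPLE_LISTING = {"value": [
    {"id": "p1", "roles": ["read"],
     "grantedToIdentities": [{"application": {"id": "00000000-0000-0000-0000-0000000000aa", "displayName": "Other app"}}]},
    {"id": "p2", "roles": ["manage"],
     "grantedToIdentities": [{"application": {"id": WIKITRACCS_APP_ID, "displayName": "WikiTraccs"}}]},
]}

if __name__ == "__main__":
    print(effective_role(SAMPLE_LISTING, WIKITRACCS_APP_ID) == REQUIRED_ROLE)  # False: only Manage
    print(json.dumps(grant_body(WIKITRACCS_APP_ID, "WikiTraccs"), indent=2))
```

To apply a grant, send the body from grant_body with graph_call(token, "POST", f"/sites/{site_id}/permissions", body) and re-run effective_role on graph_call(token, "GET", f"/sites/{site_id}/permissions") to confirm the site now reports fullcontrol.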

Intermediate configuration for certificate authentication: broader FullControl application permissions

If per-site scoping is not a requirement in the target environment:

  • Microsoft Graph > Sites.FullControl.All (application) - requires admin consent
  • SharePoint > Sites.FullControl.All (application) - requires admin consent

The application receives tenant-wide Full Control. Configuration is simpler because no per-site grants are needed, at the cost of tenant-wide SharePoint access that defeats the point of choosing app-only authentication for isolation. This configuration is listed for completeness; Sites.Selected is the recommended default.

Quick reference

Scenario | Minimum account permission | Entra application permission | Notes
--- | --- | --- | ---
Regular migration runs, single account | Site Owner | Sites.FullControl.All + AllSites.FullControl (delegated) | Simplest configuration.
Regular migration runs, tenant does not grant admin consent for FullControl | Site Owner | Sites.Manage.All + AllSites.Manage (delegated) | Page permissions and system-field metadata not set.
Ongoing administrative access to restricted pages required | Site Admin | Sites.FullControl.All + AllSites.FullControl (delegated) | Required when additional administrators must reach pages restricted by WikiTraccs.
Periodic rotation of migration accounts | Site Admin, or certificate authentication | Delegated FullControl, or Sites.Selected (application) | Site Admin for user-based authentication; certificate authentication removes the concern.
Unattended or automated runs | Not applicable (application-based) | Sites.Selected (application) with per-site FullControl grant, or Sites.FullControl.All (application) | No user account required. Choose the application permission based on security posture: Sites.Selected for per-site scoping, Sites.FullControl.All if tenant-wide access is acceptable.
Locked-down tenant where tenant-wide application permissions are not permitted | Not applicable (application-based) | Sites.Selected (application) with per-site FullControl grant | Access is granted per site individually. Sites.FullControl.All is not an option because it requires tenant-wide admin consent.
Last modified April 23, 2026