WikiTraccs requires two distinct permission surfaces to be configured for a Confluence to SharePoint Online migration:
- SharePoint account permissions - the role held by the migration user on each target site (applies to interactive, credentials, and device-login authentication), or the role held by the application on each target site (applies to app-only certificate authentication with Sites.Selected).
- Entra ID application permissions - the scopes configured on the Entra ID app registration that WikiTraccs authenticates through.
This page documents the supported combinations of the two, their limitations, and the configurations that are insufficient.
Recommendation
When unsure which configuration to choose, select the Recommended default in each section below. These configurations cover the broadest range of migration scenarios and require the least tuning.
SharePoint account permissions on target sites
The migration account is expected to hold site-scoped admin-level permissions on each site that participates in the migration. The SharePoint Administrator and Microsoft 365 Global Administrator directory roles are not required.
Note
This section applies when WikiTraccs authenticates as a user (Interactive, Credentials, or Device Login). Under certificate or app-only authentication, the equivalent concept is the per-site permission grant on the Entra ID application - see Entra ID application permissions below.
Role model
SharePoint Online distinguishes two roles with “Full Control”:
- Site Owner - holds Full Control on the site. Permits creating lists, libraries, content types, and pages; setting page metadata (Author, Editor, Created, Modified); and managing permissions. When permissions inheritance is broken on a specific item (for example, a page), a Site Owner account retains access to that item only if it is still present in that item’s access control list.
- Site Admin (formerly Site Collection Administrator) - holds all Site Owner capabilities and, in addition, retains access to every item in the site collection regardless of the item-level access control list. A Site Admin account is therefore not locked out of items where permissions inheritance has been broken, even when the account is not listed in the item’s permissions. Site Admin also permits managing search, the recycle bin, and site collection features. Reference: Admin center site permissions reference.
Recommended default: Site Owner
For migration runs performed by a single account, Site Owner on every target site (and on the WikiTraccs site) is sufficient. Full Control covers all operations WikiTraccs performs:
- creating lists, fields, content types, and modern SharePoint pages
- setting page metadata: Author, Editor, Created, Modified
- uploading attachments
- breaking inheritance on individual pages and applying page-level restrictions
The migration account is preserved in the page access control list during the break-inheritance step. The account therefore retains access to each page it migrates.
When Site Admin is required
Site Admin only becomes relevant when Confluence page restrictions are migrated to SharePoint. Without permission migration, WikiTraccs does not break inheritance on pages, and Site Owner is sufficient.
Migrating page restrictions is generally not recommended - the Confluence and SharePoint permission models differ in ways that often make direct migration impractical. See Mapping principals and migrating permissions for the full discussion.
If permission migration is enabled, Site Admin is recommended to avoid access-related issues, for example when multiple migration accounts are involved or when permission-related issues need to be investigated.
Insufficient account permissions
- Contribute, Edit, or Read. Full Control is required to break inheritance, set system fields, and apply provisioning templates.
- SharePoint Administrator or Microsoft 365 Global Administrator alone. Tenant-level roles are not a reliable substitute for per-site access; some per-site operations still require the account to hold at least Read on the site. When in doubt, grant Site Owner or Site Admin explicitly.
Entra ID application permissions
Each authentication mode requires an Entra ID application that WikiTraccs authenticates through. The permissions configured on the application determine which API scopes WikiTraccs can request.
Recommended default for interactive, credentials, and device-login authentication: FullControl delegated
- Microsoft Graph > Sites.FullControl.All (delegated) - requires admin consent
- SharePoint > AllSites.FullControl (delegated) - requires admin consent
Under delegated authentication, WikiTraccs receives the intersection of the signed-in user’s permissions and these scopes. The user account must additionally hold Site Owner or Site Admin on the target sites (see SharePoint account permissions).
Intermediate configuration: Manage delegated
If an administrator is unable to consent FullControl scopes in the target tenant:
- Microsoft Graph > Sites.Manage.All (delegated) - no admin consent required
- SharePoint > AllSites.Manage (delegated) - no admin consent required
Migrations continue to succeed with this configuration, at the cost of reduced capability:
- Page permissions cannot be configured. WikiTraccs cannot break inheritance or apply page restrictions under Manage scopes.
- Author, Editor, Created, and Modified cannot be set. Setting these system fields falls under the same permission category as managing permissions.
This configuration is appropriate in tenants where admin consent for FullControl is not available.
Recommended default for certificate and app-only authentication: Sites.Selected application with per-site FullControl
- Microsoft Graph > Sites.Selected (application) - requires admin consent
- SharePoint > Sites.Selected (application) - requires admin consent
On the app registration’s API permissions page, both Sites.Selected entries (the Microsoft Graph one and the SharePoint one) must display the “Granted for [Tenant]” status with the green checkmark. Adding the permission rows alone is not sufficient; admin consent must be granted explicitly.
In addition, the application must be granted FullControl on every target site and on the WikiTraccs site via Microsoft Graph. The roles Read, Write, and Manage are also available, but WikiTraccs requires FullControl for the same reasons interactive authentication requires Site Owner.
For the end-to-end configuration procedure, see Configuring Sites.Selected Authentication for WikiTraccs.
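As an added example (not WikiTraccs' own code, nor the procedure on the linked page), the following Python script grants the per-site FullControl role to an application through Microsoft Graph's site permissions endpoint and then verifies that the grant is really FullControl rather than Read, Write, or Manage. It assumes a bearer token whose identity holds Sites.FullControl.All (the permission Graph requires to manage site permissions), a Graph site id, and the app registration's application (client) id; the sample permissions response is constructed.

```python
"""Grant and verify a Sites.Selected FullControl grant for an app on one site."""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sample of a GET /sites/{site-id}/permissions response (not real data).
SAMPLE_PERMISSIONS = {
    "value": [
        {"id": "perm-1", "roles": ["fullcontrol"],
         "grantedToIdentitiesV2": [{"application": {
             "id": "11111111-1111-1111-1111-111111111111", "displayName": "WikiTraccs (sample)"}}]},
        {"id": "perm-2", "roles": ["manage"],
         "grantedToIdentitiesV2": [{"application": {
             "id": "22222222-2222-2222-2222-222222222222", "displayName": "Other app (sample)"}}]},
    ]
}

def build_grant_body(app_id, display_name, role="fullcontrol"):
    """Body for POST /sites/{site-id}/permissions; roles are read/write/manage/fullcontrol."""
    return {"roles": [role],
            "grantedToIdentities": [{"application": {"id": app_id, "displayName": display_name}}]}

def roles_for_app(permissions, app_id):
    """Set of roles (lower-cased) that the application with app_id holds on the site."""
    roles = set()
    for perm in permissions.get("value", []):
        identities = perm.get("grantedToIdentitiesV2") or perm.get("grantedToIdentities") or []
        for ident in identities:
            if (ident.get("application") or {}).get("id") == app_id:
                roles.update(r.lower() for r in perm.get("roles", []))
    return roles

def has_full_control(permissions, app_id):
    """True only for the FullControl role; Read, Write and Manage are insufficient for WikiTraccs."""
    return "fullcontrol" in roles_for_app(permissions, app_id)

def graph_call(token, method, path, body=None):
    """Minimal Graph REST call (assumed helper); token must carry Sites.FullControl.All."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(GRAPH + path, data=data, method=method, headers={
        "Authorization": "Bearer " + token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def ensure_full_control(token, site_id, app_id, display_name):
    """Grant FullControl on site_id if it is missing, then re-read and confirm the role."""
    if not has_full_control(graph_call(token, "GET", f"/sites/{site_id}/permissions"), app_id):
        graph_call(token, "POST", f"/sites/{site_id}/permissions", build_grant_body(app_id, display_name))
    return has_full_control(graph_call(token, "GET", f"/sites/{site_id}/permissions"), app_id)
```

Run `ensure_full_control` once per target site and once for the WikiTraccs site; a `False` return means the app still lacks FullControl there and the migration should not be started against that site.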
Intermediate configuration for certificate authentication: broader FullControl application permissions
If per-site scoping is not a requirement in the target environment:
- Microsoft Graph > Sites.FullControl.All (application) - requires admin consent
- SharePoint > Sites.FullControl.All (application) - requires admin consent
The application receives tenant-wide Full Control. Configuration is simpler because no per-site grants are needed, at the cost of tenant-wide SharePoint access that defeats the point of choosing app-only authentication for isolation. This configuration is listed for completeness; Sites.Selected is the recommended default.
Quick reference
| Scenario | Minimum account permission | Entra application permission | Notes |
|---|---|---|---|
| Regular migration runs, single account | Site Owner | Sites.FullControl.All + AllSites.FullControl (delegated) | Simplest configuration. |
| Regular migration runs, tenant does not grant admin consent for FullControl | Site Owner | Sites.Manage.All + AllSites.Manage (delegated) | Page permissions and system-field metadata not set. |
| Ongoing administrative access to restricted pages required | Site Admin | Sites.FullControl.All + AllSites.FullControl (delegated) | Required when additional administrators must reach pages restricted by WikiTraccs. |
| Periodic rotation of migration accounts | Site Admin, or certificate authentication | delegated FullControl, or Sites.Selected (application) | Site Admin for user-based authentication; certificate authentication removes the concern. |
| Unattended or automated runs | Not applicable (application-based) | Sites.Selected (application) with per-site FullControl grant, or Sites.FullControl.All (application) | No user account required. Choose the application permission based on security posture: Sites.Selected for per-site scoping, Sites.FullControl.All if tenant-wide access is acceptable. |
| Locked-down tenant where tenant-wide application permissions are not permitted | Not applicable (application-based) | Sites.Selected (application) with per-site FullControl grant | Access is granted per site individually. Sites.FullControl.All is not an option because it requires tenant-wide admin consent. |
Related
- Authenticating with SharePoint Online - reference for the supported authentication modes (Interactive, Device Login, Credentials, Certificate)
- Registering WikiTraccs as App in Entra ID - step-by-step application registration procedure
- Configuring Sites.Selected Authentication for WikiTraccs - end-to-end Sites.Selected configuration, including Microsoft Graph Explorer
- Run an Automated Confluence to SharePoint Migration - unattended migration with certificate authentication
- WikiTraccs FAQ - access levels