AvePoint Docs
Graph API
My support tickets
Graph API
My support tickets
English

    Home > Manage Apps > Manage App Profiles for Microsoft Tenants > Configure Default AvePoint App Profiles for Microsoft Tenants

    Export to PDF

    Configure Default AvePoint App Profiles for Microsoft Tenants

    Before creating an app profile, refer to the Default AvePoint Apps for Microsoft Cloud Products and Services section to see which apps are required by the services that your organization uses.

    In Management > App management, the Tenant Owner and Service Administrators can click Create and follow the steps below to create an app profile.

    1. Select services – Select a tenant and select services for which you want to create app profiles. Click Next.

      *Note: Before you create an app profile, you must ensure that the tenant has been connected to AvePoint Online Services. For more details on connecting tenants, refer to Connect Tenants.

    2. Choose setup method – Refer to the information below, and select a mode based on your scenario:

      • Modern mode is the recommended mode for all AvePoint’s default apps. In this mode, the related apps are listed in a service-based view, and you can consent to apps separately for the selected services

        Note that, in Auto discovery, scan profiles will run jobs and randomly use app profiles which have the required permissions to scan objects. For specific functionalities in services, only the related service apps have the required permissions to support. For additional details on the permissions of service apps, see Apps for Individual Services.

      • Classic mode includes the method of consenting to one app which can be used by multiple services. This mode will not be displayed if it is not supported by the selected services.

        If you select this mode, note the following:

        • In the Application list, you can consent to the following apps which can be used by multiple services: Microsoft 365 (All permissions), Microsoft Entra ID, and Viva Engage.

          The table below lists the services supported by the apps in the classic mode Application list:

    AppsSupported servicesConsent method
    Microsoft 365 (All permissions)CenseClassic DocAve Backup Cloud ArchivingCloud Backup for Microsoft 365Cloud GovernanceCloud IndexCloud InsightsCloud Management OpusInsights Policies for Microsoft 365Consent to one app to be used by multiple services.
    Microsoft Entra IDCenseCloud GovernanceCloud IndexCloud Management Policies for Microsoft 365Consent to one app to be used by multiple services.
    Viva EngageCloud Backup for Microsoft 365Cloud GovernanceConsent to one app to be used by multiple services.
    Delegated appCloud Backup for IaaS + PaaSCloud Backup for Microsoft 365Consent to the app separately for each service.
    - In the **Service app list**, you can also separately consent to the apps used by specific services. > ***Note**: **Custom mode** is recommended for organizations who have identified use cases with extremely limited required permissions. For more information, refer to [Configure Custom Azure App Profiles](#missing-link).

    3. Consent to apps – To consent to an app, click Consent next to the app, and refer to the information below to continue with the consent:

    - For a Microsoft 365 tenant, creating app profiles for AvePoint apps in a Microsoft tenant’s environment requires a **Microsoft 365 Global Administrator** or a **Privileged Role Administrator** account, who is in the same tenant. For more details on this requirement, see the [Why is Admin Consent Required to Use the AvePoint Apps?](#missing-link) section. Note the following: - The **Engage Administrator**, which is the **Yammer Administrator** in Microsoft Entra ID, can also consent to the AvePoint services’ apps for Viva Engage. - When creating an app profile for the AvePoint Portal Manager service, the consent user must be a Microsoft 365 Global Administrator or have the Privileged Role Administrator and Teams Service admin role. - When creating an app profile for the Fly service and consenting to the app with a **Privileged Role Administrator** account, the account may need additional permissions. - For Fly for Power Platform app, make sure the account has the **Power Platform Administrator** role. - For Fly app, refer to for details. - For Fly delegated app, refer to for details. - If multi-factor authentication (MFA) is enabled on a Microsoft 365 account, this account can still be used to consent to app profiles. For apps with delegated permissions, the related app profiles need to be re-authorized if MFA is enabled on the consent users’ Microsoft 365 accounts after they have given consent to the app profiles. - When creating an app profile for the **Cloud Backup for Microsoft 365** service, note the following: - When consenting to the **Cloud Backup for Microsoft 365 delegated app**, you also need to choose the functions that will use this app. The user who consents to the app must have the **Microsoft 365 Global Administrator** role. For details, refer to the section in the Cloud Backup for Microsoft 365 user guide. - When consenting to a Viva Engage app profile used by Cloud Backup for Microsoft 365, the consent user must be a **Microsoft 365 Global Administrator** with the Viva Engage product license. - When consenting to the **Cloud Backup Express** app profile, the consent user must be a **Microsoft 365 Global Administrator**. - When creating an app profile for the **Cloud Governance** service, note the following: - When consenting to the **Cloud Governance** **delegated app**, the user must have the **Microsoft 365 Global Administrator**, **Privileged Role Administrator**, or **Exchange** **Administrator** role. - When consenting to the **Cloud Governance for Power Platform** app or **Viva Engage** app, the user must have the **Microsoft 365 Global Administrator** role. When you finish creating app profiles, you can click **Finish** to exit the **Create app profile** wizard. > ***Note**: According to , the sign-in logs show the original IP used for the original token issuance, as the IP address of non-interactive sign-ins performed by confidential clients (AvePoint Online Services) doesn’t match the actual original IP of the event when a Microsoft user signed in and consented to an app. If you create an app with delegated permissions, you must add the original IP address to your Microsoft tenant’s conditional access policies (if any). Otherwise, the apps with delegated permissions will be **Invalid**. After you add the original IP address to your conditional access policies, you can manually re-authorize the app profile to update its status or wait for AvePoint Online Services to automatically update its status.

    4. After you create app profiles for the following apps, you may need to go to the Microsoft Entra admin center (or Microsoft Azure portal) to assign roles to the apps:

    - If an app will be used to manage Exchange mailboxes and settings / Security and distribution group objects / Microsoft 365 Defender settings, you need to assign the **Exchange** **Administrator** role to the app. For additional details on assigning the role, refer to [How to Assign the Exchange Administrator Role to an App?](#missing-link) - The Cloud Governance for Microsoft 365 app requires the **Groups** **Administrator** role for some specific features. For additional details, refer to the .