#Manage Tenant Connection

Microsoft, Google, Salesforce, Amazon

#Connect Your Microsoft Tenant

To use AvePoint services to manage a tenant in the Microsoft platform, the Tenant Owner or Service Administrators must connect the tenant to AvePoint Online Services at first.

Connecting a Microsoft 365 tenant will create an app in the environment of the tenant, which requires a Microsoft 365 Global Administrator account within the same tenant to consent to the app. For more information about the required admin consent, refer to Why is Admin Consent Required to Use the AvePoint Apps?

*Note: If you want to connect a tenant which will be used to , the user consenting to this app must belong to the domain of this tenant, and cannot be an external user.

To connect a tenant, navigate to Management > Tenant management and refer to the instructions below:

1. On the Tenant management page, click Connect tenant.

2. The Connect tenant pane appears on the right of the page. Based on the type of tenant that you want to connect, select the Microsoft platform. In the following scenarios, you also need to provide additional information:

   • Azure environment version – In the AvePoint Online Services production environment for U.S. Government Public Sector, refer to the information below to select a version when you connect a Microsoft 365 tenant:

     • Commercial Microsoft 365 – Select this version if your Microsoft login URL ends with .com.

     • Microsoft 365 U.S. Government – Select this version only if your original onmicrosoft domain ends with .us, not just your custom domain. Most GCC High and DoD organizations should use this option.

3. Click Connect.

4. When you connect a Microsoft tenant, the sign in page appears in a new tab. Sign in with an account which meets the requirements mentioned above.

5. Connecting a Microsoft 365 tenant will create the AvePoint Online Services Tenant Registration for Microsoft365 app in the tenant’s Microsoft Entra ID. The table below lists the permissions required by the AvePoint Online Services Tenant Registration for Microsoft365 app.

API	Permission	Type	Purpose
Microsoft Graph	User.Read(Sign in and read user profile)	Delegated	Support signing into AvePoint Online Services with Microsoft 365 accounts.
Microsoft Graph	Domain.Read.All(Read domains)	Application	Retrieve your Microsoft 365 domain information.
Microsoft Graph	Group.Read.All(Read all groups)	Application	Add Microsoft 365 Groups into AOS, and support signing into AOS with Microsoft 365 accounts.
Microsoft Graph	LicenseAssignment.Read.All(Read all license assignments)	Application	Calculate user seats assigned in your Microsoft 365 tenant.
Microsoft Graph	User.Read.All(Read all users’ full profiles)	Application	Add Microsoft 365 users into AOS, and support signing into AOS with Microsoft 365 accounts.

7. *Note: You do not need any permissions or Microsoft licenses other than those listed in this guide.

8. Once your tenant is successfully connected to AvePoint Online Services, a message prompt will be displayed.

9. Once a Microsoft 365 tenant has been successfully connected to AvePoint Online Services, go to view details of the tenant and edit the SharePoint Online admin center URL value if it is incorrect.

#Connect Your Google Tenant

To use AvePoint services to manage a tenant in the Google Cloud Platform, the Tenant Owner or Service Administrators must connect the tenant to AvePoint Online Services at first.

To connect a Google tenant, ensure the AvePoint Tenant Management app has been installed. Note that the AvePoint Tenant Management app can only be accessed via the Google Workspace Marketplace link on the Connect tenant page in AvePoint Online Services > Management > Tenant management.

![Clicking the "Google Workspace Marketplace" link to access the "AvePoint Tenant Management" app.](/en/configuration-and-deployment/manage-tenant-connection/images/image1.png "Clicking the "Google Workspace Marketplace" link to access the "AvePoint Tenant Management" app.")

Connecting a Google tenant requires an account with the Users > Read, Groups > Read, and License Management > License Read privileges in the same tenant.

To connect a tenant, navigate to Management > Tenant management and refer to the instructions below:

1. On the Tenant management page, click Connect tenant.

2. The Connect tenant pane appears on the right of the page. Based on the type of tenant that you want to connect, select the Google platform.

3. Click Connect.

4. When you connect a Google tenant, the sign in page appears in a new tab. Sign in with an account which meets the requirements mentioned above.

5. The following permissions requested by AvePoint Online Services should be accepted when you install the AvePoint Tenant Management app. Note that the AvePoint Tenant Management app can only be accessed via the Google Workspace Marketplace link on the Connect tenant page in AvePoint Online Services > Tenant management.

Scope	Permission	Purpose
https://www.googleapis.com/auth/admin.directory.domain.readonly	Read domain information	Retrieve organization's Google domain information.
https://www.googleapis.com/auth/apps.licensing	Read Google license information	Collect user seats.
https://www.googleapis.com/auth/admin.directory.user.readonly	Read Google users	Invite Google users for login.
https://www.googleapis.com/auth/admin.directory.group.readonly	Read Google groups	Invite Google groups for login.

6. Once your tenant is successfully connected to AvePoint Online Services, a message prompt will be displayed.

#Connect Your Salesforce Tenant

To use AvePoint services to manage a tenant in the Salesforce platform, the Tenant Owner or Service Administrators must connect the tenant to AvePoint Online Services at first.

Connecting a Salesforce tenant will create an app in the tenant’s Salesforce environment, which requires a Salesforce account with the System Administrator profile in the same tenant or another profile which includes the permissions for the System Administrator profile in the same tenant.

*Note: Salesforce has published an to restrict the use of uninstalled connected apps from early September 2025. This will not affect your organization if there are no apps to be created/reconnected. However, for organizations who need to create a new tenant app or reconnect a tenant app, you must either install the tenant app in your Salesforce environment, or ensure that the user consenting to the tenant app has the following required permissions:

To connect a tenant, navigate to Management > Tenant management and refer to the instructions below:

1. On the Tenant management page, click Connect tenant.

2. The Connect tenant pane appears on the right of the page. Based on the type of tenant that you want to connect, select the Salesforce platform.

3. In the Salesforce environment section, select the Salesforce or Salesforce sandbox environment when you connect a Salesforce tenant.

4. Click Connect. Connecting a Salesforce tenant will create the AvePoint Online Services Tenant Registration app in the tenant’s Salesforce environment. The table below lists the scope parameter values required by the app:

Value	Description
Access the identity URL service	Allows access to the identity URL service.
Manage user data via APIs	Allows access to the current, logged-in user’s account using APIs.
Perform requests at any time	Allows a refresh token to be returned when the requesting client is eligible to receive one.

1. Once your tenant is successfully connected to AvePoint Online Services, a message prompt will be displayed.

#Connect Your Amazon Tenant

To use AvePoint services to manage a tenant in the Amazon platform, the Tenant Owner or Service Administrators must connect the tenant to AvePoint Online Services at first.

Connecting an Amazon tenant will create policies and an IAM role in the AWS environment of the tenant, which requires an IAM user with at least the following required permissions:

To connect a tenant, navigate to Management > Tenant management and refer to the instructions below:

1. On the Tenant management page, click Connect tenant.

2. The Connect tenant pane appears on the right of the page. Based on the type of tenant that you want to connect, select the Amazon platform.

3. In the Amazon section, enter Access key ID and Secret access key to specify an IAM user, which will only be used to configure an IAM role and required policies in your AWS environment. For more details on managing your access key ID and secret access key, refer to this .

4. Click Connect. When you connect an Amazon tenant, AvePoint Online Services will check if your entered access key ID and secret access key are available.

5. Connecting an Amazon tenant will create an IAM role named AWSTenantAdminRole in the tenant’s AWS environment. Below are the API permissions which will be added to the IAM role:

API	Description
iam:ListAccountAliases	Lists the account alias associated with the AWS account.
iam:GetAccountSummary	Retrieves information about IAM entity usage and IAM quotas in the AWS account.

6. Once your tenant is successfully connected to AvePoint Online Services, a message prompt will be displayed.