The Azure application allows ShareGate Desktop to identify to Office 365 that it is running operations on your tenant through an access token. This will reduce throttling and improve performance on tasks between ShareGate Desktop and Office 365. It also grants ShareGate Desktop rights to use certain Microsoft functionality, such as the Graph API.
The app can then use the permissions granted and delegated through the consent process to access your Azure resources as the user.
That means that ShareGate Desktop will have the same access on Azure resources as the user who is logged in.
As with all operations in ShareGate Desktop, your data remains secure.
Users need to consent to the Azure ShareGate Desktop application within the ShareGate Desktop app. You will be prompted to consent as soon as you login to your environment. This option can be changed anytime in the permissions settings. When you consent, all SharePoint Online Administrators will have access to the Office Graph for Office 365 Group creation.
If you usually run your operations on PowerShell, open the ShareGate Desktop application to consent, then continue operations as normal (there is no way to consent to the Azure Desktop application through PowerShell).
Note: The ShareGate Desktop application in Azure requires the Global Administrator permission level to consent to the app. If your account is not a Global Administrator, you can request that the Global Administrator consents for you. You cannot consent the app in a GCC environment.
See also:
Which permissions does the Azure ShareGate Desktop application need?
Comments
5 comments
This does not work with GCC High correctly. Tells me that I need consent from an admin. I sign in as admin, consent, and it gives the same errors. There is something wrong with the way your program deals with O365 groups within GCC High. Even before the Teams feature, it would create the O365 group, but would not add any users to it.
FYI - the permission settings URL link in the article goes to a 404 page. https://support-desktop.sharegate.com/hc/en-us/articles/360031121911-Permissions
Hi Jesse,
GCC is sadly not supported. You can find more about this in this article.
---
Hi Patrick,
Thank you for letting us know about the broken link. It's now fixed! :)
Have a great day!
Hi Support,
When referencing "Users" in this article. It would be helpful if it would provide more context to who the user is. When is the "User" the "Global Admin" and when is the "User" the user that is logged into the ShareGate Desktop "connection".
In the following statement, who is the "User" referred to here?
"The app uses permission delegation to impersonate your user and access your Azure resources. That means that ShareGate Desktop will have the same access on Azure resources as the user who is logged in."
Is ShareGate ultimately connecting as the Global Admin that "signed" the access_token? Or is it connecting at the user that's signed into the ShareGate desktop "connection"?
Thanks!
Hi Michael,
By user, it means the user account that you use to connect to your environment through ShareGate Desktop.
Once a Global admin provides consent to the app, it is consented for any user that access their environment through the app.
These users are not granted further access to the environment than what their user account already provides them with.
Best regards,
Please sign in to leave a comment.