Security & Permissions
Understanding the permissions required for SP Toolkit and how your data is protected during migrations.
Your Data Never Leaves Your Tenant
SP Toolkit runs entirely within your SharePoint environment. Data flows directly between source and target—never through third-party servers.
Same-Tenant Permissions
Migrations within a single Microsoft 365 tenant
Same-tenant migrations use your existing SharePoint permissions. No additional app registration or API permissions required.
| Permission | Scope | Purpose | Required |
|---|---|---|---|
| SharePoint Administrator | Tenant | Deploy to tenant-wide App Catalog | Required |
| Site Collection Administrator | Site | Deploy to site collection App Catalog | Required |
| Full Control / Design | Lists | Create lists, modify schema, write items | Required |
Cross-Tenant Permissions
Migrations between different Microsoft 365 tenants
Cross-tenant migrations require an Azure AD App Registration with Microsoft Graph API permissions. Admin consent is required for most permissions.
| Permission | Type | Purpose | Required |
|---|---|---|---|
Sites.Read.All | Application | Read sites and lists from source tenant | Required |
Sites.ReadWrite.All | Application | Write to target tenant sites and lists | Required |
User.Read.All | Delegated | Resolve user fields across tenants | Required |
TermStore.ReadWrite.All | Application | Read/write managed metadata terms | Recommended |
Directory.Read.All | Delegated | User lookup fallbacks | Recommended |
Setting Up Azure AD App Registration
- 1.Go to Azure Portal → Azure Active Directory → App registrations
- 2.Click New registration. Name it (e.g., "SharePoint Migration Tool")
- 3.Set redirect URI to
https://login.microsoftonline.com/common/oauth2/nativeclient - 4.Go to API permissions → Add a permission → Microsoft Graph
- 5.Add the permissions listed above (Sites.Read.All, Sites.ReadWrite.All, User.Read.All)
- 6.Click Grant admin consent (requires Global Administrator)
- 7.Copy the Application (client) ID and Directory (tenant) ID
Authentication Methods
SPFx Context
Same-tenant migrations use the current user's SharePoint context automatically.
Same-TenantMSAL Browser
Cross-tenant uses Microsoft Authentication Library with Azure AD App Registration.
Cross-TenantGraph API
Bearer token authentication for Microsoft Graph operations.
Cross-TenantSecurity Features
Token Caching
Secure in-memory token storage with automatic renewal
Scope Validation
Permission verification before migration starts
Tenant Isolation
Separate authentication contexts per tenant
Admin Consent URLs
UI helper for generating permission grant URLs
Security Best Practices
Use Least Privilege
Only grant the minimum permissions required. For read-only analysis, Sites.Read.All is sufficient.
Rotate Secrets Regularly
If using client secrets for app registration, rotate them according to your organization's security policies.
Audit Migration Activities
SP Toolkit generates detailed logs. Export and retain these for compliance and audit purposes.
Review Admin Consent Carefully
Admin consent grants permissions tenant-wide. Review the permissions carefully and revoke when migration is complete if appropriate.