Use a migration approach that explicitly migrates permissions and relies on identity mapping, rather than manually copying content.
Recommended approach:
- Plan identity and guest access
  - Ensure all internal users and guest users that currently have access exist and are correctly mapped in the destination site.
  - For cross-tenant or B2B guests, provision them in Microsoft Entra ID first so they can be used in permissions and “Shared with” references.
  - When using migration APIs or tools, complete identity mapping before any migration so that principals (users/groups/guests) resolve correctly.
- Use a migration tool that preserves permissions
  - For site-to-site moves, use SharePoint migration capabilities (Migration Manager/SPMT or Migration API–based tools) rather than manual download/upload.
  - Configure the project to migrate permissions:
    - Folder permissions: by default, folder permissions are migrated and files inherit from folders.
    - File permissions: if you need item-level permissions preserved, enable file-permission migration in project settings so destination files keep the same ACLs and sharing as the source.
    - Be aware that migrating file permissions can slow down the migration, but it is required if fine-grained access must be preserved.
- Understand how permissions are translated
  - When migrating from file-share–like sources, NTFS permissions are mapped to SharePoint roles (Full control → Full control, Modify/Write → Contribute, Read → Read, etc.).
  - For cloud sources (Box, Google Drive, Dropbox, Egnyte), roles are mapped to SharePoint/OneDrive roles such as Owner, Can edit, Can view.
  - Advanced NTFS permissions and explicit deny entries are removed; the most restrictive effective permission is used. Plan for possible changes in edge cases where deny was used.
- Preserve sharing and “Shared with me” behavior
  - The per-user sharing model depends on both:
    - The actual permission (ACL/role assignment), and
    - The “Shared With” references.
  - During migration, ensure both are imported:
    - Use migration APIs (e.g., PRIME/Import API) or tools that can import SPFile/SPFolder and SPListItem with “Shared With” data and then apply security scopes and role assignments.
    - This is especially important for guest users so that their “Shared with me” view continues to surface migrated content.
- Handle checked-out files and active use
  - Permission updates will not apply to files that are checked out. Before migration, check in or discard checkout for items that must have permissions updated.
  - If the source site is actively used during migration, existing permissions on the site and documents are enforced. Schedule a freeze window or use delta sync to avoid conflicts.
- Use delta sync to keep permissions aligned
  - After the initial migration, use delta sync (incremental migration) to pick up changes. Permissions are updated when corresponding files are transferred in delta runs.
  - This helps keep the destination site aligned with the source until cutover.
- Special considerations for cross-tenant or geo moves (if applicable)
  - For cross-tenant SharePoint migrations, use the built-in cross-tenant migration feature:
    - Precreate users and groups and prepare identity mapping so users (including guests) retain access.
    - After migration, users with permissions continue to have access if they were included in identity mapping.
    - Be aware that workflows, apps, Power Apps/Power Automate, and some sensitivity label behaviors do not automatically migrate and may need to be recreated.
- Post-migration validation
  - After cutover, validate:
    - Key folders and files have the expected unique/inherited permissions.
    - Guest users can still access content and see items in “Shared with me” where applicable.
    - No critical content became broadly accessible due to removal of advanced/deny permissions.
This approach—identity mapping first, then using a migration tool/API configured to migrate both permissions and sharing metadata, with delta sync and validation—provides the best chance of preserving all existing access rights, including guest-user permissions, when moving content between SharePoint sites.
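As an added example (not part of the original answer or of any Microsoft tool), the following Python script performs the post-migration validation described above: it maps each source principal through the identity map, translates source rights with the role mapping the answer lists, and reports principals that were never mapped (typically unprovisioned guests), access that was lost, and access that became broader than the source. The permission exports and the identity map are constructed sample data in a simplified path -> {principal: role} form; a real export from a migration tool or PnP script would need to be converted to that shape.

```python
from dataclasses import dataclass, field

# Source-right -> SharePoint role translation as described in the answer
# (NTFS Full control -> Full control, Modify/Write -> Contribute, Read -> Read).
ROLE_MAP = {"Full control": "Full control", "Modify": "Contribute",
            "Write": "Contribute", "Read": "Read"}

# Constructed sample exports: item path -> {principal login: role}.
SOURCE_ACL = {
    "/Finance/Budget.xlsx": {"alice@contoso.com": "Full control",
                             "guest.one@fabrikam.com": "Read"},
    "/Finance/Plan.docx": {"bob@contoso.com": "Modify",
                           "guest.two@fabrikam.com": "Read"},
}
# Constructed identity map (source principal -> destination principal).
# guest.two was never provisioned in the destination tenant, so it is absent.
IDENTITY_MAP = {
    "alice@contoso.com": "alice@contoso.com",
    "bob@contoso.com": "bob@contoso.com",
    "guest.one@fabrikam.com": "guest.one_fabrikam.com#EXT#@contoso.onmicrosoft.com",
}
DEST_ACL = {
    "/Finance/Budget.xlsx": {"alice@contoso.com": "Full control",
                             "guest.one_fabrikam.com#EXT#@contoso.onmicrosoft.com": "Read",
                             "Everyone except external users": "Read"},
    "/Finance/Plan.docx": {"bob@contoso.com": "Read"},
}

@dataclass
class Report:
    unmapped: dict = field(default_factory=dict)   # item -> [source principals with no mapping]
    lost: dict = field(default_factory=dict)       # item -> {dest principal: expected role}
    broadened: dict = field(default_factory=dict)  # item -> {dest principal: role} not at source

def normalize_role(role):
    return ROLE_MAP.get(role, role)

def reconcile(source_acl, dest_acl, identity_map):
    rep = Report()
    for item, entries in source_acl.items():
        expected = {}
        for principal, role in entries.items():
            target = identity_map.get(principal)
            if target is None:  # identity mapping was incomplete: this principal loses access
                rep.unmapped.setdefault(item, []).append(principal)
                continue
            expected[target] = normalize_role(role)
        actual = dest_acl.get(item, {})
        lost = {p: r for p, r in expected.items() if actual.get(p) != r}
        broadened = {p: r for p, r in actual.items() if p not in expected}
        if lost:
            rep.lost[item] = lost
        if broadened:
            rep.broadened[item] = broadened
    return rep

if __name__ == "__main__":
    print(reconcile(SOURCE_ACL, DEST_ACL, IDENTITY_MAP))
```

Any entry in `broadened` deserves a manual look before cutover is declared complete, since that is where removed deny entries or tool defaults can expose content to a wider audience than the source allowed.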