In this article, we will review connection account requirements for Project Online -> Project for the web migration scenario.
Project Online account
The connection account for migration from Project Online (source) should meet the following requirements:
1. The account should be a user of the tenant and the Project Web App site used for the connection. The account should be Active in the PWA.
2. The account should have any of the following licenses assigned:
- Project Plan 3
- Project Plan 5
- Project Online Essentials
3. The account used to register the Project Migrator app and grant permission for the connection with the OAuth authentication type should have at least a Cloud Application Administrator permission (as the app is registered on the tenant level).
The Cloud Application Administrator permission or a Site Collection Administrator permission is not required for the Basic authentication.
4. If the account is a Site Collection Administrator, all PWA projects and related data will be available for migration.
Administrator permissions are recommended but not required for the migration account.
If the account is not a Site Collection Administrator:
The connection account should be added to a Security Group (for the Project Permission Mode) or to a SharePoint permission group (for the SharePoint Permission Mode) that allows logging in to the PWA, reading projects, and project schedules (project team members, tasks, and their field values), resources and users, project and task custom fields, calendars.
The account or its security group should be granted permission to the Security Category that includes all necessary projects and resources and allows ‘Open Project’ permission.
Minimum required PWA permissions
Admin permissions:
- Manage Enterprise Calendars (required for reading and mapping source calendars)
- Manage Enterprise Custom Fields (recommended)
General permissions:
- Log On
- Access Project Server Reporting Service
- View Resource Center (required for reading all project-level fields)
Category Project permissions: - Open Project
For the Project Permission Mode, the account should be added to any of the following default Security Groups with the allowed abovementioned permissions (if the account is not a Site Collection Administrator):
- Administrators (the account will be able to access all PWA projects)
- Portfolio Managers group (the account will be able to access all PWA projects)
- Portfolio Viewers group (the account will be able to access all PWA projects)
- Project Managers group (the account will be able to access only the projects where it is a project owner or a project team member).
Suitable default Security Categories (with the allowed ‘Open Project’ permission):
- My Organization (the account will be able to access all the projects);
- My Projects (the account will be able to access only the projects allowed by that category, e.g. the projects where it is an owner or a project member).
For the SharePoint Permission Mode, the account should be added to any of the following default SharePoint permission groups (if the account is not a Site Collection Administrator):
- Administrators for Project Web App (the account will be able to access all PWA projects)
- Portfolio Managers for Project Web App (the account will be able to access all PWA projects)
Project Migrator SharePoint app will have the following permissions in the PWA once trusted:
- read items in the site collection.
- read items on the PWA site.
- access basic information about the users of the PWA site.
- have administrative access to the PWA site collection.
- have read access to data in all projects.
- have read access to enterprise resources.
- read reporting data from all projects.
Project for the web account
The connection account for migration to Project for the web (target) should meet the following requirements:
1. The account should be a member/a user of the tenant and the Power Platform Environment where the Project for the web is deployed.
2. The account should have any of the following licenses assigned:
- Project Plan P1
- Project Plan P3 (previously called Project Online Professional)
- Project Plan P5 (previously called Project Online Premium)
The account should have Read-Write or Non-interactive Access Mode to the Power Platform Environment enabled. Also, the account should have a Security Role in the Environment that allows reading and writing data to the Project for the web (e.g. System Administrator or Service Writer default security roles, or custom roles with Read, Create and Write permissions enabled).
In case the migration is performed to the existing Microsoft 365 groups and projects, the migration account should be added as a member or an owner.
To connect to Project for the web for the first time, Microsoft 365 tenant Global Administrator consent is required to allow Project Migrator to access your Microsoft 365 tenant.
Admin consent should be granted only once before adding the first Project for the web connection account. Once the consent is granted, any user account credentials that meet the requirements can be used for connecting to the Project for the web environment.
Project Migrator application for the Project for the web connection will be added to the Microsoft 365 tenant.
The following API permissions are required:
For the target Project for the web account:
- Microsoft Graph: User.ReadBasic.All
- Microsoft Graph: Group.ReadWrite.All
- Microsoft Grap: Directory.Read.All
- Microsoft Graph: offline_access
- Dataverse (Common Data Service): user_impersonation
Project Migrator will have the following permissions for reading and writing data to the Project for the web environment:
- Read data in the organization's directory, such as users, groups, all users' basic profiles, users' primary email addresses on behalf of the signed-in user.
- Read data from existing Microsoft 365 groups such as basic information, email addresses, membership, ownership on behalf of the signed-in user.
- Create groups, read, and update the group properties and memberships on behalf of the signed-in user. It allows group owners to manage their groups and allows group members to update group content.
- Read and update data in the existing Projects that the connection account has access to in Project for the web, create new Projects, Resources, and Dynamics 365 Teams.
- Maintain access to data you have given it access to.
- Access Common Data Service (CDS) as organization users.