Migration Assessment Scan: Web Application Policies

Learn how to fix issues with Web Application policies during migration.


In the source environment, there are typically discrete web applications for Team, Portal, Partner, and MySite (OneDrive). SharePoint Server allows the use of web application policies to grant or deny blanket-level permissions to entire web applications. These permissions override any permissions set at the site collection, site, list/library, or item level.

The target environment uses a single web application to host all site collections.

We do not currently offer a permission feature that applies uniquely to specific root site names and all child items together.

Data Migration

None of the web application policies are migrated to the target environment.


Any site that is configured as "No Access" (locked), in SharePoint will be skipped. To see a list of locked site collections see the Locked Sites scan output.

Preparing for Migration

Web application policies are not migrated. Some alternatives at this time include:

  • Change administrative procedures to manage all permissions at the site collection level (this can be performed via Tenant Admin) instead of using web application policies.

  • Use licensing to grant or limit specific capabilities to specific users and groups.

Post Migration

Ensure the alternative options function correctly during the User Acceptance Testing phase.

Scan Result Reports

WebApplicationPolicy-detail.csv This scan report lists all policies for all of your web applications.

Column Description
The source web application.
Display Name of the user or group.
The login ID of the user or group.
Permission granted to the user or group in the source.
Unique identifier assigned to a specific execution of the SharePoint Migration Assessment Tool.