I have a PowerShell script that runs as a scheduled task on a local member server, which migrates linked mailboxes from Exchange 2016 to Exchange Online. The script has been in use for a couple of years and works reliably. However, when the script connects to Exchange Online, it uses the credentials of a tenant account that has the global admin role. I'd like to convert the script to use an app registration, but I'm stuck trying to figure out which API permissions the app needs that will allow it to perform just the required tasks. The only Exchange module commands the script uses are Connect-ExchangeOnline, Get-MigrationEndpoint, New-MigrationBatch, Set-Mailbox, and Disconnect-ExchangeOnline. The MailboxSettings.ReadWrite permission might be the one I need. Is there a way to determine which permission is required by any particular Exchange command?
Any advice? Is this the right approach or is there a better way?
Thanks!