M365 Tenant to Tenant Migrations - Performing Migration using API permissions

This article provides all the necessary information to set up your environment for Exchange Online (Microsoft 365) to Exchange Online (Microsoft 365) using coexistence migrations when applying licenses to target mailboxes. The approach outlined in the article is important to follow as it contains new information about the setup of the tenant, the application registration, the transition to Microsoft Graph API, and the assignment of permissions.

The quick checklist below outlines the basic steps covered in detail in this article. These steps allow for the process of replacing the application impersonation.

1. Create a new Application Registration
2. Assign the API Permissions and Grant Admin Consent
3. Obtain the AppID and TenantID from the Application Registration
4. Create a Client Secret
5. Set up your MigrationWiz Project

Considerations

• The following replacement only applies to Exchange Online (Microsoft 365) to Exchange Online (Microsoft 365) using coexistence migrations when the Apply Licenses to Target Mailboxes during Pre-Stage Process checkbox is enabled in your advanced options' Source/Destination tab.

  Tip 

  In case you perform an Exchange Online (Microsoft 365) to Exchange Online (Microsoft 365) using coexistence without applying licenses to target mailboxes please use this guide to complete your migration.
• You can only perform the recommended replacement with Administrator credentials. If you use end-user credentials you should use the delegated permissions process.
• The Use Impersonation to Authenticate checkbox must be enabled in your advanced options' Source/Destination tab.
  
  Otherwise, the following error might arise.
  

Step One - Create a New Application Registration

Create a new Application Registration in the Microsoft 365 tenant source or destination.

1. Log in to the Microsoft Entra admin center with a Global Administrator login.
2. Click View all products and select Microsoft ID (Azure AD) in the Microsoft Entra Admin Center.
3. In the left sidebar, open the Applications dropdown list and select App Registrations, which is found under the Identity dropdown list.
4. Select New Registration at the top of the screen.
   
5. Give the app a distinct name. You can change this later if necessary.
6. Select the Accounts in this organizational directory only ('Tenant name only' - Single tenant) radio button.
7. Click Register.
   
8. Under the Manage menu, select Authentication.
9. Set the option Allow public client flows to Yes. 
10. Click Save.
    

Step Two - Assign the API Permissions and Grant Admin Consent

The following steps allow you to assign the API permission and grant consent to the necessary M365 components.

1. From the Manage menu, select API permissions.

   Important

   If an API permission is named User.Read under Microsoft Graph is already present, this can be removed. The Microsoft Graph API does not apply to this project type and is not used.
2. Click + Add a permission.
   
3. Select the Microsoft Graph API option from the Microsoft APIs tab (default window).
4. You can choose between Delegated permissions or Application permissions. While the permissions are the same for both, they may differ based on your endpoint type (source or destination). Please review the minimum permissions for each endpoint type and select the appropriate option:
   Source Endpoint Destination Endpoint

   The following list outlines the minimum API permissions required for the source endpoint:

   • Domain.Read.All
   • Group.Read.All
   • Group.Member.Read.All
   • LicenseAssignment.Read.All
   • RoleManagement.Read.Directory
   • User.Read.All

   The following list outlines the minimum API permissions required for the destination endpoint:

   • Group.Read.Write.All
   • Group.Member.Read.Write.All
   • LicenseAssignment.ReadWrite.All
   • User.Read.Write.All
5. Click Add permissions.
6. Click + Add a permission.
7. Select APIs my organization uses.
8. Scroll down or search for the Office 365 Exchange Online API permissions.
   
9. Select Delegated Permissions.
10. Select EWS and select the following permissions:
    • EWS.AccessAsUser.All
      

      Important

      This permission only allows the OAuth application (MigrationWiz) to be associated with EWS. This does not grant access to all mailbox data.
11. Click Add permissions.
12. Repeat steps 9 to 11.
13. Select Application Permissions.
14. Search for Other Permissions and select the following permissions:
    • full_access_as_app
15. Click Add Permissions.
16. Click Grant admin consent.
    
    

    Warning

    The image above reflects how your configuration should look like when using Delegated permissions for the source endpoint. This image will change according to your endpoint and permissions type.
17. Click Yes to confirm the settings. Under the Status column, you should see a message that permission has been granted for the domain.

Step Three - Obtain the AppID and TenantID from the Application Registration

Follow the steps below to obtain the AppID and TenantID from the Application Registration.

1. Navigate to the App Registrations item as shown below. In the Overview tab, you will find the Application (client) ID and the Directory (Tenant) ID.
2. Copy both of these to another application, such as Notepad, for use later in this process. This is needed for the MigrationWiz Project Setup.
   

Step Four - Create a Client Secret

Create a Client Secret for the application by following the steps below.

1. Go to Manage > Certificates & secrets from the left sidebar.
2. Create a new secret client by clicking + New client secret.
3. Copy and save the client secrets' value on a notepad or other preferred tool.
   

Step Five - Set up your MigrationWiz Project

Add the details from the Application Registration into the MigrationWiz project.

1. Create your migration project.
2. Set up your Endpoints. During this setup, you will be asked for:
   • Application (Client) ID - Obtained in Step Three
   • Directory (Tenant) ID - Obtained in Step Three
   • Client Secret - Obtained in Step Four

     Tip

     The Client Secret value is not mandatory if you use Delegated permissions, if that is the case, please leave the Client Secret field empty. If you are using Application permissions, you must add the Client Secret.

The correct Application and Directory IDs must be used, from the App Registration screen. These are NOT the values you used in running the ConfigureM365Tenant script above. They are obtained from Step Three and Step Four in these instructions.

Advanced Options

Support Tab

The following support options will appear in the Advanced Options depending on the Microsoft 365 endpoints defined in your project.

• ModernAuthClientSecretExport=xxxxxxxxxxxx Where the value is the client secret's value for M365 endpoints at the source.
• ModernAuthClientSecretImport=xxxxxxxxxxxx Where the value is the client secret's value for M365 endpoints at the destination.

These values can only be modified by editing your project's endpoints.

Having the Client Secret with a value in the dialog box notifies the system that you are using the new way of authenticating in the M365 environment. If you are still using the Application Impersonation method, then do not enter a client secret into this box.

Finally, you should add some advanced options when using Delegated permissions. Otherwise, you do not need any of the following advanced options when using Application permissions.

• Delegated Permissions at the source and destination
  Source Destination

  Below you can find the mandatory AO at the source.

  • UseApplicationPermissionAtSource=0 

  Below you can find the mandatory AO at the destination.

  • UseApplicationPermissionAtDestination=0
• Delegated Permissions at the source only
  Source Destination

  Below you can find the mandatory AO at the source.

  • UseApplicationPermission=1
  • UseApplicationPermissionAtSource=0

  There are not any AOs at the destination.

• Delegated Permissions at the destination only
  Source Destination

  Below you can find the mandatory AO at the source.

  • UseApplicationPermission=1

  Below you can find the mandatory AO at the destination.

  • UseApplicationPermissionAtDestination=0

Source/Destination Tab

Ensure that the following advanced options are enabled:

• Use Impersonation to Authenticate at source and destination endpoints.
• Apply Licenses to Target Mailboxes during Pre-Stage Process.
  

In case of any questions or concerns about this new method, contact our support team.

Related Topics

• Exchange Online (Microsoft 365) to Exchange Online (Microsoft 365) using coexistence
• M365 Mailbox and Archive Migrations - Performing Migration using only API permissions
• MigrationWiz Impersonation and Delegation for Microsoft 365