M365 Tenant to Tenant Migrations Using Coexistence when Applying Licenses to Target Mailboxes

This article provides the information needed to set up your environment for an Exchange Online (Microsoft 365) to Exchange Online (Microsoft 365) coexistence migration when applying licenses to target mailboxes. Follow the approach as written: it reflects the current tenant setup, the application registration, the move to the Microsoft Graph API, and the assignment of permissions.

Important

Keep in mind that the Apply Licenses to Target Mailboxes during the Pre-Stage Process option is configured when creating your project and can be changed on the Source/Destination tab of your Advanced Options.

The quick checklist below outlines the steps covered in detail in this article. Together they replace the ApplicationImpersonation role with an application registration.

  1. Create a new Application Registration
  2. Assign the API Permissions and Grant Admin Consent
  3. Obtain the AppID and TenantID from the Application Registration
  4. Create a Client Secret
  5. Grant the Exchange Administrator Role
  6. Set up your MigrationWiz Project

Considerations

Step One - Create a New Application Registration

Create a new Application Registration in the source or destination Microsoft 365 tenant (repeat these steps in each tenant that needs one).

  1. Log in to the Microsoft Entra admin center with a Global Administrator account.
  2. Click View all products and select Microsoft Entra ID (formerly Azure AD).
  3. In the left sidebar, expand Identity, then Applications, and select App registrations.
  4. Select New registration at the top of the screen.
  5. Give the app a distinct name. You can change this later if necessary.
  6. Select the Accounts in this organizational directory only ('Tenant name' only - Single tenant) radio button.
  7. Click Register.
  8. Under the Manage menu, select Authentication (preview).
  9. Select the Settings tab.
  10. Set Allow public client flows to Enabled. This setting lets the app obtain tokens with a user's credentials and no client secret, which is how the Delegated permissions option in Step Six authenticates; it is not needed for the client-secret (Application permissions) path.
  11. Under Supported account types, confirm that Accounts in this organizational directory only ('Tenant name' only - Single tenant) is selected.
  12. Click Save.

Step Two - Assign the API Permissions and Grant Admin Consent

The following steps assign the API permissions the migration needs and grant tenant-wide admin consent for them. Be clear about what you are granting: full_access_as_app gives the app read/write access to every mailbox in the tenant through EWS (it is the replacement for the ApplicationImpersonation role), Exchange.ManageAsApp lets it run Exchange Online management operations, and Directory.ReadWrite.All lets it modify directory objects through Microsoft Graph. Protect the app registration and its secret accordingly.

  1. From the Manage menu, select API permissions.
  2. Click Add a permission.
  3. Select APIs my organization uses.
  4. Search for Office 365 Exchange Online and select it.
  5. Select Application permissions.
  6. Under Other permissions, check full_access_as_app.
  7. Under Exchange, check Exchange.ManageAsApp.
  8. Click Add permissions.
  9. Repeat steps 2 through 4, then select Delegated permissions.
  10. Under Directory, check EWS.AccessAsUser.All.
  11. Click Add permissions.
  12. Click Add a permission again and select Microsoft APIs > Microsoft Graph.
  13. Select Application permissions.
  14. Under Directory, check Directory.ReadWrite.All.
  15. Click Add permissions.
  16. Click Grant admin consent for your tenant.
  17. Click Yes to confirm. The Status column should now read "Granted for" followed by your tenant name on every permission in the list. If any row still shows Not granted, consent did not complete; grant it again before continuing.

Step Three - Obtain the AppID and TenantID from the Application Registration

Follow the steps below to obtain the AppID and TenantID from the Application Registration.

  1. Open the app registration you created. On the Overview tab, you will find the Application (client) ID and the Directory (tenant) ID.
  2. Copy both values to another application, such as Notepad, for use later in this process. They are needed for the MigrationWiz project setup. Neither ID is a secret; the client secret created in the next step is.

Step Four - Create a Client Secret

Create a Client Secret for the application by following the steps below.

  1. Go to Manage > Certificates & secrets from the left sidebar.
  2. Under Client secrets, click + New client secret, give it a description, and choose an expiry period.
  3. Copy and save the client secret's Value (not its Secret ID) in Notepad or another preferred tool.

Warning

The client secret's value is shown only once, immediately after you create it. After you leave the Certificates & secrets page, it can no longer be retrieved. If you lose the value, create a new client secret as described above and use the new value in the steps below.

Choose the shortest expiry that covers the migration window, and delete the secret (or the whole app registration) once the migration is complete: with full_access_as_app consented, whoever holds this value has read/write access to every mailbox in the tenant.
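As an added example (not from the original article or from MigrationWiz), the following PowerShell script proves that the secret from Step Four works before you enter it into a project: it requests app-only tokens with the client-credentials grant and checks that the permissions consented in Step Two appear in each token's roles claim. The tenant and app ID placeholders and the Test-AppOnlyToken and ConvertFrom-JwtPayload helper names are assumptions; the token endpoint, scopes and error codes are standard Entra ID.

```powershell
# Added example, not part of the original article. Placeholder IDs are assumptions: replace them
# with the Directory (tenant) ID and Application (client) ID from Step Three.
$TenantId = '00000000-0000-0000-0000-000000000000'
$AppId    = '11111111-1111-1111-1111-111111111111'
$secret   = Read-Host -Prompt 'Client secret value' -AsSecureString   # never hard-code the secret

function ConvertFrom-JwtPayload {
    # Decode the payload segment of a JWT for inspection; this does not verify the signature.
    param([Parameter(Mandatory)][string] $Token)
    $seg = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($seg.Length % 4) { 2 { $seg += '==' } 3 { $seg += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($seg)) | ConvertFrom-Json
}

function Test-AppOnlyToken {
    param(
        [string]   $Scope,          # <resource>/.default for the client-credentials grant
        [string[]] $ExpectedRoles   # application permissions that must appear in the roles claim
    )
    $body = @{
        client_id     = $AppId
        client_secret = [Net.NetworkCredential]::new('', $secret).Password
        scope         = $Scope
        grant_type    = 'client_credentials'
    }
    try {
        $resp = Invoke-RestMethod -Method Post -ContentType 'application/x-www-form-urlencoded' -Body $body `
            -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    } catch {
        # AADSTS7000215 = wrong or expired secret; AADSTS700016 = app ID not found in this tenant.
        throw "Token request for $Scope failed: $($_.ErrorDetails.Message)"
    }
    $claims = ConvertFrom-JwtPayload $resp.access_token
    foreach ($r in $ExpectedRoles) {
        # A token is issued even without consent; the permission is simply absent from the roles claim.
        $status = if ($claims.roles -contains $r) { 'OK     ' } else { 'MISSING' }
        "$status $r in token for $($claims.aud)"
    }
    "        token expires $([DateTimeOffset]::FromUnixTimeSeconds($claims.exp).LocalDateTime)"
}

# EWS and Exchange permissions are issued for the Exchange Online resource,
# Directory.ReadWrite.All for Microsoft Graph, so each needs its own token.
Test-AppOnlyToken -Scope 'https://outlook.office365.com/.default' -ExpectedRoles 'full_access_as_app', 'Exchange.ManageAsApp'
Test-AppOnlyToken -Scope 'https://graph.microsoft.com/.default'   -ExpectedRoles 'Directory.ReadWrite.All'
```

A MISSING line with a successful token request means admin consent was not granted (or has not propagated yet); a thrown error means the secret or IDs are wrong, which is cheaper to discover here than in a failed migration pass.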

Step Five - Grant Exchange Administrator Role

Grant the Exchange Administrator role to your app by following the steps below. This role assignment is what allows the Exchange.ManageAsApp permission to take effect.

  1. Go to Entra ID > Roles & admins from the left sidebar.
  2. In the search bar, type Exchange Administrator and click on it.
  3. On the Assignments page, click Add assignments.
  4. In the search bar, enter the name of the app or its Application ID.
  5. Select your app from the list.
  6. Click Add to confirm the assignment. A confirmation message appears after the role is assigned.

    Warning

    This role assignment might take up to 30 minutes to take effect.
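To confirm that the grants from Step Two and the role assignment from Step Five actually landed on the app's service principal, the following added PowerShell script (not part of the original article or of MigrationWiz) queries the tenant with the Microsoft Graph PowerShell SDK. The $AppId placeholder, the output wording and the expected-permission list are assumptions taken from the steps above; run it as an account that can read applications and directory roles.

```powershell
# Added example, not part of the original article. Requires the Microsoft.Graph module
# (Install-Module Microsoft.Graph). $AppId is a placeholder for the Application (client) ID from Step Three.
$AppId = '00000000-0000-0000-0000-000000000000'

Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All'

$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal for appId $AppId; granting admin consent creates it, so grant consent first." }

# Application permissions are stored as app role assignments on the service principal.
# Resolve each AppRoleId to its permission name through the resource's own AppRoles list.
$granted = foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
    $appRole  = $resource.AppRoles | Where-Object Id -eq $a.AppRoleId
    [pscustomobject]@{ Resource = $resource.DisplayName; Permission = $appRole.Value }
}

# Delegated permissions with admin consent are stored as tenant-wide (AllPrincipals) OAuth2 grants.
$delegated = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" |
    Where-Object ConsentType -eq 'AllPrincipals' |
    ForEach-Object { $_.Scope -split ' ' | Where-Object { $_ } }

$expectedApp = @(
    @{ Resource = 'Office 365 Exchange Online'; Permission = 'full_access_as_app' },
    @{ Resource = 'Office 365 Exchange Online'; Permission = 'Exchange.ManageAsApp' },
    @{ Resource = 'Microsoft Graph';            Permission = 'Directory.ReadWrite.All' }
)
foreach ($e in $expectedApp) {
    $ok = $granted | Where-Object { $_.Resource -eq $e.Resource -and $_.Permission -eq $e.Permission }
    '{0} application permission {1} on {2}' -f ($(if ($ok) { 'OK     ' } else { 'MISSING' }), $e.Permission, $e.Resource)
}
'{0} delegated permission EWS.AccessAsUser.All with admin consent' -f $(
    if ($delegated -contains 'EWS.AccessAsUser.All') { 'OK     ' } else { 'MISSING' })

# Exchange.ManageAsApp only works when the service principal also holds the Exchange Administrator role.
# Get-MgDirectoryRole returns only roles that have been activated, so an unassigned role shows as MISSING.
$exoAdmin = Get-MgDirectoryRole -Filter "displayName eq 'Exchange Administrator'"
$isMember = $exoAdmin -and (Get-MgDirectoryRoleMember -DirectoryRoleId $exoAdmin.Id | Where-Object Id -eq $sp.Id)
'{0} Exchange Administrator role membership' -f $(
    if ($isMember) { 'OK     ' } else { 'MISSING (allow up to 30 minutes after assignment)' })

# Everything above is high privilege, so flag any application permission beyond the expected set for removal.
$expectedNames = $expectedApp | ForEach-Object { $_.Permission }
$granted | Where-Object { $_.Permission -notin $expectedNames } |
    ForEach-Object { "EXTRA   application permission $($_.Permission) on $($_.Resource)" }
```

Run it once after Step Five and again after the migration, when the expected result is that the app registration no longer exists.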

Important

App password usage, MFA/2FA, SSO, and ADFS are not supported for the migration service account when using Application permissions. However, the users being migrated in your project can have these security features enabled.

Step Six - Set up your MigrationWiz Project

Add the details from the Application Registration to the MigrationWiz project.

  1. Create your migration project.
  2. Set up your endpoints. During this setup, you will be asked for:
    • Application (Client) ID - obtained in Step Three
    • Directory (Tenant) ID - obtained in Step Three
    • Client Secret - obtained in Step Four

      Tip

      The Client Secret value is not mandatory if you use Delegated permissions; in that case, leave the Client Secret field empty. If you are using Application permissions, you must enter the Client Secret.

Use the Application (client) ID and Directory (tenant) ID exactly as shown on the App Registration's Overview page (Step Three) and the secret value from Step Four. Do not substitute values you used for any other tool or script you may have run against the tenant, such as ConfigureM365Tenant.

Advanced Options

Support Tab

The following support options appear in the Advanced Options depending on the Microsoft 365 endpoints defined in your project.

  • ModernAuthClientSecretExport=xxxxxxxxxxxx Where the value is the client secret's value for the M365 endpoint at the source.
  • ModernAuthClientSecretImport=xxxxxxxxxxxx Where the value is the client secret's value for the M365 endpoint at the destination.

These values can only be modified by editing your project's endpoints. Because the secret is readable here, anyone who can open the project's Advanced Options can read it; limit project access accordingly and rotate the secret if that access changes.

Entering a client secret in the endpoint dialog tells the system that you are using the new way of authenticating to the M365 environment. If you are still using the Application Impersonation method, leave the client secret field empty.

Finally, when you use Delegated permissions you must add some advanced options; when you use Application permissions at both endpoints, none of the following is required.

  • Delegated permissions at the source and destination. Mandatory advanced option:

    • UseApplicationPermissionAtSource=0

  • Delegated permissions at the source only. Mandatory advanced options:

    • UseApplicationPermission=1
    • UseApplicationPermissionAtSource=0

  • Delegated permissions at the destination only. Mandatory advanced option:

    • UseApplicationPermission=1

Source/Destination Tab

Ensure that the following advanced options are enabled:

  • Use Impersonation to Authenticate at source and destination endpoints.
  • Apply Licenses to Target Mailboxes during Pre-Stage Process.

In case of any questions or concerns about this new method, contact our support team.
