BitTitan® now supports Modern Authentication for Office 365 endpoints used for Mailbox migrations. Modern Authentication provides a more secure authentication mechanism for registered applications to connect to Azure Active Directory and Office 365. For more information on Modern Authentication, see this page from Microsoft: How to authenticate an EWS application by using OAuth.
Note: The Autodiscovery of items option will not work with Modern Authentication in place.
Prerequisites
- A Global Administrator account with access to Azure Active Directory.
- MigrationWiz® Mailbox project(s) created and ready for configuration.
- The application will require administrator consent. This process will include the steps for granting that consent. For more information on granting administrator consent, see this article from Microsoft: Configure the way end-users consent to an application in Azure Active Directory
Process
- Log in to Azure AD admin console at: https://aad.portal.azure.com/ with a Global Administrator login.
- Select Azure Active Directory in the Azure Active Directory Admin Center.
- Select App Registrations, which is found under Manage.
- Select New Registration at the top of the screen.
- Give the app a distinct name. You can change this later if necessary.
- Select the Accounts in any organizational directory button.
- Under Redirect Uri, select Public Client (mobile & desktop) and set it to urn:ietf:wg:oauth:2.0:oob
- Click Register.
- Go back to App registrations.
- Select the App you just created.
- In the Overview, you will find a ClientId (aka Application) and Directory (Tenant) ID.
- Copy both of these to another application, such as Notepad, for use later in this process.
- Under the Manage menu, select Authentication.
- Set the option Treat application as a public client to Yes.
Note: This does not open public access; it indicates that the client is not capable of protecting the Open Authorization client secrets. A different authentication mechanism will be needed. - Click Save.
- From the Manage menu, select API permissions.
- Select Add a Permission.
- Select Exchange from Supported Legacy APIs.
- When asked “What type of permissions does your application require?” click Delegated permissions.
- Check the box under EWS for EWS.AccessAsUser.All.
- Click Add permissions.
Note: This permission only allows the OAuth application (MigrationWiz) to be associated with EWS. This does not grant access to all mailbox data. - Click Grant admin consent.
- Click Yes to confirm the settings.
- In MigrationWiz select the project that needs to be configured for Modern Authentication.
- Click the Edit Project menu.
- Select Advanced Options.
- Under Support Options enter the ClientID and TenantID information you saved earlier in the following format:
- If enabling Modern Authentication for the Source:
ModernAuthClientIdExport=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxModernAuthTenantIdExport=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
- If enabling Modern Authentication for the Destination:
ModernAuthClientIdImport=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxModernAuthTenantIdImport=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx- Notes:
- Enter the specific ClientID and TenantID for your tenant in place of the xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.
- These options can be entered for either the Source or the Destination, or both, depending on the settings on the tenants.
- These options need to be configured for each MigrationWiz project that needs to have Modern Authentication enabled.
- If enabling Modern Authentication for the Source:
- Run a Verify Credentials to confirm that MigrationWiz can connect using Modern Authentication.
- Click on the item that was verified. There will be a message in the MigrationWiz Migration Information page that Modern Authentication is being used.
Note: This message will show in the “Migration Errors” box; however, it is not an error. This is just a message confirming that Modern Authentication is now active and being used for connection.