MigrationWiz - Migration Planning - Modern Authentication for Office 365

BitTitan® now supports Modern Authentication for Office 365 endpoints used for Mailbox migrations. Modern Authentication provides a more secure authentication mechanism for registered applications to connect to Azure Active Directory and Office 365. For more information on Modern Authentication, see this page from Microsoft: How to authenticate an EWS application by using OAuth.

Prerequisites

• A Global Administrator account with access to Azure Active Directory.
• MigrationWiz® Mailbox project(s) created and ready for configuration.
• The Global Administrator account must have Multi-Factor Authentication (MFA) disabled.
• The application will require admin consent. This process will include the steps for granting admin consent. For more information on granting admin consent, see this article from Microsoft: Configure the way end-users consent to an application in Azure Active Directory

Process

1. Log in to Azure AD admin console at: https://aad.portal.azure.com/ with a Global Administrator login.
2. Select Azure Active Directory in the Azure Active Directory Admin Center.
3. Select App Registrations, which is found under Manage.
4. Select New Registration at the top of the screen.
5. Give the app a distinct name. You can change this later if necessary.
6. Select the Accounts in any organizational directory button.
7. Under Redirect Uri, select Public Client (mobile & desktop) and set it to urn:ietf:wg:oauth:2.0:oob
8. Click Register.
9. Go back to App registrations.
10. Select the App you just created.
11. In the Overview, you will find a ClientId (aka Application) and Directory (Tenant) ID.
12. Copy both of these to another application, such as Notepad, for use later in this process.
13. Under the Manage menu, select Authentication.
14. Set the option Treat application as a public client to Yes.
    Note: This does not open public access; it indicates that the client is not capable of protecting the Open Authorization client secrets. A different authentication mechanism will be needed.
15. Click Save.
16. From the Manage menu, select API permissions.
17. Select Add a Permission.
18. Select Exchange from Supported Legacy APIs.
19. When asked “What type of permissions does your application require?” click Delegated permissions.
20. Check the box under EWS for EWS.AccessAsUser.All.
21. Click Add permissions.
    Note: This permission only allows the OAuth application (MigrationWiz) to be associated with EWS. This does not grant access to all mailbox data.
22. Click Grant admin consent.
23. Click Yes to confirm the settings.
24. In MigrationWiz select the project that needs to be configured for Modern Authentication.
25. Click the Edit Project menu.
26. Select Advanced Options.
27. Under Support Options enter the ClientID and TenantID information you saved earlier in the following format:
    • If enabling Modern Authentication for the Source:
      • ModernAuthClientIdExport=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
      • ModernAuthTenantIdExport=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    • If enabling Modern Authentication for the Destination:
      • ModernAuthClientIdImport=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
      • ModernAuthTenantIdImport=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
        Notes:
        • Enter the specific ClientID and TenantID for your tenant in place of the xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.
        • These options can be entered for either the Source or the Destination, or both, depending on the settings on the tenants.
        • These options need to be configured for each MigrationWiz project that needs to have Modern Authentication enabled.
        • For further details on entering Support Options, see How do I add support options to a project or to a single item?
28. Run a Verify Credentials to confirm that MigrationWiz can connect using Modern Authentication. For specific steps, see How do I verify credentials?
29. Click on the item that was verified. There will be a message in the MigrationWiz Migration Information page that Modern Authentication is being used.
    Note: This message will show in the “Migration Errors” box; however, it is not an error. This is just a message confirming that Modern Authentication is now active and being used for connection.