Authentication Methods for Microsoft 365 (All Products) Migrations

Authentication and permission management for Microsoft 365 can be complex and varies by type. This article covers the various types of authentication, what scenarios they apply to, and special cases. 

The specific authentication needed, and the steps to enable it, will be found in the migration guide for your specific scenario.

Terminology
Basic Authentication Modern Authentication Delegated Permissions Application Permissions

Basic Authentication is no longer supported between MigrationWiz and Exchange Online endpoints as of the end of December 2022 due to Microsoft discontinuing support for Basic Authentication in Exchange Online. Basic Authentication will not be supported after that and configuring MigrationWiz to use Modern Authentication will be required.

Authentications Available per Product Type

SharePoint & OneDrive

Modern Authentication - Delegated Permissions - BitTitan App

This authentication method requires the BitTitan permissions app. The steps for this app are described in the following section. 

Global admin credentials are required for this method. 

  • SharePoint migrations: Site Collection admin credentials
  • OneDrive migrations: will utilize the SharePoint admin credentials. The admin will be promoted to a site collection admin for the OneDrive account being migrated. OneDrive user account provisioning is supported when using SharePoint admin credentials (provided the destination tenant doesn’t block basic authentication).

Modern Authentication - Delegated Permissions - Customer Tenant App

  • SharePoint migrations: Global admin and site collection admin (GA role required to create tenant app)
  • OneDrive migrations: will utilize the SharePoint admin credentials. The global admin will create the tenant app and promote their permissions to site collection admin levels for the account being migrated. OneDrive user account provisioning is supported when using SharePoint admin credentials (provided the destination tenant doesn’t block basic authentication).

Modern Authentication - Application Permissions - BitTitan App

This authentication method requires the BitTitan permissions app. The steps for this app are described in the following section. 

  • This method uses user credentials, but the user will need to be a member of a created MigrationWiz security group in the Microsoft 365 tenant. 
  • Global admin permissions are required to give consent to the BitTitan app. 
  • OneDrive provisioning is not supported and only admin cred flow is supported. 
  • Requires the Advanced Option UseApplicationPermission=1

Teams

Modern Authentication - Delegated Permissions - BitTitan App

This authentication method requires the BitTitan permissions app. The steps for this app are described in the Teams to Teams migration guide.

  • Requires global admin or Teams admin credentials.
  • Requires the Advanced Option UseDelegatePermission=1

Modern Authentication - Delegated Permissions - Customer Tenant App

  • Requires global admin credentials.
  • Requires the Advanced Option UseDelegatePermission=1

Modern Authentication - Application Permissions - BitTitan App

This authentication method requires the BitTitan permissions app. The steps for this app are described in the Teams to Teams migration guide.

  • This method uses user credentials, but the user will need to be a member of a created MigrationWiz security group in the Microsoft 365 tenant. 

Microsoft 365

Modern Authentication - Delegated Permissions

  • Created in the customer's Microsoft Entra account.
  • Requires admin credentials.

Small Business Tenant

Document migrations in the Microsoft 365 Small Business Tenant require some special considerations.

MigrationWiz supports Document Migration, but the Destination has to be configured in the following manner:

While the Source (e.g., Google Drive) can use admin credentials, the Destination, Microsoft 365 Small Business Tenant, must be configured with the end user credentials. If admin credentials are used, the following error arises:

Destination: Your migration failed checking destination credentials. One Drive for Business administrative authentication failed with <your tenant URL>.

We use SharePoint administrator API to perform auto-provisioning and provide the administrator rights to access user sites. Some Office 365 plans prevent us from accessing them (Small Business, for example). If your plan does not provide access to the SharePoint administrator API, you must use end-user credentials.

Obtain Client and Tenant ID Settings for Mailbox and Exchange Online Migrations

BitTitan only supports Modern Authentication for Microsoft 365 endpoints used for Mailbox, Online Archive mailbox, and Public Folder migrations. Modern Authentication provides a more secure authentication mechanism for registered applications to connect to Microsoft Entra ID and Microsoft 365. 

Microsoft's documentation explains enabling and disabling Modern Authentication for Exchange Online.

Prerequisites

  • A Global Administrator account with access to Microsoft Entra ID. MFA/2FA is not supported at this time. The administrator account will need to be excluded from these policies if enabled. 
  • MigrationWiz Mailbox project(s) created and ready for configuration.
  • End-user credentials are not supported. Administrator credentials must be used for the endpoints in the MigrationWiz project
  • The application will require administrator consent

Supported Endpoints

Project Type

Source

Destination

 

 

 

Mailbox

  1. Exchange Server 2003+

  2. Microsoft 365

  3. Microsoft 365 (China)

  4. Microsoft 365 (Germany)

  5. Microsoft 365 (US Government)

  6. Microsoft 365 Groups

  1. Exchange Server 2003+

  2. Microsoft 365

  3. Microsoft 365 (China)

  4. Microsoft 365 (Germany)

  5. Microsoft 365 (US Government)

  6. Microsoft 365 Groups

 

 

 

 

 

 

 

 

Public Folder

  1. Exchange Server 2003+

  2. Exchange Server Public Folder

  3. Microsoft 365

  4. Microsoft 365 China

  5. Microsoft 365 Germany

  6. Microsoft 365 US Government

  7. Microsoft 365 Public Folders

  8. Microsoft 365 Public Folders (China)

  9. Microsoft 365 Public Folders (Germany)

  10. Microsoft 365 Public Folders (US Government)

  1. Exchange Server 2003+

  2. Exchange Server Public Folder

  3. Microsoft 365

  4. Microsoft 365 China

  5. Microsoft 365 Germany

  6. Microsoft 365 US Government

  7. Microsoft 365 Public Folders

  8. Microsoft 365 Public Folders (China)

  9. Microsoft 365 Public Folders (Germany)

  10. Microsoft 365 Public Folders (US Government)

 

 

Personal Archive

  1. Exchange Server 2003+

  2. Microsoft 365

  3. Microsoft 365 (China)

  4. Microsoft 365 (Germany)

  5. Microsoft 365 (US Government)

  1. Exchange Server 2003+

  2. Microsoft 365

  3. Microsoft 365 (China)

  4. Microsoft 365 (Germany)

  5. Microsoft 365 (US Government)

Hybrid

  1. On-Premises Exchange 2010+

  1. Microsoft 365 (Hybrid Migrations only)

Registration and Configuration

Important

Below the steps, please find corresponding images representing each step or a group of steps.

  1. Log in to the Microsoft Entra admin center with a Global Administrator login.
  2. Click View all products and select Microsoft ID (Azure AD) in the Microsoft Entra Admin Center.
  3. In the left sidebar, open the Applications dropdown list and select App Registrations, which is found under Manage
  4. Select New Registration at the top of the screen.

    1. New App Registration.png
  5. Give the app a distinct name. You can change this later if necessary.
  6. Select the Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multi Tenant) radio button.
  7. Under Redirect URI (optional), select Public client/native (mobile & desktop) and set it to urn:ietf:wg:oauth:2.0:oob
  8. Click Register.
    2. Register App.png
  9. In the Overview tab, you will find the Application (client) ID and the Directory (Tenant) ID.
  10. Copy both of these to another application, such as Notepad, for use later in this process.
    3. Authentication Settings.png
  11. Under the Manage menu, select Authentication.
  12. Set the option Allow public client flows to Yes
  13. Click Save.
    4. Add Permissions.png
  14. From the Manage menu, select API permissions.
  15. If an API permission is named User.Read under Microsoft Graph is already present, this can be removed. The Microsoft Graph API does not apply to this project type and is not used.
  16. Click Add a Permission.
    5. API Permissions.png
  17. Select APIs my organization uses.
  18. Scroll down or search for the following permissions Office 365 Exchange Online.
    5. Request API permissions.png

  19. Select Delegated Permissions.

  20. Select EWS.

  21. Check the box under EWS for EWS.AccessAsUser.All.
  22. Click Add Permissions. This permission only allows the OAuth application (MigrationWiz) to be associated with EWS.

    Important

    This does not grant access to all mailbox data.
    6. Request API permissions.png
  23. Click Grant admin consent.
    7. Grant permissions.png
  24. Click Yes to confirm the settings. Under the Status column, you should see a message that permission has been granted for the domain.

Google Groups to O365 Migrations

For this type of migration, some API permissions must be added to the destination tenant. To complete the process you must follow the next steps:

  1. Repeat steps 15 and 16.
  2. Search Microsoft Graph.
  3. Then select Delegated Permissions.
  4. Select permissions below and click Add Permissions.
      • Directory.ReadWrite.All
      • Group.ReadWrite.All
      • GroupMember.ReadWrite.All
      • User.Read.All
  5. Click Grant admin consent.
  6. Click Yes to confirm the settings.

Once you created a MigrationWiz project, do not forget to use the credentials you use here. These are required when setting up your endpoints (source and destination).

Destintation Settings.png

Warning

Please consider that you will not be able to save your project if you do not complete these fields, the credentials (client or tenant) are incorrect, or the credentials do not belong to the tenant.

Common Errors when Configuring Your Endpoint

For more information, review the AADSTS700016, AADSTS90002, and ADDSTS50126 issues on the Common Errors Using Modern Authentication page.

Application and Directory ID Issues Administration Credentials Issues

Make sure to complete the Application (client) ID and the Directory (tenant)  ID fields, otherwise, the following warnings arise and you cannot go to the next step.

Application and Directory ID issues.png

This happens when configuring the source or destination endpoints.

Invalid Application Client ID at Source Settings

Check that the Application ID has been installed before or make sure that it is the right one. For more information, refer to AADSTS700016.

Invalid Directory Tenant ID at Source Settings

Check that the Directory Tenant ID has been installed before or make sure that it is the right one. For more information, refer to AADSTS90002.

Microsoft Entra SSO Login

Microsoft 365 Microsoft Entra login can be enabled on your company's MigrationWiz account by our Support team. Note that SSO login happens at the domain level, which means all users with the domain you request will therefore be required to sign in with their Microsoft 365 Microsoft Entra logins - for example, instead of enabling SS just for You@company.com, it would be enabled for all users of @company.com. 

To set this up, you must have at least one MigrationWiz account with the same domain as your Microsoft 365 account. We do not support other SSO providers at this time.

  1. Contact our Support team.
  2. Our support team will set up your account to use Microsoft Entra login.
  3. Once your Microsoft Entra is ready, Support will contact you with instructions. 
  4. You will receive a response from Support when your account is all setup.

If there are any Security Conditional Access Policy at the Microsoft Entra that is blocking the BitTitan Application for MigrationWiz SSO then Exclude the application for the SSO to work.

To use the MigrationWiz PowerShell SDK with MigrationWiz SSO, you must use your original MigrationWiz/MSPComplete password, not your Microsoft Entra password.

Enabling Application Permissions

Teams - Global admin & Application Permissions

In recent updates, the AO ‘UseApplicationPermission=1’ has been defaulted. Use Teams-FullControlApp for both Source and Destination.

MigrationWiz now supports read-only Application Permissions for Team migrations, in addition to full-control permissions. This new app, with ReadOnly permissions, can only be used at the source to enhance security, and will not export document permissions. The destination permissions will always require FullControl permissions.

This allows for a secure migration without the use of Global Admin or Site Collection Admin permissions on the source and destination. The account being used still needs to be licensed for Teams in the Exchange Online tenant.

This app is similar to the Office 365 Authentication App previously deployed, which utilized delegate permissions. This app uses the application permissions. If you are not using application permissions, go to the Authentication App article and follow those steps.

61d5b82a-cc9f-42d9-8565-7813f8c94121.png

Enable Application Permissions

Enable Permissions at Source

These are the steps to enable permission level at the source only. This authentication process gives you control over who is entitled to use the source.

  1. Ensure you are signed in as a Global Admin in the Office 365 Admin Portal.

  2. Go to either Teams-ReadOnlyApp or Teams-FullControlApp and consent to the app access when prompted. If choosing the Teams-ReadOnlyApp option, you will need to disable AMR via "DisableAsynchronousMetadataRead=1", due to Microsoft API limitation.

  3. Create a new Security Group named “MigrationWiz” on the Microsoft 365 Admin Portal. If you have not created a security group before, follow Microsoft's instructions.

  4. Create a new user. This user must have an active Teams license applied.

  5. Add a new user to the previously created security group as a member. Important: ADFS and MFA must be turned off for this user.

  6. Create MigrationWiz project.

  7. When creating the endpoints, enter the new user credentials.

Enable Permissions at Destination

These are the steps to enable the permissions level at the destination.

  1. Ensure you are signed in as a Global Admin.

  2. Go to Teams-FullControlApp and consent to the app access when prompted.

  3. Create a new Security Group named “MigrationWiz” on the Microsoft 365 Admin Portal.

  4. Create a new user. This user must have an active Teams license applied. Important: ADFS and MFA must be turned off for this user.

  5. Add a new user to the previously created security group as a member.

  6. Create MigrationWiz project.

  7. When creating the endpoints, enter the new user credentials.

Teams-FullControlApp may be used on both source and destination tenants and will export document permissions. Teams-ReadOnly can only be used on the source tenant, and will not export document permissions.

Post-Migration Steps

  1. Remove the newly created user.

  2. Remove the MigrationWiz Security Group created in Step 3.

To remove the app from the source or destination, perform the following steps:

  1. Launch PowerShell.

  2. Connect PowerShell to Microsoft 365.

  3. Enter the command: Connect-AzureAD

  4. Enter the admin credentials in the prompt.

  5. Enter the command:Get-AzureADServicePrincipal -SearchString Migration.

  6. Look for the ObjectId of the app you want to remove and enter the following command: Remove-AzureADServicePrincipal -objectId <the object id>

Permissions Granted

  Teams ReadOnly Teams FullControl
Conversations Y Y
Teams Permissions Y Y
Documents Y Y
Document Permissions N Y
Read Only Full Control

The following permissions are granted for Read Only.

SharePoint API

  • Sites.Read.All
  • User.Read.All

Graph API

  • Files.Read.All
  • Group.ReadWrite.All
    (This is to add the user to the team as an owner first before being able to read conversations)
  • User.Read.All
  • Group.Read.All (delegate permission)
    (This is to be able to read all the conversations as a user after being added)
  • User.Read (delegate permission)

SharePoint & OneDrive

MigrationWiz now supports read-only Application Permissions for SharePoint and OneDrive migrations, via use of the support option UseApplicationPermission=1, in addition to full control permissions. This new app, with ReadOnly permissions, can only be used at the source to enhance security. The destination permissions will always require FullControl permissions.

This allows for a secure migration without the use of Global Admin or Site Collection Admin permissions on the source and destination.

This app is similar to the Office 365 Authentication App previously deployed, which utilized delegate permissions. This app uses application permissions. 

BitTitan applications are fully verified and accepted by Microsoft. 

Enable Application Permissions

SharePoint_Read_Only.PNG

Sharepoint_Full_Permissions.PNG

Enable Permissions at Source

These are the steps to enable permission level at the source only. This authentication process gives you control over who is entitled to use the source.

  1. Ensure you are signed in as a Global Admin.
  2. Go to either MigrationWiz-SharePoint-ReadOnly or MigrationWiz-SharePoint-FullControl and consent to the app access when prompted.
  3. Create a new Security Group named “MigrationWiz” on the Office 365 Admin Portal. 
  4. Create a new user. This user must have a SharePoint/OneDrive license applied.
  5. Add a new user to the previously created security group as a member.
  6. Create MigrationWiz project.
  7. When creating the endpoints, enter the new user credentials.
  8. Add support option UseApplicationPermission=1

Enable Permissions at Destination

The following steps enable permission level at the destination.

  1. Ensure you are signed in as a Global Admin.
  2. Go to MigrationWiz-SharePoint-FullControl and consent to the app access when prompted.
  3. Create a new Security Group named “MigrationWiz” on the Microsoft 365 Admin Portal.
  4. Create a new user. This user must have a SharePoint/OneDrive license applied.
  5. Add a new user to the previously created security group as a member.
  6. Create MigrationWiz project.
  7. When creating the endpoints, enter the new user credentials.

MigrationWiz-SharePoint-FullControl may be used on both source and destination tenants and will export document permissions. MigrationWiz-SharePoint-ReadOnly can only be used on the source tenant, will not export document permissions, and cannot use AMR.

Post-Migration Steps

  1. Remove the newly created user.
  2. Remove the MigrationWiz Security Group created in Step 3. 

To remove the app from the source or destination, perform the following steps:

  1. Launch PowerShell.
  2. Connect PowerShell to Microsoft 365.
  3. Enter the command: Connect-AzureAD
  4. Enter the admin credentials in the prompt.
  5. Enter the command:Get-AzureADServicePrincipal -SearchString Migration
  6. Look for the ObjectId of the app you want to remove and enter the following command: Remove-AzureADServicePrincipal -objectId <the object id>

Permissions Granted

Read Only Full Control

The following permissions are granted for Read Only.

SharePoint API

  • Sites.Read.All
  • User.Read.All

Graph API

  • Directory.Read.All
  • Files.Read.All
  • Group.Read.All (delegate permission)
  • User.Read (delegate permission)
Was this article helpful?
8 out of 21 found this helpful