Modern authentication is based on the use of OAuth 2.0 tokens and the Active Directory Authentication Library. It notably adds support for multifactor authentication, in which a secondary challenge besides a password is used to verify a user's identity, such as previously set personal questions.

With Delegated Permissions, your application needs to access the web API as the signed-in user, but the selected permissions limit access. A user can grant this type of permission unless the permission is configured as requiring administrator consent.

With Application Permissions, your application needs to access the web API directly as itself (no user context). This type of permission requires administrator consent and is also not available for native client applications.

Modern Authentication - Delegated Permissions - BitTitan App

This authentication method requires the BitTitan permissions app. The steps for this app are described in the following section. 

Global admin credentials are required for this method. 

• SharePoint migrations: Site Collection admin credentials
• OneDrive migrations: will utilize the SharePoint admin credentials. The admin will be promoted to a site collection admin for the OneDrive account being migrated. OneDrive user account provisioning is supported when using SharePoint admin credentials (provided the destination tenant doesn’t block basic authentication).

Modern Authentication - Application Permissions - BitTitan App

This authentication method requires the BitTitan permissions app. The steps for this app are described in the following section. 

• This method uses user credentials, but the user will need to be a member of a created MigrationWiz security group in the Microsoft 365 tenant. 
• Global admin permissions are required to give consent to the BitTitan app. 
• OneDrive provisioning is not supported and only admin cred flow is supported. 
• Requires the Advanced Option UseApplicationPermission=1

Modern Authentication - Delegated Permissions - BitTitan App

This authentication method requires the BitTitan permissions app. The steps for this app are described in the Teams to Teams migration guide.

• Requires global admin or Teams admin credentials.
• Requires the Advanced Option UseDelegatePermission=1

Modern Authentication - Application Permissions - BitTitan App

This authentication method requires the BitTitan permissions app. The steps for this app are described in the Teams to Teams migration guide.

• This method uses user credentials, but the user will need to be a member of a created MigrationWiz security group in the Microsoft 365 tenant. 

Document migrations in the Microsoft 365 Small Business Tenant require some special considerations.

MigrationWiz supports Document Migration, but the Destination has to be configured in the following manner:

While the Source (e.g., Google Drive) can use admin credentials, the Destination, Microsoft 365 Small Business Tenant, must be configured with the end user credentials. If admin credentials are used, the following error arises:

Destination: Your migration failed to check destination credentials. One Drive for Business administrative authentication failed with <your tenant URL>.

We use SharePoint administrator API to perform auto-provisioning and provide the administrator rights to access user sites. Some Office 365 plans prevent us from accessing them (Small Business, for example). If your plan does not provide access to the SharePoint administrator API, you must use your end-user credentials.

Some migrations may require only allowing rights to the migration process for a particular set of users. In such cases, use the following procedure that outlines how this can be achieved. To do so, please replace Step Two's instructions from the General API Permissions tab with the ones detailed below.

Replacement Step Two - Changes in API Permissions

In Step Two you must add the additional Application Permissions to the App Registration. In this case, the full_access_as_app permission should NOT be checked.

When this permission is selected, it will override any of the management scopes and simply provide access to all mailboxes in the organization. So, remove this permission if you had previously included it in your application registration.

Create Management Scope Manually Using a Mail-Enabled Security Group

To assign a management scope only for a particular set of mailboxes, create a mail-enabled security group in the tenant (or use an existing one).

Make sure you have copied down the distinguished name of the security group as you will need it when creating the restriction filter for your management scope. The following is an example of what a distinguished name for the group would look like:

CN=MailEnSecGro20240913485729,OU=BTTest.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=NAMP210A006,DC=PROD,DC=OUTLOOK,DC=COM

To obtain the Distinguished Name of a Group, you can use the PowerShell command below. It does rely on the connection made into the Exchange Online module so be sure to connect there first.

Connect-ExchangeOnline
Get-distributiongroup -identity "GROUPNAME" | select distinguishedname | fl

Then follow the steps below to create the management scope.

1. Connect to the M365 Tenant with the following PowerShell command, using your Admin credentials.connect-exchangeonline
2. Run these PowerShell commands, replacing the items in bold with the details from your Enterprise Application, and make sure to use the distinguished name of your own security group and not the one in the example shown below:$applicationId = "ApplicationID from the Enterprise Application"
$objectId ="ObjectID from the Enterprise Application"
$MgmtScopeName="User Mailboxes"

New-ManagementScope -Name $MgmtScopeName -RecipientRestrictionFilter "MemberOfGroup -eq 'CN=MailEnSecGro20240913485729,OU=BTTest.onmicrosoft.com,OU=Microsoft Exchange Hosted Organizations,DC=NAMP210A006,DC=PROD,DC=OUTLOOK,DC=COM'"

New-ServicePrincipal -AppId $applicationId -ObjectId $objectid -DisplayName "MigrationWiz"

New-ManagementRoleAssignment -App $objectId -Role "Application EWS.AccessAsApp" -CustomResourceScope $MgmtScopeName
3. Check that the management scope is in place by using this command.Get-ManagementScope

   The results will have a similar output to this image.

   

In the example above, only mailboxes that are members of the mail-enabled security used for the recipient restriction filter will be in scope for the migration. 

As a result, when you try to perform a migration with MigrationWiz, mailboxes that are not added as members of the mail-enabled security group will fail with a 403 error like in the following example. 

Your migration failed while checking destination credentials. The request failed. The remote server returned an error: (403) Forbidden.

In the example above, the destination mailbox fails as it is not a member of the mail-enabled security group being used for the management scope in the destination tenant.

Another way to confirm that a mailbox is part of the scope created is by running the following PowerShell commands against the impacted mailbox in the tenant. 

Test-ServicePrincipalAuthorization -Identity <ObjectID, AppID, or DisplayName> [-Resource] <target mailbox>

As a result, you will get the following values:

• InScope = False, indicating the mailbox is not a member of the mail-enabled security group used for the management scope.
• InScope = True, indicating the mailbox is a member of the mail-enabled security group.

The DisplayName of the Service Principal is used in the example below, showing an InScope value of False.

Updating the Management Scope

To update the management scope, you must remove the previous one and re-apply it to the tenant. To do this, follow the next steps:

1. Remove the Management Role Assignment. get-managementroleassignment -Identity "Application EWS.AccessAsApp*" -RoleAssigneeType ServicePrincipal | remove-managementroleassignment

2. Remove the Service Principal. remove-serviceprincipal -identity "MigrationWiz"
3. Remove the Management Scope itself. remove-managementscope -identity "User Mailboxes"

Afterward, you can rerun the commands from the sections above to recreate the Management Scope with the updated filter.

In case you want to use delegated permissions, follow the steps below. Keep in mind that we do not recommend this approach due to performance porpuses.

As you may know, having administrative access to the Microsoft 365 control panel to manage users does not necessarily mean that the same account has permission to access all mailboxes for migration. In order to have administrative permissions to migrate mailbox data, it is necessary to grant the account permissions on each mailbox.

Below you can find a PowerShell example to manually grant administrative access for migration. In case you want to perform it through the Exchange Admin Center you can follow the steps provided by Microsoft here. 

$LiveCred = Get-Credential

Install-Module -Name ExchangeOnlineManagement
Import-Module -Name ExchangeOnlineManagement
Connect-ExchangeOnline -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred

Get-Mailbox -ResultSize Unlimited | Add-MailboxPermission -AccessRights FullAccess -Automapping $false -User MigrationWiz

The above command must be applied each time a new mailbox is created, as permissions are set directly on the mailbox. The administrative account will not have access until the permissions are applied.​

The global admin account does have the necessary rights for delegation. However, again, we recommend using API permissions for migrations​ from and/or to Microsoft 365.

If connecting to GCC High with Powershell, use:

Connect-ExchangeOnline -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -ExchangeEnvironmentName O365USGovGCCHigh

If you want to set up a Microsoft 365 Groups endpoint please consider the following recommendations before setting up your API permissions as suggested in steps below.

• Configuration without ModernAuthClientSecret: Avoid using ModernAuthClientSecret in the advanced options. Instead, use ClientId, TenantId, and Global/Exchange Admin credentials.
• Connector User Ownership: Ensure that the connector user is the owner of the Microsoft 365 Group being migrated.
• Utilize Recipient Mappings: Implement recipient mappings for mapping user attributes during the migration. For more information, please check the recipient mapping section of the Advanced Options and General Options article.

Please use this approach for Microsoft 365 Groups migration endpoints, taking into account the information provided above.

Step One - Create a New Application Registration

Create a new Application Registration in the Microsoft 365 tenant source or destination.

1. Log in to the Microsoft Entra admin center with a Global Administrator login.
2. Click View all products and select Microsoft ID (Azure AD) in the Microsoft Entra Admin Center.
3. In the left sidebar, open the Applications dropdown list and select App Registrations, which is found under the Identity dropdown list.
4. Select New Registration at the top of the screen.
   
5. Give the app a distinct name. You can change this later if necessary.
6. Select the Accounts in this organizational directory only ('Tenant name only' - Single tenant) radio button.
7. Under Redirect URI (optional), select Public client/native (mobile & desktop) and set it to urn:ietf:wg:oauth:2.0:oob
8. Click Register.
   
9. Under the Manage menu, select Authentication.
10. Set the option Allow public client flows to Yes. 
11. Click Save.
    

Step Two - Assign the API Permissions and Grant Admin Consent

The following steps allow you to assign the API permission and grant consent to the necessary M365 components.

1. From the Manage menu, select API permissions.

   Important

   If an API permission is named User.Read under Microsoft Graph is already present, this can be removed. The Microsoft Graph API does not apply to this project type and is not used.
2. Click Add a Permission.
   
3. Select APIs my organization uses.
4. Scroll down or search for the following permissions Office 365 Exchange Online.
   
5. Select Delegated Permissions.
6. Select EWS.
7. Check the box under EWS for EWS.AccessAsUser.All. 
   

   Important

   This permission only allows the OAuth application (MigrationWiz) to be associated with EWS. This does not grant access to all mailbox data.
8. Click Add Permissions.
   
9. Click Grant admin consent.
   
10. Click Yes to confirm the settings. Under the Status column, you should see a message that permission has been granted for the domain.

Step Three - Obtain the AppID and TenantID from the Application Registration

Follow the steps below to obtain the AppID and TenantID from the Application Registration.

1. Navigate to the App Registrations item as shown below. In the Overview tab, you will find the Application (client) ID and the Directory (Tenant) ID.
2. Copy both of these to another application, such as Notepad, for use later in this process. This is needed for the MigrationWiz Project Setup.