BitTitan uses application permissions for SharePoint, OneDrive for Business, Microsoft 365 Groups (Documents), and Teams migrations. This provides greater security and reduces the potential for Microsoft throttling. It replaces the previous Microsoft 365 authentication, which has been subject to increased throttling by Microsoft. However, you may sometimes want to use delegated permissions to better limit the access granted to your tenant.
Delegated permissions can be used on the source tenant, the destination tenant, or both in a migration. However, you will not use delegated application permissions AND full-control application permissions within the same tenant.
Warning
Please consider the following information when configuring your permissions:
- You will need a global admin to install the delegated app in the tenant.
- The account being used as admin in the project needs to have MFA disabled and must be exempt from any conditional access policies that may prevent access to the migrated environment.
- App password usage, MFA/2FA, and ADFS are not supported for the migration admin account/service account being used by this endpoint.
- For SharePoint and OneDrive migrations, the account used as admin in the project needs to be a Global Admin or SharePoint Admin (alternate admin options for the source tenant can be found later in this document).
- For the SharePoint/OneDrive Delegated App, the account being used as administrator should have a license assigned to the tenant with SharePoint/OneDrive active.
- For Teams migrations, the account being used as admin in the project needs to be a Global Admin or Teams Admin (alternate admin options for the source tenant can be found later in this document).
- For the Teams Delegated App, the account being used as administrator should have a license assigned to the tenant with Teams active.
Add the App to the Tenant
Visit the following URL and sign in as the administrator user:
- For Teams migrations
- For Teams Government migrations
- For SharePoint and/or OneDrive migrations
- For SharePoint and/or OneDrive Government migrations
Perform this for both Source and Destination tenants (as needed). When authorizing the app, you will see something similar to the below screenshot. You can expand the permissions to see exactly what is being granted for the application.
Create a Service Account and Add Permissions
To add the necessary permissions to the tenants, you will need a service account that you will use for the migration. When creating the account please consider the following:
- Preferably, the account is a Global Admin account, but this is not required.
- The account needs to have MFA disabled and needs to be exempt from any conditional access policies that may prevent access to the migrated environment.
Once created, this account will need to meet the following requirements:
- An Office 365 license that includes SharePoint/OneDrive
- Site Collection Permissions for each OneDrive and/or SharePoint site you want to migrate.
Important
MigrationWiz will only be able to have access to OneDrive or Sites to which the service account has site collection rights. No other sites will be visible to MigrationWiz.
- An Office 365 license that includes Teams
- Ownership of any Team that you want to migrate.
- Ensure the admin account shows as an owner of the source Team, owner in Private Channels for the Team, and Owner or Site Collection Admin for the SharePoint site associated with the Team.
- If Teams are pre-existing for the destination tenant, ensure the same for those Teams as with the source.
Warning
Please confirm that the migration account is the site admin for all the SharePoint sites (Shared Documents, Site Assets) that you are migrating. Otherwise, you might encounter issues.
Advanced Options
You will need to add Advanced Options (AOs) to your project to tell MigrationWiz that you are using delegated permissions for your migration. Depending on whether you are using delegated permissions on the source, the destination, or both tenants, you will need the different options described below.
SharePoint and OneDrive Migrations
You should add the following advanced options for OneDrive and SharePoint migrations when using a Global Admin or SharePoint Admin along with the delegated app.
Delegated Permissions at the source and destination
Below you can find the mandatory AO at the source.
- UseApplicationPermissionAtSource=0
Below you can find the mandatory AO at the destination.
- UseApplicationPermissionAtDestination=0
Delegated Permissions at the source only
Below you can find the mandatory AO at the source.
- UseApplicationPermission=1
- UseApplicationPermissionAtSource=0
There are not any AOs at the destination.
Delegated Permissions at the destination only
Below you can find the mandatory AO at the source.
- UseApplicationPermission=1
Below you can find the mandatory AO at the destination.
- UseApplicationPermissionAtDestination=0
OneDrive and SharePoint Migrations
For OneDrive and SharePoint Migrations, you can use a user without admin rights for the source. But keep in mind that the account must still be a Site Collection admin of the SharePoint site or OneDrive and you have to use delegated permissions for the source. To use this option, add the following advanced option in addition to the ones used for a delegated app used at the source tenant.
Please keep in mind that this option may still result in errors that could require you to use a SharePoint Admin for the source tenant instead. It is highly recommended that you test this option in your environment before using it for your primary migration.
- ForceOneDriveNonGlobalAdminAuthExport=1
GCC High Migrations
If you are migrating to/from a GCC High tenant (SharePoint, OneDrive, or Teams), you will also need to add these advanced options.
- If the source is GCC High - OneDriveProExportEnvironment=AzureUSGovernment
- If the destination is GCC High - OneDriveProImportEnvironment=AzureUSGovernment
Teams Migrations
You should add the following advanced options for Teams migrations and use a Global Admin or SharePoint Admin along with the delegated app.
Delegated Permissions at the source and destination
Below you can find the mandatory AO at the source and destination.
- UseDelegatePermission=1
Delegated Permissions at the source only
Below you can find the mandatory AO at the source.
- UseDelegatePermission=1
Below you can find the mandatory AO using Full Control permissions at the destination.
- UseApplicationPermissionAtDestination=1
Delegated Permissions at the destination only
Below you can find the mandatory AO using Full Control permissions at source.
- UseDelegatePermission=1
- UseApplicationPermissionAtSource=1
There is no mandatory AO at the destination.
Teams Migrations
For Teams Migrations, you can use a user without admin rights for the source. But keep in mind that the account must still be the owner of the source Team, the owner in Private Channels for the Team, and the owner or Site Collection Admin for the SharePoint site associated with the Team. To use this option, add the following advanced option in addition to the ones used for a delegated app used at the source tenant.
Please keep in mind that this option may still result in errors that could require you to use a Teams Admin for the source tenant instead. It is highly recommended that you test this option in your environment before using it for your primary migration.
- TeamsSkipAdminCheck=1
Post Migration Steps
Remove the BitTitan Enterprise app by performing the following steps:
- Launch PowerShell.
- Ensure that you have the Azure PowerShell Module installed.
- Connect PowerShell to Microsoft 365.
- Enter the command:
Connect-AzureAD
- Enter the admin credential in the prompt.
- Enter the command:
Get-AzureADServicePrincipal -SearchString Migration
- Look for the ObjectId of the app you want to remove and enter the following command:
Remove-AzureADServicePrincipal -objectId <the object id>
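The removal steps above as a single script. This is an added example, not BitTitan's own code. It reviews the delegated grants held by each matching app before anything is deleted, and it refuses to remove an ObjectId that the search did not return. It assumes the AzureAD module is installed; the variable names are illustrative and `<the object id>` is a placeholder you fill in.

```powershell
# Added example. Assumes the AzureAD module and an account that may
# read and delete service principals in this tenant.
Connect-AzureAD

# Same search string as the documented step; it can match several apps.
$candidates = @(Get-AzureADServicePrincipal -SearchString 'Migration')

# Build a review report: one row per matching service principal, with the
# delegated (OAuth2) scopes that were consented for it.
$report = foreach ($sp in $candidates) {
    $grants = @(Get-AzureADServicePrincipalOAuth2PermissionGrant -ObjectId $sp.ObjectId)
    [pscustomobject]@{
        DisplayName = $sp.DisplayName
        ObjectId    = $sp.ObjectId
        AppId       = $sp.AppId
        ConsentType = ($grants.ConsentType | Sort-Object -Unique) -join ','
        Scopes      = (($grants.Scope -join ' ') -replace '\s+', ' ').Trim()
    }
}
$report | Format-List

# Placeholder: paste the ObjectId you confirmed in the report above.
$objectIdToRemove = '<the object id>'

# Guard: only delete an object that the search actually returned.
$target = $report | Where-Object { $_.ObjectId -eq $objectIdToRemove }
if (-not $target) {
    throw "ObjectId '$objectIdToRemove' is not among the search results; nothing removed."
}

Remove-AzureADServicePrincipal -ObjectId $target.ObjectId

# Verify that the service principal no longer appears in the tenant.
$remaining = Get-AzureADServicePrincipal -SearchString 'Migration' |
    Where-Object { $_.ObjectId -eq $objectIdToRemove }
if ($remaining) {
    Write-Warning "Service principal $objectIdToRemove is still present."
} else {
    Write-Output "Removed '$($target.DisplayName)' ($objectIdToRemove)."
}
```

Run it once in each tenant where the app was added.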