BitTitan uses application permissions for SharePoint Online (including Microsoft 365 Groups), OneDrive for Business, and Teams migrations. This provides greater security and reduces the potential for Microsoft throttling. It replaces the previous Microsoft 365 authentication, which has been subject to increased throttling by Microsoft. However, you may sometimes want to use delegated permissions to better limit the access granted to your tenant.
Excluding Teams projects, delegated permissions can be used on the source tenant, the destination tenant, or both for SharePoint Online and OneDrive migration projects. However, do not use Delegated Application permissions and Full-Control Application permissions within the same tenant.
Create a Service Account as a Delegate and Add Permissions
The service account used as the delegated user must meet the following requirements:
- The Delegated Account must have the Application Administrator role as a minimum to perform the Delegated consent for your project, as shown in the Project Summary screenshot below. For more information on the steps of the Project Summary section, refer to the following article.
Important
This process must be repeated for every project, even if multiple projects use the same endpoint. The Application Administrator role is only required for the consent process and can be removed after consenting.
- An Office 365 license that includes SharePoint/OneDrive.
- A minimum of a SharePoint Administrator role. For Alternate Steps on the Source tenant, refer to the following section.
- Site Collection Permissions for each OneDrive and/or SharePoint site you want to migrate.
Important
MigrationWiz can only access the OneDrive accounts or sites on which the service account has site collection rights. No other sites will be visible to MigrationWiz.
- The Delegated Account must have the Application Administrator role as a minimum to perform the Delegated consent for your project, as shown in the Project Summary screenshot below. For more information on the steps of the Project Summary section, refer to the following article.
Important
This process must be repeated for every project, even if multiple projects use the same endpoint. The Application Administrator role is only required for the consent process and can be removed after consenting.
- An Office 365 license that includes Teams.
- A minimum of a Teams Administrator role. For Alternate Steps on the Source tenant, refer to the following section.
- Ownership of any Team that you want to migrate.
- Ensure the admin account shows as an owner of the source Team, owner in Private Channels for the Team, and Owner or Site Collection Admin for the SharePoint site associated with the Team.
- If Teams are pre-existing for the destination tenant, ensure the same for those Teams as with the source.
Advanced Options
SharePoint and OneDrive Migrations
For the steps on selecting Delegated Permissions in your MigrationWiz Project, review the following article.
Alternate Steps for OneDrive and SharePoint Migrations as the Source
For OneDrive and SharePoint Migrations, you can attempt to use a delegated account without the SharePoint Administrator role for the Source. Keep in mind that the account must still be a Site Collection admin of the SharePoint site or OneDrive, and you have to use delegated permissions for the source. To use this option, add the following advanced option in addition to the ones used for a delegated app at the source tenant.
- ForceOneDriveNonGlobalAdminAuthExport=1
Please keep in mind that this option may still result in errors that could require you to use a SharePoint Admin for the source tenant instead. It is highly recommended that you test this option in your environment before using it for your primary migration.
GCC High Migrations
If you are migrating to/from a GCC High tenant (SharePoint, OneDrive, or Teams), you will also need to add these advanced options.
- If the source is GCC High - OneDriveProExportEnvironment=AzureUSGovernment
- If the destination is GCC High - OneDriveProImportEnvironment=AzureUSGovernment
Teams Migrations
For the steps on selecting Delegated Permissions in your MigrationWiz Project, review the following article.
Alternate Steps for Teams Migrations as the Source
For Teams Migrations, you can attempt to use a delegated account without the Teams Administrator role for the Source. But keep in mind that the account must still be the owner of the source Team, the owner in Private Channels for the Team, and the owner or Site Collection Admin for the SharePoint site associated with the Team. To use this option, add the following advanced option in addition to the ones used for a delegated app used at the source tenant.
- TeamsSkipAdminCheck=1
Please keep in mind that this option may still result in errors that could require you to use a Teams Admin for the source tenant instead. It is highly recommended that you test this option in your environment before using it for your primary migration.
Post Migration Steps
Remove the BitTitan Enterprise app by performing the following steps:
- Launch PowerShell.
- Ensure that you have the Azure PowerShell Module installed.
- Connect PowerShell to Microsoft 365.
- Enter the command:
  Connect-AzureAD
- Enter the admin credential in the prompt.
- Enter the command:
  Get-AzureADServicePrincipal -SearchString Migration
- Look for the ObjectId of the app you want to remove and enter the following command:
  Remove-AzureADServicePrincipal -objectId <the object id>
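The removal steps above, combined with a review of what was consented and a check that the Application Administrator role is no longer assigned to the service account. This is an added example, not BitTitan's own script; the $ServiceAccountUpn value is a placeholder, and the ObjectId prompt and its validation are assumptions added for safety.

```powershell
# Added example; requires the AzureAD module used in the steps above.
# Placeholder: replace with the UPN of your delegated service account.
$ServiceAccountUpn = 'migration-svc@contoso.example'

Connect-AzureAD | Out-Null

# 1. List the candidate enterprise apps with the delegated scopes granted to
#    each, so the ObjectId is checked against name, AppId and scopes first.
$candidates = @(Get-AzureADServicePrincipal -SearchString Migration)
$report = foreach ($sp in $candidates) {
    $grants = Get-AzureADServicePrincipalOAuth2PermissionGrant -ObjectId $sp.ObjectId
    [pscustomobject]@{
        DisplayName = $sp.DisplayName
        ObjectId    = $sp.ObjectId
        AppId       = $sp.AppId
        Scopes      = ($grants.Scope -join ' ').Trim()
    }
}
$report | Format-List | Out-Host

# 2. Remove only an ObjectId that appears in the list just reviewed.
$objectId = Read-Host 'ObjectId to remove (leave blank to skip)'
if ($objectId) {
    if ($candidates.ObjectId -notcontains $objectId) {
        throw "ObjectId $objectId was not returned by the search; nothing removed."
    }
    Remove-AzureADServicePrincipal -ObjectId $objectId
    Write-Host "Removed service principal $objectId"
}

# 3. The Application Administrator role is only needed for consent.
#    Warn if the service account still holds it after the migration.
$role = Get-AzureADDirectoryRole |
    Where-Object { $_.DisplayName -eq 'Application Administrator' }
if ($role) {
    $stillAssigned = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
        Where-Object { $_.UserPrincipalName -eq $ServiceAccountUpn }
    if ($stillAssigned) {
        Write-Warning "$ServiceAccountUpn still holds Application Administrator."
    }
}
```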