BitTitan uses application permissions for SharePoint Online (including Microsoft 365 Groups), OneDrive for Business, and Teams migrations. This provides greater security and reduces the potential of Microsoft throttling. It replaces the previous Microsoft 365 authentication, which has been subject to increased throttling by Microsoft. However, in some cases you may want to use delegated permissions to better limit the access granted to your tenant.
Excluding Teams projects, delegated permissions can be used on the source tenant, the destination tenant, or both for SharePoint Online and OneDrive migration projects. However, you will not use Delegated Application permissions and Full-Control Application permissions within the same tenant.
Create a Service Account as a Delegate and Add Permissions
To add the necessary permissions to the tenants, you will need a service account that you will use for the migration. When creating the account please consider the following:
- Delegated Permissions. Granted when an application acts on behalf of a signed-in user. The service account used as the delegated user must complete the consent process. This account must have, at minimum, the Application Administrator role to perform the consent.
- This must be the account that performs Delegated consent for your project, as shown in the Project Summary below.
- The Delegated Account must have, at minimum, the Application Administrator role to perform the Delegated consent. This role is only required for the consent process and can be removed after consenting.
Important
This process must be repeated for every project, even if multiple projects use the same endpoint.
Once created, this account will need to meet the following requirements:
- The Delegated account must have a minimum of a SharePoint Administrator Role.
- An Office 365 license that includes SharePoint/OneDrive.
- Site Collection Permissions for each OneDrive and/or SharePoint site you want to migrate.
Important
MigrationWiz will only have access to the OneDrive accounts or sites on which the service account has site collection rights. No other sites will be visible to MigrationWiz.
- The Delegated account must have a minimum of a Teams Administrator Role.
- An Office 365 license that includes Teams.
- Ownership of any Team that you want to migrate.
- Ensure the admin account shows as an owner of the source Team, owner in Private Channels for the Team, and Owner or Site Collection Admin for the SharePoint site associated with the Team.
- If Teams are pre-existing for the destination tenant, ensure the same for those Teams as with the source.
Warning
Please confirm that the migration account is the site admin for all the SharePoint sites (Shared Documents, Site Assets) that you are migrating. Otherwise, you might encounter issues.
Advanced Options
SharePoint and OneDrive Migrations
For the steps on selecting Delegated Permissions in your MigrationWiz Project, review the following article.
OneDrive and SharePoint Migrations
For OneDrive and SharePoint Migrations, you can use a user without admin rights for the source. But keep in mind that the account must still be a Site Collection admin of the SharePoint site or OneDrive and you have to use delegated permissions for the source. To use this option, add the following advanced option in addition to the ones used for a delegated app used at the source tenant.
Please keep in mind that this option may still result in errors that could require you to use a SharePoint Admin for the source tenant instead. It is highly recommended that you test this option in your environment before using it for your primary migration.
- ForceOneDriveNonGlobalAdminAuthExport=1
GCC High Migrations
If you are migrating to/from a GCC High tenant (SharePoint, OneDrive, or Teams), you will also need to add these advanced options.
- If the source is GCC High - OneDriveProExportEnvironment=AzureUSGovernment
- If the destination is GCC High - OneDriveProImportEnvironment=AzureUSGovernment
Teams Migrations
For the steps on selecting Delegated Permissions in your MigrationWiz Project, review the following article.
Teams Migrations
For Teams Migrations, you can use a user without admin rights for the source. But keep in mind that the account must still be the owner of the source Team, the owner in Private Channels for the Team, and the owner or Site Collection Admin for the SharePoint site associated with the Team. To use this option, add the following advanced option in addition to the ones used for a delegated app used at the source tenant.
Please keep in mind that this option may still result in errors that could require you to use a Teams Admin for the source tenant instead. It is highly recommended that you test this option in your environment before using it for your primary migration.
- TeamsSkipAdminCheck=1
Post Migration Steps
Remove the BitTitan Enterprise app by performing the following steps:
- Launch PowerShell.
- Ensure that you have the Azure PowerShell Module installed.
- Connect PowerShell to Microsoft 365.
- Enter the command:
  Connect-AzureAD
- Enter the admin credential in the prompt.
- Enter the command:
  Get-AzureADServicePrincipal -SearchString Migration
- Look for the ObjectId of the app you want to remove and enter the following command:
  Remove-AzureADServicePrincipal -ObjectId <the object id>
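The cleanup steps above as a single script, extended to show the delegated scopes each matching app holds before it is removed and to drop the consent-only Application Administrator role from the service account. This is an added example, not BitTitan's own code; it uses cmdlets from the same AzureAD module as Connect-AzureAD, and the service account UPN is a placeholder.

```powershell
# Added example: review, then remove, the migration enterprise app and the consent-time role.
# Values below are assumptions; replace the placeholder UPN with your own service account.
$ServiceAccountUpn = 'migration-svc@contoso.example'   # placeholder, not from the article
$SearchString      = 'Migration'                       # search string used in the steps above

Import-Module AzureAD
Connect-AzureAD | Out-Null

# 1. List candidate service principals and the delegated scopes consented for each,
#    so the operator can tell the migration app apart from unrelated matches.
$candidates = @(Get-AzureADServicePrincipal -SearchString $SearchString)
foreach ($sp in $candidates) {
    Write-Host "`n$($sp.DisplayName)  ObjectId=$($sp.ObjectId)  AppId=$($sp.AppId)"
    Get-AzureADServicePrincipalOAuth2PermissionGrant -ObjectId $sp.ObjectId |
        Select-Object ConsentType, PrincipalId, Scope |
        Format-Table -AutoSize | Out-Host
}

# 2. Remove only the ObjectId the operator types in, and only if it was listed above.
$targetId = Read-Host 'ObjectId of the app to remove (blank to skip)'
if ($targetId) {
    if ($candidates.ObjectId -notcontains $targetId) {
        throw "ObjectId $targetId was not among the listed service principals."
    }
    Remove-AzureADServicePrincipal -ObjectId $targetId
    # Confirm the service principal no longer appears in the search results.
    $left = Get-AzureADServicePrincipal -SearchString $SearchString |
        Where-Object ObjectId -eq $targetId
    if ($left) { Write-Warning 'Service principal still present.' }
    else       { Write-Host 'Service principal removed.' }
}

# 3. Remove the Application Administrator role from the service account if still assigned.
#    The role is only needed for consent; do this after the last project has been consented.
$user = Get-AzureADUser -ObjectId $ServiceAccountUpn
$role = Get-AzureADDirectoryRole | Where-Object DisplayName -eq 'Application Administrator'
if ($role -and (Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
        Where-Object ObjectId -eq $user.ObjectId)) {
    Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $user.ObjectId
    Write-Host "Removed Application Administrator from $ServiceAccountUpn."
}
```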