Using Delegated Permissions for OneDrive, SharePoint, and Teams migrations

BitTitan uses application permissions for SharePoint, OneDrive for Business, Microsoft 365 Groups (Documents), and Teams migrations. This provides greater security and reduces the likelihood of Microsoft throttling. It replaces the previous Microsoft 365 authentication, which has been subject to increased throttling by Microsoft. However, there are cases where you will want to use delegated permissions instead, to better limit the access granted to your tenant.

Delegated permissions can be used on either the source, destination, or both tenants with a migration.  However, you will not use delegated application permissions AND full-control application permissions within the same tenant.

Warning

Please consider the following information when configuring your permissions:

  • You will need a global admin to install the delegated app in the tenant.
  • The account being used as admin in the project needs to have MFA disabled and must be exempt from any conditional access policies that may prevent access to the migrated environment.
  • App password usage, MFA/2FA, and ADFS are not supported for the migration admin account/service account being used by this endpoint.
  • For SharePoint and OneDrive migrations, the account used as admin in the project needs to be a Global Admin or SharePoint Admin (alternate admin options for the source tenant can be found later in this document).
  • For the SharePoint/OneDrive Delegated App, the account being used as administrator should have a license assigned to the tenant with SharePoint/OneDrive active.
  • For Teams migrations, the account being used as admin in the project needs to be a Global Admin or Teams Admin (alternate admin options for the source tenant can be found later in this document).
  • For the Teams Delegated App, the account being used as administrator should have a license assigned to the tenant with Teams active.

Add the App to the Tenant

Visit the following URL and sign in as the administrator user:

Perform this for both Source and Destination tenants (as needed).  When authorizing the app, you will see something similar to the below screenshot.  You can expand the permissions to see exactly what is being granted for the application.

[Screenshot: Add_App_2.png, the app authorization prompt]

Create a Service Account and Add Permissions

To add the necessary permissions to the tenants, you will need a service account that you will use for the migration. When creating the account please consider the following:

  • The account is preferable to be a Global Admin account, but it is not required.
  • The account needs to have MFA disabled and needs to be exempt from any conditional access policies that may prevent access to the migrated environment.

Once created, this account will need to meet the following requirements:

SharePoint and OneDrive migrations:

  • An Office 365 license that includes SharePoint/OneDrive
  • Site Collection Permissions for each OneDrive and/or SharePoint site you want to migrate.

    Important

    MigrationWiz will only be able to have access to OneDrive or Sites to which the service account has site collection rights.  No other sites will be visible to MigrationWiz.

Warning

Please confirm that the migration account is the site admin for all the SharePoint sites (Shared Documents, Site Assets) that you are migrating. Otherwise, you might encounter issues.

Advanced Options

You will need to add Advanced Options to your project to tell MigrationWiz that you are using delegated permissions for your migration.  Depending on whether you are using delegated permissions on the source tenant, the destination tenant, or both, you will need the different options described below.

SharePoint and OneDrive Migrations

You should add the following advanced options for OneDrive and SharePoint migrations when using a Global Admin or SharePoint Admin along with the delegated app.

  • Delegated Permissions at the source and destination

    Below you can find the mandatory AO at the source.

    • UseApplicationPermissionAtSource=0
  • Delegated Permissions at the source only

    Below you can find the mandatory AO at the source.

    • UseApplicationPermission=1
    • UseApplicationPermissionAtSource=0
  • Delegated Permissions at the destination only

    Below you can find the mandatory AO at the source.

    • UseApplicationPermission=1

OneDrive and SharePoint Migrations

For OneDrive and SharePoint Migrations, you can use a user without admin rights for the source. Keep in mind that the account must still be a Site Collection admin of the SharePoint site or OneDrive, and you have to use delegated permissions for the source. To use this option, add the following advanced option in addition to the ones used for a delegated app at the source tenant.

Please keep in mind that this option may still result in errors that could require you to use a SharePoint Admin instead for the source tenant and it is highly recommended you test this option in your environment before using it for your primary migration.

  • ForceOneDriveNonGlobalAdminAuthExport=1

GCC High Migrations

If you are migrating to/from a GCC High tenant (SharePoint, OneDrive, or Teams), you will also need to add these advanced options.

  • If the source is GCC High - OneDriveProExportEnvironment=AzureUSGovernment
  • If the destination is GCC High - OneDriveProImportEnvironment=AzureUSGovernment

Teams Migrations

You should add the following advanced options for Teams migrations when using a Global Admin or SharePoint Admin along with the delegated app.

  • Delegated Permissions at the source and destination

    Below you can find the mandatory AO at the source and destination.

    • UseDelegatePermission=1
  • Delegated Permissions at the source only

    Below you can find the mandatory AO at the source.

    • UseDelegatePermission=1
  • Delegated Permissions at the destination only

    Below you can find the mandatory AO, using Full Control permissions at the source.

    • UseDelegatePermission=1
    • UseApplicationPermissionAtSource=1

Teams Migrations

For Teams Migrations, you can use a user without admin rights for the source. Keep in mind that the account must still be the owner of the source Team, the owner of the Team's Private Channels, and the owner or Site Collection Admin of the SharePoint site associated with the Team. To use this option, add the following advanced option in addition to the ones used for a delegated app at the source tenant.

Please keep in mind that this option may still result in errors that could require you to use a Teams Admin instead for the source tenant and it is highly recommended you test this option in your environment before using it for your primary migration.

  • TeamsSkipAdminCheck=1

Post Migration Steps

Remove the BitTitan Enterprise app by performing the following steps:

  1. Launch PowerShell.
  2. Ensure that you have the Azure PowerShell Module installed.
  3. Connect PowerShell to Microsoft 365.
  4. Enter the command:

    Connect-AzureAD

  5. Enter the admin credential in the prompt.
  6. Enter the command:

    Get-AzureADServicePrincipal -SearchString Migration

  7. Look for the ObjectId of the app you want to remove and enter the following command:

    Remove-AzureADServicePrincipal -ObjectId <the object id>
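The following PowerShell function is an added example, not part of the BitTitan article: it wraps steps 6 and 7 so that every service principal matching the search string is listed together with the delegated (OAuth2) scopes consented to it, and each one is only removed after you confirm it by name and ObjectId. It assumes the AzureAD module is installed and `Connect-AzureAD` has already been run as a Global Admin; the function name and the `-Remove` switch are this example's own.

```powershell
# Added example (not from the BitTitan article). Assumes an AzureAD module session
# already opened with Connect-AzureAD as a Global Admin.
function Remove-MigrationServicePrincipal {
    [CmdletBinding()]
    param(
        [string]$SearchString = 'Migration',   # same search term the article uses
        [switch]$Remove                        # omit the switch for a report-only run
    )

    $principals = Get-AzureADServicePrincipal -SearchString $SearchString
    if (-not $principals) {
        Write-Host "No service principal matching '$SearchString' was found."
        return
    }

    foreach ($sp in $principals) {
        Write-Host "DisplayName : $($sp.DisplayName)"
        Write-Host "ObjectId    : $($sp.ObjectId)"
        Write-Host "AppId       : $($sp.AppId)"

        # Delegated grants record the scopes that were consented for this app;
        # reviewing them confirms you are about to remove the migration app and
        # shows exactly what access disappears with it.
        $grants = Get-AzureADServicePrincipalOAuth2PermissionGrant -ObjectId $sp.ObjectId
        foreach ($g in $grants) {
            Write-Host "  Grant: ConsentType=$($g.ConsentType) Scope=$($g.Scope)"
        }

        if ($Remove) {
            # A search string can match more than one app, so confirm each removal.
            $answer = Read-Host "Remove '$($sp.DisplayName)' ($($sp.ObjectId))? [y/N]"
            if ($answer -eq 'y') {
                Remove-AzureADServicePrincipal -ObjectId $sp.ObjectId
                Write-Host "  Removed."
            } else {
                Write-Host "  Skipped."
            }
        }
    }
}

# Report first, then rerun with -Remove once the right app has been identified:
Remove-MigrationServicePrincipal
# Remove-MigrationServicePrincipal -Remove
```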
