Using Delegated Permissions for OneDrive, SharePoint, and Teams migrations

BitTitan uses application permissions for SharePoint, OneDrive for Business, Microsoft 365 Groups (Documents) migrations, and Teams migrations. This provides greater security and reduces the likelihood of throttling by Microsoft. It replaces the previous Microsoft 365 authentication, which has been subject to increased throttling by Microsoft. However, you may sometimes want to use delegated permissions in order to better limit the access granted to your tenant.

Delegated permissions can be used on the source, the destination, or both tenants in a migration. However, you will not use delegated permissions AND application permissions within the same tenant.

For the Teams Delegated App, the account being used as administrator should have a license assigned in the tenant with Teams active.

For the SharePoint/OneDrive Delegated App, the account being used as administrator should have a license assigned in the tenant with SharePoint/OneDrive active.

Add the App to the tenant

Visit the following URL and sign in as the administrator user:

For Teams migrations

For Teams Government migrations

For SharePoint and/or OneDrive migrations

For SharePoint and/or OneDrive Government migrations

Do this for both Source and Destination tenants (as needed).  When authorizing the app, you will see something similar to the below screenshot.  You can expand the permissions to see exactly what is being granted for the application.

[Screenshot: Add_App_2.png]

[Screenshot: Delegated_App_permissions.png]

Create Service account and add permissions

You will need a service account that you will use for the migration. It is preferable that this be a Global Admin account, but this is not required. This account will need to have MFA disabled and will need to be exempt from any conditional access policies which may prevent access to the environment.

Once created, this account will need the following:

  • An Office 365 license
  • Site Collection Permissions for each OneDrive and/or SharePoint site that you want to migrate.  MigrationWiz will only be able to have access to OneDrive or Sites which the service account has site collection rights for.  No other sites will be visible to MigrationWiz.
  • Ownership of any Team that you want to migrate
  • Owner status on any private channel that you want to migrate.  This is needed even if the account is an owner of the Team itself.

Add Advanced Options to your project

You will need to add Advanced Options to your project in order to tell MigrationWiz that you are using delegated permissions for your migration.  Depending on whether you are using delegated permissions on the source, destination, or both tenants you will need different options.

To use delegated permissions on source and application permissions on destination

  • UseDelegatePermission=1

  • UseApplicationPermissionAtDestination=1

To use delegated permissions on the destination and application permissions on the source

  • UseDelegatePermission=1

  • UseApplicationPermissionAtSource=1

To use delegated permissions on both the source and destination environment

  • UseDelegatePermission=1

Additionally, if you are not using a Global Admin for the migration, you will need to add the following options to your project.  Note that the first is only needed for OneDrive migrations and the second only for Teams.

  • ForceOneDriveNonGlobalAdminAuthExport=1 

  • TeamsSkipAdminCheck=1

If you are migrating to/from a GCC High tenant, you will also need these options:

  • OneDriveProExportEnvironment=AzureUSGovernment
    If the source is GCC High

  • OneDriveProImportEnvironment=AzureUSGovernment
    If the destination is GCC High

Post Migration Steps

To remove the BitTitan Enterprise app, perform the following steps:

  1. Launch PowerShell.
  2. Ensure that you have the Azure PowerShell Module installed.
  3. Connect PowerShell to Microsoft 365.
  4. Enter the command:

    Connect-AzureAD

  5. Enter the admin credential in the prompt.
  6. Enter the command:

    Get-AzureADServicePrincipal -SearchString Migration

  7. Look for the ObjectId of the app you want to remove and enter the following command:

    Remove-AzureADServicePrincipal -objectId <the object id>
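
The removal steps above as a single script, extended to list the delegated scopes granted to each matching app before anything is deleted. This is an added example, not BitTitan's own code; the function names Get-MigrationAppGrant and Remove-MigrationApp are hypothetical, and the cmdlets come from the AzureAD module.

```powershell
# Added example, not BitTitan's own script. Requires the AzureAD module;
# run Connect-AzureAD first (steps 3-5 above).
function Get-MigrationAppGrant {
    # Lists each matching enterprise app with its delegated (OAuth2) grants.
    param([string]$SearchString = 'Migration')  # search string from step 6

    $allGrants = Get-AzureADOAuth2PermissionGrant -All $true
    foreach ($sp in Get-AzureADServicePrincipal -SearchString $SearchString) {
        $grants = @($allGrants | Where-Object { $_.ClientId -eq $sp.ObjectId })
        if ($grants.Count -eq 0) {
            # App is present but has no delegated grants recorded.
            [pscustomobject]@{ DisplayName = $sp.DisplayName; ObjectId = $sp.ObjectId
                               Resource = $null; ConsentType = $null; Scope = $null }
            continue
        }
        foreach ($g in $grants) {
            # Resolve the API (resource) that the granted scopes apply to.
            $resource = Get-AzureADServicePrincipal -ObjectId $g.ResourceId
            [pscustomobject]@{
                DisplayName = $sp.DisplayName
                ObjectId    = $sp.ObjectId
                Resource    = $resource.DisplayName
                ConsentType = $g.ConsentType        # AllPrincipals = tenant-wide consent
                Scope       = "$($g.Scope)".Trim()  # space-separated delegated scopes
            }
        }
    }
}

function Remove-MigrationApp {
    # Removes one service principal by ObjectId; supports -WhatIf and -Confirm.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string]$ObjectId)

    $sp = Get-AzureADServicePrincipal -ObjectId $ObjectId
    if ($PSCmdlet.ShouldProcess("$($sp.DisplayName) ($ObjectId)", 'Remove service principal')) {
        Remove-AzureADServicePrincipal -ObjectId $ObjectId
    }
}

# Review what was granted, then remove the app you identified in step 7.
Get-MigrationAppGrant | Format-Table -AutoSize
# Remove-MigrationApp -ObjectId '<the object id>'
```

The search string can match service principals unrelated to the migration, so confirm the DisplayName and ObjectId in the listing before uncommenting the last line.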
