MigrationWiz - Credentials & Authentication - FAQ

This article provides instructions for testing mailbox access, verifying credentials, and requesting credentials, and answers common questions about credentials and authentication. 

Credentials 

MigrationWiz will accept two forms of credentials, which are outlined below.  

  1. Administrative Credentials: You can configure a single set of administrative credentials to access all mailboxes. This is configured at the project level and will apply to all line items (mailboxes) within that specific project. 
  1. End User Credentials: We accept end user credentials to be configured on each individual mailbox configuration. 

Creating an Administrator Account for Login

This article provides detailed steps to create an administrator account for the services listed below. Click a link to jump to the steps for that service. 

Any user account that is a part of the domain administrator, schema administrator, or enterprise administrator groups will not have any administrative rights to mailboxes no matter how many permissions are granted. A security default of Exchange Server is to explicitly deny any user that is a member of these groups. This is why we recommend creating a new user account specific for migration. This does not apply to Exchange Online (Office 365). 

If the Hosted Exchange provider does not provide administrative credentials, or rather the admin account does not have sufficient permissions to log in to user mailboxes, click here. 

Once this administrator account has been created, then you can test access to the mailboxes.

 

Exchange 2003 

To create an account, perform the following from the Exchange Server 2003 machine: 

  1. Open the Active Directory Users and Computers snap-in. 
  2. Navigate to the organizational unit (OU) in which the administrative account will be created. 
  3. Right-click on the OU and select New > User. 
  4. Enter "MigrationWiz" as the first name. 
  5. Enter "MigrationWiz" as the user login name, and optionally select a user principal name (UPN) domain. 
  6. Click Next. 
  7. Enter a password and confirm the password. 
  8. Uncheck User must change password at next login. 
  9. Click Next. 
  10. Click Next to assign a mailbox. 
  11. Click Finish. 
  12. Right-click on the MigrationWiz user in the Active Directory Users and Computers snap-in, and select Properties. 
  13. Click on the Exchange Advanced tab. 
  14. Click Hide from Exchange address lists. 
  15. Click OK. 

To grant the account access, perform the following from the Exchange Server 2003 machine: 

  1. Open the Exchange System Manager snap-in. 
  2. Expand the Servers node. 
    Note: In some Exchange System Manager consoles, the Servers node may be under Administrative Groups. 
  3. Right-click on the server that administrative access will be granted access to, and select Properties. 
  4. Click on the Security tab. 
  5. Click on Add. 
  6. Enter "MigrationWiz". 
  7. Click on OK. 
  8. Ensure Allow Send As is selected. 
  9. Ensure Allow Receive As is selected. 
  10. Click on OK. 
  11. Repeat from Step 3 until permissions have been set on each mailbox server (if there is more than one). 

Exchange 2007 

If the Hosted Exchange provider does not provide administrative credentials, or rather the admin account does not have sufficient permissions to log in to user mailboxes, click here. 

To create an account, perform the following from the Exchange Server 2007 machine: 

  1. Open the Exchange Management Console. 
  2. Expand Recipient Configuration node. 
  3. Right click on Mailbox node. 
  4. Click New Mailbox. 
  5. Click Next. 
  6. Click Next again. 
  7. Enter "MigrationWiz" as the first name. 
  8. Enter "MigrationWiz" as the user login name and optionally select a user principal name (UPN) domain. 
  9. Enter a password and confirm the password. 
  10. Click Next. 
  11. Click Browse to select a Mailbox database. 
  12. Click Next. 
  13. Click New. 
  14. Click Finish. 

To grant the account access, perform the following from the Exchange Server 2007 machine: 

  1. Open the Exchange Management Shell. 
  2. Enter the following command: 

Get-Mailbox -server <server> -ResultSize Unlimited | Add-MailboxPermission -AccessRights FullAccess -User MigrationWiz 

 

The command needs to be applied each time a new mailbox is created since permissions are set directly on each mailbox. The administrative account will not have access until the permissions are applied. 

In the script above, the username "MigrationWiz" should be replaced with the name of the administrative account that was set up by following the instructions in this article. 

This username is the Administrative Username that needs to be entered under the project's Source or Destination settings, within MigrationWiz, when checking the box labeled Use Administrative Login. 

Any user account that is a part of the domain administrator, schema administrator, or enterprise administrator groups will not have any administrative rights to mailboxes, no matter how many permissions are granted. A security default of Exchange Server is to explicitly deny any user that is a member of these groups. This is why we recommend creating a new user account specific for migration. 

 

Exchange 2010 

 If your Hosted Exchange provider does not provide administrative credentials, or rather if the admin account does not have sufficient permissions to log in to user mailboxes, click here. 

Preferred: To create an account with Impersonation Rights.

Delegation: Although this method is not recommended, you may also use delegation. To create an account with delegation, perform the following from the Exchange Server 2010 machine: 

  1. Open the Exchange Management Console. 
  2. Expand Recipient Configuration node. 
  3. Right-click on the Mailbox node. 
  4. Click New Mailbox. 
  5. Click Next. 
  6. Click Next again. 
  7. Enter "MigrationWiz" as the first name. 
  8. Enter "MigrationWiz" as the user login name and optionally select a user principal name (UPN) domain. 
  9. Enter a password and confirm the password. 
  10. Click Next. 
  11. Click Browse to select a Mailbox database. 
  12. Click Next. 
  13. Click New. 
  14. Click Finish. 

To grant the account access, perform the following from the Exchange Server 2010 machine: 

  1. Open the Exchange Management Shell. 
  2. Enter the following command: 

Get-Mailbox -ResultSize Unlimited | Add-MailboxPermission -AccessRights FullAccess -User MigrationWiz 

The command needs to be applied each time a new mailbox is created since permissions are set directly on each mailbox. The administrative account will not have access until the permissions are applied. 

In the script above, the username "MigrationWiz" should be replaced with the name of the administrative account that was set up by following the instructions in this article. 

This username is the Administrative Username that needs to be entered under the project's Source or Destination settings, within MigrationWiz, when checking the box labeled Use Administrative Login. 

Any user account that is a part of the domain administrator, schema administrator, or enterprise administrator groups will not have any administrative rights to mailboxes, no matter how many permissions are granted. A security default of Exchange Server is to explicitly deny any user that is a member of these group. This is why we recommend creating a new user account specific for migration. 

Office 365 

Use Impersonation and Modern Authentication.

Zimbra 

Zimbra installation comes with an administrator account, which is admin@domain.com. 

To create an extra one, or to turn an existing account into an administrator, follow these instructions. 

 

Testing Mailbox Access for Migration 

In addition to all the specific steps detailed below, Microsoft provides a very useful tool too: Microsoft Remote Connectivity Tool. 

Exchange Server 2003 

To test mailbox access on the Exchange Server 2003, perform the following: 

  1. Open the browser to https://mail.example.com/exchange 
    1. Ideally, we recommend opening this URL from a non-domain-joined machine on a different network than the Exchange Server. 
    2. com is the DNS name of the OWA server. 
  2. When prompted for credentials, enter the username and password of the account to be used to access the mailbox. 
    1. This can be either the credentials of the end user mailbox itself or administrative credentials.
    2. To migrate using administrative credentials, enter administrative credentials into OWA. 
    3. The Inbox of the end user's mailbox or administrator's mailbox should be visible once logged in. 
  3. If using administrative credentials, change the URL to https://mail.example.com/exchange/user@example.com
    1. user@example.com is the primary SMTP address of the mailbox being accessed. 
    2. The result is that the Inbox of the mailbox user@example.com should be visible. 

Exchange Server 2007+ 

​To test mailbox access on Exchange Server 2007+, perform the following: 

  1. Open the browser to https://mail.example.com/owa 
    1. Ideally, we recommend opening this URL from a non-domain-joined machine on a different network than the Exchange Server. 
    2. example.com is the DNS name of the OWA server. 
  2. When prompted for credentials, enter the username and password of the account to be used to access the mailbox. 
    1. This can be either the credentials of the end user mailbox itself or administrative credentials.
    2. If you want to migrate using administrative credentials, enter administrative credentials into OWA.
    3. The Inbox of the end user's mailbox or administrator's mailbox should be visible once logged in. 
  3. If using administrative credentials, confirm that they have sufficient permissions to log in to the end users' mailboxes: 
    1. Click on the name in the top right corner. 
    2. Click on Open mailbox. 
    3. Enter the primary SMTP address of the mailbox being accessed. 
    4. Click on Open. 
    5. Make sure it is possible to view the Inbox of the end user's mailbox. 
    6. If it fails: 
    7. Make sure the email address is resolved to an end user by clicking on the Check Names button when composing a new message. 
  4. Grant permissions to the administrative account​ 

​Microsoft Office 365 

Use Microsoft's access test tool

IMAP Server​​ 

Please use this third-party tool to test the IMAP mailbox credentials: https://pingability.com/mailtest.jsp. 

Verifying Credentials 

You may verify the credentials configured on your MigrationWiz projects without migrating data or consuming any licenses. 

  1. ​Sign in to your MigrationWiz account​. 
  2. Open the Project containing items you wish to validate​. 
  3. Select the items you wish to validate. 
  4. Click on the Start button in your dashboard. 
  5. Select Verify Credentials from the drop-down list. 

Once complete, the results of the verification will be shown in the Status section. 

Running a Migration without Administrative Access 

There are two ways to set up a migration in cases where you either do not have an administrator account to use or the environment does not support an administrator account. Both options are listed below with links to the steps to use for a migration project. 

Automatically requesting user credentials 

This option allows you to set up the project and tell MigrationWiz that you do not know the username or passwords for the users. MigrationWiz will then send an email to each user in the project with a link to grant access. 

Requesting Credentials 

  1. Sign in to your MigrationWiz account. 
  2. Open your Project to see its items. 
  3. Click on the name of the mailbox you wish to request credentials for. 
  4. Click on the Edit Item icon (this is the pencil icon on the far right). 
  5. Select don't know the username or password for the Source or Destination. 
  6. Click on Save Item. 

If you need to re-request credentials and don’t know the password, follow the steps above. 

If you do know the password, follow steps 1-4, then Uncheck “I don’t know the username or password to this mailbox” and enter the username and password. 

Bulk Access Request 

  1. Sign in to your MigrationWiz account. 
  2. Create a MigrationWiz mailbox migration project. When entering the Source information, do not click on the checkbox to enter admin credentials. 
  3. Click on the green bar for Bulk Add. 
  4. Click on the checkbox labeled don't know the login name and password for the Source mailboxes. 
  5. Click on the Upload 
  6. Click on the Choose File Select and upload your CSV file that contains the list of mailbox names. 
  7. Click on the Save 

After following the steps above, submit the migration. MigrationWiz will perform the following steps automatically. 

  • You submit the item for migration. 
  • Email is sent to the email address configured with a secure link to provide the credentials. 
  • The end user clicks on the provided link, which opens a secure web page. 
  • The end user provides their credentials directly to our system. 
  • The credentials are verified. 
  • The item is immediately submitted for migration. 

The status of the migration will remain as "Waiting for End User" until the end user provides their credentials to the system. 

You cannot directly delete the mailbox from your dashboard while it is in the "Waiting for End User" state. If you want to delete the mailbox, you need to select the mailbox(by clicking on the checkbox next to the username), and then click on the Stop button at the top of your dashboard. This will restore the mailbox license to your account. You can then delete the mailbox in the normal manner (by clicking on the checkbox next to the username and then clicking on the Delete Items icon at the top of your dashboard). 

 

To Resubmit Credentials 

If the user enters​ the password incorrectly, the link will no longer be available for them to enter their password again. 

To send another email to the user, you will need to: 

  1. Go back to MigrationWiz. 
  2. Select the user. 
  3. At the top of the dashboard, select  Clear Credentials. 
  4. Authenticate again. 

Manually entering user credentials 

This option is to manually enter the user credentials. The easiest way to do this is to use the Bulk Add option for adding users to your project. It is also possible to edit each user to add user logins and passwords individually. This option does require you to either gather the passwords from users or reset the user mailboxes to something that you know and control. 

MigrationWiz allows you to bulk import mailboxes into the system.

To bulk import:

  1. Sign in to your MigrationWiz account.
  2. Select the Project for which you want to perform the bulk import.
  3. Click on Add .
  4. Click on Bulk Add .
  5. Follow the instructions on the page.

The sample CSV file looks like this:

Source Email,Source Login Name,Source Password,Destination Email,Destination Login Name,Destination Password,Flags

 

Columns that are allowed within the import file:

Column Description
Source Email Primary SMTP email address of the Source mailbox. This column is required.
Source Login Name The user name used to access the Source mailbox. This column is required only if the administrative credentials are not specified. If administrative credentials are specified, this column is ignored.
Source Password The password used to access the Source mailbox. This column is required only if administrative credentials are not specified. If administrative credentials are specified, this column is ignored.
Destination Email Primary SMTP email address of the Destination mailbox. This column is required.
Destination Login Name The user name used to access the Destination mailbox. This column is required only if administrative credentials are not specified. If administrative credentials are specified, this column is ignored.
Destination Password The password used to access the Destination mailbox. This column is required only if administrative credentials are not specified. If administrative credentials are specified, this column is ignored.
Flags Optional flags to apply to the mailbox. This column is optional.

 

Mailbox Flags

This table provides a list of possible flags that may be set. Specifying a flag value of zero (0) will not enable any flags.

Column Description
0 No flags are set.
1 Send an email to the administrator (you) when migration is complete.
2 Send an email to the administrator (you) if the migration fails.
4 Send an email to the Source mailbox when migration is complete
8 Send an email to the Source mailbox if the migration fails
16 Send an email to the Destination mailbox when migration is complete
32 Send an email to the Destination mailbox if the migration fails
192 Request the user name and password from the Source mailbox
768 Request the user name and password from the Destination mailbox
1024 Do not search Destination for duplicates
2048 Remigrate previously successful items
4096 Do not migrate calendars.
8192 Do not migrate contacts.
16384 Do not migrate mail.
262144 Do not migrate journals.
524288 Do not migrate notes.
1048576 Do not migrate tasks.
2097152 Remigrate previously failed items.
4194304 Do not retry errors.
8388608 Log subjects of failed items​

Add the flag values together to enable multiple items. For example, to enable the following:

  1. Send an email to the administrator (you) when migration is complete;
  2. Send an email to the administrator (you) if the migration fails; and
  3. Remigrate previously failed items​​

The only columns required in the Bulk Add CSV are the Source Email and Destination Email. For adding user credentials, you will only need to include the Login Name and Password for the environment that you will not be using an administrator account for. This may be just the Source or just the destination, or both. 

Individually add users

To add user logins and passwords individually follow these steps: 

  1. Open your Project to see the list of items to be migrated. 
  2. For each account that you wish to edit, click on the Edit Items button (the pencil icon on the far-right side of the screen). 
  3. Add the user login and password for the environments that need them. This may be the Source or the Destination or both. 
  4. Click on Save Items. 

Removing Administrative Access After Migration 

To automatically remove administrative access after migration is complete, perform these steps (no licenses will be used): 

  1. Edit your Project and click on Advanced Options. 
  2. Click on Show Advanced Options. 
  3. In Support Only Options, set RevokeAdminPermissions=1. 
  4. Select mailboxes from which you want to revoke permissions. 
  5. Click on Start. 
  6. Select Verify Credentials. 
  7. Click on Start. 

Do not remove the permissions until the migration is complete. If this is done during the migration process, the migration will fail and not all items will be migrated over to the new mailbox. 

 

Two-Factor & Multifactor Authentication 

MigrationWiz will not work directly with any account that is set up to use two-factor or multi-factor authentication. However, a workaround for migration is to migrate using an admin account that is set up without the extra authentication requirements. 

  • When creating your MigrationWiz Mailbox project, enter the credentials for this admin account under Use Administrator Login. 
  • This account needs to be set up with full access permissions to each mailbox. 
  • Add your user mailboxes in the normal manner. 

DeploymentPro will not work when two-factor or multi-factor authentication is in place. We advise disabling two-factor or multi-factor authentication during profile configuration. If disabling MFA is not a viable option, please contact Support.

 

Modern Authentication

BitTitan now supports Modern Authentication for Office 365 endpoints used for Mailbox migrations. Modern Authentication provides a more secure authentication mechanism for registered applications to connect to Azure Active Directory and Office 365. 

The Autodiscovery of items option will not work with Modern Authentication in place.

Prerequisites

  • A Global Administrator account with access to Azure Active Directory.
  • MigrationWiz® Mailbox project(s) created and ready for configuration.
  • The application will require administrator consent
  • For OneDrive/SharePoint migrations: The Administrator account will require access to legacy authentication in order to retrieve the Site URL. For this reason, the administrator account will need to be excluded from any baseline security policies, or have Conditional Access granted using a Conditional Access Policy
    Important note: The Administrator account will need to be added to the Exclude option.

Process

  1. Log in to the Azure AD admin console with a Global Administrator login.
  2. Select Azure Active Directory in the Azure Active Directory Admin Center.
  3. Select App Registrations, which is found under Manage.
  4. Select New Registration at the top of the screen.
  5. Give the app a distinct name. You can change this later if necessary.
  6. Select the Accounts in any organizational directory button.
  7. Under Redirect Uri, select Public Client (mobile & desktop) and set it to urn:ietf:wg:oauth:2.0:oob
  8. Click Register.
  9. Go back to App registrations.
  10. Select the App you just created.
  11. In the Overview, you will find a ClientId (aka Application) and Directory (Tenant) ID.
  12. Copy both of these to another application, such as Notepad, for use later in this process.
  13. Under the Manage menu, select Authentication.
  14. Set the option Treat application as a public client to Yes. This does not open public access; it indicates that the client is not capable of protecting the Open Authorization client secrets. A different authentication mechanism will be needed.
  15. Click Save.
  16. From the Manage menu, select API permissions.
  17. Select Add a Permission.
  18. Select Exchange from Supported Legacy APIs.
  19. When asked “What type of permissions does your application require?” click Delegated permissions.
  20. Check the box under EWS for EWS.AccessAsUser.All.
  21. Click Add permissions. This permission only allows the OAuth application (MigrationWiz) to be associated with EWS. This does not grant access to all mailbox data.
  22. Click Grant admin consent.
  23. Click Yes to confirm the settings.
  24. In MigrationWiz, select the project that needs to be configured for Modern Authentication.
  25. Click the Edit Project menu.
  26. Select Advanced Options.
  27. Under Support Options enter the ClientID and TenantID information you saved earlier in the following format:
    • If enabling Modern Authentication for the Source:
      • ModernAuthClientIdExport=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
      • ModernAuthTenantIdExport=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    • If enabling Modern Authentication for the Destination:
      • ModernAuthClientIdImport=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
      • ModernAuthTenantIdImport=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 
        • Enter the specific ClientID and TenantID for your tenant in place of the xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.
        • These options can be entered for either the Source or the Destination, or both, depending on the settings on the tenants.
        • These options need to be configured for each MigrationWiz project that needs to have Modern Authentication enabled.

  28. Run a Verify Credentials to confirm that MigrationWiz can connect using Modern Authentication. 
  29. Click on the item that was verified. There will be a message in the MigrationWiz Migration Information page that Modern Authentication is being used. This message will show in the “Migration Errors” box; however, it is not an error. This is just a message confirming that Modern Authentication is now active and being used for connection.
Was this article helpful?
0 out of 1 found this helpful