The topic of account credentials and access permissions is central to migrations. For example, to migrate large numbers of mailboxes, the migration engine must access each selected mailbox for the migration on the source. When migrating hundreds, or even thousands of mailboxes, manually providing individual credentials is impractical.
The solution is creating an administrative account for the migration, which then uses techniques such as impersonation or delegation to apply a common set of credentials for all the migrating accounts.
The exact technique for achieving this varies with the Source and Destination endpoints. Different systems provide different opportunities and constraints. Each of our BitTitan migration guides is Endpoint-specific and guides how best to accomplish your migration goals for the desired Endpoints.
You may verify the credentials of items in MigrationWiz without migrating data or consuming any licenses.
This article provides instructions for testing mailbox access, verifying credentials, and requesting credentials, besides answers to common questions about credentials and authentication.
Credentials
MigrationWiz will accept two credential types, which are outlined below.
- Administrative Credentials: You can configure a single set of administrative credentials to access all mailboxes. This is configured at the project level and will apply to all line items (mailboxes) within that specific project.
- End User Credentials: We accept end-user credentials to be configured on each mailbox configuration.
Creating an Administrator Account for Login
This article provides detailed steps to create an administrator account for the services listed below.
Any user account that is a part of the domain administrator, schema administrator, or enterprise administrator groups will not have any administrative rights to mailboxes no matter how many permissions are granted. A security default of Exchange Server is to explicitly deny any user that is a member of these groups. This is why we recommend creating a new user account specific for migration. This does not apply to Exchange Online (Office 365).
If the Hosted Exchange provider does not provide administrative credentials, or the admin account does not have sufficient permissions to log in to user mailboxes, see below.
Once this administrator account has been created, then you can test access to the mailboxes.
Exchange 2003
To create an account, perform the following from the Exchange Server 2003 machine:
- Open the Active Directory Users and Computers snap-in.
- Navigate to the organizational unit (OU) in which the administrative account will be created.
- Right-click on the OU and select New > User.
- Enter "MigrationWiz" as the first name.
- Enter "MigrationWiz" as the user login name, and optionally select a user principal name (UPN) domain.
- Click Next.
- Enter a password and confirm the password.
- Uncheck User must change password at next login.
- Click Next.
- Click Next to assign a mailbox.
- Click Finish.
- Right-click on the MigrationWiz user in the Active Directory Users and Computers snap-in, and select Properties.
- Click on the Exchange Advanced tab.
- Click Hide from Exchange address lists.
- Click OK.
To grant the account access, perform the following from the Exchange Server 2003 machine:
- Open the Exchange System Manager snap-in.
- Expand the Server node.
Important
In some Exchange System Manager consoles, the Server node may be under Administrative Groups. - Right-click on the server that administrative access will be granted access to, and select Properties.
- Click on the Security tab.
- Click on Add.
- Enter "MigrationWiz".
- Click on OK.
- Ensure Allow Send As is selected.
- Ensure Allow Receive As is selected.
- Click on OK.
- Repeat Step 3 until permissions have been set on each mailbox server (if there is more than one).
Exchange 2007
If the Hosted Exchange provider does not provide administrative credentials, or rather the admin account does not have sufficient permissions to log in to user mailboxes, click here.
To create an account, perform the following from the Exchange Server 2007 machine:
- Open the Exchange Management Console.
- Expand Recipient Configuration node.
- Right-click on the Mailbox node.
- Click New Mailbox.
- Click Next.
- Click Next again.
- Enter "MigrationWiz" as the first name.
- Enter "MigrationWiz" as the user login name and optionally select a user principal name (UPN) domain.
- Enter a password and confirm the password.
- Click Next.
- Click Browse to select a Mailbox database.
- Click Next.
- Click New.
- Click Finish.
To grant the account access, perform the following from the Exchange Server 2007 machine:
- Open the Exchange Management Shell.
- Enter the following command:
Get-Mailbox -server <server> -ResultSize Unlimited | Add-MailboxPermission -AccessRights FullAccess -User MigrationWiz
The command must be applied each time a new mailbox is created since permissions are set directly on each mailbox. The administrative account will not have access until the permissions are applied.
In the script above, the username "MigrationWiz" should be replaced with the name of the administrative account that was set up by following the instructions in this article.
This username is the Administrative Username that needs to be entered under the project's Source or Destination settings, within MigrationWiz, when checking the box labeled Use Administrative Login.
Any user account that is a part of the domain administrator, schema administrator, or enterprise administrator groups will not have any administrative rights to mailboxes, no matter how many permissions are granted. A security default of Exchange Server is to explicitly deny any user that is a member of these groups. This is why we recommend creating a new user account specific for migration.
Exchange 2010
If your Hosted Exchange provider does not provide administrative credentials, or rather if the admin account does not have sufficient permissions to log in to user mailboxes, click here.
Preferred: To create an account with Impersonation Rights.
Delegation: Although this method is not recommended, you may also use delegation. To create an account with delegation, perform the following from the Exchange Server 2010 machine:
- Open the Exchange Management Console.
- Expand Recipient Configuration node.
- Right-click on the Mailbox node.
- Click New Mailbox.
- Click Next.
- Click Next again.
- Enter "MigrationWiz" as the first name.
- Enter "MigrationWiz" as the user login name and optionally select a user principal name (UPN) domain.
- Enter a password and confirm the password.
- Click Next.
- Click Browse to select a Mailbox database.
- Click Next.
- Click New.
- Click Finish.
To grant the account access, perform the following from the Exchange Server 2010 machine:
- Open the Exchange Management Shell.
- Enter the following command:
Get-Mailbox -ResultSize Unlimited | Add-MailboxPermission -AccessRights FullAccess -User MigrationWiz
The command must be applied each time a new mailbox is created since permissions are set directly on each mailbox. The administrative account will not have access until the permissions are applied.
In the script above, the username "MigrationWiz" should be replaced with the name of the administrative account that was set up by following the instructions in this article.
This username is the Administrative Username that needs to be entered under the project's Source or Destination settings, within MigrationWiz, when checking the box labeled Use Administrative Login.
Any user account that is a part of the domain administrator, schema administrator, or enterprise administrator groups will not have any administrative rights to mailboxes, no matter how many permissions are granted. A security default of Exchange Server is to explicitly deny any user that is a member of these groups. This is why we recommend creating a new user account specific for migration.
Office 365
Use Impersonation and Modern Authentication.
Zimbra
Zimbra installation comes with an administrator account, which is admin@domain.com.
To create an extra one, or to turn an existing account into an administrator, follow these instructions.
Testing Mailbox Access for Migration
In addition to all the specific steps detailed below, Microsoft provides a very useful tool too: Microsoft Remote Connectivity Tool.
Exchange Server 2003
To test mailbox access on the Exchange Server 2003, perform the following:
- Open the browser to https://mail.example.com/exchange
- Ideally, we recommend opening this URL from a non-domain-joined machine on a different network than the Exchange Server.
- com is the DNS name of the OWA server.
- When prompted for credentials, enter the username and password of the account to be used to access the mailbox.
- This can be either the credentials of the end user mailbox itself or administrative credentials.
- To migrate using administrative credentials, enter administrative credentials into OWA.
- The Inbox of the end user's mailbox or administrator's mailbox should be visible once logged in.
-
If using administrative credentials, change the URL to https://mail.example.com/exchange/user@example.com
- user@example.com is the primary SMTP address of the mailbox being accessed.
- The result is that the Inbox of the mailbox user@example.com should be visible.
Exchange Server 2007+
To test mailbox access on Exchange Server 2007+, perform the following:
- Open the browser to https://mail.example.com/owa
- Ideally, we recommend opening this URL from a non-domain-joined machine on a different network than the Exchange Server.
- example.com is the DNS name of the OWA server.
- When prompted for credentials, enter the username and password of the account to be used to access the mailbox.
- This can be either the credentials of the end user mailbox itself or administrative credentials.
- If you want to migrate using administrative credentials, enter administrative credentials into OWA.
- The Inbox of the end user's mailbox or administrator's mailbox should be visible once logged in.
- If using administrative credentials, confirm that they have sufficient permissions to log in to the end users' mailboxes:
- Click on the name in the top right corner.
- Click on Open mailbox.
- Enter the primary SMTP address of the mailbox being accessed.
- Click on Open.
- Make sure it is possible to view the Inbox of the end user's mailbox.
- If it fails:
- Make sure the email address is resolved to an end user by clicking on the Check Names button when composing a new message.
- Grant permissions to the administrative account
Microsoft Office 365
Use Microsoft's access test tool.
IMAP Server
Please use this third-party tool to test the IMAP mailbox credentials: https://pingability.com/mailtest.jsp.
Verifying Credentials
You may verify the credentials configured on your MigrationWiz projects without migrating data or consuming any licenses.
- Sign in to your MigrationWiz account.
- Open the Project containing items you wish to validate.
- Select the items you wish to validate.
- Click on the Start button in your dashboard.
- Select Verify Credentials from the drop-down list.
Once complete, the verification results will be shown in the Status section.
Running a Migration without Administrative Access
There are two ways to set up a migration in cases where you either do not have an administrator account to use or the environment does not support an administrator account. Both options are listed below with links to the steps to use for a migration project.
Important
For Exchange Online mailbox, archive mailbox, and public folder endpoints, additional required Modern Authentication steps must be performed in the tenant before end-user credentials can be used to migrate. A global administrator will be needed to perform the configuration steps in the tenant. Instructions can be found in the following KB under Enabling Modern Authentication for EWS between MigrationWiz and your Exchange Online Tenant.Authentication Methods for Microsoft 365 (All Products) Migrations
Automatically Requesting User Credentials
This option allows you to set up the project and tell MigrationWiz that you do not know the username or passwords of the users. MigrationWiz will then send an email to each user in the project with a link to grant access.
Warning
This option is only supported when the connectors are one of the following: Exchange Server 2003+, GroupWise 7+, IMAP, Microsoft 365, and Zimbra 6+.Requesting Credentials
- Sign in to your MigrationWiz account.
- Open your Project to see its items.
- Click on the name of the mailbox you wish to request credentials for.
- Click on the Edit Item icon (this is the pencil icon on the far right).
- Select I don't know the username or password for the Source or Destination.
- Click on Save Item.
If you need to re-request credentials and don’t know the password, follow the steps above.
If you do know the password, follow steps 1-4, then Uncheck “I don’t know the username or password to this mailbox” and enter the username and password.
Bulk Access Request
- Sign in to your MigrationWiz account.
- Create a MigrationWiz mailbox migration project. When entering the Source information, do not click on the checkbox to enter admin credentials.
- Click on the green bar for Bulk Add.
- Click on the checkbox labeled I don't know the login name and password for the Source mailboxes.
- Click on the Upload
- Click on the Choose File Select and upload your CSV file that contains the list of mailbox names.
- Click on the Save
After following the steps above, submit the migration. MigrationWiz will perform the following steps automatically.
- You submit the item for migration.
- Email is sent to the email address configured with a secure link to provide the credentials.
- The end user clicks on the provided link, which opens a secure web page.
- The end user provides their credentials directly to our system.
- The credentials are verified.
- The item is immediately submitted for migration.
The status of the migration will remain as "Waiting for End User" until the end user provides their credentials to the system.
You cannot directly delete the mailbox from your dashboard while it is in the "Waiting for End User" state. If you want to delete the mailbox, you must select the mailbox (by clicking on the checkbox next to the username), and then click on the Stop button at the top of your dashboard. This will restore the mailbox license to your account. You can then delete the mailbox in the normal manner (by clicking on the checkbox next to the username and then clicking on the Delete Items icon at the top of your dashboard).
If the status is "Waiting for User":
Option 1: Have the mailbox user enter their credentials to begin the migration from the original email that was sent to them
Ask the mailbox user to find the original email and follow the instructions in the email. The subject of this email will be: "ACTION REQUIRED: Information required for your migration". This will contain a link to click on, which will then open up a secured access form in which the mailbox user can securely enter their credentials in order to begin their migration.
Option 2: Resend the email requesting credentials to the mailbox user
To have the email requesting credentials to be resent to the user, while the status shows: "Waiting for User" follow these directions:
- Select the mailbox (by clicking the checkbox next to the username).
- Click on the Stop button at the top of the dashboard.
- Click on the Clear Credentials icon at the top of the dashboard.
- Click on the checkbox for Clear Source Credentials or Clear Destination Credentials (depending on the reason for migration failure).
- Click on the Clear Credentials button.
- Select the mailbox and start the migration again. Another email will then be sent to the mailbox user, requesting their credentials. The mailbox user will then need to open this new email and follow the instructions in the email.
Option 3. Delete the mailbox user from the MigrationWiz dashboard.
Care should be taken before deleting any users from the MigrationWiz dashboard. If any prior migration passes have been made for the user, then, at the time that the user is deleted from the dashboard, the migration statistics will be deleted. This will not, however, remove the migrated items from the Destination mailbox.
If you delete the mailbox user, you will also be deleting any licenses that have been consumed by that user in any previous mailbox migration passes.
It is not possible to directly delete the mailbox from the dashboard while it is in the state: "Waiting for User".
To delete the mailbox, follow these directions:
- Select the mailbox (by clicking on the checkbox next to the username).
- Click on the Stop button at the top of the dashboard. This will restore the mailbox license to the account.
- Select the mailbox (by clicking on the checkbox next to the username).
- Click on the Delete Items icon at the top of the dashboard.
If the user enters invalid credentials in the secured access form, the status will change from "Waiting for User" to Failed. Click on Failed to see if the Source or Destination credentials are incorrect. In order to resubmit the migration with the correct credentials, follow these directions:
- Select the mailbox (by clicking on the checkbox next to the username).
- Click on the Clear Credentials icon at the top of the dashboard.
- Click on the checkbox for Clear Source Credentials or Clear Destination Credentials (depending on the reason for migration failure).
- Click on the Clear Credentials button.
- Select the mailbox and start the migration again. Another email will then be sent to the mailbox user, requesting their credentials. The mailbox user will then need to open this new email and follow the instructions in the email.
To Resubmit Credentials
If the user enters the password incorrectly, the link will no longer be available for them to enter their password again.
To send another email to the user, you will need to:
- Go back to MigrationWiz.
- Select the user.
- At the top of the dashboard, select Clear Credentials.
- Authenticate again.
Manually entering user credentials
This option is to manually enter the user credentials. The easiest way to do this is to use the Bulk Add option for adding users to your project. It is also possible to edit each user to add user logins and passwords individually. This option does require you to either gather the passwords from users or reset the user mailboxes to something that you know and control.
MigrationWiz allows you to bulk import mailboxes into the system.
To bulk import:
- Sign in to your MigrationWiz account.
- Select the Project for which you want to perform the bulk import.
- Click on Add .
- Click on Bulk Add .
- Follow the instructions on the page.
The sample CSV file looks like this:
Source Email,Source Login Name,Source Password,Destination Email,Destination Login Name,Destination Password,Flags |
Columns that are allowed within the import file:
Column | Description |
Source Email | Primary SMTP email address of the Source mailbox. This column is required. |
Source Login Name | The user name used to access the Source mailbox. This column is required only if the administrative credentials are not specified. If administrative credentials are specified, this column is ignored. |
Source Password | The password used to access the Source mailbox. This column is required only if administrative credentials are not specified. If administrative credentials are specified, this column is ignored. |
Destination Email | Primary SMTP email address of the Destination mailbox. This column is required. |
Destination Login Name | The user name used to access the Destination mailbox. This column is required only if administrative credentials are not specified. If administrative credentials are specified, this column is ignored. |
Destination Password | The password used to access the Destination mailbox. This column is required only if administrative credentials are not specified. If administrative credentials are specified, this column is ignored. |
Flags | Optional flags to apply to the mailbox. This column is optional. |
Mailbox Flags
This table provides a list of possible flags that may be set. Specifying a flag value of zero (0) will not enable any flags.
Column | Description |
0 | No flags are set. |
1 | Send an email to the administrator (you) when migration is complete. |
2 | Send an email to the administrator (you) if the migration fails. |
4 | Send an email to the Source mailbox when migration is complete |
8 | Send an email to the Source mailbox if the migration fails |
16 | Send an email to the Destination mailbox when migration is complete |
32 | Send an email to the Destination mailbox if the migration fails |
192 | Request the user name and password from the Source mailbox |
768 | Request the user name and password from the Destination mailbox |
1024 | Do not search Destination for duplicates |
2048 | Remigrate previously successful items |
4096 | Do not migrate calendars. |
8192 | Do not migrate contacts. |
16384 | Do not migrate mail. |
262144 | Do not migrate journals. |
524288 | Do not migrate notes. |
1048576 | Do not migrate tasks. |
2097152 | Remigrate previously failed items. |
4194304 | Do not retry errors. |
8388608 | Log subjects of failed items |
Add the flag values together to enable multiple items. For example, to enable the following:
- Send an email to the administrator (you) when migration is complete;
- Send an email to the administrator (you) if the migration fails; and
- Remigrate previously failed items
The only columns required in the Bulk Add CSV are the Source Email and Destination Email. For adding user credentials, you will only need to include the Login Name and Password for the environment which you will not be using an administrator account for. This may be only the Source, the destination, or both.
Individually add users
To add user logins and passwords individually follow these steps:
- Open your Project to see the list of items to be migrated.
- For each account that you wish to edit, click on the Edit Items button (the pencil icon on the right side of the screen).
- Add the user login and password for the environments that need them. This may be the Source, the Destination, or both.
- Click on Save Items.
Update Submitted/Requested Credentials
Your migration will fail if you previously requested credentials and the password(s) have changed since your original request. The requested credentials are stored in an encrypted format within your MigrationWiz portal, and your migration will be using the old username and password if not updated. There are two ways to update the previously requested credentials:
If you know the new password and want to enter it directly:
- Sign in to your MigrationWiz account.
- Open your Project to see its items.
- Click on the name of the mailbox you wish to edit.
- Click on Edit Item (this is the pencil icon on the far right-hand side).
- Uncheck I don't know the username or password to this mailbox for the Source or Destination mailbox that you know the credentials for.
- Enter the User Name and Password.
- Click on Save Item.
If you do not know the new password and want to request credentials again:
- Sign in to your MigrationWiz account.
- Open your Project to see its items.
- Click on the name of the mailbox you wish to request credentials for.
- Click on Edit Item (this is the pencil icon on the far right-hand side).
- Select I don't know the username or password for the Source or Destination.
- Click on Save Item.
This will activate the request for the credentials to be retrieved from the user again, via email and in an encrypted format.
Administrative Credentials are Not Supported
MigrationWiz supports several ways to access mailboxes. If you do not have administrative access to the mailbox, there are several ways you can access the contents:
Gather mailbox passwords
This is simple. You can gather passwords from users. In most cases, this approach is not practical nor very secure, and therefore we do not recommend it.
Reset mailbox passwords
You can always reset the passwords to mailboxes to something that you know and control. The problem with this method is that your end user is locked out of his/her mailbox as their password has changed. You may optionally give them the password you have set but end users are prone to changing the passwords to something they can remember, which may cause your migration to fail mid-way. If you do not plan on giving the end users the passwords, this may be a viable option if you do not mind locking them out of the mailbox.
Request mailbox passwords from each mailbox
MigrationWiz offers a unique feature that allows the system to request the user name and passwords directly from each end user. This gives you the ability to access the mailbox while the end user is using it. Learn more about the request credentials process.
Removing Administrative Access After Migration
To automatically remove administrative access after the migration is complete, perform these steps (no licenses will be used):
- Edit your Project and click on Advanced Options.
- Click on Show Advanced Options.
- In Support Options, set RevokeAdminPermissions=1.
- Select mailboxes from which you want to revoke permissions.
- Click on Start.
- Select Verify Credentials.
- Click on Start.
Do not remove the permissions until the migration is complete. If this is done during the migration process, the migration will fail and not all items will be migrated over to the new mailbox.
Two-Factor & Multifactor Authentication
MigrationWiz will not work directly with any account that is set up to use two-factor or multi-factor authentication. However, you do not need to disable MFA for all users within your environment. You can use a service account that is set up without the extra authentication requirements.
- When creating your MigrationWiz Mailbox project, enter the credentials for this service account under Use Administrator Login.
- This account will still need the access required for your specific migration scenario.
- Add your user mailboxes in the normal manner.
DeploymentPro can still work when two-factor or multi-factor authentication is in place for your users. The "Installing DeploymentPro with MFA or 2-Factor Authentication Enabled" section of the DeploymentPro guide will outline how that can be set up.
Enabling Modern Authentication
MigrationWiz lists the steps for enabling Modern Authentication in the Obtain Client and Tenant ID Settings for Mailbox and Exchange Online Migrations section of the Authentication Methods Migrations KB.
For more information on that, please check that documentation.