MigrationWiz – Permission Requirements

This article lists the permissions required for all administrator accounts used to perform migrations with MigrationWiz. Whenever possible, we recommend using a Global Administrator, or equivalent, account. When that is not possible, use this list to grant the strictest possible level of permissions required to migrate data.

Mailbox Migrations:

Exchange 2003 or 2007:

Source:

  • Hosted Exchange: Create an account to be used as an administrator account for the migration. Grant full control of all migrating users to that administrator account.
  • On-Premises: Configure an administrator account to have full access to user mailboxes. For specific instructions, select the correct Exchange version here: How do I create an administrator account for login? This requires that the throttling policy, if one is in effect, be removed or reduced on the administrator account being used for the migration.

 

Exchange 2010+:

Source or Destination:

  • Hosted Exchange: Create an account to be used as an administrator account for the migration. Grant full control of all migrating users to that administrator account.
  • On-Premises: Configure an administrator account to have full access to user mailboxes. For specific instructions, select the correct Exchange version here: How do I create an administrator account for login? This requires that the throttling policy, if one is in effect, be removed or reduced on the administrator account being used for the migration.

 

G Suite:

Source:

Destination:

Lotus Notes/Lotus Domino:

Source:

 

Office 365 Exchange Online (Mailbox and Archive):

Source:

  • An administrator account with read-only access to the migrating users' mailboxes.

Destination:

Document Migrations:

Google Drive:

Source or Destination: 

  • Enable OAuth 2.0. This allows the required authorizations to be set within the Google Admin Console. For specific instructions on enabling the OAuth protocol, see Enable access to G Suite (IMAP) using OAuth 2.0.
    Note: Google Drive Document Migrations require that the Enable API access setting in the Google Admin Portal be enabled.

OneDrive or SharePoint:

Source:

  • OneDrive Migration only: An administrator account with Site Collection permissions. If using this level of permission, the following Advanced Option will need to be added to the Support Options in the project:
    ForceOneDriveNonGlobalAdminAuthExport=1

Read-Only Application Permissions for SharePoint and OneDrive Migrations are now available!

Read Only permissions granted:

  • SharePoint API:
    • Sites.Read.All
    • User.Read.All
  • Graph API:
    • Directory.Read.All
    • Files.Read.All
    • Group.Read.All (delegate permission)
    • User.Read (delegate permission)

Full Control permissions granted:

  • SharePoint API:
    • Sites.FullControl.All
    • User.ReadWrite.All
  • Graph API:
    • Directory.Read.All
    • Files.Read.All
    • Group.Read.All (delegate permission)
    • User.Read (delegate permission)

Destination:

  • Use App-based Authentication. This allows the required permissions to be set for a specific App ID. If the users have not yet been provisioned on the Destination, a Global Administrator account will also be required when setting up the endpoint. The App ID is automatically granted the permissions below. For more information on setting up the App ID, see Using App-based Authentication.
    • Microsoft Graph API
      • Directory.Read.All
      • Files.Read
      • Files.ReadWrite
      • Files.Read.All
      • Files.ReadWrite.All
      • Sites.Read.All
      • Sites.ReadWrite.All
    • Azure AD
      • User.Read
    • SharePoint
      • AllSites.FullControl
      • User.ReadWrite.All

Note: For more information on the available permissions for OneDrive and SharePoint, see Permissions for OneDrive API.

 

Collaboration Migrations:

Microsoft Teams:

Source:

Read-Only Application Permissions for Teams Migrations 

Read Only permissions granted:

  • SharePoint API:
    • Sites.Read.All
    • User.Read.All
  • Graph API:
    • Files.Read.All
    • Group.ReadWrite.All
      (This is to add the user to the team as an owner first before being able to read conversations)
    • User.Read.All
    • Group.Read.All (delegate permission)
      (This is to be able to read all the conversations as a user after being added)
    • User.Read (delegate permission)

Full Control permissions granted:

  • SharePoint API:
    • Sites.FullControl.All
    • User.ReadWrite.All
  • Graph API:
    • Files.Read.All
    • Group.ReadWrite.All
    • User.Read.All
    • Group.ReadWrite.All (delegate permission)
    • User.Read (delegate permission)
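One way to check what a source app actually holds against the read-only lists above (SharePoint/OneDrive and Teams) before a migration starts. This is an added example, not part of the original article or of MigrationWiz; the `(api, permission, type)` tuple format for grants is an assumption, as is treating permissions not marked "(delegate permission)" as application permissions.

```python
# Added example, not MigrationWiz code. Permission names are copied from the
# lists on this page; entries marked "(delegate permission)" are "delegated",
# and treating the unmarked ones as "application" is an assumption.
def profile(sharepoint, graph_app, graph_delegated):
    return ({("SharePoint", p, "application") for p in sharepoint}
            | {("Graph", p, "application") for p in graph_app}
            | {("Graph", p, "delegated") for p in graph_delegated})

PROFILES = {
    "sharepoint-onedrive-read-only": profile(
        ["Sites.Read.All", "User.Read.All"],
        ["Directory.Read.All", "Files.Read.All"],
        ["Group.Read.All", "User.Read"]),
    "teams-read-only": profile(
        ["Sites.Read.All", "User.Read.All"],
        ["Files.Read.All", "Group.ReadWrite.All", "User.Read.All"],
        ["Group.Read.All", "User.Read"]),
}

def is_write_capable(permission):
    # Naming heuristic: these permission names encode write or full access.
    return "ReadWrite" in permission or "FullControl" in permission

def documented_write_scopes(profile_name):
    """Write-capable permissions that the documented profile itself contains."""
    return sorted(p for p in PROFILES[profile_name] if is_write_capable(p[1]))

def audit(granted, profile_name):
    """Compare (api, permission, type) grants with a documented profile."""
    expected, have = PROFILES[profile_name], set(granted)
    return {
        "missing": sorted(expected - have),
        "unexpected": sorted(have - expected),
        "write_capable": sorted(p for p in have if is_write_capable(p[1])),
    }

# Constructed sample: a Teams read-only source app that also holds
# Sites.FullControl.All and lacks the delegated User.Read grant.
SAMPLE_GRANTS = [
    ("SharePoint", "Sites.Read.All", "application"),
    ("SharePoint", "User.Read.All", "application"),
    ("SharePoint", "Sites.FullControl.All", "application"),
    ("Graph", "Files.Read.All", "application"),
    ("Graph", "Group.ReadWrite.All", "application"),
    ("Graph", "User.Read.All", "application"),
    ("Graph", "Group.Read.All", "delegated"),
]

if __name__ == "__main__":
    for key, items in audit(SAMPLE_GRANTS, "teams-read-only").items():
        print(key, items)
```

The Teams read-only list itself contains Group.ReadWrite.All, so `documented_write_scopes("teams-read-only")` is non-empty and an app on that profile still holds a write-capable group permission.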

 

Source or Destination:

  • Use App-based Authentication. This allows the required permissions to be set for a specific App ID.
    A Global Administrator account will also be required when setting up the endpoint. The App ID is automatically granted the permissions below. For more information on setting up the App ID, see Using App-based Authentication.
    • Azure AD
      • User.Read
    • Microsoft Graph API
      • Directory.Read.All
      • Group.ReadWrite.All
      • Sites.Read.All
      • User.ReadWrite.All
    • SharePoint
      • AllSites.FullControl
      • User.ReadWrite.All

 

 
