MigrationWiz Errors - 401 Unauthorized Error Suite

​​Error Message

This error can take several different forms. Some of the most common versions are listed below but not all versions are covered below. If you have received one not listed below, contact Support.

Your migration failed while checking destination credentials. Http POST request to 'autodiscover-s.outlook.com' failed - 401 Unauthorized: The credentials used to access the configured mailbox are invalid, or the credentials specified do not have access to the configured mailbox, or you may have overutilized resources.

DatabaseNotFoundException - 401 Unauthorized - Http POST request to 'autodiscover-s.outlook.com' failed: MigrationWiz was not able to locate/access the mail database.

401 Unauthorized - Http POST request to 'autodiscover-s.outlook.com' failed - Basic Auth Disabled: MigrationWiz has detected that Basic Authentication is not enabled for the tenant.

Resolution

This is a common suite of errors that may be referencing several endpoint issues. The most common instances are listed below, with suggested resolutions. Note that there may be variations which are not listed here, or are errors from your source or destination environments.

This error most commonly occurs in Office 365 or On-Prem Exchange migrations. You can determine from the error message itself whether this is occurring on the source or destination environment.

Troubleshooting 401 Unauthorized

401 Unauthorized is an authentication error and is generally the result of MigrationWiz being unable to connect to the specified environment using either the admin credentials within your endpoint or the end-user credentials. The following steps will go through each of the most common causes of this error.

Troubleshooting Steps

  1. Identify which endpoint is failing authentication by reviewing the MigrationWiz project user line item error history. Often either the source or destination is called out in the error text itself, but should also be located in a box in the bottom left corner of the error.
  2. Log in to the environment using the endpoint admin information and password.
  3. When logging in, check for any unexpected input. Any requirements other than username and password can cause this issue.
  4. If there are no issues found during login, ensure that the Admin account has the necessary permissions.
  5. If the login attempt succeeds on both endpoints but the migration continues to fail, attempt to login using the EWS URL: Example: https://webmail.sample.com/EWS/Exchange.asmx. Additionally, testing EWS access using Microsoft’s Connectivity Analyzer will often reveal the exact point of failure.

For newly created accounts within Office 365, it will sometimes take up to 24 hours for the accounts/mailboxes to fully provision. During this period, everything may look good within the Office 365 UI, but MigrationWiz will still fail when attempting to access them programmatically.

Modern Authentication has not been configured for your project

To configure Modern Authentication on your protect, check the steps listed in the Obtain Client and Tenant ID Settings for Mailbox and Exchange Online Migrations section of the Authentication Methods Migrations KB apply. These steps apply to both the source and destination tenant when they are Exchange Online, in regards to Exchange Web Services (EWS) in mailbox, archive mailbox, and public folder projects. Use a Global Administrator for the configuration steps.

Username and/or Password incorrect

One of the most common causes of this is that the username or password (or both) has been entered incorrectly into the project. This can be caused by a typo or a recently changed password. The best way to check this is to attempt to log into your environment using the credentials you have entered. If you can successfully log in, please re-enter the username and password into your endpoint settings, ensuring that they are the same as what you were able to log in with.

You can update the endpoint settings by clicking on Edit Project > Edit Project and then selecting either the Source or Destination Settings tab. Once there, click on “Edit Endpoint”.

If you are using end-user credentials, these can be checked and edited by clicking on the icon next to the user within your project.

Unexpected Input During Login

When logging into the environment, be aware of any input requirements. You should only be prompted for the username and password when logging in. If there are any other requirements, it would cause a 401 error since MigrationWiz is not prepared for such requirements.

These requirements can include:

  • 2-Factor Authentication or Multi-Factor Authentication: MigrationWiz is not able to connect to any accounts that have such authentication enabled.
  • Expired Password or Requirement to Change Password: Since MigrationWiz is not able to make these types of changes to the environment, any requirement to update or change the password will cause the migration to fail.
  • Prompt to Select Which Account: It is possible to link different accounts to the same login (such as work, home, and school accounts). If you are prompted to select which account you want to log into, it can cause this error.

Azure Security Default Settings

The Azure Security Defaults are required to be disabled in Office 365 to work with MigrationWiz. Sometimes the 401 error occurs days after a pre-stage or full migration. In this case, the security default policy in favor of 2-factor authentication is getting triggered, which causes the servers to fail authentication.

Logging into the destination Office 365 admin portal during migration setup triggers a pop-up prompting you to set up 2-factor authentication. You may skip to continue without 2-factor authentication, but this is only valid for 14 days. After that, the migration project still fails to verify the credentials, triggering the error.

To resolve this, disable the Enable Security Defaults option, following the steps below, to allow MigrationWiz servers to authenticate without triggering the 2-factor authentication setup.

To disable security defaults

  1. Log into Azure using the destination admin account and password by going to https://portal.azure.com.
  2. Click on Microsoft Entra ID.
  3. Click Properties.
  4. Make sure "Access management for Azure resources" is set to No.
  5. Click Manage Security Defaults and set Enable Security Defaults to No.
  6. Save the settings and log off.
  7. Run verify credentials for the user again.

Insufficient Permission

If you are using an administrator login for migration, and have verified that the credentials are correct, but are still encountering the 401 Unauthorized issue, you may need to look into the administrator account's permission.

Follow the directions outlined in the grant the administrator permission article. This should solve the issue. Note that if you are using Impersonation, you will want to follow the steps in the Impersonation Guide as well.

If Microsoft Entra Connect is used to create the mailboxes

If you have used AD Connect or AD Sync to create the mailboxes on the destination, it is sometimes the case that the mailboxes were not created properly, or with the settings that are needed for MigrationWiz to connect.

Identification Steps

  1. Attempt to log in to the Office 365 OWA portal as the mailbox. 
  2. Verify the user is in the Microsoft EntraConnect state (admin > users > active users > open user > Mail setting > "user mailbox has not been migrated" is present. If that is not the case, the mailbox is not instantiated on provisioning, the user can contact Microsoft or recreate the object.

Cause

Either:

  1. Mailbox is not instantiated (Microsoft Entra Connect GUID not set to NULL).

OR

  1. The mailbox is not fully provisioned or is corrupt in the tenant.

Resolution

  • For item 1 above, set the needed Azure for MigrationWiz.
  • For item 2 above, delete and recreate mailbox objects or users in Office 365.

OneDrive Migrations

401 Unauthorized errors may occur if OneDrive has not been provisioned by the user.

  1. Create a user in Office 365 and assign a license that includes OneDrive for Business. For step-by-step instructions, see the Microsoft article Add users individually or in bulk to Office 365.
  2. Set the administrator privileges. Grant one of the permission levels listed below. 
    • Global Administrator. Microsoft has instructions to set these permissions here: Assign admin roles.
    • Site Collection Administrator. For specific permissions and project settings to be used with a Site Collection Administrator, see MigrationWiz Permission Requirements.

After you perform these steps, the specified user will be visible in the Office 365 administrator center. Full provisioning of the user account can take up to 24 hours.

 

If the 401 error is for the source OneDrive. Check to ensure that the user is not blocked or disabled and that they are licensed to use OneDrive in the source tenant and have logged into their OneDrive recently.

Overutilized Resources

This is often the result of an outdated server. If you have validated that your credentials are working properly, and are on a platform such as Exchange 2010, Lotus Notes, or another older system, it may not have the resources necessary for the current migration.

To check resource utilization, first attempt to open your OWA URL from an external network from a system that is not joined to your domain. If OWA loads on time, check your server resources:

  1. Check server CPU usage.
  2. Check memory usage.
  3. Check disk I/O usage using a performance monitor.
  4. Check for overutilization of the network resources.
  5. Lower the number of mailboxes you are migrating simultaneously and try again.
Was this article helpful?
1 out of 39 found this helpful