Application Permissions for Teams Migrations - New Endpoint

MigrationWiz now supports read-only Application Permissions for Teams migrations, in addition to full-control permissions. The new ReadOnly app can only be used at the source, which limits the access granted there, and it does not export document permissions. The destination always requires the FullControl app.

This allows for a secure migration without the use of Global Admin or Site Collection Admin permissions on the source and destination.

This app is similar to the Office 365 Authentication App previously deployed, which utilized delegate permissions. This app uses application permissions. If you are not using application permissions, go to the Authentication App article and follow those steps.

Enable Application Permissions

These are the steps to enable the permission level at the source. This authentication process gives you control over who is entitled to use the source.

  1. Ensure you are signed in as a Global Admin in the Office 365 Admin Portal.

  2. Go to either Teams-ReadOnlyApp or Teams-FullControlApp and consent to the app access when prompted. If choosing the Teams-ReadOnlyApp option, you will need to disable AMR via "DisableAsynchronousMetadataRead=1", due to a Microsoft API limitation.

  3. Create a new Security Group named “MigrationWiz” on the Office 365 Admin Portal. If you have not created a security group before, follow Microsoft's instructions.

  4. Create a new user. This user must have an active Teams license applied.

  5. Add the new user to the previously created security group as a member. Important: ADFS and MFA must be turned off for this user.

  6. Create the MigrationWiz project.

  7. When creating the endpoints, enter the new user's credentials.

Steps to enable permission level at the destination:

  1. Ensure you are signed in as a Global Admin.

  2. Go to Teams-FullControlApp and consent to the app access when prompted.

  3. Create a new Security Group named “MigrationWiz” on the Office 365 Admin Portal.

  4. Create a new user. Important: ADFS and MFA must be turned off for this user.

  5. Add the new user to the previously created security group as a member.

  6. Create the MigrationWiz project.

  7. When creating the endpoints, enter the new user's credentials.


Teams-FullControlApp may be used on both the source and destination tenant and will export document permissions. Teams-ReadOnlyApp can only be used on the source tenant and will not export document permissions.


Post-Migration Steps

  1. Remove the newly created user.

  2. Remove the MigrationWiz Security Group created in Step 3.

  3. To remove the app from the source or destination, perform the following steps:

    1. Launch PowerShell.

    2. Connect PowerShell to Office 365.

    3. Enter the command: Connect-AzureAD

    4. Enter the admin credentials in the prompt.

    5. Enter the command: Get-AzureADServicePrincipal -SearchString Migration

    6. Look for the ObjectId of the app you want to remove (the search may return more than one service principal, so check the DisplayName) and enter the following command: Remove-AzureADServicePrincipal -ObjectId <the object id>


Permissions Granted

  Migrated item          Teams ReadOnly   Teams FullControl
  Conversations          Y                Y
  Teams Permissions      Y                Y
  Documents              Y                Y
  Document Permissions   N                Y


Read Only permissions granted:

  • SharePoint API:

    • Sites.Read.All

    • User.Read.All

  • Graph API:

    • Files.Read.All

    • Group.ReadWrite.All
      (This is to add the user to the team as an owner first, before conversations can be read)

    • User.Read.All

    • Group.Read.All (delegate permission)
      (This is to be able to read all the conversations as a user after being added)

    • User.Read (delegate permission)

Full Control permissions granted:

  • SharePoint API:

    • Sites.FullControl.All

    • User.ReadWrite.All

  • Graph API:

    • Files.Read.All

    • Group.ReadWrite.All

    • User.Read.All

    • Group.ReadWrite.All (delegate permission)

    • User.Read (delegate permission)
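The following script is an added example, not BitTitan's own tooling, covering both the post-migration removal steps above and the permission lists in this section: it finds the consented MigrationWiz Teams app(s), resolves the application permissions each one was actually granted on the SharePoint and Microsoft Graph APIs so you can confirm a read-only app carries nothing beyond the Read Only set, and then removes a single app selected by its exact display name. The article's removal steps use the AzureAD module; this example uses the Microsoft Graph PowerShell SDK equivalents, because the AzureAD module is deprecated. Assumptions: the Microsoft.Graph.Applications module is installed, the signed-in admin can read and delete service principals, the app's display name starts with "Migration" (the article's search string), and the SharePoint resource service principal is displayed as "Office 365 SharePoint Online". Delegated permissions are consent grants rather than app role assignments and are not checked here.

```powershell
# Added example (not BitTitan's script). Uses the Microsoft Graph PowerShell SDK
# in place of the deprecated AzureAD module used in the article's steps.
# Assumed names: app display name starts with "Migration"; the SharePoint
# resource service principal is named "Office 365 SharePoint Online".

Import-Module Microsoft.Graph.Applications

# Application.ReadWrite.All covers listing service principals, reading their
# app role grants and deleting them.
Connect-MgGraph -Scopes 'Application.ReadWrite.All' -NoWelcome

# Application permissions the article lists for the read-only app, keyed by the
# resource API's display name. (Delegated permissions are not app roles.)
$ReadOnlyExpected = @{
    'Office 365 SharePoint Online' = @('Sites.Read.All', 'User.Read.All')
    'Microsoft Graph'              = @('Files.Read.All', 'Group.ReadWrite.All', 'User.Read.All')
}

function Get-GrantedAppPermissions {
    <# One object per application permission granted to the service principal,
       with the app role GUID resolved to its readable value (e.g. Sites.Read.All). #>
    param([Parameter(Mandatory)][string]$ServicePrincipalId)

    $assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ServicePrincipalId -All
    foreach ($a in $assignments) {
        # The resource API (Graph, SharePoint) publishes the app roles; match by id.
        $resource = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
        $role     = $resource.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
        [pscustomobject]@{
            Resource   = $resource.DisplayName
            Permission = $role.Value
        }
    }
}

function Test-ReadOnlyGrants {
    <# True when every granted application permission is in the read-only set.
       Anything extra (for example Sites.FullControl.All) is reported as a warning. #>
    param([Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Grants)

    $ok = $true
    foreach ($g in $Grants) {
        $allowed = if ($ReadOnlyExpected.ContainsKey($g.Resource)) { $ReadOnlyExpected[$g.Resource] } else { @() }
        if ($allowed -notcontains $g.Permission) {
            Write-Warning "Not in the read-only set: $($g.Resource) / $($g.Permission)"
            $ok = $false
        }
    }
    return $ok
}

# 1. Find the consented MigrationWiz apps. More than one may match, so list them all.
$candidates = @(Get-MgServicePrincipal -Filter "startswith(displayName,'Migration')" -All)
$candidates | Select-Object DisplayName, AppId, Id | Format-Table -AutoSize

# 2. Audit what each app was actually granted before deciding which one to remove.
foreach ($sp in $candidates) {
    $grants = @(Get-GrantedAppPermissions -ServicePrincipalId $sp.Id)
    Write-Host "`n$($sp.DisplayName) ($($sp.Id)):"
    $grants | Format-Table -AutoSize
    if (Test-ReadOnlyGrants -Grants $grants) {
        Write-Host 'Application permissions match the Read Only set.'
    }
}

# 3. Remove exactly one app, selected by its full display name rather than a
#    wildcard. Set $RemoveDisplayName before running; it is left empty on purpose.
$RemoveDisplayName = ''
if ($RemoveDisplayName) {
    $target = @($candidates | Where-Object { $_.DisplayName -eq $RemoveDisplayName })
    if ($target.Count -ne 1) {
        throw "Expected exactly one match for '$RemoveDisplayName', found $($target.Count)."
    }
    Remove-MgServicePrincipal -ServicePrincipalId $target[0].Id
    Write-Host "Removed $($target[0].DisplayName) ($($target[0].Id))."
}
```

The article's Get-AzureADServicePrincipal -SearchString Migration corresponds to the Get-MgServicePrincipal -Filter call in step 1, and Remove-AzureADServicePrincipal -ObjectId to Remove-MgServicePrincipal -ServicePrincipalId in step 3. Running steps 1 and 2 alone (leaving $RemoveDisplayName empty) is a useful check right after consenting to the app as well: a source app that shows Sites.FullControl.All or User.ReadWrite.All is the FullControl app, not the ReadOnly one.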
