MigrationWiz supports Application Permissions for SharePoint and OneDrive migrations in addition to full control permissions using the support option UseApplicationPermission=1. The source and destination tenants will always require FullControl permissions.

This app is similar to the Microsoft 365 Authentication App previously deployed, which utilized delegate permissions. This app uses application permissions. 

All BitTitan applications are fully verified and accepted by Microsoft. 

We strongly suggest the use of FullControl permissions for the proper migration of files.

All AMR migrations require full-control permission. If you have a specific need to not allow full-control permissions, you can use MigrationWiz-SharePoint-ReadOnly (only for the source). However, please note that with read-only permissions, MigrationWiz will not export document permissions, versioning, or metadata, and cannot use AMR. Additionally, OneNote files will be migrated, but will not contain content, due to lack of permissions when preparing the files to migrate.

Enable Application Permissions

Permissions Granted

Read Only permissions granted:

• SharePoint API:
  • Sites.Read.All
  • User.Read.All
• Graph API:
  • Directory.Read.All
  • Files.Read.All
  • Group.Read.All (delegate permission)
  • User.Read (delegate permission)

Full Control permissions granted:

• SharePoint API:
  • Sites.FullControl.All
  • User.ReadWrite.All
• Graph API:
  • Directory.Read.All
  • Files.Read.All
  • Group.Read.All (delegate permission)
  • User.Read (delegate permission)

Setting up Source Permissions

These are the steps to enable permission level at the source only. This authentication process gives you control over who is entitled to use the source.

1. Ensure you are signed in as a Global Admin.
2. Go to MigrationWiz-SharePoint-FullControl and consent to the app access when prompted.
3. Create a new Security Group named “MigrationWiz” on the Microsoft 365 Admin Portal. 
4. Create a new user.
5. Add a new user to the previously created security group as a member.
6. Create MigrationWiz project.
7. When creating the endpoints, enter the new user credentials.
8. Add support option UseApplicationPermission=1

Setting up Destination Permissions

Steps to enable permission level at the destination:

1. Ensure you are signed in as a Global Admin.
2. Go to MigrationWiz-SharePoint-FullControl and consent to the app access when prompted.
3. Create a new Security Group named “MigrationWiz” on the Microsoft 365 Admin Portal.
4. Create a new user.
5. Add a new user to the previously created security group as a member.
6. Create MigrationWiz project.
7. When creating the endpoints, enter the new user credentials.

MigrationWiz-SharePoint-FullControl may be used on both source and destination tenants and will export document permissions, versions, and metadata. 

The permissions granted by using Full Control are as follows:

• SharePoint API:
  • Sites.FullControl.All
  • User.ReadWrite.All
• Graph API:
  • Directory.Read.All
  • Files.Read.All
  • Group.Read.All (delegate permission)
  • User.Read (delegate permission)

Post-Migration Steps

1. Remove the newly created user.
2. Remove the MigrationWiz Security Group created in Step 3.

To remove the app from the source or destination, perform the following steps:

1. Sign in to Microsoft Entra admin center.
2. Select Microsoft Entra ID.
3. Go to Identity > Applications > Enterprise applications, in the left bar of the window.
4. In the Manage section, select All applications.
5. Search for the application permission you configured and select it.
6. Go to Manage > Properties, and select Delete from the properties bar.