App based authentication using Application Permissions for SharePoint and OneDrive Migrations

MigrationWiz supports Application Permissions for SharePoint and OneDrive migrations in addition to full control permissions using the support option UseApplicationPermission=1. The source and destination tenants will always require FullControl permissions.

This app is similar to the Microsoft 365 Authentication App previously deployed, which utilized delegate permissions. This app uses application permissions. 

All BitTitan applications are fully verified and accepted by Microsoft. 

We strongly suggest the use of FullControl permissions for the proper migration of files.

All AMR migrations require full-control permission. If you have a specific need to not allow full-control permissions, you can use MigrationWiz-SharePoint-ReadOnly (only for the source). However, please note that with read-only permissions, MigrationWiz will not export document permissions, versioning or metadata, and cannot use AMR. Additionally, OneNote files will be migrated, but will not contain content, due to lack of permissions when preparing the files to migrate.

Source or Destination?

Read-only permissions can only be used at the source to enhance security. The destination will always require FullControl permissions.

Enable Application Permissions

Sharepoint_Full_Permissions.PNG

Permissions Granted

Read Only permissions granted:

  • SharePoint API:
    • Sites.Read.All
    • User.Read.All
  • Graph API:
    • Directory.Read.All
    • Files.Read.All
    • Group.Read.All (delegate permission)
    • User.Read (delegate permission)

Full Control permissions granted:

  • SharePoint API:
    • Sites.FullControl.All
    • User.ReadWrite.All
  • Graph API:
    • Directory.Read.All
    • Files.Read.All
    • Group.Read.All (delegate permission)
    • User.Read (delegate permission)

Setting up source permissions

These are the steps to enable permission level at the source only. This authentication process gives you control over who is entitled to use the source.

  1. Ensure you are signed in as a Global Admin.
  2. Go to MigrationWiz-SharePoint-FullControl and consent to the app access when prompted.
  3. Create new Security Group named “MigrationWiz” on the Microsoft 365 Admin Portal. 
  4. Create new user.
  5. Add new user to previously created security group as a member.
  6. Create MigrationWiz project.
  7. When creating the endpoints, enter the new user credentials.
  8. Add support option UseApplicationPermission=1

Setting up destination permissions

Steps to enable permission level at the destination:

  1. Ensure you are signed in as a Global Admin.
  2. Go to MigrationWiz-SharePoint-FullControl and consent to the app access when prompted.
  3. Create new Security Group named “MigrationWiz” on the Microsoft 365 Admin Portal.
  4. Create new user.
  5. Add new user to previously created security group as a member.
  6. Create MigrationWiz project.
  7. When creating the endpoints, enter the new user credentials.

MigrationWiz-SharePoint-FullControl may be used on both source and destination tenant and will export document permissions, versions, and metadata. 

The permissions granted by using Full Control are as follows:

  • SharePoint API:

    • Sites.FullControl.All

    • User.ReadWrite.All

  • Graph API:

    • Directory.Read.All

    • Files.Read.All

    • Group.Read.All (delegate permission)

    • User.Read (delegate permission)

Post-Migration Steps

  1. Remove the newly created user.

  2. Remove the MigrationWiz Security Group created in Step 3. 

  3. To remove the app from the source or destination, perform the following steps:

    1. Launch PowerShell.
    2. Connect PowerShell to Microsoft 365.
    3. Enter the command: Connect-AzureAD
    4. Enter the admin credentials in the prompt.
    5. Enter the command:Get-AzureADServicePrincipal -SearchString Migration
    6. Look for the ObjectId of the app you want to remove and enter the following command: Remove-AzureADServicePrincipal -objectId <the object id>
Was this article helpful?
0 out of 1 found this helpful