Application Permissions for SharePoint and OneDrive Migrations using ReadOnly or FullControl

MigrationWiz now supports read-only Application Permissions for SharePoint and OneDrive migrations, in addition to full control permissions, through the support option UseApplicationPermission=1. The new ReadOnly app can only be used at the source, where it enhances security. The destination always requires FullControl permissions.

This allows for a secure migration without the use of Global Admin or Site Collection Admin permissions on the source and destination.

This app is similar to the previously deployed Office 365 Authentication App, which used delegated permissions. This app uses application permissions.

BitTitan applications are fully verified and accepted by Microsoft. 

Enable Application Permissions

These are the steps to enable the permission level at the source only. This authentication process gives you control over who is entitled to use the source.

  1. Ensure you are signed in as a Global Admin.
  2. Go to either MigrationWiz-SharePoint-ReadOnly or MigrationWiz-SharePoint-FullControl and consent to the app access when prompted.
  3. Create a new security group named “MigrationWiz” in the Office 365 Admin Portal.
  4. Create a new user.
  5. Add the new user to the previously created security group as a member.
  6. Create a MigrationWiz project.
  7. When creating the endpoints, enter the new user's credentials.
  8. Add the support option UseApplicationPermission=1.

 

Steps to enable the permission level at the destination:

  1. Ensure you are signed in as a Global Admin.
  2. Go to MigrationWiz-SharePoint-FullControl and consent to the app access when prompted.
  3. Create a new security group named “MigrationWiz” in the Office 365 Admin Portal.
  4. Create a new user.
  5. Add the new user to the previously created security group as a member.
  6. Create a MigrationWiz project.
  7. When creating the endpoints, enter the new user's credentials.

 

MigrationWiz-SharePoint-FullControl may be used on both source and destination tenant and will export document permissions. MigrationWiz-SharePoint-ReadOnly can only be used on the source tenant, will not export document permissions, and cannot use AMR.

 

Post-Migration Steps

  1. Remove the newly created user.

  2. Remove the MigrationWiz Security Group created in Step 3. 

  3. To remove the app from the source or destination, perform the following steps:

    1. Launch PowerShell.
    2. Connect PowerShell to Office 365.
    3. Enter the command: Connect-AzureAD
    4. Enter the admin credentials in the prompt.
    5. Enter the command: Get-AzureADServicePrincipal -SearchString Migration
    6. Look for the ObjectId of the app you want to remove and enter the following command: Remove-AzureADServicePrincipal -ObjectId <the object id>
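
The removal steps above as a single script, with an exact-name filter and a dry run before anything is deleted. This is an added example, not BitTitan's own code; the function name Remove-MigrationWizAccess is hypothetical, and it assumes the consented apps appear as service principals whose DisplayName matches the app names used in this article.

```powershell
# Added example for the AzureAD module (not BitTitan's script).
# Assumption: service principal DisplayName values equal the app names
# in this article, and the security group is named "MigrationWiz" (Step 3).
function Remove-MigrationWizAccess {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [string[]]$AppName = @('MigrationWiz-SharePoint-ReadOnly',
                               'MigrationWiz-SharePoint-FullControl'),
        [string]$GroupName = 'MigrationWiz'
    )

    # "-SearchString Migration" can return other apps as well, so keep only
    # exact display-name matches before removing anything.
    $principals = Get-AzureADServicePrincipal -SearchString 'Migration' |
        Where-Object { $AppName -contains $_.DisplayName }

    foreach ($sp in $principals) {
        Write-Host ("Found {0}  AppId={1}  ObjectId={2}" -f `
            $sp.DisplayName, $sp.AppId, $sp.ObjectId)
        # Honors -WhatIf and -Confirm; the removal runs only when approved.
        if ($PSCmdlet.ShouldProcess($sp.DisplayName, 'Remove service principal')) {
            Remove-AzureADServicePrincipal -ObjectId $sp.ObjectId
        }
    }

    # Report the security group and its members so post-migration
    # steps 1 and 2 (remove the user, remove the group) can be checked.
    $groups = Get-AzureADGroup -SearchString $GroupName |
        Where-Object { $_.DisplayName -eq $GroupName }
    foreach ($group in $groups) {
        $members = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true
        [pscustomobject]@{
            Group    = $group.DisplayName
            ObjectId = $group.ObjectId
            Members  = ($members | ForEach-Object { $_.DisplayName }) -join ', '
        }
    }
}

Connect-AzureAD                        # prompts for admin credentials
Remove-MigrationWizAccess -WhatIf      # dry run: lists what would be removed
# Remove-MigrationWizAccess            # run again without -WhatIf to remove
```

Run it once per tenant (source and destination), since each tenant holds its own service principal for the consented app.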

Permissions Granted

Read Only permissions granted:

  • SharePoint API:
    • Sites.Read.All
    • User.Read.All
  • Graph API:
    • Directory.Read.All
    • Files.Read.All
    • Group.Read.All (delegated permission)
    • User.Read (delegated permission)

Full Control permissions granted:

  • SharePoint API:
    • Sites.FullControl.All
    • User.ReadWrite.All
  • Graph API:
    • Directory.Read.All
    • Files.Read.All
    • Group.Read.All (delegated permission)
    • User.Read (delegated permission)