Requirements and Changes on Microsoft 365 Migrations to New Microsoft MFA Enforcement

Warning

This guide describes changes related to an upcoming security update that has not yet been released. The steps outlined here may be completed in advance and will be required prior to the deployment. Additional details are available in the maintenance announcement.

Starting October 1, 2025, Microsoft will begin enforcing Multi-Factor Authentication (MFA) across its cloud services—marking a significant shift in how organizations must approach identity, access, and migration strategies. This policy change introduces new compliance requirements that directly impact IT operations, automation, and cloud governance. For businesses leveraging migration tools to transition Microsoft workloads, adapting to this new security standard is not optional—it’s essential for continuity, security, and long-term success.

MigrationWiz, built to support such transitions across Microsoft products and beyond, is evolving to meet these new standards. This article outlines the key MFA enforcement changes, their implications for migration planning, and how our solution ensures your organization remains secure, compliant, and agile in cloud security policies while migrating your services.

For more information on the Microsoft Mandatory Multi-Factor Authentication for Azure and other admin portals, please visit the following Microsoft article

Mailbox Projects

Some mailbox migration projects now require a more secure and structured setup. You will need to create an application within Azure/Entra ID, configure a Client Secret and, in some cases, assign the Exchange Administrator role to this application.

The following scenarios apply for these changes:

Application Permissions for Tenant-to-Tenant Migration (M365 to M365) with Coexistence enabled Projects 

The following steps include new API permissions that must be used in the Entra ID App for Tenant-to-Tenant Migration (M365 to M365) with Coexistence Projects.

Step One - Create a New Application Registration

Create a new Application Registration in the Microsoft 365 tenant source or destination.

  1. Log in to the Microsoft Entra admin center with a Global Administrator login.
  2. Click View all products and select Microsoft ID (Azure AD) in the Microsoft Entra Admin Center.
  3. In the left sidebar, open the Applications dropdown list and select App Registrations, which is found under the Identity dropdown list.
  4. Select New Registration at the top of the screen.
  5. Give the app a distinct name. You can change this later if necessary.
  6. Select the Accounts in this organizational directory ('Tenant name only' - Single tenant) radio button.
  7. Click Register.
  8. Under the Manage menu, select Authentication (preview).
  9. Select the Settings tab.
  10. Set the option Allow public client flows to Enabled.
  11. Under the Supported Account types, select Accounts in this organizational directory ('Tenant name only' - Single tenant).
  12. Click Save.

Step Two - Assign the API Permissions and Grant Admin Consent

The following steps allow you to assign the API permission and grant consent to the necessary M365 components.

  1. From the Manage menu, select API permissions.
  2. Click Add a Permission.
  3. Select APIs my organization uses.
  4. Scroll down or search for Office 365 Exchange Online.
  5. Select Application Permissions.
  6. Check the box under Other Permissions for full_access_as_app.
  7. Check the box under Exchange for Exchange.ManageAsApp.
  8. Click Add Permissions.
  9. Repeat Step 2 and select Delegated Permissions.
  10. Check the box under Directory for EWS.AccessAsUser.All.
  11. Click Add Permissions.
  12. Now repeat Step 2 and select Microsoft APIs > Microsoft Graph.
  13. Select Application Permissions.
  14. Check the box under Directory for Directory.ReadWrite.All.
  15. Click Add Permissions.
  16. Click Grant admin consent.
  17. Click Yes to confirm the settings. Under the Status column, you should see a message that permission has been granted for the domain. Your API scopes should look like the following:
    T2T APIs Scopes.png

Step Three - Obtain the AppID and TenantID from the Application Registration

Follow the steps below to obtain the AppID and TenantID from the Application Registration.

  1. Navigate to the App Registrations item as shown below. In the Overview tab, you will find the Application (client) ID and the Directory (Tenant) ID.
  2. Copy both of these to another application, such as Notepad, for use later in this process. This is needed for the MigrationWiz Project Setup.
    Authentication Settings.png

Step Four - Create a Client Secret

Create a Client Secret for the application by following the steps below.

  1. Go to Manage > Certificates & secrets from the left sidebar.
  2. Create a new client secret by clicking + New client secret.
  3. Copy and save the client secret's value in a notepad or other preferred tool.

Warning

The client secret's value is only visible until the first time you sign out of the Azure Portal after creating the secret. After that, it is no longer visible.
If you lose the value, create a new client secret as described above and use it in the steps below.

Step Five - Grant Exchange Administrator Role

Grant the Exchange Administrator Role to your app by following the steps below.

  1. Go to Entra ID > Roles & admins from the left sidebar.
  2. In the search bar, type Exchange Administrator and click on it.
  3. On the Assignments page, click the button to Add assignments.
  4. In the search bar, enter the name of the app or its Application ID.
  5. Select your app from the list.
  6. Click Add to confirm the assignment. A confirmation message will appear after the permission is granted.

    Warning

    This role assignment might take up to 30 minutes to take effect.

Important

App password usage, MFA/2FA, SSO, and ADFS are not supported for the migration service account when using Application Permissions. However, users being migrated to your project can have these security features enabled.

Application Permissions for Google Groups to M365 Shared Mailbox Projects

The following steps include new API permissions that must be used in the Entra ID App for Google Groups to M365 Shared Mailbox Projects.

Step One - Create a New Application Registration

Create a new Application Registration in the Microsoft 365 tenant source or destination.

  1. Log in to the Microsoft Entra admin center with a Global Administrator login.
  2. Click View all products and select Microsoft ID (Azure AD) in the Microsoft Entra Admin Center.
  3. In the left sidebar, open the Applications dropdown list and select App Registrations, which is found under the Identity dropdown list.
  4. Select New Registration at the top of the screen.
  5. Give the app a distinct name. You can change this later if necessary.
  6. Select the Accounts in this organizational directory ('Tenant name only' - Single tenant) radio button.
  7. Click Register.
  8. Under the Manage menu, select Authentication (preview).
  9. Select the Settings tab.
  10. Set the option Allow public client flows to Enabled.
  11. Under the Supported Account types, select Accounts in this organizational directory ('Tenant name only' - Single tenant).
  12. Click Save.

Step Two - Assign the API Permissions and Grant Admin Consent

The following steps allow you to assign the API permission and grant consent to the necessary M365 components.

  1. From the Manage menu, select API permissions.
  2. Click Add a Permission.
  3. Select APIs my organization uses.
  4. Scroll down or search for Office 365 Exchange Online.
  5. Select Application Permissions.
  6. Check the box under Other Permissions for full_access_as_app.
  7. Check the box under Exchange for Exchange.ManageAsApp.
  8. Click Add Permissions.
  9. Repeat Step 2 and select Delegated Permissions.
  10. Check the box under Directory for EWS.AccessAsUser.All.
  11. Click Add Permissions.
  12. Now repeat Step 2 and select Microsoft APIs > Microsoft Graph.
  13. Select Application Permissions.
  14. Check the box under Directory for Directory.ReadWrite.All.
  15. Click Add Permissions.
  16. Click Grant admin consent.
  17. Click Yes to confirm the settings. Under the Status column, you should see a message that permission has been granted for the domain. Your API scopes should look like the following:
    T2T APIs Scopes.png

Step Three - Obtain the AppID and TenantID from the Application Registration

Follow the steps below to obtain the AppID and TenantID from the Application Registration.

  1. Navigate to the App Registrations item as shown below. In the Overview tab, you will find the Application (client) ID and the Directory (Tenant) ID.
  2. Copy both of these to another application, such as Notepad, for use later in this process. This is needed for the MigrationWiz Project Setup.
    Authentication Settings.png

Step Four - Create a Client Secret

Create a Client Secret for the application by following the steps below.

  1. Go to Manage > Certificates & secrets from the left sidebar.
  2. Create a new client secret by clicking + New client secret.
  3. Copy and save the client secret's value in a notepad or other preferred tool.

Warning

The client secret's value is only visible until the first time you sign out of the Azure Portal after creating the secret. After that, it is no longer visible.
If you lose the value, create a new client secret as described above and use it in the steps below.

Step Five - Grant Exchange Administrator Role

Grant the Exchange Administrator Role to your app by following the steps below.

  1. Go to Entra ID > Roles & admins from the left sidebar.
  2. In the search bar, type Exchange Administrator and click on it.
  3. On the Assignments page, click the button to Add assignments.
  4. In the search bar, enter the name of the app or its Application ID.
  5. Select your app from the list.
  6. Click Add to confirm the assignment. A confirmation message will appear after the permission is granted.

    Warning

    This role assignment might take up to 30 minutes to take effect.

Important

App password usage, MFA/2FA, SSO, and ADFS are not supported for the migration service account when using Application Permissions. However, users being migrated to your project can have these security features enabled.

Application Permissions for Google Groups to Microsoft 365 Groups Projects

The following steps include new API permissions that must be used in the Entra ID App for Google Groups to Microsoft 365 Groups Projects.

Step One - Create a New Application Registration

Create a new Application Registration in the Microsoft 365 tenant source or destination.

  1. Log in to the Microsoft Entra admin center with a Global Administrator login.
  2. Click View all products and select Microsoft ID (Azure AD) in the Microsoft Entra Admin Center.
  3. In the left sidebar, open the Applications dropdown list and select App Registrations, which is found under the Identity dropdown list.
  4. Select New Registration at the top of the screen.
  5. Give the app a distinct name. You can change this later if necessary.
  6. Select the Accounts in this organizational directory ('Tenant name only' - Single tenant) radio button.
  7. Click Register.
  8. Under the Manage menu, select Authentication (preview).
  9. Select the Settings tab.
  10. Set the option Allow public client flows to Enabled.
  11. Under the Supported Account types, select Accounts in this organizational directory ('Tenant name only' - Single tenant).
  12. Click Save.

Step Two - Assign the API Permissions and Grant Admin Consent

The following steps allow you to assign the API permission and grant consent to the necessary M365 components.

  1. From the Manage menu, select API permissions.
  2. Click Add a Permission.
  3. Select APIs my organization uses.
  4. Scroll down or search for Office 365 Exchange Online.
  5. Select Application permissions and add:
  6. Repeat Step 2 and search for Office 365 Exchange Online.
  7. Now select Delegated permissions and check the box for EWS.AccessAsUser.All under EWS.
  8. Repeat Step 2 and now select Microsoft Graph.
  9. Select Application permissions and under Group select Group.ReadWrite.All.
  10. Click Add Permissions.
  11. Click Grant admin consent.
  12. Click Yes to confirm the settings. Under the Status column, you should see a message that permission has been granted for the domain.
    Your API permissions should look like the below:
    Google Groups to Microsoft 365 Groups API Scopes.png

Step Three - Obtain the AppID and TenantID from the Application Registration

Follow the steps below to obtain the AppID and TenantID from the Application Registration.

  1. Navigate to the App Registrations item as shown below. In the Overview tab, you will find the Application (client) ID and the Directory (Tenant) ID.
  2. Copy both of these to another application, such as Notepad, for use later in this process. This is needed for the MigrationWiz Project Setup.
    Authentication Settings.png

Step Four - Create a Client Secret

Create a Client Secret for the application by following the steps below.

  1. Go to Manage > Certificates & secrets from the left sidebar.
  2. Create a new client secret by clicking + New client secret.
  3. Copy and save the client secret's value in a notepad or other preferred tool.

Warning

The client secret's value is only visible until the first time you sign out of the Azure Portal after creating the secret. After that, it is no longer visible.
If you lose the value, create a new client secret as described above and use it in the steps below.

Step Five - Grant Exchange Administrator Role

Grant the Exchange Administrator Role to your app by following the steps below.

  1. Go to Entra ID > Roles & admins from the left sidebar.
  2. In the search bar, type Exchange Administrator and click on it.
  3. On the Assignments page, click the button to Add assignments.
  4. In the search bar, enter the name of the app or its Application ID.
  5. Select your app from the list.
  6. Click Add to confirm the assignment. A confirmation message will appear after the permission is granted.

    Warning

    This role assignment might take up to 30 minutes to take effect.

Important

App password usage, MFA/2FA, SSO, and ADFS are not supported for the migration service account when using Application Permissions. However, users being migrated to your project can have these security features enabled.

Public Folders Projects

Some Public Folders migration projects now require a more secure and structured setup. You will need to create an application within Azure/Entra ID and configure a Client Secret.

The following scenarios apply for these changes:

Delegated Permissions for Public Folders Projects

This section details the changes for API Permissions applications in Public Folders Projects.

Limitations

  • App password usage, MFA/2FA, SSO, and ADFS are not supported for the migration service account when using Application Permissions. However, users being migrated to your project can have these security features enabled.
  • Client Secret is now a mandatory field when configuring the application registration.

Step One - Create a New Application Registration

Create a new Application Registration in the Microsoft 365 tenant source or destination.

  1. Log in to the Microsoft Entra admin center with a Global Administrator login.
  2. Click View all products and select Microsoft ID (Azure AD) in the Microsoft Entra Admin Center.
  3. In the left sidebar, open the Applications dropdown list and select App Registrations, which is found under the Identity dropdown list.
  4. Select New Registration at the top of the screen.
  5. Give the app a distinct name. You can change this later if necessary.
  6. Select the Accounts in this organizational directory ('Tenant name only' - Single tenant) radio button.
  7. Click Register.
  8. Under the Manage menu, select Authentication (preview).
  9. Select the Settings tab.
  10. Set the option Allow public client flows to Enabled.
  11. Under the Supported Account types, select Accounts in this organizational directory ('Tenant name only' - Single tenant).
  12. Select Save.

Step Two - Assign the API Permissions and Grant Admin Consent

The following steps allow you to assign the API permission and grant consent to the necessary M365 components.

  1. From the Manage menu, select API permissions.
  2. Click Add a Permission.
  3. Select APIs my organization uses.
  4. Scroll down or search for Office 365 Exchange Online.
  5. Select Application permissions.
  6. Check the box under Other Permissions and add full_access_as_app.
  7. Click Add Permissions.
  8. Scroll down or search for Office 365 Exchange Online.
  9. Select Delegated permissions and add EWS.AccessAsUser.All.
  10. Click Add Permissions.
  11. Click Grant admin consent.
  12. Click Yes to confirm the settings. Under the Status column, you should see a message that permission has been granted for the domain.
    Your API permissions should look like the below:
    Public Folder and M365 API Scopes.png

Step Three - Obtain the AppID and TenantID from the Application Registration

Follow the steps below to obtain the AppID and TenantID from the Application Registration.

  1. Navigate to the App Registrations item as shown below. In the Overview tab, you will find the Application (client) ID and the Directory (Tenant) ID.
  2. Copy both of these to another application, such as Notepad, for use later in this process. This is needed for the MigrationWiz Project Setup.
    Authentication Settings.png

Step Four - Create a Client Secret

Create a Client Secret for the application by following the steps below.

  1. Go to Manage > Certificates & secrets from the left sidebar.
  2. Create a new client secret by clicking + New client secret.
  3. Copy and save the client secret's value in a notepad or other preferred tool.

Warning

The client secret's value is only visible until the first time you sign out of the Azure Portal after creating the secret. After that, it is no longer visible.
If you lose the value, create a new client secret as described above and use it in the steps below.

Microsoft 365 Groups mailbox to Microsoft 365 Groups mailbox (Conversations)

Certain M365 Group migration projects now require a more secure and structured configuration. This includes creating an application in Azure/Entra ID, configuring a Client Secret, and, in some cases, assigning the Exchange Administrator role to the application.

The following scenarios apply to these changes:

Delegated Permissions for Microsoft 365 Groups Projects

This section details the changes for API Permissions applications in Microsoft 365 Groups Projects.

Limitations

  • App password usage, MFA/2FA, SSO, and ADFS are not supported for the migration service account when using Application Permissions. However, users being migrated to your project can have these security features enabled.
  • Client Secret is now a mandatory field when configuring the application registration.

Step One - Create a New Application Registration

Create a new Application Registration in the Microsoft 365 tenant source or destination.

  1. Log in to the Microsoft Entra admin center with a Global Administrator login.
  2. Click View all products and select Microsoft ID (Azure AD) in the Microsoft Entra Admin Center.
  3. In the left sidebar, open the Applications dropdown list and select App Registrations, which is found under the Identity dropdown list.
  4. Select New Registration at the top of the screen.
  5. Give the app a distinct name. You can change this later if necessary.
  6. Select the Accounts in this organizational directory ('Tenant name only' - Single tenant) radio button.
  7. Click Register.
  8. Under the Manage menu, select Authentication (preview).
  9. Select the Settings tab.
  10. Set the option Allow public client flows to Enabled.
  11. Under the Supported Account types, select Accounts in this organizational directory ('Tenant name only' - Single tenant).
  12. Click Save.

Step Two - Assign the API Permissions and Grant Admin Consent

The following steps allow you to assign the API permission and grant consent to the necessary M365 components.

  1. From the Manage menu, select API permissions.
  2. Click Add a Permission.
  3. Select APIs my organization uses.
  4. Scroll down or search for Office 365 Exchange Online.
  5. Select Application permissions.
  6. Check the box under Other Permissions and add full_access_as_app.
  7. Click Add Permissions.
  8. Scroll down or search for Office 365 Exchange Online.
  9. Select Delegated permissions and add EWS.AccessAsUser.All.
  10. Click Add Permissions.
  11. Click Grant admin consent.
  12. Click Yes to confirm the settings. Under the Status column, you should see a message that permission has been granted for the domain.
    Your API permissions should look like the below:
    Public Folder and M365 API Scopes.png
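
To confirm that an app registration carries exactly the permissions listed in Step Two for a scenario, and that admin consent shows in the Status column, the API permissions table can be compared against the lists on this page. The following is an added example, not MigrationWiz or Microsoft code; the CSV layout, the scenario keys and the sample rows (tenant name Contoso) are constructed for illustration, and the Google Groups to Microsoft 365 Groups scenario is omitted because its Exchange application permissions are not listed above.

```python
import csv
import io

# Permissions requested in Step Two of each scenario, keyed by (API, type).
FULL = {
    ("Office 365 Exchange Online", "Application"): {"full_access_as_app", "Exchange.ManageAsApp"},
    ("Office 365 Exchange Online", "Delegated"): {"EWS.AccessAsUser.All"},
    ("Microsoft Graph", "Application"): {"Directory.ReadWrite.All"},
}
EWS_ONLY = {
    ("Office 365 Exchange Online", "Application"): {"full_access_as_app"},
    ("Office 365 Exchange Online", "Delegated"): {"EWS.AccessAsUser.All"},
}
# Scenario keys are labels chosen for this example, not MigrationWiz identifiers.
EXPECTED = {
    "t2t-coexistence": FULL,
    "google-groups-to-shared-mailbox": FULL,
    "public-folders": EWS_ONLY,
    "m365-groups-conversations": EWS_ONLY,
}


def audit(scenario, table_csv):
    """Compare a transcribed API permissions table with the scenario's list.

    table_csv columns (assumed layout): api,permission,type,status
    Returns sorted (api, type, permission) tuples under three headings.
    """
    expected = {
        (api, kind, perm)
        for (api, kind), perms in EXPECTED[scenario].items()
        for perm in perms
    }
    seen, not_consented = set(), set()
    for row in csv.DictReader(io.StringIO(table_csv.strip())):
        key = (row["api"].strip(), row["type"].strip(), row["permission"].strip())
        seen.add(key)
        # A consented permission reads "Granted for <tenant>" in the Status column.
        if not row["status"].strip().lower().startswith("granted"):
            not_consented.add(key)
    return {
        "missing": sorted(expected - seen),        # listed on the page, absent from the app
        "unexpected": sorted(seen - expected),     # present on the app, not listed for the scenario
        "not_consented": sorted(not_consented),    # present but admin consent not shown
    }


# Constructed sample: one permission missing, one awaiting consent, and the
# User.Read entry that new app registrations receive by default.
SAMPLE = """
api,permission,type,status
Office 365 Exchange Online,full_access_as_app,Application,Granted for Contoso
Office 365 Exchange Online,EWS.AccessAsUser.All,Delegated,Granted for Contoso
Microsoft Graph,User.Read,Delegated,Granted for Contoso
Microsoft Graph,Directory.ReadWrite.All,Application,Not granted for Contoso
"""

if __name__ == "__main__":
    for heading, items in audit("t2t-coexistence", SAMPLE).items():
        print(heading, items)
```

Entries under "unexpected" are worth reviewing before the project starts, since full_access_as_app and Directory.ReadWrite.All apply tenant-wide once consent is granted.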

Step Three - Obtain the AppID and TenantID from the Application Registration

Follow the steps below to obtain the AppID and TenantID from the Application Registration.

  1. Navigate to the App Registrations item as shown below. In the Overview tab, you will find the Application (client) ID and the Directory (Tenant) ID.
  2. Copy both of these to another application, such as Notepad, for use later in this process. This is needed for the MigrationWiz Project Setup.
    Authentication Settings.png

Step Four - Create a Client Secret

Create a Client Secret for the application by following the steps below.

  1. Go to Manage > Certificates & secrets from the left sidebar.
  2. Create a new client secret by clicking + New client secret.
  3. Copy and save the client secret's value in a notepad or other preferred tool.

Warning

The client secret's value is only visible until the first time you sign out of the Azure Portal after creating the secret. After that, it is no longer visible.
If you lose the value, create a new client secret as described above and use it in the steps below.

 
