Chat now with support
Chat mit Support

On Demand Migration Current - Hybrid Exchange User Guide

Consents and Permissions

In this topic:

On-Premise connectivity requirements

ODMHE uses EWS and PowerShell for mailbox migration. EWS is used for the mailbox content migration (folders and messages), PowerShell is used to migrate Delegates, Auto-replies, Forwarding. Both endpoints must be configured and enabled on Exchange on-premises server.

EWS endpoint

EWS endpoint URL must be provided during project creation or through the connection dialog in form of http(s)://server-name/EWS/Exchange.asmx.

PowerShell endpoint

PowerShell endpoint address is derived from the EWS URL http(s)://server-name/EWS/Exchange.asmx > http(s)://server-name/powershell

Protocols and Ports

The decision which protocol to use: HTTP or HTTPS, is made when providing the EWS endpoint. The same protocol will be used for PowerShell. To connect to a remote computer, the remote computer must be listening on the port that the connection uses.

For EWS, the default ports are is

  • 80 - HTTP
  • 443 - HTTPS

For PowerShell, the default ports are

  • 5985 - WinRM port for HTTP
  • 5986- WinRM port for HTTPS
Authentication

ODMHE currently supports two authentication methods for Exchange on-premises.

Basic Authentication

Requires to provide Exchange admin credentials as described in the On-Premise connectivity requirements section.

Hybrid Modern Authentication (HMA)

Available for Office 365 hybrid deployments where Microsoft Exchange 2010-2019 on-premises server is linked to a M365 tenant. The tenant must be added to Quest On Demand, and the necessary consents must be granted as described in the Consents for Quest On Demand section.

When HMA is configured then modern authentication (OAuth2) is used for connection to the EWS endpoint for content migration.

Since HMA does not support the remote PowerShell protocol, you must also provide basic authentication credentials (username/pasword) if you want to migrate features like Delegates, Auto-replies, and Forwarding.

IP Addresses

ODMHE uses a predefined range of IP addresses which should be allowed in your environment. The following OnDemand components use these IP ranges:

  • ODMHE Worker function - connects to EWS endpoint for source mailbox validation and retrieving mailbox ID.
  • ODMHE API function - validates EWS connectivity.
  • ODM Migration engine - connects to EWS endpoint for source mailbox content migration
  • ODM PowerShell API - connects to remote PowerShell to migrate or configure some mailbox settings (e-mail forwarding, folder permissions, etc.)

Contact Quest Technical Support for the list of IP addresses.

On-Premise Exchange admin account requirements

ODMHE requires an Exchange admin account for exchange on-premises. It can be specified in the project creation wizard and later updated with the connection dialog.

NOTE: The Exchange admin account does NOT need to have a mailbox on Exchange on-premise.

ODMHE uses the explicit credentials of an administrator account to:

  • migrate the mailbox content (folders and messages) with EWS, and migrate Delegates, Auto-replies, Forwarding with PowerShell when basic authentication is used.
  • migrate Delegates, Auto-replies, Forwarding with Powershell when HMA (Hybrid Modern Authentication) is used.
Permissions needed

For content migration from or to Exchange on-prem these exchange roles must be assigned to migration user:

  • ApplicationImpersonation

For PowerShell based migrations (Delegates, Auto-replies, Forwarding) from or to Exchange on-premise, these Exchange roles must be assigned to the migration user.

  • Active Directory Permissions
  • ApplicationImpersonation
  • Mail Recipients

Consents for Quest On Demand

The ability for On Demand service principals to access and operate with assets requires explicit permissions. The Tenant Administrator grants these permissions through consents. Multi-factor authentication (MFA) is supported for tenant administrators when granting consents.

Each tenant that is added has granted consent to the initial Core - Basic permission set to the On Demand service principal. Additional consents are required to work with different features of On Demand Migration for Hybrid Exchange.

Granting Consent
  1. Click Tenants from the navigation pane.
  2. Select a tenant and click Edit Consents from the tenant tile.
  3. Click Grant Consent or Regrant Consent for the permissions type. Then click Accept in the Microsoft consents dialog.

    This section lists the minimum consents and roles required by the On Demand Migration service principals.

    NOTE: Consents are required only for M365 or HMA tenants. They are not required for on-premise Microsoft Exchange Server.

    For initial tenant setup

    Task Minimum consents and permissions
    Add and configure tenants, and grant consent

    Core-Basic consent from both Source and Target tenant administrator accounts.

    Global Administrator role from both source and target tenant administrator accounts.

    For Mailbox migration

    Task Minimum consents and permissions
    All tasks

    Migration - Basic - Minimal consent from Source tenant administrator accounts.

    Migration - Basic - Full consent from Target tenant administrator accounts.

    Migration - Basic is a legacy permission set and should be replaced with either the Minimal or Full permission sets.

    Migrate mailboxes

    Migration - Mailbox Migration - Minimal consent from Source tenant administrator accounts.

    Migration - Mailbox Migration - Full consent from Target tenant administrator accounts.

    Migration - Mailbox Migration is a legacy permission set and should be replaced with either the Minimal or Full permission sets.

When you have granted the consents, verify that the service principals were successfully created in the target tenant as described in the steps below:

  1. Log in to the Azure admin portal.
  2. Open the Microsoft Entra ID service page.
  3. Click Manage > Enterprise applications from the navigation pane. Then click All applications.
  4. Filter the list if necessary and verify the list of service principals. Your list may differ from the image below.

Throttling

Microsoft service throttling limits the number of concurrent calls to a Microsoft service to prevent overuse of resources. These limits are set by the Microsoft services and are dependent on the service type along with the operations that are being completed by On Demand for the service. In addition, any throttling limits are subject to change by Microsoft.

Microsoft Graph

Microsoft Graph is designed to handle a high volume of requests. If an overwhelming number of requests occurs, throttling helps maintain optimal performance and reliability of the Microsoft Graph service. For more information, see https://learn.microsoft.com/en-us/graph/throttling. Microsoft enforce throttling limits for Microsoft Graph based on tenant size, including requests-per-minute and requests-per-day. Microsoft does not provide a method for modifying these limits.

Handling ODM Throttling

Quest On Demand Migration follows best practices provided by Microsoft when experiencing throttling. These include reducing the number of operations of requests, reducing the frequency of calls and avoiding immediate retries, since all requests accrue against the usage limits for the application.

For requests that an application makes, such as On Demand Migration, including Microsoft Graph, CSOM, or REST calls, Microsoft can return error codes including HTTP status code 429 ("Too many requests") or 503 ("Server Too Busy") which result in the requests to fail. In both cases, a Retry-After header is included in the response indicating how long the calling application should wait before retrying or making a new request.

Upgrading Throttling Policies

Exchange Web Services (EWS) are throttled by Microsoft whenever large quantities of data flows through the EWS platform. The On Demand Migration service throughput can be improved by upgrading the following throttling policy parameter setting to Unlimited:

  • EwsMaxBurst - Defines the amount of time that an EWS user can consume an elevated amount of resources before being throttled. This is measured in milliseconds. This value is set separately for each component.
  • EwsRechargeRate - Defines the rate at which an EWS user's budget is recharged (budget grows by) during the budget time.
  • EwsCutoffBalance - Defines the resource consumption limits for EWS user before that user is completely blocked from performing operations on a specific component.

Tenant administrators can upgrade the throttling policies by making a service request with Microsoft.

Desktop Update Agent

To complete a migration project, a lightweight user desktop application called Desktop Update Agent (DUA) must be configured and deployed by administrators and run on users workstations. DUA provides enhanced support, helps ensure the success of cross-tenant migration projects, makes agent delivery easier, and status reporting more informative.

DUA features:

  • Ability to manage user’s application reconfigurations activities from a single view within On Demand Migration.
  • Support for Microsoft 365 application license reset.
  • Support for various client authentication mechanisms.

For more information about downloading, administration and use of DUA, see the Quest On Demand Migration Update Agent Guide.

Test and Pilot Migrations

Any full scale migration should be preceded by test and pilot migrations, to confirm that your migration processes and procedures will accommodate the organization requirements.

  • A test migration uses real users and real data in a segregated test environment, or dummy users and dummy data in your live production environment.
  • A pilot migration uses a small portion of real users and real data in the live production environment.

In either case - a test or pilot migration - the data to be migrated should be a representative sample of the production data, and the test or pilot migration should be run with the Quest applications set for the same configuration and process options that you intend to use for the production migration. it is recommended to select test or pilot users whose usage and data types make them representative of the total user population. Then create and run matching / migration tasks for those accounts, including all range of tasks you are planning to perform. When the tasks are completed, review errors and warnings, if any. See Event Management section for more information.

Quest recommends that you use both test and pilot migrations:

Perform one or more test migrations in a separate test environment, migrating test copies of real users and their real data. The separate test environment ensures that no test process will affect the data or configurations of your production environment. If a test exposes any problems under migration, you can make amendments and then repeat the test by simply dumping the test environment and recreating it from scratch.

When you are confident that your test migrations have sufficiently refined your planned migration, perform a pilot migration for 20 or 30 users to verify if your planned migration is satisfactory for your "real world."

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen