In this topic:
- On-Premise connectivity requirements
- On-Premise Exchange admin account requirements
- Consents for Quest On Demand
On-Premise connectivity requirements
ODMHE uses EWS and PowerShell for mailbox migration. EWS is used for the mailbox content migration (folders and messages); PowerShell is used to migrate Delegates, Auto-replies and Forwarding. Both endpoints must be configured and enabled on the Exchange on-premises server.
EWS endpoint
The EWS endpoint URL must be provided during project creation or through the connection dialog, in the form http(s)://server-name/EWS/Exchange.asmx.
PowerShell endpoint
The PowerShell endpoint address is derived from the EWS URL: http(s)://server-name/EWS/Exchange.asmx becomes http(s)://server-name/powershell.
Protocols and Ports
The protocol, HTTP or HTTPS, is chosen when you provide the EWS endpoint; the same protocol is then used for PowerShell. To connect to a remote computer, the remote computer must be listening on the port that the connection uses.
For EWS, the default ports are
- 80 - HTTP
- 443 - HTTPS
For PowerShell, the default ports are
- 5985 - WinRM port for HTTP
- 5986 - WinRM port for HTTPS
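A pre-flight check for the two endpoints described above, written as an added example for this page (it is not Quest's own code). It derives the PowerShell endpoint from the EWS URL and probes the ports from the table above; the EWS URL value is a placeholder you replace with your own.

```powershell
# Added example: verify ODMHE on-premises connectivity from a Windows host
# that can reach the Exchange server. $EwsUrl is a placeholder value.
param(
    [string]$EwsUrl = "https://mail.example.com/EWS/Exchange.asmx"
)

$uri    = [System.Uri]$EwsUrl
$useTls = ($uri.Scheme -eq 'https')

# The PowerShell endpoint keeps the scheme and host of the EWS URL, path /powershell
$psUrl = "{0}://{1}/powershell" -f $uri.Scheme, $uri.Host

# Default ports from the documentation: 80/443 for EWS, 5985/5986 (WinRM) for PowerShell
$checks = @(
    @{ Name = 'EWS';        Url = $EwsUrl; Port = $(if ($useTls) { 443 }  else { 80 })   }
    @{ Name = 'PowerShell'; Url = $psUrl;  Port = $(if ($useTls) { 5986 } else { 5985 }) }
)

foreach ($c in $checks) {
    # -InformationLevel Quiet makes Test-NetConnection return $true/$false only
    $open = Test-NetConnection -ComputerName $uri.Host -Port $c.Port `
                -InformationLevel Quiet -WarningAction SilentlyContinue
    $state = if ($open) { 'OPEN' } else { 'BLOCKED' }
    Write-Host ("{0,-10} {1,-45} port {2,-5} {3}" -f $c.Name, $c.Url, $c.Port, $state)
}

if (-not $useTls) {
    # Basic authentication sends the admin credentials with every request,
    # so over plain HTTP they cross the network unencrypted.
    Write-Warning "EWS URL uses HTTP; Basic authentication credentials would be sent in clear text. Use HTTPS."
}
```

Run it from the host or network segment that will carry the migration traffic, since a port that is open from the Exchange server itself may still be blocked by a perimeter firewall.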
Authentication
ODMHE currently supports two authentication methods for Exchange on-premises.
Basic Authentication
Requires Exchange admin credentials, as described in the On-Premise Exchange admin account requirements section.
Hybrid Modern Authentication (HMA)
Available for Office 365 hybrid deployments where a Microsoft Exchange 2010-2019 on-premises server is linked to an M365 tenant. The tenant must be added to Quest On Demand, and the necessary consents must be granted as described in the Consents for Quest On Demand section.
When HMA is configured then modern authentication (OAuth2) is used for connection to the EWS endpoint for content migration.
Since HMA does not support the remote PowerShell protocol, you must also provide basic authentication credentials (username/password) if you want to migrate features like Delegates, Auto-replies, and Forwarding.
IP Addresses
ODMHE uses a predefined range of IP addresses which should be allowed in your environment. The following OnDemand components use these IP ranges:
- ODMHE Worker function - connects to the EWS endpoint for source mailbox validation and retrieving the mailbox ID.
- ODMHE API function - validates EWS connectivity.
- ODM Migration engine - connects to the EWS endpoint for source mailbox content migration.
- ODM PowerShell API - connects to remote PowerShell to migrate or configure some mailbox settings (e-mail forwarding, folder permissions, etc.).
Contact Quest Technical Support for the list of IP addresses.
On-Premise Exchange admin account requirements
ODMHE requires an Exchange admin account for Exchange on-premises. It can be specified in the project creation wizard and later updated with the connection dialog.
NOTE: The Exchange admin account does NOT need to have a mailbox on Exchange on-premise.
ODMHE uses the explicit credentials of an administrator account to:
- migrate the mailbox content (folders and messages) with EWS, and migrate Delegates, Auto-replies, Forwarding with PowerShell when basic authentication is used.
- migrate Delegates, Auto-replies, Forwarding with PowerShell when HMA (Hybrid Modern Authentication) is used.
Permissions needed
For content migration from or to Exchange on-premises, this Exchange role must be assigned to the migration user:
- ApplicationImpersonation
For PowerShell-based migrations (Delegates, Auto-replies, Forwarding) from or to Exchange on-premises, these Exchange roles must be assigned to the migration user:
- Active Directory Permissions
- ApplicationImpersonation
- Mail Recipients
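The role assignments above can be created and checked from the Exchange Management Shell; the following is an added example for this page, not Quest's own tooling. The account name is a placeholder, and the assignment names are a convention chosen here so the grants are easy to find and revoke once the migration is finished.

```powershell
# Added example: assign and verify the Exchange roles ODMHE needs for the
# migration account. Run in the Exchange Management Shell on-premises.
# $MigrationUser is a placeholder value.
param(
    [string]$MigrationUser = "CONTOSO\odmhe-migration",
    [switch]$IncludePowerShellRoles   # also grant the roles for Delegates/Auto-replies/Forwarding
)

# Content migration over EWS needs only ApplicationImpersonation;
# the PowerShell-based settings migration needs the two additional roles.
$roles = @('ApplicationImpersonation')
if ($IncludePowerShellRoles) {
    $roles += 'Active Directory Permissions', 'Mail Recipients'
}

foreach ($role in $roles) {
    $existing = Get-ManagementRoleAssignment -RoleAssignee $MigrationUser -Role $role `
                    -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "[ok]   $role is already assigned to $MigrationUser"
        continue
    }
    # A named assignment (our convention) makes the grant easy to audit and remove later
    New-ManagementRoleAssignment -Name "ODMHE-$role" -Role $role -User $MigrationUser | Out-Null
    Write-Host "[done] $role assigned to $MigrationUser"
}

# Final verification: list every role assignment the account now holds
Get-ManagementRoleAssignment -RoleAssignee $MigrationUser |
    Select-Object Name, Role, RoleAssigneeType, Enabled |
    Format-Table -AutoSize
```

Run it without -IncludePowerShellRoles for an EWS-only content migration, and with the switch when Delegates, Auto-replies or Forwarding will be migrated; remove the ODMHE-* assignments when the project is complete.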
Consents for Quest On Demand
The ability for On Demand service principals to access and operate with assets requires explicit permissions. The Tenant Administrator grants these permissions through consents. Multi-factor authentication (MFA) is supported for tenant administrators when granting consents.
When a tenant is added, consent to the initial Core - Basic permission set is granted to the On Demand service principal. Additional consents are required to work with different features of On Demand Migration for Hybrid Exchange.
Granting Consent
- Click Tenants from the navigation pane.
- Select a tenant and click Edit Consents from the tenant tile.
- Click Grant Consent or Regrant Consent for the permissions type. Then click Accept in the Microsoft consents dialog.
This section lists the minimum consents and roles required by the On Demand Migration service principals.
NOTE: Consents are required only for M365 or HMA tenants. They are not required for on-premise Microsoft Exchange Server.
For initial tenant setup
Task: Add and configure tenants, and grant consent
Minimum consents and permissions:
- Core - Basic consent from both Source and Target tenant administrator accounts.
- Global Administrator role from both Source and Target tenant administrator accounts.
For Mailbox migration
Task: All tasks
Minimum consents and permissions:
- Migration - Basic - Minimal consent from Source tenant administrator accounts.
- Migration - Basic - Full consent from Target tenant administrator accounts.
Migration - Basic is a legacy permission set and should be replaced with either the Minimal or Full permission sets.
Task: Migrate mailboxes
Minimum consents and permissions:
- Migration - Mailbox Migration - Minimal consent from Source tenant administrator accounts.
- Migration - Mailbox Migration - Full consent from Target tenant administrator accounts.
Migration - Mailbox Migration is a legacy permission set and should be replaced with either the Minimal or Full permission sets.
When you have granted the consents, verify that the service principals were successfully created in the target tenant as described in the steps below:
- Log in to the Azure admin portal.
- Open the Microsoft Entra ID service page.
- Click Manage > Enterprise applications from the navigation pane. Then click All applications.
- Filter the list if necessary and verify the list of service principals. Your list may differ from the image below.