Chatee ahora con Soporte
Chat con el soporte

On Demand Migration Current - User Guide

About On Demand Migration Working with On Demand Migration Account Migration Mailbox Migration OneDrive Migration Microsoft Teams Migration Microsoft 365 Groups Migration SharePoint Migration Public Folders Migration Power BI Migration Troubleshooting Finalizing the Migration Appendix A: Using PowerShell Appendix B: How Queuing Works

Consents and Permissions

The ability for On Demand service principals to access and operate with tenant assets requires explicit permissions. The Tenant Administrator grants these permissions through consents. Multi-factor authentication (MFA) is supported for tenant administrators when granting consents.

When a tenant is added, the initial Core - Basic permission set is granted consent to the On Demand service principal. Additional consents are required to work with different features of On Demand Migration

While consents allow Quest On Demand Migrationto access tenant assets that are exposed to the application, you can selectively restrict access to specific assets in your tenant and allow access to the other assets in the environment. Granting selective access requires additional configuration in your tenant as described below.

In this topic:

Restricting access scope

You can use the following resource-scoped access control methods in your tenant:

Role Based Access Control for Exchange Online

RBAC for Applications in Exchange Online allows admins to grant permissions to Quest On Demand Migration for Mailboxes which migrates data in Exchange Online. Exchange Online RBAC permissions must be set up in the tenant for Exchange Web Services (EWS) to ensure that Quest On Demand Migration for Mailboxes can migrate mailbox data for users within the scope of the RBAC configuration. See the Knowledge Base for more details or contact Quest Technical Support for assistance.

Sites.Selected permission for specific SharePoint Online site collections

You can enhance the security of SharePoint Online (SPO), by ensuring that On Demand Migration for SharePoint has access only to specific SharePoint sites, preventing unnecessary exposure to other sites in the environment. To achieve selected access, you must configure the Sites.Selected permission which is part of the permissions model for controlling access to specific SharePoint sites or site collections.

This permission can also be used to restrict On Demand Migration for Teams for migrating Teams and M365 Groups within the scope of the specific SharePoint sites that are exposed to the application.

Here’s a breakdown of what Sites.Selected means:

Purpose: The Sites.Selected permission is used primarily in the context of Microsoft Graph API or Azure AD permissions, where you want to restrict access to only specific SharePoint sites. It is part of the delegated or application permissions model, which allows a service or app to interact with SharePoint on behalf of the user (in delegated permissions) or as itself (in application permissions).

What it does: This permission gives an application or user the ability to access only selected SharePoint sites, instead of granting broader access to all sites in the tenant. This is more granular compared to other permissions like Sites.FullControl.All, Sites.Read.All, or Sites.Manage.All, which grant broader access.

Key Permissions in Comparison:

  • Sites.FullControl.All: This allows full control of all SharePoint sites across the tenant.
  • Sites.Read.All: This provides read access to all sites in the tenant.
  • Sites.Selected: Access is restricted to a specific set of sites (only the ones specified).

NOTE: When implemented, Site.Selected replaces the Sites.FullControl.All and Sites.Read.All permissions.

Example Scenarios:

  • Admin-level control: An administrator can use Sites.Selected to configure apps that need specific access to particular sites for functions like document management, workflow integration, or customized solutions.
  • Granular control: You could use it for limiting access to a few department-specific sites or a small set of collaborative sites, instead of granting Quest On Demand access to the entire SharePoint Online environment.

How it's implemented: The Sites.Selected permission, is typically granted during the registration of an Azure AD app, or when configuring API permissions to interact with SharePoint via Graph API. It requires specifying the sites the app will have access to, and this can be done by defining a list of URLs or site identifiers. This permission requires implementation through the Azure portal, PowerShell scripts and Graph explorer. See the Knowledge Base for more details or contact Quest Technical Support for assistance with this implementation.

Granting Consents
  1. Click Tenants from the navigation pane.
  2. Select a tenant and click Edit Consents from the tenant tile.
  3. Click Grant Consent or Regrant Consent for the permissions type.
  4. Log in as the tenant administrator of the source or target tenant. Then click Accept in the Microsoft consents dialog.

This section lists the minimum consents and roles required by the various On Demand Migration service principals for managing tenants, Microsoft 365 objects and other migration services.

NOTE: The following permission sets are legacy and not available for new Quest® On Demand Migration subscribers. If you already use them, they should be replaced with either the corresponding Minimal or Full permission sets.

  • Migration - Basic
  • Migration - Mailbox Migration
  • Migration - SharePoint
  • Migration - Teams

For more details about the permissions granted through consents for each service principal, see the On Demand Migration Permissions Reference Guide.

For initial tenant setup
Task Minimum consents and permissions
Add and configure tenants, and grant consent

Core-Basic consent from both Source and Target tenant administrator accounts.

Global Administrator role from both source and target tenant administrator accounts.

Each tenant that is added is granted consent to the initial Core - Basic permission set to the On Demand service principal. Additional consents are required to work with different features of On Demand Migration.

For Sensitivity Label migration
Task Minimum consents and permissions
All tasks

AIP protected content migration - Read consent from Source tenant administrator accounts.

AIP protected content migration - Write consent from Target tenant administrator accounts.

For Account migration
Task Minimum consents and permissions
All tasks including discover and migrate accounts

Migration - Basic - Minimal consent from Source tenant administrator accounts.

Migration - Basic - Full consent from Target tenant administrator accounts.

Migrate hybrid accounts

Global Administrator role for both Source and Target tenant administrator accounts.

Migrate Guest Users

Guest Inviter role for both Source and Target tenant administrator accounts.

For Mailbox migration
Task Minimum consents and permissions
All tasks

Migration - Basic - Minimal consent from Source tenant administrator accounts.

Migration - Basic - Full consent from Target tenant administrator accounts.

Migrate mailboxes

Migration - Mailbox Migration - Minimal consent from Source tenant administrator accounts or Migration - Mailbox Migration - Custom RBAC with additional consentsfrom Source tenant administrator accounts.

and

Migration - Mailbox Migration - Full consent from Target tenant administrator accounts or Migration - Mailbox Migration - Custom RBAC with additional consents from Target tenant administrator accounts.

For Public Folder migration
Task Minimum consents and permissions
All tasks

Migration - Basic - Minimal consent from Source tenant administrator accounts.

Migration - Basic - Full consent from Target tenant administrator accounts.

Migrate Public Folders

Migration - Mailbox Migration - Minimal consent from Source tenant administrator accounts.

Migration - Mailbox Migration - Full consent from Target tenant administrator accounts.

Owner permission for the root Public Folder of the target tenant must also be granted to the target tenant administrator account.

IMPORTANT: You must explicitly provide the username of the root Public Folder owner using Configure Connections.

For OneDrive migration
Task Minimum consents and permissions
All tasks

Migration - Basic - Minimal consent from Source tenant administrator accounts.

Migration - Basic - Full consent from Target tenant administrator accounts.

Migrate OneDrive

Migration - OneDrive - Minimal consent from Source tenant administrator accounts.

Migration - OneDrive - Full consent from Target tenant administrator accounts.

Provision OneDrive

SharePoint Administrator role for provisioning OneDrive on the target tenant.

IMPORTANT: You must provide explicit credentials using Configure Connections. Multi-factor authentication (MFA) is not supported for accounts whose credentials are entered explicitly.

For SharePoint migration
Task Minimum consents and permissions
All tasks

Migration - Basic - Minimal consent from Source tenant administrator accounts.

Migration - Basic - Full consent from Target tenant administrator accounts.

Migrate SharePoint

Migration - SharePoint - Minimal consent from Source tenant administrator accounts.

Migration - SharePoint - Full consent from Target tenant administrator accounts.

For Teams migration
Task Minimum consents and permissions
All tasks

Migration - Basic - Minimal consent from Source tenant administrator accounts.

Migration - Basic - Full consent from Target tenant administrator accounts.

Migrate Teams and Microsoft 365 Groups with Teams functionality

Migration - Mailbox Migration - Minimal for the Source tenant

Migration - Mailbox Migration - Full for the Target tenant

Migration - SharePoint - Minimal for the Source tenant

Migration - SharePoint - Full for the Target tenant.

Migration - Teams - Minimal for the Source tenant

Migration - Teams - Full for the Target tenant.

Global Administrator Entra ID role or both the Teams Administrator and Exchange Administrator Entra ID roles for Source and Target tenant administrator accounts. In addition to these roles, the tenant administrator account that grants the consents to the Migration -Teams service also requires the following:

  • an active Microsoft 365 license
  • Microsoft Teams app enabled within the Microsoft 365 license
  • the account must remain active for the duration of the migration
For Power BI migration
Task Minimum consents and permissions
All tasks

Migration - Basic - Minimal consent from Source tenant administrator accounts.

Migration - Basic - Full consent from Target tenant administrator accounts.

View Power BI

Migration - Power BI consent from Source and Target tenant administrator accounts.

Global Administrator role from both source and target tenant administrator accounts.

Migrate Power BI Additional manual setup is required for both source and target tenants through the Azure portal. The steps required to grant additional permissions are described below.

Granting additional permissions for the source and target tenants

This is a two part process as described below:

Part 1: Azure Portal Security Group Setup

In this part, a new security group is created in Microsoft Entra ID for each source and target tenant, to associate the service principal of the Quest On Demand - Migration - Power BI enterprise application. Additional permissions can be then be granted to the service principal to access and operate on Power BI objects.

  1. Login to https://portal.azure.com with your tenant credentials.
  2. Open the Microsoft Entra ID service page.
  3. Click Manage > Groups from the navigation panel. Then click New Group.

  4. In the New Group page, setup the group as described below:
    1. Group type = Security
    2. Group name = name of the group. For example, ODMPBI
    3. Group description = short description about the group. For example, ODM Power BI Migration.
    4. Under Members, click No members selected
    5. In the Add members list that opens, search and select Quest On Demand - Migration - Power BI. Then click Select at the bottom of the page.

    6. Click Create. The group is created with the Quest On Demand - Migration - Power BI service principal as a member.
  5. Follow all the above steps to create a security group in both source and target tenants.

Part 2: Power BI Setup

In this part, the security group created in each tenant is configured to allow the service principals to use Power BI APIs and create and use Power BI profiles.

  1. Log into the Power BI service portal at https://app.powerbi.com with your tenant credentials.
  2. Click the Settings icon in the top bar and then click Admin portal.
  3. From the navigation panel, click Tenant settings.
  4. Scroll down to the Developer Settings section.
    1. Expand the Embed content in apps option.
      1. Set the slider to Enabled.
      2. For the Apply to option, select Specific security groups, and specify the group name created in Part 1 above. For example, enter ODMPBI.
      3. Click Apply to save the changes.

    2. Under Developer Settings, expand following options. Then enable each option and repeat the above steps to associate the security group:
      • Service principals can create workspaces, connections, and deployment pipelines
      • Service principals can call Fabric public APIs
      • Allow service principals to create and use profiles
  5. Scroll down to the Admin API settings section.
  6. Expand following options. Then enable each option and repeat the above steps to associate the security group:
    • Service principals can access read-only admin APIs
    • Enhance admin APIs responses with detailed metadata
    • Enhance admin APIs responses with DAX and mashup expressions

  7. For the source tenant, expand Export and sharing settings and verify the Download reports option is Enabled and the option is either set to The entire organization or Specific security groups with the group name created in Part 1 above.

  8. For the target tenant expand Workspace settings and verify the Create workspaces option is Enabled and the option is either set to The entire organization or Specific security groups with the group name created in Part 1 above.

To migrate Power BI data, the security group must also be granted explicit rights in all tenant Power BI objects like Connections, Gateways and Workspaces.

For Connections and Standard Gateways

  1. Click the Settings icon in the top bar and then click Manage connections and gateways.
  2. Under Manage connections and gateways, select each On-premises gateway and give Admin rights to the group, created in Part 1.
  3. Repeat the above steps for source and target tenant.

NOTE: The Service Principal in the source tenant must be assigned the Admin permission.

  • For each Workspace that you want to migrate (Source tenant only)
    1. Open the Workspace and click Manage Access.
    2. In the Add people page that opens, add the security group created in part 1 and assign the Admin role to the group.

    NOTE: The Service Principal in the source tenant must be assigned the Owner/Admin permission.

    • Verifying Service Principals

    When you have granted the consents, you can verify that the service principals were successfully created in the tenant. You must verify both source and target tenants.

    1. Log in to Microsoft Entra Admin Center.
    2. Go to Identity > Applications > Enterprise applications from the navigation panel. Then click All applications. Filter the list if necessary and verify the list of Quest On Demand service principals. Your list depends on the subscriptions and consents that you have granted, and may differ from the image below.

    Throttling

    Microsoft service throttling limits the number of concurrent calls to a Microsoft service to prevent overuse of resources. These limits are set by the Microsoft services and are dependent on the service type along with the operations that are being completed by On Demand for the service. In addition, any throttling limits are subject to change by Microsoft.

    Microsoft Graph

    Microsoft Graph is designed to handle a high volume of requests. If an overwhelming number of requests occurs, throttling helps maintain optimal performance and reliability of the Microsoft Graph service. For more information, see https://learn.microsoft.com/en-us/graph/throttling. Microsoft enforce throttling limits for Microsoft Graph based on tenant size, including requests-per-minute and requests-per-day. Microsoft does not provide a method for modifying these limits.

    Microsoft Power BI REST API

    The Microsoft Power BI REST API (Admin API) may experience throttling during usage, as concurrent API access is monitored for any ongoing tasks within a tenant. Discovery tasks are likely to be the most affected by this throttling. We recommend that discovery or statistics collection be run as standalone tasks to minimize potential impacts.

    For more information, please reference the following documentation from Microsoft: https://learn.microsoft.com/en-us/rest/api/power-bi/#throttling

    Handling ODM Throttling

    Quest On Demand Migration follows best practices provided by Microsoft when experiencing throttling. These include reducing the number of operations of requests, reducing the frequency of calls and avoiding immediate retries, since all requests accrue against the usage limits for the application.

    For requests that an application makes, such as On Demand Migration, including Microsoft Graph, CSOM, or REST calls, Microsoft can return error codes including HTTP status code 429 ("Too many requests") or 503 ("Server Too Busy") which result in the requests to fail. In both cases, a Retry-After header is included in the response indicating how long the calling application should wait before retrying or making a new request.

    Upgrading Throttling Policies

    Exchange Web Services (EWS) are throttled by Microsoft whenever large quantities of data flows through the EWS platform. The On Demand Migration service throughput can be improved by upgrading the following throttling policy parameter setting to Unlimited:

    • EwsMaxBurst - Defines the amount of time that an EWS user can consume an elevated amount of resources before being throttled. This is measured in milliseconds. This value is set separately for each component.
    • EwsRechargeRate - Defines the rate at which an EWS user's budget is recharged (budget grows by) during the budget time.
    • EwsCutoffBalance - Defines the resource consumption limits for EWS user before that user is completely blocked from performing operations on a specific component.

    Tenant administrators can upgrade the throttling policies by making a service request with Microsoft.

    Desktop Update Agent

    To complete a migration project, a lightweight user desktop application called Desktop Update Agent (DUA) must be configured and deployed by administrators and run on users workstations. DUA provides enhanced support, helps ensure the success of cross-tenant migration projects, makes agent delivery easier, and status reporting more informative.

    DUA features:

    • Ability to manage user’s application reconfigurations activities from a single view within On Demand Migration.
    • Support for OneDrive for Business and Microsoft Teams.
    • Support for Microsoft 365 application license reset.
    • Support for various client authentication mechanisms.

    For more information about downloading, administration and use of DUA, see the Quest On Demand Migration Update Agent Guide.

    Test and Pilot Migrations

    Any full scale migration should be preceded by test and pilot migrations, to confirm that your migration processes and procedures will accommodate the organization requirements.

    • A test migration uses real users and real data in a segregated test environment, or dummy users and dummy data in your live production environment.
    • A pilot migration uses a small portion of real users and real data in the live production environment.

    In either case - a test or pilot migration - the data to be migrated should be a representative sample of the production data, and the test or pilot migration should be run with the Quest applications set for the same configuration and process options that you intend to use for the production migration. it is recommended to select test or pilot users whose usage and data types make them representative of the total user population. Then create and run matching / migration tasks for those accounts, including all range of tasks you are planning to perform. When the tasks are completed, review errors and warnings, if any. See Event Management section for more information.

    Quest recommends that you use both test and pilot migrations:

    Perform one or more test migrations in a separate test environment, migrating test copies of real users and their real data. The separate test environment ensures that no test process will affect the data or configurations of your production environment. If a test exposes any problems under migration, you can make amendments and then repeat the test by simply dumping the test environment and recreating it from scratch.

    When you are confident that your test migrations have sufficiently refined your planned migration, perform a pilot migration for 20 or 30 users to verify if your planned migration is satisfactory for your "real world."

    Documentos relacionados

    The document was helpful.

    Seleccionar calificación

    I easily found the information I needed.

    Seleccionar calificación