
Archive Shuttle 11.0 - Planning Guide

Scoping the application access policy (creating scoped accounts)

NOTE: This process can only be used when configuring Archive Shuttle using a certificate.

Creating an application registration using a certificate

1. Create a new registered application in Azure using a certificate. Follow the instructions in step 1 of the Configuring OAuth with a certificate section.

2. Upload a certificate: go to Certificates & secrets and, under Certificates, click Upload certificate.

3. Select the required certificate, enter a description if needed, and click Add.

4. On API permissions, click Add a permission and add the permissions listed in the For Exchange Online section. Do NOT grant admin consent at this time.

Adding administrative roles

5. On the Roles and administrators tab in the Azure Active Directory admin center, search the text field for the role titled Exchange recipient administrator or Global reader, then click its name.

NOTE: The Global reader role allows you to read any attribute, but not to update attributes.

6. Click Add assignments, search for the application registration you created earlier, and click Add.

Creating an Exchange security group

7. You now need to create an Exchange security group. Go to the Exchange admin center.

8. Under Recipients > Groups, click Add a group.

9. On the Group type page, select Mail-enabled security, and click Next.

10. On the Basics page, enter a group name and, optionally, a description. Once created, this is the group to which you will add the mailboxes that the app registration should have write access to. Click Next.

11. On the Settings page, enter a group email address (this can be the same as the group name), and click Next.

12. Review the group you have created. Once you are satisfied, click Create group. It may take a few minutes for the group to appear in the group list.

NOTE: You may want to stop email being sent to the group directly. To do this, click the group name under Mail-enabled security and, under Settings, check Hide this group from the global address list.

13. You will now need to add users to the group. Select the group under Mail-enabled security and, under Members, select View all and manage members. Select the checkbox of each member and click Add until all the desired members have been added.

Connecting to the tenant

14. Open the PowerShell module and connect to Exchange Online using the following command: Connect-ExchangeOnline. Then click the Run Selection button.

15. Sign in to the module using a Global Administrator account. Connecting may take up to a minute.

Creating the application access policy

16. Use the following command in PowerShell to create the application access policy. Replace the placeholder values with your own:

New-ApplicationAccessPolicy -Description "Policy Name" -AppId 'OAuth App Registration ID' -AccessRight RestrictAccess -PolicyScopeGroupId 'Mail Enabled Security Group Email Address'

Then click Run Selection. The output of the command should appear below it.

NOTES:

- Once the command has been run, it may take up to one hour to take effect. It is recommended that you wait the full period to be sure the policy has been applied.

- You can test whether the policy has been applied successfully with the following command. Replace the placeholder values with your own:

Test-ApplicationAccessPolicy -Identity 'SMTP address' -AppId 'OAuth App Registration ID'
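The commands from steps 14 to 16 combined into one script, added here as an example that is not part of the Archive Shuttle guide: it creates the policy only if none exists for the app, polls Test-ApplicationAccessPolicy until the restriction has propagated, and then checks a mailbox inside the scope group and one outside it. It assumes the ExchangeOnlineManagement module is installed; the app ID, group address and mailbox addresses are placeholders.

```powershell
# Added example, not part of the Archive Shuttle guide. Assumes the
# ExchangeOnlineManagement module is installed; all IDs/addresses are placeholders.
$AppId        = '00000000-0000-0000-0000-000000000000'  # placeholder: app registration (client) ID
$ScopeGroup   = 'as-scope@contoso.example'              # placeholder: mail-enabled security group address
$InScopeUser  = 'alice@contoso.example'                 # placeholder: a mailbox that is a member of the group
$OutScopeUser = 'bob@contoso.example'                   # placeholder: a mailbox that is NOT a member

Connect-ExchangeOnline

# Create the restricting policy once; re-running the script must not create duplicates.
$policy = Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $AppId }
if (-not $policy) {
    $policy = New-ApplicationAccessPolicy -Description 'Archive Shuttle scoped access' `
        -AppId $AppId -AccessRight RestrictAccess -PolicyScopeGroupId $ScopeGroup
}

# Until the policy propagates (up to an hour), Test-ApplicationAccessPolicy reports
# 'Granted' for every mailbox, so wait for the OUT-of-scope mailbox to become 'Denied'.
$deadline = (Get-Date).AddHours(1)
do {
    $outside = Test-ApplicationAccessPolicy -Identity $OutScopeUser -AppId $AppId
    if ($outside.AccessCheckResult -eq 'Denied') { break }
    Start-Sleep -Seconds 300
} while ((Get-Date) -lt $deadline)

# With the restriction in force, a group member must still be reachable.
$inside = Test-ApplicationAccessPolicy -Identity $InScopeUser -AppId $AppId

# Scoped is true only when the member is allowed AND the non-member is refused.
[pscustomobject]@{
    PolicyId       = $policy.Identity
    InScopeResult  = $inside.AccessCheckResult
    OutScopeResult = $outside.AccessCheckResult
    Scoped         = ($inside.AccessCheckResult -eq 'Granted' -and
                      $outside.AccessCheckResult -eq 'Denied')
}
```

Run this before step 17 so admin consent is granted only after Scoped reports True.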

Grant admin consent

17. Go back to the API permissions for your application registration, click Grant admin consent for <tenant>, and click Yes.

NOTE: Using this process may result in certain features not functioning as expected, such as leavers and virtual journal migrations. If this occurs, please contact support.

Using Microsoft Graph

Use of Microsoft Graph is enabled automatically from Archive Shuttle 11.0.

If using Microsoft Graph, ensure that the Azure App Registration section has been filled in in the Credentials Editor, regardless of whether OAuth is being used. If Azure App Registration is left empty, an error will occur.

Microsoft Graph commands and permissions

List users

One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.

Permissions (from least to most privileged), by permission type:

Delegated (work or school account): User.ReadBasic.All, User.Read.All, Directory.Read.All
Delegated (personal Microsoft account): Not supported.
Application: User.Read.All, Directory.Read.All

Get a user

One of the following permissions is required to call this API.

Permissions (from least to most privileged), by permission type:

Delegated (work or school account): User.Read, User.ReadBasic.All, User.Read.All, Directory.Read.All
Delegated (personal Microsoft account): User.Read
Application: User.Read.All, Directory.Read.All

List subscribedSkus

One of the following permissions is required to call this API.

Permissions (from least to most privileged), by permission type:

Delegated (work or school account): Organization.Read.All, Directory.Read.All
Delegated (personal Microsoft account): Not supported.
Application: Organization.Read.All, Directory.Read.All

user: assignLicense

One of the following permissions is required to call this API.

Permissions (from least to most privileged), by permission type:

Delegated (work or school account): User.ReadWrite.All, Directory.ReadWrite.All
Delegated (personal Microsoft account): Not supported.
Application: User.ReadWrite.All, Directory.ReadWrite.All

Update user

One of the following permissions is required to call this API.

Permissions (from least to most privileged), by permission type:

Delegated (work or school account): User.ReadWrite, User.ReadWrite.All, User.ManageIdentities.All, Directory.ReadWrite.All
Delegated (personal Microsoft account): User.ReadWrite
Application: User.ReadWrite.All, User.ManageIdentities.All, Directory.ReadWrite.All

Delete a user

One of the following permissions is required to call this API.

Permissions (from least to most privileged), by permission type:

Delegated (work or school account): User.ReadWrite.All
Delegated (personal Microsoft account): Not supported.
Application: User.ReadWrite.All

Permanently delete item

One of the following permissions is required to call this API. The required permissions depend on the type of item being deleted.

For applications (permissions from least to most privileged, by permission type):

Delegated (work or school account): Application.ReadWrite.All, Directory.ReadWrite.All
Delegated (personal Microsoft account): Not supported.
Application: Application.ReadWrite.OwnedBy, Application.ReadWrite.All

The requestor needs to have one of the following roles: Global Administrator or Application Administrator.

For users (permissions from least to most privileged, by permission type):

Delegated (work or school account): User.ReadWrite.All
Delegated (personal Microsoft account): Not supported.
Application: Not supported.

The signed-in user needs to have one of the following roles: Global Administrator or User Administrator.

For groups (permissions from least to most privileged, by permission type):

Delegated (work or school account): Group.ReadWrite.All
Delegated (personal Microsoft account): Not supported.
Application: Not supported.

The requestor needs to have one of the following roles: Global Administrator or Groups Administrator.

Planning for migrations to PST

To migrate Enterprise Vault data to PST, a PST File Name policy can be defined. The file name policy is built from tokens, as shown in the table below:

Token: Description

*username*: Username of the owning user (sAMAccountName)
*firstname*: First name of the owning user
*lastname*: Last name of the owning user
*fullname*: Full name of the owning user
*email*: E-mail address of the owning user
*upn*: User principal name of the owning user
*pstid*: ID of the PST file; continuous integer over all PST files
*pstnumber*: Number of the PST file; continuous integer per user
*archivename*: Name of the archive
*archiveID*: The Enterprise Vault Archive ID associated with the archive

The tokens can be used to construct filenames and paths.

Planning for migrations to UNC

If you plan to migrate data to UNC, install the Storage Import Module before beginning.

You'll use the Storage Import and Storage Provider target when configuring the workflow policy, mapping wizard, and so on.

While setting up the migration, use the Storage Import Module tab of the System Configuration page to, for example, set item/archive parallelism, set up conversion of MSG to EML, or fail items permanently on specified errors.
