OAuth support for GCC and GCC High tenants
You may experience an issue where it is claimed that OAuth is not supported with GCC and GCC High tenants. This issue can be resolved using the Credentials Editor.
1.Go the the Credentials Editor, then the Office 365 Auth tab.
2.Click Edit.
3.On the Azure cloud drop down list, select:
a.AzureCloud for GCC tenants
b.AzureUSGovernment for GCC High tenants.
4.Click OK.
Using Microsoft Graph
Use of Microsoft Graph is enabled automatically from Archive Shuttle 11.0.
If using Microsoft Graph, ensure that the Azure App Registration section has been filled in the Credentials Editor, regardless if OAuth is being used. If Azure App Registration is left empty, an error will occur.
Microsoft Graph commands and permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.
|
Permission type |
Permissions (from least to most privileged) |
|---|---|
|
Delegated (work or school account) |
User.ReadBasic.All, User.Read.All, Directory.Read.All |
|
Delegated (personal Microsoft account) |
Not supported. |
|
Application |
User.Read.All, Directory.Read.All |
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.
|
Permission type |
Permissions (from least to most privileged) |
|---|---|
|
Delegated (work or school account) |
User.Read, User.ReadBasic.All, User.Read.All, Directory.Read.All |
|
Delegated (personal Microsoft account) |
User.Read |
|
Application |
User.Read.All, Directory.Read.All |
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.
|
Permission type |
Permissions (from least to most privileged) |
|---|---|
|
Delegated (work or school account) |
Organization.Read.All, Directory.Read.All |
|
Delegated (personal Microsoft account) |
Not supported. |
|
Application |
Organization.Read.All, Directory.Read.All |
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.
|
Permission type |
Permissions (from least to most privileged) |
|---|---|
|
Delegated (work or school account) |
User.ReadWrite.All, Directory.ReadWrite.All |
|
Delegated (personal Microsoft account) |
Not supported. |
|
Application |
User.ReadWrite.All, Directory.ReadWrite.All |
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.
|
Permission type |
Permissions (from least to most privileged) |
|---|---|
|
Delegated (work or school account) |
User.ReadWrite, User.ReadWrite.All, User.ManageIdentities.All, Directory.ReadWrite.All |
|
Delegated (personal Microsoft account) |
User.ReadWrite |
|
Application |
User.ReadWrite.All, User.ManageIdentities.All, Directory.ReadWrite.All |
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.
|
Permission type |
Permissions (from least to most privileged) |
|---|---|
|
Delegated (work or school account) |
User.ReadWrite.All |
|
Delegated (personal Microsoft account) |
Not supported. |
|
Application |
User.ReadWrite.All |
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.
For applications:
|
Permission type |
Permissions (from least to most privileged) |
|---|---|
|
Delegated (work or school account) |
Application.ReadWrite.All, Directory.ReadWrite.All |
|
Delegated (personal Microsoft account) |
Not supported. |
|
Application |
Application.ReadWrite.OwnedBy, Application.ReadWrite.All |
The requestor needs to have one of the following roles: Global Administrator or Application Administrator.
For users:
|
Permission type |
Permissions (from least to most privileged) |
|---|---|
|
Delegated (work or school account) |
User.ReadWrite.All |
|
Delegated (personal Microsoft account) |
Not supported. |
|
Application |
Not supported. |
The signed-in user needs to have one of the following roles: Global Administrator or User Administrator.
For groups:
|
Permission type |
Permissions (from least to most privileged) |
|---|---|
|
Delegated (work or school account) |
Group.ReadWrite.All |
|
Delegated (personal Microsoft account) |
Not supported. |
|
Application |
Not supported. |
The requestor needs to have one of the following roles: Global Administrator or Groups Administrator.
Global Administrator consent for app-only permissions
Any app-only permission requires a global administrator of the directory to give consent to the application. Select one of the following options, depending on the role:
Global tenant administrator
For a global tenant administrator:
1.Go to Enterprise applications in the Azure portal
2.Select the app registration, and select Permissions from the Security section of the left pane.
3.Select the button labeled Grant admin consent for {Tenant Name} (where {Tenant Name} is the name of the directory)
Standard user
For a standard user of your tenant, ask a global administrator to grant admin consent to the application. To do this, provide the following URL to the administrator:
In the URL:
·Replace Enter_the_Tenant_Id_Here with the tenant ID or tenant name (for example, contoso.microsoft.com)
·Enter_the_Application_Id_Here is the application (client) ID for the registered application
|
|
NOTE: The error 'AADSTS50011: No reply address is registered for the application' may be displayed after you grant consent to the app by using the preceding URL. This error occurs because the application and the URL do not have a redirect URI. This can be ignored. |
Automated lifting of throttling restrictions
Microsoft has made it possible to easily lift EWS throttling limits for up to 90 days during a migration. Archive Shuttle uses EWS to communicate with Office 365.
To request that Microsoft relax the throttling limits, follow these steps:
1.Go to the Help (?) section of the Microsoft 365 admin center.
2.Click the Need Help icon.
3.Enter EWS throttling as the search phrase.
4.Click Run tests when asked to check your environment. The tests check what EWS throttling applies to the tenant.
5.The support assistant checks the tenant settings and should normally conclude that EWS is throttled. You will then be offered the chance to update the settings to the tenant EWS policy to lift throttling for 30, 60, or 90 days.
6.Select the number of days you would like to adjust the policy for and then Update Settings.
7.After a short delay, the support assistant should confirm that the settings have been changed.
8.The new setting will be effective for the tenant in about 15 minutes and you should then be able to start migration transfers at full speed.
Planning for migrations to PST
In order to perform a migration of Enterprise Vault data to PST, a PST File Name policy can be defined. The file name policy is defined with tokens, as shown in the table below:
|
Token |
Description |
|---|---|
|
*username* |
Username of the owning user (sAMAccount Name) |
|
*firstname* |
First name of the owning user |
|
*lastname* |
Last name of the owning user |
|
*fullname* |
Full name of the owning user |
|
*email* |
E-mail address of the owning user |
|
*upn* |
User principal name of the owning user |
|
*pstid* |
ID of the PST file; continuous integer over all PST files |
|
*pstnumber* |
Number of PST file; continuous integer per user |
|
*archivename* |
Name of the archive |
|
*archiveID* |
The Enterprise Vault Archive ID associated with the archive |
The tokens can be used to construct filenames and paths.