Once the account migration is complete, you might want to grant target accounts access to source tenant’s resources and applications.
Basic resource processing workflow consists of the following steps:
IMPORTANT: Resource processing does not copy resources to the target tenant. It simply provides the access to source resources by creating a linked guest user in the source for each migrated / matched target account. These guest users are granted the same permissions as the corresponding source accounts and become members of the same SharePoint groups.
Only permissions directly granted to the source account are transferred.
See the Processing Resources for step by step instruction how to configure resource processing.
On Demand Migration can process the following resources on the source tenant:
- Resource roles related to selected accounts
- Applications assigned to selected accounts.
NOTE: Resource Processing is not available when GCC High tenants are used. Resource Processing is only available with commercial tenants. Resource Processing is not available when credentials are not provided.
To create a new processing task:
- Go to the migration project Dashboard in case you use new migration UI. In case you are using classic experience or you are already on the account migration Dashboard, go to step 3.
- Click Accounts widget.
- Select accounts for which you want to process the resources on Accounts tab.
- Click Process Resources
- Specify the affected resources:
- Process SharePoint
Provide the root URL of the SharePoint site. See Processing SharePoint for details on site configuration and required permissions.
- Process resource roles
Process Role-Based Access Control (RBAC) roles for current Azure subscription.
- Process application assignment
See the Processing Application Assignments for details.
- Process azure group membership
Select this option so target users are granted access to source systems when an Active Directory group they are a part of is granted access. The process identifies the Active Directory groups the selected users (on the source) are part of and adds the target users to those groups.
- Click Next to proceed.
- Schedule when the task will be started. See Task Scheduling for details. Click Next to view the task summary.
- Check selected options and name the task. Click Finish to save or start the task depending on schedule option selected.
The task is created. You can track its progress in the Tasks, view the summary on the Dashboard or monitor alerts and notifications in the Events.
Processing SharePoint Online
Processing SharePoint allows target users access sites, libraries, lists, and other content on the source tenant by creating a linked guest user in the source for each migrated / matched target account. Then the guest user is granted the same direct permissions as the corresponding source account to access source SharePoint resources. It can take time for these guest accounts to replicate to SharePoint, which can result in an User not found error message for a guest account that has not yet been replicated during granting permissions. In this case, retry the SharePoint processing later.
In order to process SharePoint resources, you must perform the following:
- Turn on external sharing in SharePoint admin center. For details, see Turn external sharing on or off for SharePoint.
- Grant consent for On Demand Migration to process SharePoint resources.
See Required Consents and Permissions section for the minimum permissions required to perform this task.
Processing Application Assignments
Application assignments processing ensures that the target users see the same list of cloud applications on http://myapps.microsoft.com/ as their source counterparts. See Processing Resources for more details.
NOTE: On Demand Migration assigns applications to the target users, but it’s up to each particular application how to check the access level. Some applications may have their own account databases and permission assignments, thus their access rights must be provisioned manually.
See Required Consents and Permissions section for the minimum user account permissions required to perform this task.