Quest On Demand uses the Role-based Access Control (RBAC) security policy that restricts information system access to authorized users. Subscribers can create specific roles based on job functions, with the permissions to perform needed operations on the assets of the organization. When users are assigned to On Demand roles, they inherit the authorizations or permissions defined for those roles. RBAC simplifies permission administration for subscribers because permissions are not assigned directly to every user (which can be a significant number of individuals for mid- to large-size organizations) but are instead acquired through role assignments.
The following are some key Quest On Demand and tenant roles that you will need to work with On Demand Migration.
On Demand Administrator
This role is assigned to users who have full access to the Quest On Demand application. They can manage organizations and tenants, initiate the migration of tenant assets, manage licenses, audit records and perform many other functions through the Quest On Demand application. Some of the key permissions associated with this role are as follows:
| Permission | Description | Applies to |
|---|---|---|
| Can Export Data | Permission to export data as well as download the premigration report, comparison report and error report. | On Demand Migration |
| Create, Rename and Delete projects | Required permission to create, rename and delete migration projects from the Projects Dashboard. | On Demand Migration |
| View projects and manage selected services | This permission must be selected to activate the individual permissions to view and manage services. Services selected for this permission are inherited by all child permissions. | On Demand Migration |
| View projects | Required permission to view objects, tasks and events for the selected services. Only the tiles for the selected services are shown in the project dashboards. Always inherited from the parent permission. | On Demand Migration |
| Edit project properties | Permission to edit properties associated with project services. For example, this permission enables access to Accounts Configure Connections and SharePoint Configure Project. | On Demand Migration |
| Run a full discovery | Permission to enable the action that allows users to run the task that discovers all available objects. | Accounts, Teams, SharePoint, Public Folders, Power BI |
| Run a scoped discovery with CSV file | Permission to enable the actions that allow users to run the task that discovers objects based on a list contained in a prepared CSV file. | Accounts, Teams, SharePoint |
| Run a scoped discovery from security group | Permission to enable the actions that allow users to run the task that discovers objects based on a selected security group. | Accounts |
| Run content discovery tasks | Permission to enable the actions that allow users to discover content and statistics about selected objects. | Mailboxes, OneDrive, SharePoint, Power BI |
| Run match and map tasks | Permission to enable the actions that allow users to find matching objects on the target for selected objects and to map objects on source and target based on a prepared CSV file. | Accounts, Teams, SharePoint, Power BI |
| Run provision and migration tasks | Permission to enable the actions that allow users to provision and migrate selected objects to the target. | On Demand Migration |
| Manage collections | Permission to enable the actions for creating and managing collections (the Collection feature). | On Demand Migration |
| Update and delete migration objects | Permission to enable the action that allows the user to remove selected objects from the object grid of the selected service. | On Demand Migration |
| Acknowledge and clear task events | Permission to enable the action that allows the user to acknowledge and clear events from the Events grid. | On Demand Migration |
| Manage Desktop Update Agent | Permission to enable all management actions in Desktop Update Agent. | Desktop Update Agent |
| View Reporting Dashboard | Permission to view reports from the project dashboard. | On Demand Migration |
On Demand predefined roles
Quest On Demand is shipped with many predefined roles. On Demand Administrator, Migration Administrator, Audit Administrator, License Management Administrator and Recovery Administrator are some examples.
On Demand custom roles
You can create more roles with specific permissions to allow other users to work with On Demand Migration. See the On Demand Global Settings Current User Guide for more information about setting up roles.
Tenant Administrator
In this document the term Tenant Administrator refers to the Azure Active Directory user account for the source or target tenant that is assigned the Global Administrator security role and has full access to the tenant. Each tenant that you add to a project requires the credentials of the Tenant Administrator. The Tenant Administrator may require additional roles to grant the necessary consents to the various On Demand service principals that are created in the tenant to access tenant assets during the migration lifecycle. See Consents and Permissions for more details. For more information about user and service principals, see the Microsoft article Application and service principal objects in Azure Active Directory.
Tenant Administrator accounts must have a mailbox with a valid Microsoft Exchange Online license.
To use On Demand Migration, the Tenant Administrator for each tenant in a project must grant Azure consents and permissions to the On Demand Migration service principals.
Migration Manager
You can use a temporary tenant user account to operate on tenant assets. In this document the term Migration Manager refers to the source or target Azure Active Directory user account that has temporary access to the tenant through the Global Administrator security role. Depending on the tenant asset that is being migrated, this temporary user account must grant specific consents. For example, when teams are migrated, the account that is assigned the Migration Manager role is added to the team. This temporary role is required by the On Demand Migration service for migrating teams.
If you choose to work with this temporary account, you must log in to the tenant as the Migration Manager and grant the consents and permissions to the On Demand service principal.
When you are done with the migration, it is recommended that you delete the temporary account for security reasons. See Finalizing the Migration for more details.
On Demand Migration provides intuitive project management for migrating accounts and content from one tenant to another. You can create a migration project that provides a full range of migration features, and track accounts and content migration in one comprehensive migration project dashboard. You can create multiple migration projects and use the My Projects list view for a summarized list of all your migration projects.
Migration steps
References to common migration steps are provided in the table below. There are many more activities that are required to prepare and migrate Office 365 assets, and these are described in detail in the subsequent topics.
Each On Demand migration project needs a source and target tenant. These are Commercial tenants. Commercial tenants are exclusively hosted and managed by Microsoft. For users in the United States deployment region, On Demand Migration offers two options depending on the type of Microsoft 365 tenant that you want to add:
- Commercial or GCC Tenant - choose this option if you want to add either a Microsoft 365 commercial tenant hosted on the Azure public cloud or a Microsoft 365 GCC (Government Community Cloud) tenant with moderate cyber-security and compliance standards hosted on the Azure Government cloud. For more information about worldwide endpoints, see Microsoft 365 Worldwide endpoints.
- GCC High Tenant - choose this option if you want to add a Microsoft 365 GCC High tenant with advanced cyber-security and compliance standards like NIST 800-171, FedRAMP High and ITAR hosted on the Azure Government cloud. For more information, see Microsoft 365 U.S. Government GCC High endpoints.
NOTE: When you create a migration project, a GCC or GCC High tenant can be used as the target tenant only. Currently, only the On Demand Migration module supports GCC and GCC High tenants.
For more information about adding, removing and managing tenants, see Managing your Azure tenants and on-premises domains in the On Demand Global Settings Current User Guide.
Adding a tenant
- Log in to On Demand using the credentials you used to sign up for On Demand.
- If you have multiple organizations you must select an organization. If you have a single organization it will be automatically selected.
- If there are no tenants in your organization, click Add Tenant.
-or-
In the navigation panel on the left, click Tenants. The Office 365 Tenants page opens. Then click Add Tenant.
- The Add Tenant page opens.
- Enter your Azure AD Global Administrator credentials for the source tenant and click Next. A page opens with the list of permissions that you are granting.
- Click Accept to grant consent to the initial Core - Basic permission set to the On Demand service principal.
- The Office 365 Tenants page opens with the tenant added as a new tile.
- Repeat the steps to add a target tenant.
The ability for On Demand service principals to access and operate with tenant assets requires explicit permissions. The Tenant Administrator grants these permissions through consents. Multi-factor authentication (MFA) is supported for tenant administrators when granting consents.
When a tenant is added, consent for the initial Core - Basic permission set is granted to the On Demand service principal. Additional consents are required to work with different features of On Demand Migration.
Granting Consents
- Click Tenants from the navigation pane.
- Select a tenant and click Edit Consents from the tenant tile.
- Click Grant Consent or Regrant Consent for the permissions type.
- Log in as the tenant administrator. Then click Accept in the Microsoft consents dialog.
This section lists the minimum consents and roles required by the various On Demand Migration service principals for managing tenants, Microsoft 365 objects and other migration services. For more details about the permissions granted through consents for each service principal, see the On Demand Migration Permissions Reference Guide.
For initial tenant setup

| Task | Required consents and roles |
|---|---|
| Add and configure tenants, and grant consent | Core - Basic consent from both Source and Target tenant administrator accounts. Global Administrator role for both source and target tenant administrator accounts. |

When a tenant is added, consent for the initial Core - Basic permission set is granted to the On Demand service principal. Additional consents are required to work with different features of On Demand Migration.
For Account migration

| Task | Required consents and roles |
|---|---|
| All tasks, including discover and migrate accounts | Migration - Basic consent from both Source and Target tenant administrator accounts. |
| Migrate hybrid accounts | Global Administrator role for both Source and Target tenant administrator accounts. |
| Migrate Guest Users | Guest Inviter role for both Source and Target tenant administrator accounts. |
For Mailbox migration

| Task | Required consents and roles |
|---|---|
| All tasks | Migration - Basic consent from both Source and Target tenant administrator accounts. |
| Migrate mailboxes | Migration - Mailbox Migration consent from both Source and Target tenant administrator accounts. |
| Migrate Public Folders | Migration - Mailbox Migration consent from both Source and Target tenant administrator accounts. Owner permission for the root Public Folder of the target tenant must also be granted to the target tenant administrator account. |

IMPORTANT: You must explicitly provide the username of the root Public Folder owner using Configure Connections.
For OneDrive migration

| Task | Required consents and roles |
|---|---|
| All tasks | Migration - Basic consent from both Source and Target tenant administrator accounts. |
| Migrate OneDrive | Migration - OneDrive - Minimal consent from the Source tenant administrator account. Migration - OneDrive - Full consent from both Source and Target tenant administrator accounts. |
| Provision OneDrive | SharePoint Administrator role for provisioning OneDrive on the target tenant. |

IMPORTANT: You must provide explicit credentials using Configure Connections. Multi-factor authentication (MFA) is not supported for accounts whose credentials are entered explicitly.
For SharePoint migration

| Task | Required consents and roles |
|---|---|
| All tasks | Migration - Basic consent from both Source and Target tenant administrator accounts. |
| Migrate SharePoint | Migration - SharePoint - Minimal consent from the Source tenant administrator account. Migration - SharePoint - Full consent from both Source and Target tenant administrator accounts. |
For Teams migration

| Task | Required consents and roles |
|---|---|
| All tasks | Migration - Basic consent from both Source and Target tenant administrator accounts. |
| Migrate Teams and Microsoft 365 Groups with Teams functionality | Mailbox Migration; Migration - SharePoint - Minimal for the source tenant and Migration - SharePoint - Full for the target tenant; Migration - Teams - Minimal for the source tenant and Migration - Teams - Full for the target tenant; Global Administrator or Teams Administrator Entra ID role for both Source and Target tenant administrator accounts. |

Migration - SharePoint and Migration - Teams are legacy permission sets and should be replaced with the corresponding Minimal or Full permission sets.

In addition to these roles, the tenant administrator account that grants the consents to the Migration - Teams service also requires the following:
- an active Microsoft 365 license
- Microsoft Teams app enabled within the Microsoft 365 license
- the account must remain active for the duration of the migration

If the Teams license check fails, verify that the source and target tenants are valid. Then run the PowerShell commands in Quest KB article 337302 to confirm that the tenant administrator account used to grant consent has TeamspaceAPI activated.
For Power BI migration

| Task | Required consents and roles |
|---|---|
| All tasks | Migration - Basic consent from both Source and Target tenant administrator accounts. |
| View Power BI | Migration - Power BI consent. Global Administrator role for both source and target tenant administrator accounts. |
| Migrate Power BI | Additional manual setup is required for both source and target tenants through the Azure portal. The steps required to grant additional permissions are described below. |
Granting additional permissions for the source and target tenants
This is a two-part process, described below:
Part 1: Azure Portal Security Group Setup
In this part, a new security group is created in Microsoft Entra ID in each of the source and target tenants, with the service principal of the Quest On Demand - Migration - Power BI enterprise application as a member. Additional permissions can then be granted to the service principal, through the group, to access and operate on Power BI objects.
- Log in to https://portal.azure.com with your tenant credentials.
- Open the Microsoft Entra ID service page.
- Click Manage > Groups from the navigation panel. Then click New Group.
- In the New Group page, set up the group as described below:
- Group type = Security
- Group name = name of the group. For example, ODMPBI
- Group description = short description about the group. For example, ODM Power BI Migration.
- Under Members, click No members selected
- In the Add members list that opens, search and select Quest On Demand - Migration - Power BI. Then click Select at the bottom of the page.
- Click Create. The group is created with the Quest On Demand - Migration - Power BI service principal as a member.
- Follow all the above steps to create a security group in both source and target tenants.
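The Part 1 setup scripted with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original guide or Quest's own tooling. It assumes the Microsoft.Graph module is installed, reuses the group name and service principal display name from the steps above, and is run once per tenant (source and target) by a Global Administrator.

```powershell
# Added example: scripted equivalent of Part 1 (Azure Portal Security Group Setup).
# Assumptions: Microsoft.Graph PowerShell SDK installed; the signed-in account has
# Global Administrator rights in the tenant; the Migration - Power BI consent has
# already been granted so the service principal exists in the tenant.
param(
    [Parameter(Mandatory)] [string] $TenantId,                 # tenant to configure (run for source and target)
    [string] $GroupName = 'ODMPBI',                            # group name used in the procedure above
    [string] $GroupDescription = 'ODM Power BI Migration',
    [string] $ServicePrincipalName = 'Quest On Demand - Migration - Power BI'
)

Connect-MgGraph -TenantId $TenantId -Scopes 'Group.ReadWrite.All', 'Application.Read.All' -NoWelcome

# 1. Locate the enterprise application's service principal; stop if consent was never granted.
$sp = Get-MgServicePrincipal -Filter "displayName eq '$ServicePrincipalName'"
if (-not $sp) {
    throw "Service principal '$ServicePrincipalName' not found in tenant $TenantId. Grant the Migration - Power BI consent first."
}

# 2. Reuse an existing group of the same name rather than creating a duplicate.
$group = Get-MgGroup -Filter "displayName eq '$GroupName'"
if (-not $group) {
    $group = New-MgGroup -DisplayName $GroupName -Description $GroupDescription `
        -MailEnabled:$false -MailNickname $GroupName -SecurityEnabled
    Write-Host "Created security group $GroupName ($($group.Id))"
} else {
    Write-Host "Security group $GroupName already exists ($($group.Id))"
}

# 3. Add the service principal as a member only if it is not one already (idempotent re-runs).
$memberIds = (Get-MgGroupMember -GroupId $group.Id -All).Id
if ($memberIds -notcontains $sp.Id) {
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $sp.Id
    Write-Host "Added '$ServicePrincipalName' to $GroupName"
} else {
    Write-Host "'$ServicePrincipalName' is already a member of $GroupName"
}

Disconnect-MgGraph | Out-Null
```

The group still has to be associated with the Power BI tenant settings and granted rights on gateways and workspaces as described in Part 2.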
Part 2: Power BI Setup
In this part, the security group created in each tenant is configured to allow the service principals to use Power BI APIs and create and use Power BI profiles.
- Log in to the Power BI service portal at https://app.powerbi.com with your tenant credentials.
- Click the Settings icon in the top bar and then click Admin portal.
- From the navigation panel, click Tenant settings.
- Scroll down to the Developer Settings section.
- Expand the Embed content in apps option.
- Set the slider to Enabled.
- For the Apply to option, select Specific security groups, and specify the group name created in Part 1 above. For example, enter ODMPBI.
- Click Apply to save the changes.
- Under Developer Settings, expand the following options. Then enable each option and repeat the above steps to associate the security group:
- Service principals can use Fabric APIs
- Allow service principals to create and use profiles
- Scroll down to the Admin API settings section.
- Expand the following options. Then enable each option and repeat the above steps to associate the security group:
- Service principals can access read-only admin APIs
- Enhance admin APIs responses with detailed metadata
- Enhance admin APIs responses with DAX and mashup expressions
To migrate Power BI data, the security group must also be granted explicit rights in all tenant Power BI objects like Connections, Gateways and Workspaces.
For Connections and Standard Gateways
- Click the Settings icon in the top bar and then click Manage connections and gateways.
- Under Manage connections and gateways, select each On-premises gateway and give Admin rights to the group created in Part 1.
- Repeat the above steps for the source and target tenants.

NOTE: The Service Principal in the source tenant must be assigned the Admin permission.
For each Workspace that you want to migrate (Source tenant only)
- Open the Workspace and click Manage Access.
- In the Add people page that opens, add the security group created in Part 1 and assign the Admin role to the group.

NOTE: The Service Principal in the source tenant must be assigned the Owner/Admin permission.
Verifying Service Principals
When you have granted the consents, you can verify that the service principals were successfully created in the tenant. You must verify both source and target tenants.
- Log in to Microsoft Entra Admin Center.
- Go to Identity > Applications > Enterprise applications from the navigation panel. Then click All applications. Filter the list if necessary and verify the list of Quest On Demand service principals. Your list depends on the subscriptions and consents that you have granted, and may differ from the image below.
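The same verification from the command line, as an added example that is not part of the original guide: it lists the Quest On Demand service principals in a tenant together with the delegated and application permissions consented to them, so the result can be compared with the consents tables above for both the source and target tenant. It assumes the Microsoft.Graph PowerShell SDK and an account allowed to read applications and the directory.

```powershell
# Added example: enumerate Quest On Demand service principals and their consented
# permissions in one tenant. Assumptions: Microsoft.Graph PowerShell SDK installed;
# the signed-in account can be granted Application.Read.All and Directory.Read.All.
param([Parameter(Mandatory)] [string] $TenantId)   # run once for source, once for target

Connect-MgGraph -TenantId $TenantId -Scopes 'Application.Read.All', 'Directory.Read.All' -NoWelcome

# On Demand enterprise applications share the "Quest On Demand" display-name prefix
# (for example "Quest On Demand - Migration - Power BI").
$sps = Get-MgServicePrincipal -Filter "startswith(displayName,'Quest On Demand')" -All
if (-not $sps) {
    Write-Warning "No Quest On Demand service principals found in tenant $TenantId (no consent granted yet?)"
    Disconnect-MgGraph | Out-Null
    return
}

foreach ($sp in ($sps | Sort-Object DisplayName)) {
    Write-Host "`n$($sp.DisplayName)  (appId $($sp.AppId), created $($sp.CreatedDateTime))"

    # Delegated permissions: OAuth2 grants where this service principal is the client.
    # ConsentType 'AllPrincipals' means a tenant-wide admin consent was granted.
    foreach ($g in (Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All)) {
        $resource = Get-MgServicePrincipal -ServicePrincipalId $g.ResourceId
        Write-Host ("  delegated   {0,-14} {1}: {2}" -f $g.ConsentType, $resource.DisplayName, $g.Scope.Trim())
    }

    # Application permissions: app role assignments held by this service principal.
    foreach ($r in (Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All)) {
        $resource = Get-MgServicePrincipal -ServicePrincipalId $r.ResourceId
        $roleName = ($resource.AppRoles | Where-Object Id -eq $r.AppRoleId).Value
        Write-Host ("  application {0}: {1}" -f $resource.DisplayName, $roleName)
    }
}

Disconnect-MgGraph | Out-Null
```

A service principal that is missing, or one that shows only the Core - Basic scopes, points to a consent that still has to be granted or regranted through Edit Consents.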