Migrating mailbox is failing with error: "Error creating source session. The request failed. The remote server returned an error: (403) Forbidden" (4263261)

When trying to migrate a mailbox, it is failing with error: "Error creating source session. The request failed. The remote server returned an error: (403) Forbidden". Source account is GA, and MFA is not enabled for it. However access is given by the Service Principal. Service Account is PIM-enabled. Source is hybrid and accounts are synced from the onprem AD.

Note: the issue can also happen with the cloud-only tenant, where service account was created through Microsoft PIM.

Cause 1: Application Access Policy Limiting application permissions to specific Exchange Online mailboxes - Microsoft Graph | Microsoft Docs

Cause 2: Minimal and Full consents both granted

Cause 3: RBAC consent granted and not configured for use

Cause 4: Conditional Policy or Application Policy (Group Mailbox for Teams or M365 Group)

Resolution 1

Since source EXO mailboxes are controlled by the Application Access policy, verify what group this policy is applied to, then add affected users as members of the said group onprem. After ADconnect syncs user's membership to the cloud, mailbox migration should work for them.

It may be required to remove Application Access Policy using PowerShell as there's no convenient way to see them using Microsoft Azure GUI

To retrieve a list of Application Access Policies and test ability to access a specific mailbox, please do the following command in bold:

Connect-ExchangeOnline -UserPrincipalName <admin_account using onmicrosoft UPN> -ShowProgress $true

Get-ApplicationAccessPolicy | Select-Object Identity, AppId, AccessRight, ScopeIdentity, PolicyScopeGroupId

Note: <AppId> is the id that come from output of 2nd cmdlet.

Test-ApplicationAccessPolicy -Identity "<email of user's account>" -AppId <AppId>

Result of Test-ApplicationAccessPolicy will indicate whether AppID has access to the mailbox. Quest ODM AppId are listed in Microsoft AzureAD -> Enterprise Application, search for "quest" in the search bar on the right pane.

Note: The error could also be "error creating target session". This should pinpoint what tenant exactly is experiencing an issue.

Resolution 2

1. Making sure there are only 1 type of consent being granted for mailbox migration. For more information please refer to this KB if "Mailbox Migration - Custom RBAC" is being utilize.
   1. Source tenant (if not using "Mailbox Migration - Custom RBAC")
   2. Navigate to Microsoft Entra Enterprise Application
   3. Search for the application name 'Mailbox Migration - Full' and 'Mailbox Migration - RBAC', and delete it. Ensure Mailbox Migration - Minimal remains, if missing it should be consented from ODM.
   4. Target tenant (if not "Mailbox Migration - Custom RBAC")
   5. Navigate to Microsoft Entra Enterprise Application
   6. Search for the application name 'Mailbox Migration - Minimal' and 'Mailbox Migration - RBAC', and delete it.  Ensure Mailbox Migration - Full remains, if missing it should be consented from ODM.

3. Making sure that  all the other prerequisites are met by referring to this document
4. Start the Email migration again and the issue shall not be persist. 

** Please find the below Microsoft document reference of how to delete enterprise applications.
https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/delete-application-portal?pivots=portal

Resolution 3

If it is not intended to use RBAC, follow the steps below to revoke RBAC consent.  Otherwise if RBAC is intended, review this article to ensure it is configured correctly.

• Logon to the  Azure AD/Entra admin portal - https://entra.microsoft.com/
• Click Applications from the left navigation bar
• Click Enterprise Applications,
• Search for "Quest On Demand Mailbox Migration - Custom RBAC" and click to open details for this application
• Click Properties on the left 
• In the center window click Delete. 
• If this was granted for each tenant follow the above on the other tenants
• Once removed create and run a new Mail Migration task

Resolution 4

Add the temporary migration account (or account which granted consent) to the application/conditional access policy to avoid the error.