-
タイトル
ODMAD - Required accounts and permissions explained -
説明
The On Demand Migration (ODM) Active Directory family of products, Domain Rewrite, Domain Move, Directory Sync, and Active Directory, require additional accounts and permissions. -
対策
When creating a new Active Directory project, you will need to "Connect" to both the source and target tenant. This process is completely independent of the "consent granting" process that may have been completed for the ODM tenant to tenant data migration. The account used for this connect/consent granting process will need to have Global Administrator rights and can have MFA enabled. However, much like the ODM data migration "consent granting" admin account, Global Administrator rights can be removed from this account after consent is granted. You could use the same account to connect/grant consent to Domain Rewrite that was used for the ODM data migration, if desired. The only time Global Administrator rights would be needed again if if you needed to "re-connect" the tenants due to token expiry at some point in the future.
During the Domain Rewrite setup process, three new accounts will be created in both the source and target tenants:
1 - BinaryTreePowerShellUser.xxxxxxxx - This user is automatically given Exchange Admin rights and an M365 license during the setup process. This account is used for the initial Discovery of the source and target environments. This user account cannot have MFA enabled and needs to be excluded from any Conditional Access Policies that require MFA.
2 - BinaryTreeCDSPowerShell.xxxxxxx - These two accounts are given Teams Admin, Exchange Admin and User Admin rights during the setup process. These are the workhorse accounts that will actually modify mail-enabled object attributes in the cloud to support Domain Rewrite. These two accounts cannot have MFA enabled and will need to be excluded from any Conditional Access Policies that require MFA.