Does ODM Supports PIM Roles for Service Accounts ? (4380468)

During migrations in Quest On Demand Migration (ODM), customers may encounter consent failures or be repeatedly prompted to re-grant consents. This issue often interrupts migration tasks

The service admin account is configured with temporary Privileged Identity Management (PIM) roles instead of a permanent Global Admin role. Since PIM roles are time-bound, they can expire mid-migration. Once expired, the service principal loses the required permissions, which results in consent failures and triggers re-grant prompts.

Use a permanent service admin account with Global Admin rights to grant consent and ensure uninterrupted migration. No PIM accounts are not supported.

Details from the Quest User Guide

Roles Overview
Quest On Demand Migration uses RBAC (Role-Based Access Control), where users' authorization depends on the roles assigned to them 

Tenant Administrator Requirements

A Tenant Administrator is the Azure AD user assigned the Global Administrator role, with full access to the tenant 

These accounts must also have a licensed mailbox.

Tenant Admins must grant Azure consents to the On Demand Migration service principal to access various tenant assets Quest Support.

Migration Service Account (Avoid Using PIM Temporary Roles)

A Migration Service (temporary) account is an Azure AD user assigned the Global Admin role temporarily for migration Quest Support.

If PIM roles are used, they can expire during the migration pipeline, leading to failure to grant or maintain consent.

Best Practice: Use Permanent Admin Roles.

For seamless migration, the service admin account should not rely on PIM or Temporary Access Pass; instead, it should be assigned permanent admin roles.

This avoids mid-migration role expiration that triggers consent regrant flows, which can stall or break the migration process.

How to Create a Suitable Service Admin Account

Quest provides guidance on creating a Global Administrator account specifically for On Demand Migration.