When attempting to migrate a mailbox, the migration fails with the error: "Error creating source session. The request failed. The remote server returned an error: (403) Forbidden". The source account is a Global Administrator (GA) and MFA is not enabled for it; however, mailbox access is granted through the service principal. The service account is PIM-enabled. The source tenant is hybrid, and accounts are synced from the on-premises AD.
Note: the issue can also occur in a cloud-only tenant where the service account was created through Microsoft PIM.
Because the source EXO mailboxes are restricted by an Application Access Policy, verify which group the policy is scoped to (the PolicyScopeGroupId) and what its AccessRight is, then add the affected users as members of that group on-premises. A RestrictAccess policy only allows the app to reach mailboxes that are members of the scope group; a DenyAccess policy does the opposite and blocks members. After Azure AD Connect syncs the users' group membership to the cloud, mailbox migration should work for them.
It may be necessary to remove the Application Access Policy using PowerShell, as there is no convenient way to view these policies in the Azure portal GUI.
To retrieve the list of Application Access Policies and test whether a given application can access a specific mailbox, run the following commands:
Connect-ExchangeOnline -UserPrincipalName <admin_account using onmicrosoft UPN> -ShowProgress $true
Get-ApplicationAccessPolicy | Select-Object Identity, AppId, AccessRight, ScopeIdentity, PolicyScopeGroupId
Note: <AppId> is the AppId value shown in the output of the second cmdlet (Get-ApplicationAccessPolicy).
Test-ApplicationAccessPolicy -Identity "<email of user's account>" -AppId <AppId>
The AccessCheckResult in the output of Test-ApplicationAccessPolicy (Granted or Denied) indicates whether the AppId has access to the mailbox. The Quest ODM AppIds are listed in Microsoft Azure AD -> Enterprise Applications; search for "quest" in the search bar of the right pane.
Note: the error could also read "Error creating target session". Whether the message says source or target pinpoints which tenant is experiencing the issue.
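The following script is an added example, not part of the original article or of Quest's tooling. It strings the checks above together for one mailbox: it lists every Application Access Policy, resolves each policy's scope group, reports whether the mailbox is a member, tells you whether the fix has to be made on-premises (group is directory-synced) or in the cloud, and finally runs Test-ApplicationAccessPolicy for each AppId. The admin UPN, mailbox address and AppId values are placeholders you must replace; membership is resolved with Get-DistributionGroupMember (or Get-UnifiedGroupLinks for Microsoft 365 Groups), which is an assumption about the scope group type rather than something the article states.

```powershell
# Added example (not from the original article or Quest): audit Exchange Online
# Application Access Policies for one mailbox before retrying an ODM migration.
# Placeholders below are assumptions; replace them with real values.
param(
    [string]   $AdminUpn = "admin@contoso.onmicrosoft.com",           # placeholder: connect with the .onmicrosoft UPN
    [string]   $Mailbox  = "user1@contoso.com",                       # placeholder: mailbox that fails with 403
    [string[]] $AppIds   = @("00000000-0000-0000-0000-000000000000")  # placeholder: Quest ODM AppId(s) from Enterprise Applications
)

Import-Module ExchangeOnlineManagement -ErrorAction Stop
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowProgress $true

$policies = @(Get-ApplicationAccessPolicy)
if ($policies.Count -eq 0) {
    Write-Host "No Application Access Policies exist; the 403 is not caused by one."
}

foreach ($policy in $policies) {
    Write-Host ("Policy {0}: AppId={1} AccessRight={2} Scope={3}" -f $policy.Identity, $policy.AppId, $policy.AccessRight, $policy.ScopeIdentity)

    # Only policies bound to one of the AppIds under test can cause the failure.
    if ($AppIds -notcontains $policy.AppId) { continue }

    # Resolve the scope group and check whether the mailbox is a member of it.
    $group = Get-Recipient -Identity $policy.ScopeIdentity -ErrorAction SilentlyContinue
    if (-not $group) { Write-Warning "Scope group $($policy.ScopeIdentity) not found"; continue }

    if ($group.RecipientTypeDetails -eq 'GroupMailbox') {
        # Microsoft 365 Group: members are exposed as links, not distribution group members.
        $members = Get-UnifiedGroupLinks -Identity $group.Identity -LinkType Members -ResultSize Unlimited
    } else {
        $members = Get-DistributionGroupMember -Identity $group.Identity -ResultSize Unlimited
    }
    $isMember = [bool]($members | Where-Object { "$($_.PrimarySmtpAddress)" -eq $Mailbox })
    $state = if ($isMember) { 'a member' } else { 'NOT a member' }
    Write-Host ("  {0} is {1} of scope group {2}" -f $Mailbox, $state, $group.DisplayName)

    # RestrictAccess allows only members; DenyAccess blocks members.
    if ($policy.AccessRight -eq 'RestrictAccess' -and -not $isMember) {
        $dg = Get-DistributionGroup -Identity $group.Identity -ErrorAction SilentlyContinue
        if ($dg -and $dg.IsDirSynced) {
            # Directory-synced group: cloud edits are rejected, fix membership in on-premises AD.
            Write-Host "  Fix: add the user to this group in on-premises AD and wait for Azure AD Connect to sync."
        } else {
            Write-Host "  Fix: Add-DistributionGroupMember -Identity '$($group.Identity)' -Member '$Mailbox'"
        }
    } elseif ($policy.AccessRight -eq 'DenyAccess' -and $isMember) {
        Write-Host "  Fix: remove the user from this group; a DenyAccess policy blocks its members."
    }
}

# Authoritative check: ask Exchange Online directly for each AppId.
foreach ($appId in $AppIds) {
    $result = Test-ApplicationAccessPolicy -Identity $Mailbox -AppId $appId
    Write-Host ("Test-ApplicationAccessPolicy {0} -> {1}" -f $appId, $result.AccessCheckResult)
}

# Last resort, left commented out: remove the policy altogether. The Azure portal cannot show it.
# Remove-ApplicationAccessPolicy -Identity "<policy Identity from Get-ApplicationAccessPolicy>"

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once against a mailbox that fails and once against one that migrates; a policy that shows RestrictAccess with the failing user outside the scope group, and Test-ApplicationAccessPolicy returning Denied for the Quest AppId, confirms the cause described above. If the group is directory-synced, the membership change must be made on-premises or it will be overwritten by the next sync.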