Sites.Selected permissions allow the user to limit the access of the On Demand for SharePoint and Teams migration tools to specified sites.
If Sites.Selected is used for the source tenant, only the sites granted Sites.Selected permissions can be discovered and read as the source site for a migration.
If Sites.Selected is used for the target tenant, the target sites must be pre-provisioned before the migration and granted permission. Only target sites granted Sites.Selected permission can be used as a target site for a migration.
Feature Flag migration.sharepoint.siteselected.allow must be enabled for the customer Organization. A Support Case should be raised with Quest Support to request migration.sharepoint.siteselected.allow be enabled for their ODM Organization.
Using Sites.Selected permission will restrict access to tenant level information. The following are the limitations when using Sites.Selected permission:
For Source or Target using Sites.Selected permission:
Hub settings are not migrated
Term Store migration, including site term stores, is not supported
Migrations in Multi Geo tenants are limited to migration into and out of the central region
Tenant level site settings are not migrated or discovered in Collect Statistics task
Site Type (M365 group site, Teams site) can’t be retrieved
In addition, for Source using Sites.Selected permissions:
Sites with Sites.Selected permissions can only be discovered if included in a Discover from File task
For Target using Sites.Selected permissions:
Target site must be pre-provisioned and given Sites.Selected permission before migration
ODMSP will not be able to automatically manage the Custom Script site setting, which must be set to “Allowed” to support Site Page migrations
For Teams migrations:
ODMT will not be able to archive chats due to lack of permissions on OneDrive.
Set up the Teams and SharePoint consent application for the tenant that will be modified to use Sites.Selected
From the Tenants page:
Add the tenant, granting consent to the Core Basic application.
Edit tenant consents and grant consent to Migration Basic application, needed for user account management and mapping.
Grant consent to one of the SharePoint applications. This application will be updated to use Sites.Selected permissions using the provided PowerShell script.
Grant consent to the Teams Full application. This application will be updated to use Sites.Selected permissions using the provided PowerShell script.
Application display names and IDs required for the following procedures:
Application display name | Application ID
Quest On Demand - Migration - SharePoint - Minimal | 5e65ffd9-9538-437b-957c-1111098b3d3c
Quest On Demand - Migration - SharePoint - Full | 574da12a-fdd0-4b44-9c4f-b1a126167672
Quest On Demand - Migration - Teams - Full | 63ac4074-febd-4dff-9339-1f9ea35990f5
Update permissions from an OnDemand SharePoint and Teams Migration Azure AD Application to use Sites.Selected permissions using the provided PowerShell scripts.
To view and update the application permissions:
Select Enterprise applications from the left side menu.
Search for the name of the SharePoint or Teams application that was granted consent for the tenant (e.g. “Quest On Demand - Migration - SharePoint – Full”) and select it.
Select Security/Permissions from the left side menu to view the current permissions.
Run the provided PowerShell script with the noted application ID to remove the default permissions and replace them with Sites.Selected.
Install the Microsoft.Graph module
PS C:\> Install-Module Microsoft.Graph -Scope CurrentUser -Repository PSGallery -Force
Connect to MS Graph with tenant admin credentials
PS C:\> Connect-MgGraph -Scopes "User.Read.All", "Group.ReadWrite.All"
Use the provided scripts to update the SharePoint and Teams applications using the appropriate application ID. (Make sure the PowerShell script files are unblocked.)
PS C:\> .\UpdateAppConsent_ODMSP.ps1 -ApplicationId <application_Id>
PS C:\> .\UpdateAppConsent_ODMTeams.ps1 -ApplicationId <application_Id>
Refresh the permissions to confirm permissions have been updated. For SharePoint, the following 3 permissions should now be granted to the application.
Use Graph Explorer to assign the application to specific site:
The following steps in Graph Explorer need to be performed for each site. For Teams migrations, the POST that grants permissions must be performed for both the SharePoint and Teams applications. If the Team has Private or Shared channels, the process must also be performed for the Private and Shared channel sites, for both the SharePoint and Teams applications.
Open Graph Explorer
https://developer.microsoft.com/en-us/graph/graph-explorer?adlt=strict
Log in to Graph Explorer using tenant credentials.
Run GET https://graph.microsoft.com/v1.0/me in Graph Explorer to confirm the current user.
Run GET https://graph.microsoft.com/v1.0/sites/<hostname>:/<relativeUrl> to get the site “id”. Note the format includes host name and relative site Url separated with a colon “:”.
e.g.
GET https://graph.microsoft.com/v1.0/sites/m365x13156933.sharepoint.com:/sites/TargetSitesSelected
Sample response:
{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#sites/$entity",
    "@microsoft.graph.tips": "Use $select to choose only the properties your app needs, as this can lead to performance improvements. For example: GET sites('<key>')/microsoft.graph.getByPath(path=<key>)?$select=displayName,error",
    "createdDateTime": "2025-02-17T17:49:32.977Z",
    "description": "",
    "id": "m365x13156933.sharepoint.com,59ce1e8e-cb4f-44e6-9f38-99ed413d7c1d,2b139a34-a9ae-491d-a767-06948ddfa38c",
    "lastModifiedDateTime": "2025-02-17T17:53:55Z",
    "name": "TargetSitesSelected",
    "webUrl": "https://m365x13156933.sharepoint.com/sites/TargetSitesSelected",
    "displayName": "Target Sites Selected",
    "root": {},
    "siteCollection": {
        "hostname": "m365x13156933.sharepoint.com"
    }
}
Copy the site “id” value returned in the above response and run POST https://graph.microsoft.com/v1.0/sites/<siteId>/permissions with the following request body, which includes the SharePoint or Teams application ID and display name. Make sure to include “/permissions” at the end of the request URL.
e.g. For SharePoint – Full permission
POST https://graph.microsoft.com/v1.0/sites/m365x13156933.sharepoint.com,59ce1e8e-cb4f-44e6-9f38-99ed413d7c1d,2b139a34-a9ae-491d-a767-06948ddfa38c/permissions
with request body
{
    "roles": ["fullcontrol"],
    "grantedToIdentities": [{
        "application": {
            "id": "574da12a-fdd0-4b44-9c4f-b1a126167672",
            "displayName": " Quest On Demand - Migration - SharePoint – Full"
        }
    }]
}
Sample Response for SharePoint permission:
{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#sites('m365x13156933.sharepoint.com%2C59ce1e8e-cb4f-44e6-9f38-99ed413d7c1d%2C2b139a34-a9ae-491d-a767-06948ddfa38c')/permissions/$entity",
    "id": "aTowaS50fG1zLnNwLmV4dHw1NzRkYTEyYS1mZGQwLTRiNDQtOWM0Zi1iMWExMjYxNjc2NzJAYjcyMzY5NjktYmQ1Yy00YjVhLTg1YjQtN2MwYmIxYTdjYzll",
    "roles": [
        "fullcontrol"
    ],
    "grantedToIdentitiesV2": [
        {
            "application": {
                "displayName": " Quest On Demand - Migration - SharePoint – Full",
                "id": "574da12a-fdd0-4b44-9c4f-b1a126167672"
            }
        }
    ],
    "grantedToIdentities": [
        {
            "application": {
                "displayName": " Quest On Demand - Migration - SharePoint – Full",
                "id": "574da12a-fdd0-4b44-9c4f-b1a126167672"
            }
        }
    ]
}
For Teams migrations, repeat step 5 for the Teams application.
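The GET and POST steps above, scripted for several sites at once with Invoke-MgGraphRequest. This is an added example, not one of the Quest-provided scripts; the parameter names are chosen for illustration, and it assumes the signed-in admin can consent to the delegated Sites.FullControl.All scope that Microsoft Graph requires for managing site permissions.

```powershell
# Added example, not one of the Quest-provided scripts.
# Assumes the Microsoft.Graph module from the install step above is present.
param(
    [Parameter(Mandatory)] [string]   $Hostname,       # placeholder, e.g. contoso.sharepoint.com
    [Parameter(Mandatory)] [string[]] $SitePaths,      # placeholder, e.g. /sites/TargetSitesSelected
    [Parameter(Mandatory)] [guid]     $ApplicationId,  # application ID from the table on this page
    [Parameter(Mandatory)] [string]   $DisplayName,    # matching application display name
    [string] $Role = 'fullcontrol'                     # role used in the page's request body
)
$ErrorActionPreference = 'Stop'
Connect-MgGraph -Scopes 'Sites.FullControl.All' | Out-Null

$base = 'https://graph.microsoft.com/v1.0/sites'
foreach ($path in $SitePaths) {
    # ${Hostname} needs braces: "$Hostname:" would be parsed as a scoped variable name.
    $site    = Invoke-MgGraphRequest -Method GET -Uri "$base/${Hostname}:$path" -OutputType PSObject
    $permUri = "$base/$($site.id)/permissions"

    # Look for an existing grant to this application so a rerun does not issue a second one.
    $existing = (Invoke-MgGraphRequest -Method GET -Uri $permUri -OutputType PSObject).value |
        Where-Object { $_.grantedToIdentities.application.id -contains "$ApplicationId" }

    if ($existing) {
        $permId = @($existing)[0].id
        $action = 'AlreadyGranted'
    } else {
        # Same request body as the Graph Explorer example, serialized explicitly.
        $body = @{
            roles               = @($Role)
            grantedToIdentities = @(@{ application = @{ id = "$ApplicationId"; displayName = $DisplayName } })
        } | ConvertTo-Json -Depth 5
        $created = Invoke-MgGraphRequest -Method POST -Uri $permUri -Body $body `
            -ContentType 'application/json' -OutputType PSObject
        $permId = $created.id
        $action = 'Created'
    }
    # One record per site: which site, which permission entry, and whether it was new.
    [pscustomobject]@{ Site = $site.webUrl; SiteId = $site.id; PermissionId = $permId; Action = $action }
}
```

Keep the output as the record of which sites each application was granted, and run it once per application ID for Teams migrations.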
Running SharePoint migrations using Sites.Selected Permissions with ODMSP
Sites.Selected on Source
Update the SharePoint application for the source using the provided PowerShell script
Grant the sites you want to migrate Sites.Selected permissions from Graph Explorer
Discover the sites using the Discover from File Task
Migrate sites as usual.
Sites.Selected on Target
Update the SharePoint application for the target using the provided PowerShell script
Pre-provision target sites
Grant the sites you want to migrate Sites.Selected permissions from Graph Explorer
Migrate sites as usual.
Note that if the Custom Script setting is reset to blocked during a migration, the Site Pages library may not be migrated.
Running Teams migrations using Sites.Selected Permissions with ODM Teams
Sites.Selected on Target
Update the SharePoint and Teams applications for the target using the provided PowerShell script.
Discover Teams or M365 Groups.
Provision Teams or M365 Groups.
Grant the Teams or M365 Group sites you want to migrate Sites.Selected permissions for the SharePoint and Teams applications from Graph Explorer. For Teams, grant the Private and Shared channel sites Sites.Selected permissions as needed.
Migrate Teams or M365 Groups as usual.
Note: If you are migrating Teams and SharePoint contents using the Standard and Customized (All SharePoint Content), manually update the target site “Custom scripts” settings to “Allowed”.