Chat now with support
Chat with Support

Binary Tree Power365 Current - Help Center

Help Center Home Power365 Platform Tenant-to-Tenant Directory Sync Migration for Active Directory Release Notes Known Limitations Support

Environments

All Power365 Projects require at least 2 Microsoft 365 Multi-Tenants or environments be added to your Power365 Project to establish at least one source and one target environment for migration and integration activities. Additional environments can be added for more complex migration scenarios.

 

What is an Environment?  

An "environment" or “tenant” or is this context is referring to an Microsoft 365 Worldwide subscription.

 

What should I prepare before adding an environment?  

Before creating your project, it is recommended that an Application Service Account be created in each of your Microsoft 365 environments. This account will be used for the duration of the project or services requirement.

This account will be used to grant delegated permissions to Power365 on-behalf of the signed-in user. The administrator consents to the permissions that the app requests and the app has delegated permission to act as the signed-in user when making calls to Microsoft Graph. Some higher-privileged permissions require administrator consent. Power365 requires Global Administrator consent for 4 Graph permissions anytime a tenant is added or reconnected.

Follow these recommended steps to prepare your accounts for project setup:

  1. Create a cloud only Power365 Application Service Account in each environment.
  2. The recommended name of the account would be “Power365 App Services”.
  3. Set the account password expiration date to correspond with the project end date or set to “do not expire”.
  4. Assign Global Administrator Role to the account.
  5. Assign an Microsoft 365 License to the user. The minimal subscription should include Exchange Online.
  6. Login to the account for the first time in Microsoft 365 to verify access.
  7. Make the account information available to the authorized administrator for each client environment.

Please Note: It is acceptable to use an existing administrator account if that is preferred.

 

How do I add an environment to my project?  

During the start of your project setup you will be asked to add your environments. Follow these steps to complete the process.

  1. Login to Power365 with your Microsoft account.
  2. Click the New Project button or open your existing project.
  3. Navigate through the setup wizard to the add a tenant step.
  4. Click the Add Tenant button.

    Add Tenant button

  5. When you add a tenant, you will be prompted for your Microsoft account.
  6. Enter the credentials of an administrative account for this Office365 tenant.
  7. Read and accept the permission notice related to MS Graph permissions required to manage your migration and integration projects. For more details about required Graph permissions, see the Power365 Application Permission Requirements topic.

    Permissions notice

  8. You will then be returned to the Add Tenant screen. You will repeat this process for each tenant that is part of the project.

 

What happens when I add a Tenant to my Project for the first time?  

When setting up your project for the first time, a Binary Tree PowerShell account will be created in each tenant added to the project and the Power365 App will be installed. This account is used for PowerShell related tasks and to provide full access to the source and target mailboxes for migration purposes.

To complete this process, each tenant must have at least 1 available Microsoft 365 license, so it may be assigned to the account.

  1. Power365 will use your Application Service Account you created to connect to Microsoft 365. Credentials are never stored or transmitted between Power365 and Microsoft 365.

  2. Power365 will add the Power365 App to your Tenant. See figure 2 below.

  3. Power365 will create a cloud only account in your Microsoft 365 tenant for PowerShell.

  4. Power365 will license your new account with the available subscription that has the Exchange Online plan. A lower cost license will be used if available. For example, if you have both E3 and E1; E1 will be used if a license is available.

  5. Power365 by default will grant the Exchange and SharePoint Administrator Roles to this account.

    Office 365 apps

    Figure 2: Example Power365 App

 

What permissions am I granting to Power365?  

Here is the list of minimal Graph permissions required to operate a Power365 project.

  1. Sign in and read user profile (User.Read)

  2. Read and write all users’ full profile (User.ReadWrite.All)

  3. Read and write all groups (Group.ReadWrite.All)

  4. Read and write directory data (Directory.ReadWrite.All)

  5. Access directory as the singed in user (Directory.AccessAsUser.All)

  6. Have full access to all files user can access (Files.ReadWrite.All)

  7. Send mail as user (Mail.Send)

For more details about the required Graph permissions, check out the Application Permission Requirements topic.

 

How are these permissions being used?  

The following lists the basic need for each Graph permission. For more details about required Graph permissions, see the Power365 Application Permission Requirements topic.

  1. Sign in and read user profile (User.Read) - Used to connect a tenant.

  2. Read and write all users’ full profile (User.ReadWrite.All) - Used for OneDrive Sync.

  3. Read and write all groups (Group.ReadWrite.All) – Used for OneDrive Sync.

  4. Read and write directory data (Directory.ReadWrite.All) - Used to discover Azure directory and automate licensing.

  5. Access directory as the singed in user (Directory.AccessAsUser.All) - Used to provision the Binary Tree PowerShell account and assign the required roles.

  6. Have full access to all files user can access (Files.ReadWrite.All) – Used to read and write OneDrive files during Sync.

  7. Send mail as user (Mail.Send) - Used to send the User Cutover email notification.

 

Does Power365 save my account password?  

Power365 will not ask you to save or transmit your administrator credentials in any cloud environment endpoint configuration.

 

What account roles are required to manage my project(s)?  

For daily migration and integration operations and services, the minimum Microsoft 365 administrator roles required are:

  1. Exchange Administrator (Mailboxes, Archives, PFs)
  2. SharePoint Administrator (OneDrive)

For complete details about the required account roles, check out the Requirements.

 

What account roles are required to add or reconnect a tenant to my project(s)?  

Anytime a tenant is connected for the first time or reconnect later, the minimum Microsoft 365 administrator role required is:

  1. Global Administrator

For complete details about the required account roles, check out the Requirements.

 

When should I reconnect my tenant?  

There are a few reasons why you could be required to reconnect your Microsoft 365 tenant to your Power365 project. The following lists the most common reasons this action is required.

  1. Office 365 OAuth Token has Expired – After 90 days a standard OAuth token will expire. So, if your project is running longer than 3 months, please be sure to update your token by reconnecting your tenant to your project.
  2. Before a Domain Cutover Event – Before a domain cutover event, raise your application account’s role to Global Administrator to facilitate the domain move orchestration and automation.
  3. Application Account has Changed – If the Application Account is deleted, recreated or changed it will be required that you reconnect your tenant to the project to continue services.

 

Additional Information  

Application Permission Requirements

Domain Cutover

Discovery

 

What is discovery?  

The discovery service is used to collect user and group identity and properties for the purposes of migration preparation.

 

What is discovered?  

When discovery is complete, it will have collected all user, group, and contact information within the configured Azure directory environments. It will use this data based on project configuration to find matching objects between environments for the purposes of data migration and synchronization.

 

When does discovery occur?  

The Power365 Directory Discovery Service runs by default every twenty-four (24) hours. This frequency may be changed as needed.

 

Should I change the default discovery frequency?  

After the initial discovery has successfully completed, subsequent discovery jobs will be deltas, which are quicker. Monitor the time it takes to run a delta sync. If the total discovery time exceeds 24 hrs., adjust the frequency to fit the environment size. The more directory objects, the more time a discovery will take. Be sure the initial discovery completed successfully. Otherwise, each new discovery job will run a full discovery again.

 

When can I run discovery?  

The Power365 Directory Discovery Service may be run at any time by an authorized project administrator.

 

Can I run a full discovery?  

Yes, a full discovery may be run after the initial discovery has completed when required. However, it is recommended that delta discovery be allowed to run to ensure new and modified object changes are processed quickly.

 

How do I run a full discovery?  

To manually run Discovery and adjust the Discovery Delta Timestamp,

  1. Click the drop-down menu located in the top left corner.

  2. Click the Discovery link from menu.

  3. Hover over the desired tenant environment.
  4. Click RUN DISCOVERY to begin the process.

    RUN DISCOVERY option

  5. In the pop-up window displayed, adjust the Delta Timestamp via the date time control text box.

    Run Discovery Delta Timestamp option

 

When should I run a full discovery?  

Full discovery should only be run when previously skipped objects are now required for the project. To discover the previously skipped objects, set the delta timestamp to a time before the initial discovery when the objects were created or last modified.

 

Who is authorized to run discovery?  

The Client Administrator, Power User and Operator may manually run a new discovery.

 

Who is authorized to modify the Delta Timestamp?  

Only the Client administrator role may adjust the Delta Timestamp.

 

What is the Delta Timestamp?  

After the first full tenant discovery is completed, only new or modified objects are discovered during subsequent delta discovery jobs. The Delta Timestamp field allows authorized administrators to set the timestamp so that previously skipped objects will now be added to the scope of the project. Essentially, objects created, or modified before the timestamp will be skipped.

 

Can I suspend discovery?  

Yes, the Power365 Directory Discovery Service can be disabled at any time by an authorized project administrator. Click DISABLE for the desired tenant while in the discovery management page.

 

How do I suspend discovery?  

To manually disable all future discoveries, follow these steps.

  1. Click the drop-down menu located in the top left corner.

  2. Click the Discovery link from menu.

  3. Hover over the desired tenant environment.
  4. Click DISABLE to stop all future the processes.

    DISABLE OPTION

 

When should I disable discovery?  

In most cases, discovery services should not be disabled during an active project. Inactive projects can either be archived if they are no longer required, which will end all related services, or the discovery service can be disabled until the project becomes active.

It is recommended that discovery services be disabled before a Domain Cutover event is started. For more information about Domain Cutovers, review this help article.

 

Is there a discovery log?  

Yes, Power365 provides authorized administrators access to the discovery and tenant logs. To download the logs, simply navigate to the DISCOVERY section from your project dashboard then click the LOGS link for the desired environment.

 

After discovery has ran, is there a report?  

Yes, after the initial discovery is complete there is a discovery report designed to help with migration planning.

 

What is in the discovery report?  

The purpose of the discovery report is to provide an overall view of your environment’s data size and scope to help with migration planning.

Pages 1 – 3 focus on data derived from the designated source tenant environment(s). Providing an easy view of data in scope and user averages across different workloads. Data includes mailboxes, archives, OneDrive/OneNote files and other shared resources like, Office 365 Groups. You may also filter collections of data based on the desired project, on the tenants needed or by project type.

Page 4 goes beyond the scope of only the source environments. During discovery, Power365 collects all tenant environment information required to prepare for migration activities. This page lists all configured projects, all accepted domains, discovery history and tenant details to help keep track of all the different projects and environments configured. Select an item in any table to filter the other tables. For example, when selecting a single project, only the domains related to that project will be displayed.

Pages 5 – 8 provide exportable lists of directory objects by type and their corresponding known properties. Additional filter options are available based on object types. You can easily export all your environment data for migration planning and tracking activities.

Please note, all filters selected on a page will remain when navigating between pages.

 

How do I access the discovery report?  

Authorized project users and administrators may go to the following URL to access reports for all their projects.

https://power365.quest.com/Reports

You may also click the Reports action in the dashboard menu. The default report is the discovery report. Additional reports can be selected from the dropdown menu in reports.

Dashboard Action menu

 

Can I export data from the report?  

Yes, any visual that has an export option can be exported. Click the top right menu of the desired visual within the report for options.

For additional help with exporting data from visualizations, please read this MS article.

 

Additional Information  

Domain Cutover

How to export data from visualizations

Create your Project

Add your Tenants

Pair your Environments, Domains, and Attributes

Directory Integration

What is Directory Integration?  

Directory Integration refers to the Power365 Directory Sync components that are automatically deployed and configured when you set up a Premium Integration project.

 

Where do I manage Directory Integration?  

Directory Integration will display under Settings when a Premium Integration project is created and is part of Power365 coexistence services. To manage the Directory Sync components of your Integration project, click Directory Integration from the left navigation menu, see figure 1.

Figure 1: Settings Menu for Premium Integration Pro Project

Figure 1: Settings Menu for Premium Integration Pro Project

 

What can be managed from Directory Integration?  

After project configuration, Client Administrator’s may use the Directory Integration tab to check on the status of their workflows and local agents, download history logs and manage the Organizational Units (OU) for creating new objects during Prepare and Cutover activities.

 

How do I create additional workflows?  

If you wish to create new workflows to manage additional directory object synchronizations and services, then follow these steps.

  1. Login to Power365
  2. From the top banner, select the right application menu
  3. Click Power365 Directory Sync

     

    Figure 3: Application Menu

Figure 3: Application Menu

For detailed steps on how to create a workflow, click here. And for even more about Directory Sync, check out our Quick-Start Guides.

 

How do I create a new agent?  

From Directory Integration management, see figure 2, click the New button to begin creating a new agent for your existing environments.

For more information on how to create and manage agents, click here.

 

Are agents automatically upgraded when a new version is available?  

Yes, if the Auto Upgrade feature is checked (see figure 2), then agents will automatically be upgraded when new versions are available.

 

What workflows are created automatically?  

A workflow is automatically created for the Prepare, Provision, and Cutover activities for each environment.

 

What other components are automatically configured in Directory Sync?  

During the Tenant-to-Tenant Project setup, the local and cloud Environments will be automatically deployed and configured. The related workflows, templates, and advanced mappings are also auto generated.

 

Can I edit the workflows or template mappings?  

Yes, Client Administrators have access to edit some areas of the workflows that are automatically created during project set up. To edit, locate the workflow in question and click Settings. If a section is not editable that area is disabled and cannot be modified.

 

Where do I setup GAL Sync?  

All directory integration functionality will be configured and managed from Power365 Directory Sync.

 

Where do I migrate or sync Distribution & Security Groups?  

Although Distribution and Security Groups are still discovered and displayed in Tenant-to-Tenant, it no longer migrates groups or members. They are discovered and displayed for matching, domain migration & reporting purposes. In the past, DS Lite provided limited solutions for Bi-Directional GAL Sync therefore all directory integration functionality will now be managed from Power365 Directory Sync.

 

How do I sync a user’s personal contact properties?  

All directory integration functionality is managed from Power365 Directory Sync.

 

How do I sync SID History?  

All directory integration functionality is managed from Power365 Directory Sync.

 

How do I sync OUs?  

All directory integration functionality is managed from Power365 Directory Sync.

 

How do I sync passwords?  

All directory integration requirements is managed from Power365 Directory Sync.

 

How do I migrate servers and workstations?  

Power365 Migration for Active Directory should be utilized to prepare and migrate Active Directory domain joined workstations and servers to a new domain.

 

How do I re-prepare a user that was deleted?  

Unlike Power365 DS Lite, re-preparing a user that was deleted in the tenant requires the following to be done:

  1. After the target user was removed from On-Prem AD, AADC sync must take place to sync up the changes.
  2. Reconcile should be performed for target on-prem environment.
  3. Discovery should be performed in T2T to pick up the object deletion and the User Migration record should then reflect the changes.

 

Additional Information  

Power365 Directory Sync Lite (Deprecated)

Workflows

Templates

Agents

Calendar Sharing

What is Calendaring Sharing?  

Power365 Integration Projects provide the option to automatically configure calendar sharing between Microsoft 365 tenants. This will allow end-users to see each other’s calendaring free/busy or availability information when scheduling meetings.

 

How do I enable Calendar Sharing?  

During the configuration of a Power365 Project you will be asked if this feature should be enabled. Answer “Yes” to allow Power365 to automatically configure your calendar sharing options. Additional questions will follow to complete the setup.

 

How does it work?  

Once enabled Power365 will automatically create the Organization Relationships between the Microsoft Microsoft 365 tenants. Once these configurations are in place, calendar sharing is enabled.

 

The following is an example of the PowerShell command run against each tenant to establish calendar sharing.

New-OrganizationRelationship -DomainNames $domains -Name $name -Enabled -FreeBusyAccessEnabled -FreeBusyAccessLevel AvailabilityOnly -FreeBusyAccessScope $groupName -TargetApplicationUri "outlook.com" -TargetAutodiscoverEpr https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc/WSSecurity

  • The “$Domains” parameter in the example below includes all accepted domains from the destination tenant, including the onmicorosoft.com domains. See figure 1 below for an example.

  • The “$Name” parameter is automatically calculated by Power365.

  • The Free Busy Access Level is always set to the lowest setting of, Availability Only.

  • The Free Busy Scope is set to all users for the target and can be filtered by group from the source is desired. The Power365 Project wizard will walk you through these questions.

  • None of the other available organization relationship parameters are setup by Power365.

 

What if I already have an Organization Relationship setup with the destination domains?  

If you already have an organization relationship setup in your tenant pointing to the destination tenant accepted domains, then you must; A) Remove it before enabling it in your Power365 Project or B) Do not allow Power365 to manage this component and keep it disabled in your Power365 Project.

 

How do I know when calendar sharing is ready?  

There are several ways to confirm if the Organization Relationships were deployed in each tenant.

  1. Use Remote PowerShell authenticate to each tenant. Run the Get-OrganizationRelationship command to get a list of items. The Power365 configured items will include the name Binary Tree.
  2. Open the Exchange Admin Center within the Microsoft 365 Admin Center. Navigate to the Organization tab in the left menu. Review the items listed under the Organization Sharing section.
  3. Check on the status of “Calendar Availability” from the Power365 Dashboard.

 

How do I control which users are sharing and how much they share?  

During Project setup, Power365 provides the option to expose all source users or just a subset of users. This is achieved through membership in a Group. It is recommended this be a local AD group that is synchronized to Microsoft 365. A cloud only distribution list group will also work but must be managed in the cloud.

Furthermore, the Organization Relationship can be modified by an Exchange Online administrator at any time. Follow these steps to modify the existing Organization Relationship in a tenant.

  1. From the Microsoft 365 admin center dashboard, go to Admin > Exchange.
  2. Go to organization > sharing.
  3. Under Organization Sharing, Select the proper record then click Edit.
  4. To set the free/busy access level, select one of the following:

        a. Calendar free/busy information with time only

         b. Calendar free/busy with time, subject, and location

    To set which users will share calendar free/busy information, select one of the following:

         c. Everyone in your organization

         d. A specified security group

             Click browse to pick the security group from a list, then click ok.

  5. Click save to create the organization relationship.

Figure 1 and 2 below provide examples of successfully completed configurations within your Microsoft 365 Exchange Online Portal.

Figure 1: Example Organization Relationship General Settings

Figure 1: Example Organization Relationship General Settings

 

Figure 2: Example Organization Relationship Sharing Settings

Figure 2: Example Organization Relationship Sharing Settings

 

How do I Disable Calendar Sharing?  

To disable and remove the previous configurations, edit the Power365 Project. Follow these steps to complete this process.

  1. Login to Power365.
  2. Open the Power365 Project Dashboard.
  3. Click the “EDIT” action to start the Project Wizard.
  4. Click “NEXT” until asked about sharing calendar availability between tenants.
  5. Click “NO” to disable calendar sharing.
  6. Click “NEXT” until you reach the end of the Wizard.
  7. Within 30 mins, the Organization Relationships configurations will be automatically removed from each tenant.

 

Additional Information  

Create an organization relationship in Exchange Online

Get-OrganizationRelationship

Remove-OrganizationRelationship

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating