When making an O365 Tenant connection using Metalogix Content Matrix, the SharePoint Administration URL must be used in order for the connection to be completed; that is:
If an incorrect URL, such as a specific site or Site Collection URL is used, then the connection will not be completed and the following connection error will display:
Office 365 OAuth Authentication is a token-based authentication method that can be used as an alternative to Standard/ADFS Authentication to reduce throttling.
If Multi-Factor Authentication is set up for the tenant and enabled for the account (as described in the Microsoft TechNet article SharePoint Online - O365: Set up Multi-Factor Authentication), you can connect using Office 365 OAuth with MFA Authentication as an alternative to Office 365 Web Browser authentication.
NOTE: If you are using the Office 365 OAuth with MFA Authentication type, be aware that some migration limitations apply.
The very first time OAuth Authentication is selected, the application Metalogix Content Matrix SharePoint Client must be registered for the tenant.
IMPORTANT: Prior to version 9.2, the Metalogix SharePoint Migration Client application was used for OAuth Authentication. Jobs created before version 9.2 (including those that use PowerShell or Distributed Migration) will continue to use this application (as long as it is still registered in Azure Active Directory). Starting with version 9.2, all jobs using OAuth Authentication will use the Metalogix Content Matrix SharePoint Client application.
At a minimum, the following permissions are required to register and provide consent for the Metalogix Content Matrix SharePoint Client application.
·For a site-level connection, the account must have a minimum of Site Administrator and Application Administrator permission roles.
·For a tenant-level connection, the account must have a minimum of SharePoint Administrator and Application Administrator permission roles.
Providing Consent to Grant the Application Requested Permissions
The first time a Content Matrix user attempts to connect to SharePoint Online using Office 365 OAuth Authentication, a dialog displays requesting that you grant the permissions that the application needs to perform migrations.
A Global Administrator can check the Consent on behalf of your organization box, which will prevent this dialog from displaying for other users. If the account is not a Global Administrator, the Consent on behalf of your organization option will be hidden.
IMPORTANT: If a Global Administrator does not consent on behalf of the organization, each Content Matrix user who attempts to connect using Office 365 OAuth Authentication for the first time must sign in with an account that has the Application Administrator permission role.
After [Accept] is clicked, the connection is created (and the application will be registered if it does not already exist in Azure Active Directory). In addition, the token cache file ConnectionsTokenCache.dat is created in the AppData/Roaming/Metalogix folder. (Note, if you have used OAuth Authentication in an earlier version of Content Matrix, this file will already exist.)
When you select one of the Office 365 OAuth authentication types, before making a connection to SharePoint Online, a pop-up specific to the authentication type will display, as described in the following table.
NOTE: If you click the Do not show the message again. box, Content Matrix will continue to use the selected option and no longer display the pop-up. You can resume having the pop-up display by clicking Reset Configuration Options on the ribbon toolbar Settings tab.
If you selected...
Auto Detect or Office365 OAuth/Standard/ADFS Authentication
the pop-up will ask you to confirm that you want to use the Office 365 OAuth option.
Choose [Yes - Use OAuth].
Office 365 OAuth with MFA Authentication (Not Auto Detected)
the pop-up will inform you of some migration limitations associated with this authentication type.
See the topic Migration Limitations When Using Office 365 OAuth with MFA Authentication for details.
Signing into your O365 Account to Use Office 365 OAuth Authentication
When prompted to sign into your O365 account, for Auto Detect or Office365 OAuth/Standard/ADFS Authentication, you must use the account you specified as the Connect As account in Content Matrix. The connection will fail if you try to sign in with another account. (This is not an issue with Office 365 OAuth with MFA Authentication, which does not use a Connect As account.)
IMPORTANT: If you are using OAuth Authentication for the first time, a dialog may display requesting that you consent to granting permissions that the application needs to perform migrations. To provide this consent, the account must be an Application Administrator. (This dialog will not display if a Global Administrator has granted consent on behalf of the organization.)